The Chrome Enterprise policy list is moving! Please update your bookmarks to https://cloud.google.com/docs/chrome-enterprise/policies/.


Both Chromium and Google Chrome support the same set of policies. Please note that this document may include unreleased policies (i.e. their 'Supported on' entry refers to a not-yet released version of Google Chrome) which are subject to change or removal without notice and for which no guarantees of any kind are provided, including no guarantees with respect to their security and privacy properties.

These policies are strictly intended to be used to configure instances of Google Chrome internal to your organization. Use of these policies outside of your organization (for example, in a publicly distributed program) is considered malware and will likely be labeled as malware by Google and anti-virus vendors.

These settings don't need to be configured manually! Easy-to-use templates for Windows, Mac and Linux are available for download from https://www.chromium.org/administrators/policy-templates.

The recommended way to configure policy on Windows is via GPO, although provisioning policy via registry is still supported for Windows instances that are joined to a Microsoft® Active Directory® domain.




Policy NameDescription
Accessibility settings
ShowAccessibilityOptionsInSystemTrayMenuShow accessibility options in system tray menu
LargeCursorEnabledEnable large cursor
SpokenFeedbackEnabledEnable spoken feedback
HighContrastEnabledEnable high contrast mode
VirtualKeyboardEnabledEnable on-screen keyboard
VirtualKeyboardFeaturesEnable or disable various features on the on-screen keyboard
StickyKeysEnabledEnable sticky keys
KeyboardDefaultToFunctionKeysMedia keys default to function keys
ScreenMagnifierTypeSet screen magnifier type
DictationEnabledEnable the dictation accessibility feature
SelectToSpeakEnabledEnable select to speak
KeyboardFocusHighlightEnabledEnable the keyboard focus highlighting accessibility feature
CursorHighlightEnabledEnable the cursor highlight accessibility feature
CaretHighlightEnabledEnable the caret highlight accessibility feature
MonoAudioEnabledEnable the mono audio accessibility feature
AccessibilityShortcutsEnabledEnable accessibility features shortcuts
AutoclickEnabledEnable the autoclick accessibility feature
DeviceLoginScreenDefaultLargeCursorEnabledSet default state of the large cursor on the login screen
DeviceLoginScreenDefaultSpokenFeedbackEnabledSet the default state of spoken feedback on the login screen
DeviceLoginScreenDefaultHighContrastEnabledSet the default state of high contrast mode on the login screen
DeviceLoginScreenDefaultVirtualKeyboardEnabledSet default state of the on-screen keyboard on the login screen
DeviceLoginScreenDefaultScreenMagnifierTypeSet the default screen magnifier type enabled on the login screen
DeviceLoginScreenLargeCursorEnabledEnable the large cursor on the login screen
DeviceLoginScreenSpokenFeedbackEnabledEnable the spoken feedback on the login screen
DeviceLoginScreenHighContrastEnabledEnable the high contrast on the login screen
DeviceLoginScreenVirtualKeyboardEnabledEnable the virtual keyboard on the login screen
DeviceLoginScreenDictationEnabledEnable the dictation on the login screen
DeviceLoginScreenSelectToSpeakEnabledEnable the select to speak on the login screen
DeviceLoginScreenCursorHighlightEnabledEnable the cursor highlight on the login screen
DeviceLoginScreenCaretHighlightEnabledEnable the caret highlight on the login screen
DeviceLoginScreenMonoAudioEnabledEnable the mono audio on the login screen
DeviceLoginScreenAutoclickEnabledEnable the autoclick on the login screen
DeviceLoginScreenStickyKeysEnabledEnable the sticky keys on the login screen
DeviceLoginScreenKeyboardFocusHighlightEnabledEnable the keyboard focus highlighting accessibility feature
DeviceLoginScreenScreenMagnifierTypeSet the screen magnifier type on the login screen
DeviceLoginScreenShowOptionsInSystemTrayMenuShow accessibility options in system tray menu in the login screen
DeviceLoginScreenAccessibilityShortcutsEnabledEnable accessibility features shortcuts on the login screen
FloatingAccessibilityMenuEnabledEnables the floating accessibility menu
EnhancedNetworkVoicesInSelectToSpeakAllowedAllow the enhanced network text-to-speech voices in Select-to-speak
Allow or deny screen capture
ScreenCaptureAllowedAllow or deny screen capture
ScreenCaptureAllowedByOriginsAllow Desktop, Window, and Tab capture by these origins
WindowCaptureAllowedByOriginsAllow Window and Tab capture by these origins
TabCaptureAllowedByOriginsAllow Tab capture by these origins
SameOriginTabCaptureAllowedByOriginsAllow Same Origin Tab capture by these origins
Android settings
ArcEnabledEnable ARC
UnaffiliatedArcAllowedAllow unaffiliated users to use ARC
ArcPolicyConfigure ARC
ArcAppInstallEventLoggingEnabledLog events for Android app installs
ArcBackupRestoreServiceEnabledControl Android backup and restore service
ArcGoogleLocationServicesEnabledControl Android Google location services
ArcCertificatesSyncModeSet certificate availability for ARC-apps
AppRecommendationZeroStateEnabledEnable App Recommendations in Zero State of Search Box
DeviceArcDataSnapshotHoursIntervals when ARC data snapshot update process can be started for Managed Guest Sessions
ArcAppToWebAppSharingEnabledEnable sharing from Android apps to Web apps
Borealis
DeviceBorealisAllowedAllow devices to use Borealis on Google Chrome OS
UserBorealisAllowedAllow users to use Borealis on Google Chrome OS
Certificate management settings
RequiredClientCertificateForDeviceRequired device-wide Client Certificates
RequiredClientCertificateForUserRequired Client Certificates
Content settings
DefaultClipboardSettingDefault clipboard setting
DefaultCookiesSettingDefault cookies setting
DefaultFileSystemReadGuardSettingControl use of the File System API for reading
DefaultFileSystemWriteGuardSettingControl use of the File System API for writing
DefaultImagesSettingDefault images setting
DefaultInsecureContentSettingControl use of insecure content exceptions
DefaultJavaScriptSettingDefault JavaScript setting
DefaultJavaScriptJitSettingControl use of JavaScript JIT
DefaultLocalFontsSettingDefault Local Fonts permission setting
DefaultPopupsSettingDefault pop-ups setting
DefaultNotificationsSettingDefault notification setting
DefaultGeolocationSettingDefault geolocation setting
DefaultMediaStreamSettingDefault mediastream setting
DefaultSensorsSettingDefault sensors setting
DefaultWebBluetoothGuardSettingControl use of the Web Bluetooth API
DefaultWebUsbGuardSettingControl use of the WebUSB API
DefaultSerialGuardSettingControl use of the Serial API
DefaultWebHidGuardSettingControl use of the WebHID API
DefaultWindowPlacementSettingDefault Window Placement permission setting
ClipboardAllowedForUrlsAllow clipboard on these sites
ClipboardBlockedForUrlsBlock clipboard on these sites
AutoSelectCertificateForUrlsAutomatically select client certificates for these sites
CookiesAllowedForUrlsAllow cookies on these sites
CookiesBlockedForUrlsBlock cookies on these sites
CookiesSessionOnlyForUrlsLimit cookies from matching URLs to the current session
FileSystemReadAskForUrlsAllow read access via the File System API on these sites
FileSystemReadBlockedForUrlsBlock read access via the File System API on these sites
FileSystemWriteAskForUrlsAllow write access to files and directories on these sites
FileSystemWriteBlockedForUrlsBlock write access to files and directories on these sites
ImagesAllowedForUrlsAllow images on these sites
ImagesBlockedForUrlsBlock images on these sites
InsecureContentAllowedForUrlsAllow insecure content on these sites
InsecureContentBlockedForUrlsBlock insecure content on these sites
JavaScriptAllowedForUrlsAllow JavaScript on these sites
JavaScriptBlockedForUrlsBlock JavaScript on these sites
JavaScriptJitAllowedForSitesAllow JavaScript to use JIT on these sites
JavaScriptJitBlockedForSitesBlock JavaScript from using JIT on these sites
LegacySameSiteCookieBehaviorEnabledForDomainListRevert to legacy SameSite behavior for cookies on these sites
LocalFontsAllowedForUrlsAllow Local Fonts permission on these sites
LocalFontsBlockedForUrlsBlock Local Fonts permission on these sites
PopupsAllowedForUrlsAllow pop-ups on these sites
RegisteredProtocolHandlersRegister protocol handlers
PopupsBlockedForUrlsBlock pop-ups on these sites
NotificationsAllowedForUrlsAllow notifications on these sites
NotificationsBlockedForUrlsBlock notifications on these sites
SensorsAllowedForUrlsAllow access to sensors on these sites
SensorsBlockedForUrlsBlock access to sensors on these sites
WebUsbAllowDevicesForUrlsAutomatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
WebUsbAskForUrlsAllow WebUSB on these sites
WebUsbBlockedForUrlsBlock WebUSB on these sites
SerialAskForUrlsAllow the Serial API on these sites
SerialBlockedForUrlsBlock the Serial API on these sites
SerialAllowAllPortsForUrlsAutomatically grant permission to sites to connect all serial ports.
SerialAllowUsbDevicesForUrlsAutomatically grant permission to sites to connect to USB serial devices.
WebHidAskForUrlsAllow the WebHID API on these sites
WebHidBlockedForUrlsBlock the WebHID API on these sites
WebHidAllowAllDevicesForUrlsAutomatically grant permission to sites to connect to any HID device.
WebHidAllowDevicesForUrlsAutomatically grant permission to these sites to connect to HID devices with the given vendor and product IDs.
WebHidAllowDevicesWithHidUsagesForUrlsAutomatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage.
WindowPlacementAllowedForUrlsAllow Window Placement permission on these sites
WindowPlacementBlockedForUrlsBlock Window Placement permission on these sites
Date and time
SystemTimezoneTimezone
SystemTimezoneAutomaticDetectionConfigure the automatic timezone detection method
SystemUse24HourClockUse 24 hour clock by default
Default search provider
DefaultSearchProviderEnabledEnable the default search provider
DefaultSearchProviderNameDefault search provider name
DefaultSearchProviderKeywordDefault search provider keyword
DefaultSearchProviderSearchURLDefault search provider search URL
DefaultSearchProviderSuggestURLDefault search provider suggest URL
DefaultSearchProviderIconURLDefault search provider icon
DefaultSearchProviderEncodingsDefault search provider encodings
DefaultSearchProviderAlternateURLsList of alternate URLs for the default search provider
DefaultSearchProviderImageURLParameter providing search-by-image feature for the default search provider
DefaultSearchProviderNewTabURLDefault search provider new tab page URL
DefaultSearchProviderSearchURLPostParamsParameters for search URL which uses POST
DefaultSearchProviderSuggestURLPostParamsParameters for suggest URL which uses POST
DefaultSearchProviderImageURLPostParamsParameters for image URL which uses POST
Device update settings
ChromeOsReleaseChannelRelease channel
ChromeOsReleaseChannelDelegatedUsers may configure the Google Chrome OS release channel
DeviceAutoUpdateDisabledDisable Auto Update
DeviceAutoUpdateP2PEnabledAuto update P2P enabled
DeviceAutoUpdateTimeRestrictionsUpdate Time Restrictions
DeviceTargetVersionPrefixTarget Auto Update Version
DeviceTargetVersionSelectorAllow devices to select a specific version to update to
DeviceUpdateStagingScheduleThe staging schedule for applying a new update
DeviceUpdateScatterFactorAuto update scatter factor
DeviceUpdateAllowedConnectionTypesConnection types allowed for updates
DeviceUpdateHttpDownloadsEnabledAllow autoupdate downloads via HTTP
RebootAfterUpdateAutomatically reboot after update
DeviceRollbackToTargetVersionRollback to target version
DeviceRollbackAllowedMilestonesNumber of milestones rollback is allowed
DeviceQuickFixBuildTokenProvide users with Quick Fix Build
DeviceMinimumVersionConfigure minimum allowed Google Chrome OS version for the device.
DeviceMinimumVersionAueMessageConfigure auto update expiration message for DeviceMinimumVersion policy
Display
DeviceDisplayResolutionSet display resolution and scale factor
DisplayRotationDefaultSet default display rotation, reapplied on every reboot
Extensions
ExtensionInstallAllowlistConfigure extension installation allow list
ExtensionInstallBlocklistConfigure extension installation blocklist
ExtensionInstallForcelistConfigure the list of force-installed apps and extensions
ExtensionInstallSourcesConfigure extension, app, and user script install sources
ExtensionAllowedTypesConfigure allowed app/extension types
ExtensionSettingsExtension management settings
BlockExternalExtensionsBlocks external extensions from being installed
Gaia user identity management settings
GaiaOfflineSigninTimeLimitDaysLimit the time for which a user authenticated via GAIA without SAML can log in offline
Google Assistant
VoiceInteractionContextEnabledAllow Google Assistant to access screen context
VoiceInteractionHotwordEnabledAllow Google Assistant to listen for the voice activation phrase
AssistantVoiceMatchEnabledDuringOobeEnable Google Assistant voice match flow
Google Cast
EnableMediaRouterEnable Google Cast
ShowCastIconInToolbarShow the Google Cast toolbar icon
Google Drive
DriveDisabledDisable Drive in the Google Chrome OS Files app
DriveDisabledOverCellularDisable Google Drive over cellular connections in the Google Chrome OS Files app
HTTP authentication
AuthSchemesSupported authentication schemes
AllHttpAuthSchemesAllowedForOriginsList of origins allowing all HTTP authentication
DisableAuthNegotiateCnameLookupDisable CNAME lookup when negotiating Kerberos authentication
EnableAuthNegotiatePortInclude non-standard port in Kerberos SPN
BasicAuthOverHttpEnabledAllow Basic authentication for HTTP
AuthServerAllowlistAuthentication server allowlist
AuthNegotiateDelegateAllowlistKerberos delegation server allowlist
AuthNegotiateDelegateByKdcPolicyUse KDC policy to delegate credentials.
GSSAPILibraryNameGSSAPI library name
AuthAndroidNegotiateAccountTypeAccount type for HTTP Negotiate authentication
AllowCrossOriginAuthPromptCross-origin HTTP Authentication prompts
NtlmV2EnabledEnable NTLMv2 authentication.
Kerberos
KerberosEnabledEnable Kerberos functionality
KerberosRememberPasswordEnabledEnable 'Remember password' feature
KerberosAddAccountsAllowedUsers can add Kerberos accounts
KerberosAccountsConfigure Kerberos accounts
Kiosk settings
DeviceLocalAccountsDevice-local accounts
DeviceLocalAccountAutoLoginIdDevice-local account for auto-login
DeviceLocalAccountAutoLoginDelayDevice-local account auto-login timer
DeviceLocalAccountAutoLoginBailoutEnabledEnable bailout keyboard shortcut for auto-login
DeviceLocalAccountPromptForNetworkWhenOfflineEnable network configuration prompt when offline
AllowKioskAppControlChromeVersionAllow the auto launched with zero delay kiosk app to control Google Chrome OS version
Legacy Browser Support
AlternativeBrowserPathAlternative browser to launch for configured websites.
AlternativeBrowserParametersCommand-line parameters for the alternative browser.
BrowserSwitcherChromePathPath to Chrome for switching from the alternative browser.
BrowserSwitcherChromeParametersCommand-line parameters for switching from the alternative browser.
BrowserSwitcherDelayDelay before launching alternative browser (milliseconds)
BrowserSwitcherEnabledEnable the Legacy Browser Support feature.
BrowserSwitcherExternalSitelistUrlURL of an XML file that contains URLs to load in an alternative browser.
BrowserSwitcherExternalGreylistUrlURL of an XML file that contains URLs that should never trigger a browser switch.
BrowserSwitcherKeepLastChromeTabKeep last tab open in Chrome.
BrowserSwitcherParsingModeSitelist parsing mode
BrowserSwitcherUrlListWebsites to open in alternative browser
BrowserSwitcherUrlGreylistWebsites that should never trigger a browser switch.
BrowserSwitcherUseIeSitelistUse Internet Explorer's SiteList policy for Legacy Browser Support.
Linux container
VirtualMachinesAllowedAllow devices to run virtual machines on ChromeOS
CrostiniAllowedUser is enabled to run Crostini
DeviceUnaffiliatedCrostiniAllowedAllow unaffiliated users to use Crostini
CrostiniExportImportUIAllowedUser is enabled to export / import Crostini containers via the UI
CrostiniAnsiblePlaybookCrostini Ansible playbook
CrostiniPortForwardingAllowedAllow users to [enable/configure] Crostini port forwarding
SystemTerminalSshAllowedAllow SSH outgoing client connections in Terminal System App
Microsoft® Active Directory® management settings
DeviceMachinePasswordChangeRateMachine password change rate
DeviceUserPolicyLoopbackProcessingModeUser policy loopback processing mode
DeviceKerberosEncryptionTypesAllowed Kerberos encryption types
DeviceGpoCacheLifetimeGPO cache lifetime
DeviceAuthDataCacheLifetimeAuthentication data cache lifetime
ChromadToCloudMigrationEnabledEnable the migration of Chromad devices into cloud management
Native Messaging
NativeMessagingBlocklistConfigure native messaging blocklist
NativeMessagingAllowlistConfigure native messaging allowlist
NativeMessagingUserLevelHostsAllow user-level Native Messaging hosts (installed without admin permissions)
Network File Shares settings
NetworkFileSharesAllowedControls Network File Shares for ChromeOS availability
NetBiosShareDiscoveryEnabledControls Network File Share discovery via NetBIOS
NTLMShareAuthenticationEnabledControls enabling NTLM as an authentication protocol for SMB mounts
NetworkFileSharesPreconfiguredSharesList of preconfigured network file shares.
Network settings
DeviceOpenNetworkConfigurationDevice-level network configuration
DeviceDataRoamingEnabledEnable data roaming
NetworkThrottlingEnabledEnable throttling network bandwidth
DeviceHostnameTemplateDevice network hostname template
DeviceHostnameUserConfigurableAllow user to configure their device hostname
DeviceWiFiFastTransitionEnabledEnable 802.11r Fast Transition
DeviceWiFiAllowedEnable WiFi
DeviceDockMacAddressSourceDevice MAC address source when docked
Other
UsbDetachableAllowlistAllowlist of USB detachable devices
DeviceAllowBluetoothAllow bluetooth on device
TPMFirmwareUpdateSettingsConfigure TPM firmware update behavior
DevicePolicyRefreshRateRefresh rate for Device Policy
DeviceBlockDevmodeBlock developer mode
DeviceAllowRedeemChromeOsRegistrationOffersAllow users to redeem offers through Google Chrome OS Registration
DeviceQuirksDownloadEnabledEnable queries to Quirks Server for hardware profiles
ExtensionCacheSizeSet Apps and Extensions cache size (in bytes)
DeviceOffHoursOff hours intervals when the specified device policies are released
SuggestedContentEnabledEnable Suggested Content
DeviceShowLowDiskSpaceNotificationShow notification when disk space is low
WebXRImmersiveArEnabledAllow creating WebXR's "immersive-ar" sessions
PromptOnMultipleMatchingCertificatesPrompt when multiple certificates match
DeviceKeylockerForStorageEncryptionEnabledControls use of AES Keylocker for user storage encryption if supported
Parental supervision settings
ParentAccessCodeConfigParent Access Code Configuration
PerAppTimeLimitsPer-App Time Limits
PerAppTimeLimitsAllowlistPer-App Time Limits Allowlist
UsageTimeLimitTime Limit
EduCoexistenceToSVersionThe valid version of Edu Coexistence Terms of Service
Password manager
PasswordManagerEnabledEnable saving passwords to the password manager
PasswordLeakDetectionEnabledEnable leak detection for entered credentials
PasswordDismissCompromisedAlertEnabledEnable dismissing compromised password alerts for entered credentials
PluginVm
PluginVmAllowedAllow devices to use a PluginVm on Google Chrome OS
PluginVmDataCollectionAllowedAllow PluginVm Product Analytics
PluginVmImagePluginVm image
PluginVmRequiredFreeDiskSpaceRequired free disk space for PluginVm
PluginVmUserIdPluginVm user id
UserPluginVmAllowedAllow users to use a PluginVm on Google Chrome OS
Power and shutdown
DeviceLoginScreenPowerManagementPower management on the login screen
UptimeLimitLimit device uptime by automatically rebooting
DeviceRebootOnShutdownAutomatic reboot on device shutdown
Power management
ScreenDimDelayACScreen dim delay when running on AC power
ScreenOffDelayACScreen off delay when running on AC power
ScreenLockDelayACScreen lock delay when running on AC power
IdleWarningDelayACIdle warning delay when running on AC power
IdleDelayACIdle delay when running on AC power
ScreenDimDelayBatteryScreen dim delay when running on battery power
ScreenOffDelayBatteryScreen off delay when running on battery power
ScreenLockDelayBatteryScreen lock delay when running on battery power
IdleWarningDelayBatteryIdle warning delay when running on battery power
IdleDelayBatteryIdle delay when running on battery power
IdleActionAction to take when the idle delay is reached
IdleActionACAction to take when the idle delay is reached while running on AC power
IdleActionBatteryAction to take when the idle delay is reached while running on battery power
LidCloseActionAction to take when the user closes the lid
PowerManagementUsesAudioActivitySpecify whether audio activity affects power management
PowerManagementUsesVideoActivitySpecify whether video activity affects power management
PresentationScreenDimDelayScalePercentage by which to scale the screen dim delay in presentation mode
AllowWakeLocksAllow wake locks
AllowScreenWakeLocksAllow screen wake locks
UserActivityScreenDimDelayScalePercentage by which to scale the screen dim delay if the user becomes active after dimming
WaitForInitialUserActivityWait for initial user activity
PowerManagementIdleSettingsPower management settings when the user becomes idle
ScreenLockDelaysScreen lock delays
PowerSmartDimEnabledEnable smart dim model to extend the time until the screen is dimmed
ScreenBrightnessPercentScreen brightness percent
DevicePowerPeakShiftBatteryThresholdSet power peak shift battery threshold in percent
DevicePowerPeakShiftDayConfigSet power peak shift day config
DevicePowerPeakShiftEnabledEnable peak shift power management
DeviceBootOnAcEnabledEnable boot on AC (alternating current)
DeviceAdvancedBatteryChargeModeEnabledEnable advanced battery charge mode
DeviceAdvancedBatteryChargeModeDayConfigSet advanced battery charge mode day config
DeviceBatteryChargeModeBattery charge mode
DeviceBatteryChargeCustomStartChargingSet battery charge custom start charging in percent
DeviceBatteryChargeCustomStopChargingSet battery charge custom stop charging in percent
DeviceUsbPowerShareEnabledEnable USB power share
DevicePowerAdaptiveChargingEnabledEnable adaptive charging model to hold charging process to extend battery life
Printing
PrintingEnabledEnable printing
CloudPrintProxyEnabledEnable Google Cloud Print proxy
PrintingAllowedColorModesRestrict printing color mode
PrintingAllowedDuplexModesRestrict printing duplex mode
PrintingAllowedPinModesRestrict PIN printing mode
PrintingAllowedBackgroundGraphicsModesRestrict background graphics printing mode
PrintingColorDefaultDefault printing color mode
PrintingDuplexDefaultDefault printing duplex mode
PrintingPinDefaultDefault PIN printing mode
PrintingBackgroundGraphicsDefaultDefault background graphics printing mode
PrintingPaperSizeDefaultDefault printing page size
PrintingSendUsernameAndFilenameEnabledSend username and filename to native printers
PrintingMaxSheetsAllowedMaximal number of sheets allowed to use for a single print job
PrintJobHistoryExpirationPeriodSet the time period in days for storing print jobs metadata
PrintingAPIExtensionsAllowlistExtensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API
DisablePrintPreviewDisable Print Preview
PrintHeaderFooterPrint Headers and Footers
DefaultPrinterSelectionDefault printer selection rules
PrintersConfigures a list of printers
PrintersBulkConfigurationEnterprise printer configuration file
PrintersBulkAccessModePrinter configuration access policy.
PrintersBulkBlocklistDisabled enterprise printers
PrintersBulkAllowlistEnabled enterprise printers
DevicePrintersEnterprise printer configuration file for devices
DevicePrintersAccessModeDevice printers configuration access policy.
DevicePrintersBlocklistDisabled enterprise device printers
DevicePrintersAllowlistEnabled enterprise device printers
PrintPreviewUseSystemDefaultPrinterUse System Default Printer as Default
UserPrintersAllowedAllow access to CUPS printers
ExternalPrintServersExternal print servers
ExternalPrintServersAllowlistEnabled external print servers
PrinterTypeDenyListDisable printer types on the deny list
PrintRasterizationModePrint Rasterization Mode
PrintPdfAsImageAvailabilityPrint PDF as Image Available
PrintRasterizePdfDpiPrint Rasterize PDF DPI
DeletePrintJobHistoryAllowedAllow print job history to be deleted
PrintPostScriptModePrint PostScript Mode
PrintPdfAsImageDefaultPrint PDF as Image Default
Privacy screen settings
DeviceLoginScreenPrivacyScreenEnabledSet the state of privacy screen on the login screen
PrivacyScreenEnabledEnable privacy screen
Projector
ProjectorEnabledEnable Projector
ProjectorDogfoodForFamilyLinkEnabledEnable Projector dogfood for Family Link users
Proxy server
ProxyModeChoose how to specify proxy server settings
ProxyServerModeChoose how to specify proxy server settings
ProxyServerAddress or URL of proxy server
ProxyPacUrlURL to a proxy .pac file
ProxyBypassListProxy bypass rules
Quick Answers
QuickAnswersEnabledEnable Quick Answers
QuickAnswersDefinitionEnabledEnable Quick Answers Definition
QuickAnswersTranslationEnabledEnable Quick Answers Translation
QuickAnswersUnitConversionEnabledEnable Quick Answers Unit Conversion
Quick unlock
QuickUnlockModeAllowlistConfigure allowed quick unlock modes
QuickUnlockTimeoutSet how often user has to enter password to use quick unlock
PinUnlockMinimumLengthSet the minimum length of the lock screen PIN
PinUnlockMaximumLengthSet the maximum length of the lock screen PIN
PinUnlockWeakPinsAllowedEnable users to set weak PINs for the lock screen PIN
PinUnlockAutosubmitEnabledEnable PIN auto-submit feature on the lock and login screen.
Remote access
RemoteAccessHostClientDomainConfigure the required domain name for remote access clients
RemoteAccessHostClientDomainListConfigure the required domain names for remote access clients
RemoteAccessHostFirewallTraversalEnable firewall traversal from remote access host
RemoteAccessHostDomainConfigure the required domain name for remote access hosts
RemoteAccessHostDomainListConfigure the required domain names for remote access hosts
RemoteAccessHostRequireCurtainEnable curtaining of remote access hosts
RemoteAccessHostAllowClientPairingEnable or disable PIN-less authentication for remote access hosts
RemoteAccessHostAllowRelayedConnectionEnable the use of relay servers by the remote access host
RemoteAccessHostUdpPortRangeRestrict the UDP port range used by the remote access host
RemoteAccessHostMatchUsernameRequire that the name of the local user and the remote access host owner match
RemoteAccessHostAllowUiAccessForRemoteAssistanceAllow remote users to interact with elevated windows in remote assistance sessions
RemoteAccessHostAllowFileTransferAllow remote access users to transfer files to/from the host
RemoteAccessHostAllowRemoteAccessConnectionsAllow remote access connections to this machine
RemoteAccessHostMaximumSessionDurationMinutesMaximum session duration allowed for remote access connections
RemoteAccessHostClipboardSizeBytesThe maximum size, in bytes, that can be transferred between client and host via clipboard synchronization
RemoteAccessHostAllowRemoteSupportConnectionsAllow remote support connections to this machine
Remote attestation
AttestationEnabledForDeviceEnable remote attestation for the device
AttestationEnabledForUserEnable remote attestation for the user
AttestationExtensionAllowlistExtensions allowed to to use the remote attestation API
AttestationForContentProtectionEnabledEnable the use of remote attestation for content protection for the device
DeviceWebBasedAttestationAllowedUrlsURLs that will be granted access to perform the device attestation during SAML authentication
Safe Browsing settings
SafeBrowsingEnabledEnable Safe Browsing
SafeBrowsingExtendedReportingEnabledEnable Safe Browsing Extended Reporting
SafeBrowsingProtectionLevelSafe Browsing Protection Level
SafeBrowsingAllowlistDomainsConfigure the list of domains on which Safe Browsing will not trigger warnings.
PasswordProtectionWarningTriggerPassword protection warning trigger
PasswordProtectionLoginURLsConfigure the list of enterprise login URLs where password protection service should capture salted hashes of passwords.
PasswordProtectionChangePasswordURLConfigure the change password URL.
Saml user identity management settings
SamlInSessionPasswordChangeEnabledPassword synchronization between third-party SSO providers and Chrome devices
SamlPasswordExpirationAdvanceWarningDaysHow many days in advance to notify SAML users when their password is due to expire
LockScreenReauthenticationEnabledEnables online re-authentication on lock screen for SAML users
SAMLOfflineSigninTimeLimitLimit the time for which a user authenticated via SAML can log in offline
Sign-in settings
DeviceGuestModeEnabledEnable guest mode
DeviceUserAllowlistLogin user allow list
DeviceAllowNewUsersAllow creation of new user accounts
DeviceLoginScreenDomainAutoCompleteEnable domain name autocomplete during user sign in
DeviceShowUserNamesOnSigninShow usernames on login screen
DeviceWallpaperImageDevice wallpaper image
DeviceEphemeralUsersEnabledWipe user data on sign-out
LoginAuthenticationBehaviorConfigure the login authentication behavior
DeviceTransferSAMLCookiesTransfer SAML IdP cookies during login
LoginVideoCaptureAllowedUrlsURLs that will be granted access to video capture devices on SAML login pages
DeviceLoginScreenExtensionsConfigure the list of installed apps and extensions on the login screen
DeviceLoginScreenLocalesDevice sign-in screen locale
DeviceLoginScreenInputMethodsDevice sign-in screen keyboard layouts
DeviceLoginScreenSystemInfoEnforcedForce the sign-in screen to show or hide system information.
DeviceSecondFactorAuthenticationIntegrated second factor authentication mode
DeviceLoginScreenAutoSelectCertificateForUrlsAutomatically select client certificates for these sites on the sign-in screen
DeviceShowNumericKeyboardForPasswordShow numeric keyboard for password
DeviceFamilyLinkAccountsAllowedAllow addition of Family Link accounts to the device
DeviceLoginScreenPromptOnMultipleMatchingCertificatesPrompt when multiple certificates match on the sign-in screen
DeviceRunAutomaticCleanupOnLoginControl automatic cleanup during login
Startup, Home page and New Tab page
ShowHomeButtonShow Home button on toolbar
HomepageLocationConfigure the home page URL
HomepageIsNewTabPageUse New Tab Page as homepage
NewTabPageLocationConfigure the New Tab page URL
RestoreOnStartupAction on startup
RestoreOnStartupURLsURLs to open on startup
User and device reporting
EnableDeviceGranularReportingEnable granular reporting controls
ReportDeviceVersionInfoReport OS and firmware version
ReportDeviceBootModeReport device boot mode
ReportDeviceUsersReport device users
ReportDeviceActivityTimesReport device activity times
ReportDeviceAudioStatusReport device audio status
ReportDeviceNetworkConfigurationReport network configuration
ReportDeviceNetworkInterfacesReport device network interfaces
ReportDeviceNetworkStatusReport network status
ReportDeviceHardwareStatusReport hardware status
ReportDeviceSessionStatusReport information about active kiosk sessions
ReportDeviceGraphicsStatusReport display and graphics statuses
ReportDeviceCrashReportInfoReport information about crash reports.
ReportDeviceOsUpdateStatusReport OS update status
ReportDeviceBoardStatusReport board status
ReportDeviceCpuInfoReport CPU info
ReportDeviceTimezoneInfoReport Timezone info
ReportDeviceMemoryInfoReport memory info
ReportDeviceBacklightInfoReport backlight info
ReportDevicePeripheralsReport peripheral details
ReportDevicePowerStatusReport power status
ReportDeviceSecurityStatusReport device security status
ReportDeviceStorageStatusReport storage status
ReportDeviceAppInfoReport applications information
ReportDeviceBluetoothInfoReport Bluetooth info
ReportDeviceFanInfoReport fan info
ReportDeviceVpdInfoReport VPD info
ReportDeviceSystemInfoReport system info
ReportDeviceLoginLogoutReport login/logout
ReportCRDSessionsReport CRD sessions
ReportUploadFrequencyFrequency of device status report uploads
ReportArcStatusEnabledReport information about status of Android
HeartbeatEnabledSend network packets to the management server to monitor online status
HeartbeatFrequencyFrequency of monitoring network packets
LogUploadEnabledSend system logs to the management server
DeviceMetricsReportingEnabledEnable metrics reporting
Wilco DTC
DeviceWilcoDtcAllowedAllows wilco diagnostics and telemetry controller
DeviceWilcoDtcConfigurationWilco DTC configuration
AbusiveExperienceInterventionEnforceAbusive Experience Intervention Enforce
AccessCodeCastDeviceDurationSpecifies how long (in seconds) a cast device selected with an access code or QR code stays in the Google Cast menu's list of cast devices.
AccessCodeCastEnabledAllow users to select cast devices with an access code or QR code from within the Google Cast menu.
AccessibilityImageLabelsEnabledEnable Get Image Descriptions from Google.
AdditionalDnsQueryTypesEnabledAllow DNS queries for additional DNS record types
AdsSettingForIntrusiveAdsSitesAds setting for sites with intrusive ads
AdvancedProtectionAllowedEnable additional protections for users enrolled in the Advanced Protection program
AllowDeletingBrowserHistoryEnable deleting browser and download history
AllowDinosaurEasterEggAllow Dinosaur Easter Egg Game
AllowFileSelectionDialogsAllow invocation of file selection dialogs
AllowScreenLockPermit locking the screen
AllowSystemNotificationsAllows system notifications
AllowedDomainsForAppsDefine domains allowed to access Google Workspace
AllowedInputMethodsConfigure the allowed input methods in a user session
AllowedLanguagesConfigure the allowed languages in a user session
AlternateErrorPagesEnabledEnable alternate error pages
AlwaysOpenPdfExternallyAlways Open PDF files externally
AmbientAuthenticationInPrivateModesEnabledEnable Ambient Authentication for profile types.
ApplicationLocaleValueApplication locale
AudioCaptureAllowedAllow or deny audio capture
AudioCaptureAllowedUrlsURLs that will be granted access to audio capture devices without prompt
AudioOutputAllowedAllow playing audio
AudioProcessHighPriorityEnabledAllow the audio process to run with priority above normal on Windows
AudioSandboxEnabledAllow the audio sandbox to run
AutoFillEnabledEnable AutoFill
AutoLaunchProtocolsFromOriginsDefine a list of protocols that can launch an external application from listed origins without prompting the user
AutoOpenAllowedForURLsURLs where AutoOpenFileTypes can apply
AutoOpenFileTypesList of file types that should be automatically opened on download
AutofillAddressEnabledEnable AutoFill for addresses
AutofillCreditCardEnabledEnable AutoFill for credit cards
AutoplayAllowedAllow media autoplay
AutoplayAllowlistAllow media autoplay on a allowlist of URL patterns
BackForwardCacheEnabledControl the BackForwardCache feature.
BackgroundModeEnabledContinue running background apps when Google Chrome is closed
BlockThirdPartyCookiesBlock third party cookies
BookmarkBarEnabledEnable Bookmark Bar
BrowserAddPersonEnabledEnable add person in user manager
BrowserGuestModeEnabledEnable guest mode in browser
BrowserGuestModeEnforcedEnforce browser guest mode
BrowserLabsEnabledBrowser experiments icon in toolbar
BrowserLegacyExtensionPointsBlockedBlock Browser Legacy Extension Points
BrowserNetworkTimeQueriesEnabledAllow queries to a Google time service
BrowserSigninBrowser sign in settings
BrowserThemeColorConfigure the color of the browser's theme
BrowsingDataLifetimeBrowsing Data Lifetime Settings
BuiltInDnsClientEnabledUse built-in DNS client
BuiltinCertificateVerifierEnabledDetermines whether the built-in certificate verifier will be used to verify server certificates
CACertificateManagementAllowedAllow users to manage installed CA certificates.
CECPQ2EnabledCECPQ2 post-quantum key-agreement enabled for TLS
CORSNonWildcardRequestHeadersSupportCORS non-wildcard request headers support
CaptivePortalAuthenticationIgnoresProxyCaptive portal authentication ignores proxy
CertificateTransparencyEnforcementDisabledForCasDisable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
CertificateTransparencyEnforcementDisabledForLegacyCasDisable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
CertificateTransparencyEnforcementDisabledForUrlsDisable Certificate Transparency enforcement for a list of URLs
ChromeCleanupEnabledEnable Chrome Cleanup on Windows
ChromeCleanupReportingEnabledControl how Chrome Cleanup reports data to Google
ChromeOsLockOnIdleSuspendEnable lock when the device become idle or suspended
ChromeOsMultiProfileUserBehaviorControl the user behavior in a multiprofile session
ChromeVariationsDetermine the availability of variations
ClearBrowsingDataOnExitListClear Browsing Data on Exit
ClickToCallEnabledEnable the Click to Call Feature
ClientCertificateManagementAllowedAllow users to manage installed client certificates.
CloudManagementEnrollmentMandatoryEnable mandatory cloud management enrollment
CloudManagementEnrollmentTokenThe enrollment token of cloud policy
CloudPolicyOverridesPlatformPolicyGoogle Chrome cloud policy overrides Platform policy.
CloudUserPolicyMergeEnables merging of user cloud policies into machine-level policies
CloudUserPolicyOverridesCloudMachinePolicyAllow user cloud policies to override Chrome Browser Cloud Management policies.
CommandLineFlagSecurityWarningsEnabledEnable security warnings for command-line flags
ComponentUpdatesEnabledEnable component updates in Google Chrome
ContextualSearchEnabledEnable Touch to Search
DNSInterceptionChecksEnabledDNS interception checks enabled
DataLeakPreventionClipboardCheckSizeLimitSet minimal size limit for data leak prevention clipboard restriction
DataLeakPreventionReportingEnabledEnable data leak prevention reporting
DataLeakPreventionRulesListSets a list of data leak prevention rules.
DefaultBrowserSettingEnabledSet Google Chrome as Default Browser
DefaultDownloadDirectorySet default download directory
DefaultSearchProviderContextMenuAccessAllowedAllow default search provider context menu search access
DesktopSharingHubEnabledEnable desktop sharing in the omnibox and 3-dot menu
DeveloperToolsAvailabilityControl where Developer Tools can be used
DeveloperToolsDisabledDisable Developer Tools
DeviceAllowMGSToStoreDisplayPropertiesAllow Managed guest session to persist display properties
DeviceAllowedBluetoothServicesOnly allow connection to the Bluetooth services in the list
DeviceAttributesAllowedForOriginsAllow origins to query for device attributes
DeviceChromeVariationsDetermine the availability of variations on Google Chrome OS
DeviceDebugPacketCaptureAllowedAllow debug network packet captures
DeviceEncryptedReportingPipelineEnabledEnable the Encrypted Reporting Pipeline
DeviceI18nShortcutsEnabledAllows enabling/disabling international shortcut keys remaps
DeviceLocalAccountManagedSessionEnabledAllow managed session on device
DeviceLoginScreenPrimaryMouseButtonSwitchSwitch the primary mouse button to the right button on the login screen
DeviceLoginScreenWebUsbAllowDevicesForUrlsAutomatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen.
DevicePciPeripheralDataAccessEnabledEnable Thunderbolt/USB4 peripheral data access
DevicePowerwashAllowedAllow the device to request powerwash
DeviceRebootOnUserSignoutForce device reboot when user sign out
DeviceReleaseLtsTagAllow device to receive LTS updates
DeviceRestrictedManagedGuestSessionEnabledRestricted managed guest sessions
DeviceScheduledRebootSet custom schedule to reboot kiosk devices
DeviceScheduledUpdateCheckSet custom schedule to check for updates
DeviceSystemWideTracingEnabledAllow collection of system-wide performance trace
Disable3DAPIsDisable support for 3D graphics APIs
DisableSafeBrowsingProceedAnywayDisable proceeding from the Safe Browsing warning page
DisableScreenshotsDisable taking screenshots
DisabledSchemesDisable URL protocol schemes
DiskCacheDirSet disk cache directory
DiskCacheSizeSet disk cache size in bytes
DisplayCapturePermissionsPolicyEnabledSpecifies whether the display-capture permissions-policy is checked or skipped.
DnsOverHttpsModeControls the mode of DNS-over-HTTPS
DnsOverHttpsTemplatesSpecify URI template of desired DNS-over-HTTPS resolver
DownloadBubbleEnabledEnable download bubble UI
DownloadDirectorySet download directory
DownloadRestrictionsAllow download restrictions
EasyUnlockAllowedAllow Smart Lock to be used
EcheAllowedAllow Eche to be enabled.
EditBookmarksEnabledEnable or disable bookmark editing
EmojiSuggestionEnabledEnable Emoji Suggestion
EnableExperimentalPoliciesEnables experimental policies
EnableOnlineRevocationChecksEnable online OCSP/CRL checks
EnableSyncConsentEnable displaying Sync Consent during sign-in
EnterpriseHardwarePlatformAPIEnabledEnables managed extensions to use the Enterprise Hardware Platform API
ExemptDomainFileTypePairsFromFileTypeDownloadWarningsDisable download file type extension-based warnings for specified file types on domains
ExplicitlyAllowedNetworkPortsExplicitly allowed network ports
ExtensionInstallEventLoggingEnabledLog events for policy based extension installs
ExternalProtocolDialogShowAlwaysOpenCheckboxShow an "Always open" checkbox in external protocol dialog.
ExternalStorageDisabledDisable mounting of external storage
ExternalStorageReadOnlyTreat external storage devices as read-only
FastPairEnabledEnable Fast Pair (fast Bluetooth pairing)
FetchKeepaliveDurationSecondsOnShutdownFetch keepalive duration on Shutdown
FloatingWorkspaceEnabledEnable Floating Workspace Service
ForceBrowserSigninEnable force sign in for Google Chrome
ForceEphemeralProfilesEphemeral profile
ForceGoogleSafeSearchForce Google SafeSearch
ForceLogoutUnauthenticatedUserEnabledForce logout the user when their account becomes unauthenticated
ForceMajorVersionToMinorPositionInUserAgentFreeze User-Agent string major version at 99
ForceMaximizeOnFirstRunMaximize the first browser window on first run
ForceSafeSearchForce SafeSearch
ForceYouTubeRestrictForce minimum YouTube Restricted Mode
ForceYouTubeSafetyModeForce YouTube Safety Mode
ForcedLanguagesConfigure the content and order of preferred languages
FullRestoreEnabledEnable the full restore feature
FullscreenAlertEnabledEnable fullscreen alert
FullscreenAllowedAllow fullscreen mode
GaiaLockScreenOfflineSigninTimeLimitDaysLimit the time for which a user authenticated via GAIA without SAML can log in offline at the lock screen
GetDisplayMediaSetSelectAllScreensAllowedForUrlsEnables auto-select for multi screen captures
GhostWindowEnabledEnable the ghost window feature
GloballyScopeHTTPAuthCacheEnabledEnable globally scoped HTTP auth cache
HSTSPolicyBypassListList of names that will bypass the HSTS policy check
HardwareAccelerationModeEnabledUse hardware acceleration when available
HeadlessModeControl use of the Headless Mode
HideWebStoreIconHide the web store from the New Tab Page and app launcher
HistoryClustersVisibleShow Journeys on the Chrome history page
HttpsOnlyModeAllow HTTPS-Only Mode to be enabled
ImportAutofillFormDataImport autofill form data from default browser on first run
ImportBookmarksImport bookmarks from default browser on first run
ImportHistoryImport browsing history from default browser on first run
ImportHomepageImport of homepage from default browser on first run
ImportSavedPasswordsImport saved passwords from default browser on first run
ImportSearchEngineImport search engines from default browser on first run
IncognitoEnabledEnable Incognito mode
IncognitoModeAvailabilityIncognito mode availability
InsecureFormsWarningsEnabledEnable warnings for insecure forms
InsecurePrivateNetworkRequestsAllowedSpecifies whether to allow websites to make requests to more-private network endpoints in an insecure manner
InsecurePrivateNetworkRequestsAllowedForUrlsAllow the listed sites to make requests to more-private network endpoints in an insecure manner.
InsightsExtensionEnabledEnable insights extension for reporting usage metrics
InstantTetheringAllowedAllow Instant Tethering to be used.
IntensiveWakeUpThrottlingEnabledControl the IntensiveWakeUpThrottling feature.
IntranetRedirectBehaviorIntranet Redirection Behavior
IsolateOriginsEnable Site Isolation for specified origins
IsolateOriginsAndroidEnable Site Isolation for specified origins on Android devices
JavascriptEnabledEnable JavaScript
KeepFullscreenWithoutNotificationUrlAllowListList of URLs which are allowed to remain in full screen mode without showing a notification
KeyPermissionsKey Permissions
LacrosAvailabilityMake the Lacros browser available
LacrosSecondaryProfilesAllowedAllow users to create and use secondary profiles, and use guest mode in the Lacros browser
LensCameraAssistedSearchEnabledAllow Google Lens camera assisted search
LensRegionSearchEnabledAllow Google Lens region search menu item to be shown in context menu if supported.
LockScreenMediaPlaybackEnabledAllows users to play media when the device is locked
LoginDisplayPasswordButtonEnabledShow the display password button on the login and lock screen
LookalikeWarningAllowlistDomainsSuppress lookalike domain warnings on domains
ManagedAccountsSigninRestrictionAdd restrictions on managed accounts
ManagedBookmarksManaged Bookmarks
ManagedConfigurationPerOriginSets managed configuration values to websites to specific origins
ManagedGuestSessionPrivacyWarningsEnabledReduce Managed-guest session auto-launch notifications
MaxConnectionsPerProxyMaximal number of concurrent connections to the proxy server
MaxInvalidationFetchDelayMaximum fetch delay after a policy invalidation
MediaRecommendationsEnabledEnable Media Recommendations
MediaRouterCastAllowAllIPsAllow Google Cast to connect to Cast devices on all IP addresses.
MetricsReportingEnabledEnable reporting of usage and crash-related data
NTPCardsVisibleShow cards on the New Tab Page
NTPContentSuggestionsEnabledShow content suggestions on the New Tab page
NTPCustomBackgroundEnabledAllow users to customize the background on the New Tab page
NTPMiddleSlotAnnouncementVisibleShow the middle slot announcement on the New Tab Page
NearbyShareAllowedAllow Nearby Share to be enabled.
NetworkPredictionOptionsEnable network prediction
NetworkServiceSandboxEnabledEnable the network service sandbox
NoteTakingAppsLockScreenAllowlistThe list of note-taking apps allowed on the Google Chrome OS lock screen
OpenNetworkConfigurationUser-level network configuration
OptimizationGuideFetchingEnabledEnable Optimization Guide Fetching
OriginAgentClusterDefaultEnabledAllows origin-keyed agent clustering by default.
OverrideSecurityRestrictionsOnInsecureOriginOrigins or hostname patterns for which restrictions on insecure origins should not apply
PaymentMethodQueryEnabledAllow websites to query for available payment methods.
PdfAnnotationsEnabledEnable PDF Annotations
PhoneHubAllowedAllow Phone Hub to be enabled.
PhoneHubNotificationsAllowedAllow Phone Hub notifications to be enabled.
PhoneHubTaskContinuationAllowedAllow Phone Hub task continuation to be enabled.
PinnedLauncherAppsList of pinned apps to show in the launcher
PolicyAtomicGroupsEnabledEnables the concept of policy atomic groups
PolicyDictionaryMultipleSourceMergeListAllow merging dictionary policies from different sources
PolicyListMultipleSourceMergeListAllow merging list policies from different sources
PolicyRefreshRateRefresh rate for user policy
PrimaryMouseButtonSwitchSwitch the primary mouse button to the right button
ProfilePickerOnStartupAvailabilityProfile picker availability on startup
PromotionalTabsEnabledEnable showing full-tab promotional content
PromptForDownloadLocationAsk where to save each file before downloading
ProxySettingsProxy settings
QuicAllowedAllow QUIC protocol
RelaunchHeadsUpPeriodSet the time of the first user relaunch notification
RelaunchNotificationNotify a user that a browser relaunch or device restart is recommended or required
RelaunchNotificationPeriodSet the time period for update notifications
RelaunchWindowSet the time interval for relaunch
RemoteDebuggingAllowedAllow remote debugging
RendererCodeIntegrityEnabledEnable Renderer Code Integrity
ReportCrostiniUsageEnabledReport information about usage of Linux apps
RequireOnlineRevocationChecksForLocalAnchorsRequire online OCSP/CRL checks for local trust anchors
RestrictAccountsToPatternsRestrict accounts that are visible in Google Chrome
RestrictSigninToPatternRestrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome
RestrictedManagedGuestSessionExtensionCleanupExemptListConfigure the list of extension IDs exempt from the restricted managed guest session clean-up procedure
RoamingProfileLocationSet the roaming profile directory
RoamingProfileSupportEnabledEnable the creation of roaming copies for Google Chrome profile data
SSLErrorOverrideAllowedAllow proceeding from the SSL warning page
SSLErrorOverrideAllowedForOriginsAllow proceeding from the SSL warning page on specific origins
SSLVersionMinMinimum SSL version enabled
SafeBrowsingForTrustedSourcesEnabledEnable Safe Browsing for trusted sources
SafeSitesFilterBehaviorControl SafeSites adult content filtering.
SamlLockScreenOfflineSigninTimeLimitDaysLimit the time for which a user authenticated via SAML can log in offline at the lock screen
SandboxExternalProtocolBlockedAllow Chrome to block navigations toward external protocols in sandboxed iframes
SavingBrowserHistoryDisabledDisable saving browser history
SchedulerConfigurationSelect task scheduler configuration
ScrollToTextFragmentEnabledEnable scrolling to text specified in URL fragments
SearchSuggestEnabledEnable search suggestions
SecondaryGoogleAccountSigninAllowedAllow Sign-in To Additional Google Accounts
SecurityKeyPermitAttestationURLs/domains automatically permitted direct Security Key attestation
SecurityTokenSessionBehaviorAction on security token removal (e.g., smart card) for Google Chrome OS.
SecurityTokenSessionNotificationSecondsDuration of the notification on smart card removal for Google Chrome OS.
SessionLengthLimitLimit the length of a user session
SessionLocalesSet the recommended locales for a managed session
SetTimeoutWithout1MsClampEnabledControl Javascript setTimeout() function minimum timeout.
SharedArrayBufferUnrestrictedAccessAllowedSpecifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context
SharedClipboardEnabledEnable the Shared Clipboard Feature
ShelfAlignmentControl the shelf position
ShelfAutoHideBehaviorControl shelf auto-hiding
ShowAppsShortcutInBookmarkBarShow the apps shortcut in the bookmark bar
ShowFullUrlsInAddressBarShow Full URLs
ShowLogoutButtonInTrayAdd a logout button to the system tray
SideSearchEnabledAllow showing the most recent default search engine results page in a Browser side panel
SignedHTTPExchangeEnabledEnable Signed HTTP Exchange (SXG) support
SigninAllowedAllow sign in to Google Chrome
SigninInterceptionEnabledEnable signin interception
SitePerProcessRequire Site Isolation for every site
SitePerProcessAndroidEnable Site Isolation for every site
SmartLockSigninAllowedAllow Smart Lock Signin to be used.
SmsMessagesAllowedAllow SMS Messages to be synced from phone to Chromebook.
SpellCheckServiceEnabledEnable or disable spell checking web service
SpellcheckEnabledEnable spellcheck
SpellcheckLanguageForce enable spellcheck languages
SpellcheckLanguageBlocklistForce disable spellcheck languages
StartupBrowserWindowLaunchSuppressedSuppress launching of browser window
StricterMixedContentTreatmentEnabledEnable stricter treatment for mixed content
SuggestLogoutAfterClosingLastWindowDisplay the logout confirmation dialog
SuppressDifferentOriginSubframeDialogsSuppress JavaScript Dialogs triggered from different origin subframes
SuppressUnsupportedOSWarningSuppress the unsupported OS warning
SyncDisabledDisable synchronization of data with Google
SyncTypesListDisabledList of types that should be excluded from synchronization
SystemFeaturesDisableListConfigure the camera, browser settings, os settings, scanning, web store, canvas, explore and crosh features to be disabled
SystemFeaturesDisableModeSet the user experience of disabled features
SystemProxySettingsConfigures System-proxy service for Google Chrome OS.
TaskManagerEndProcessEnabledEnable ending processes in Task Manager
TermsOfServiceURLSet the Terms of Service for a device-local account
ThirdPartyBlockingEnabledEnable third party software injection blocking
TosDialogBehaviorConfiguring the ToS behavior during first-run for CCT
TotalMemoryLimitMbSet limit on megabytes of memory a single Chrome instance can use.
TouchVirtualKeyboardEnabledEnable virtual keyboard
TranslateEnabledEnable Translate
U2fSecurityKeyApiEnabledAllow using the deprecated U2F Security Key API
URLAllowlistAllow access to a list of URLs
URLBlocklistBlock access to a list of URLs
UnifiedDesktopEnabledByDefaultMake Unified Desktop available and turn on by default
UnsafelyTreatInsecureOriginAsSecureOrigins or hostname patterns for which restrictions on insecure origins should not apply
UrlKeyedAnonymizedDataCollectionEnabledEnable URL-keyed anonymized data collection
UrlParamFilterEnabledControl the URL parameter filter feature
UserAgentClientHintsGREASEUpdateEnabledControl the User-Agent Client Hints GREASE Update feature.
UserAgentReductionEnable or disable the User-Agent Reduction.
UserAvatarImageUser avatar image
UserDataDirSet user data directory
UserDataSnapshotRetentionLimitLimits the number of user data snapshots retained for use in case of emergency rollback.
UserDisplayNameSet the display name for device-local accounts
UserFeedbackAllowedAllow user feedback
VideoCaptureAllowedAllow or deny video capture
VideoCaptureAllowedUrlsURLs that will be granted access to video capture devices without prompt
VmManagementCliAllowedSpecify VM CLI permission
VpnConfigAllowedAllow the user to manage VPN connections
WPADQuickCheckEnabledEnable WPAD optimization
WallpaperImageWallpaper image
WarnBeforeQuittingEnabledShow a warning dialog when the user is attempting to quit
WebAppInstallForceListConfigure list of force-installed Web Apps
WebAppSettingsWeb App management settings
WebAuthnFactorsConfigure allowed WebAuthn factors
WebRtcAllowLegacyTLSProtocolsAllow legacy TLS/DTLS downgrade in WebRTC
WebRtcEventLogCollectionAllowedAllow collection of WebRTC event logs from Google services
WebRtcIPHandlingThe IP handling policy of WebRTC
WebRtcLocalIpsAllowedUrlsURLs for which local IPs are exposed in WebRTC ICE candidates
WebRtcUdpPortRangeRestrict the range of local UDP ports used by WebRTC
WebSQLAccessForce WebSQL to be enabled.
WifiSyncAndroidAllowedAllow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone.
WindowOcclusionEnabledEnable Window Occlusion

Accessibility settings

Configure Google Chrome OS accessibility features.
Back to top

ShowAccessibilityOptionsInSystemTrayMenu

Show accessibility options in system tray menu
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ShowAccessibilityOptionsInSystemTrayMenu
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 27
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.

If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.

If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.

Example value:
0x00000001 (Windows)
Back to top

LargeCursorEnabled

Enable large cursor
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LargeCursorEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True keeps the large cursor on. Setting the policy to False keeps the large cursor off.

If you set the policy, users can't change the feature. If not set, the large cursor is off at first, but users can turn it on any time.

Example value:
0x00000001 (Windows)
Back to top

SpokenFeedbackEnabled

Enable spoken feedback
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SpokenFeedbackEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True keeps spoken feedback on. Setting the policy to False keeps spoken feedback off.

If you set the policy, users can't change it. If not set, spoken feedback is off at first, but users can turn it on any time.

Example value:
0x00000001 (Windows)
Back to top

HighContrastEnabled

Enable high contrast mode
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\HighContrastEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True keeps High-contrast mode on. Setting the policy to False keeps High-contrast mode off.

If you set the policy, users can't change it. If not set, High-contrast mode is off, but users can turn it on any time.

Example value:
0x00000001 (Windows)
Back to top

VirtualKeyboardEnabled

Enable on-screen keyboard
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VirtualKeyboardEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 34
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True keeps the on-screen keyboard on. Setting the policy to False keeps the on-screen keyboard off unless other factors turn it on. See the TouchVirtualKeyboardEnabled policy as an example of these factors.

If you set the policy, users can't change it. If not set, the on-screen keyboard is off at first, but users can turn it on any time.

Example value:
0x00000001 (Windows)
Back to top

VirtualKeyboardFeatures

Enable or disable various features on the on-screen keyboard
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VirtualKeyboardFeatures
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable or disable various features on the on-screen keyboard. This policy takes effect only when "VirtualKeyboardEnabled" policy is enabled.

If one feature in this policy is set to True, it will be enabled on the on-screen keyboard.

If one feature in this policy is set to False or left unset, it will be disabled on the on-screen keyboard.

NOTE: this policy is only supported in PWA Kiosk mode.

Schema:
{ "properties": { "auto_complete_enabled": { "description": "A boolean flag indicating if the on-screen keyboard can provide auto-complete.", "type": "boolean" }, "auto_correct_enabled": { "description": "A boolean flag indicating if the on-screen keyboard can provide auto-correct.", "type": "boolean" }, "handwriting_enabled": { "description": "A boolean flag indicating if the on-screen keyboard can provide input via handwriting recognition.", "type": "boolean" }, "spell_check_enabled": { "description": "A boolean flag indicating if the on-screen keyboard can provide spell-check.", "type": "boolean" }, "voice_input_enabled": { "description": "A boolean flag indicating if the on-screen keyboard can provide voice input.", "type": "boolean" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\VirtualKeyboardFeatures = { "auto_complete_enabled": true, "auto_correct_enabled": true, "handwriting_enabled": false, "spell_check_enabled": false, "voice_input_enabled": false }
Back to top

StickyKeysEnabled

Enable sticky keys
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\StickyKeysEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 76
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True keeps sticky keys on. Setting the policy to False keeps sticky keys off.

If you set the policy, users can't change it. If not set, sticky keys is off at first, but users can turn it on any time.

Example value:
0x00000001 (Windows)
Back to top

KeyboardDefaultToFunctionKeys

Media keys default to function keys
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\KeyboardDefaultToFunctionKeys
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 35
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True makes the top row of keys on the keyboard act as function key commands. Pressing the Search key changes their behavior back to media keys.

If set to False or not set, the keyboard defaults to producing media key commands. Pressing the Search key changes them to function keys.

Example value:
0x00000001 (Windows)
Back to top

ScreenMagnifierType

Set screen magnifier type
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenMagnifierType
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to None turns the screen magnifier off.

If you set the policy, users can't change it. If not set, the screen magnifier is off at first, but users can turn it on any time.

  • 0 = Screen magnifier disabled
  • 1 = Full-screen magnifier enabled
  • 2 = Docked magnifier enabled
Example value:
0x00000001 (Windows)
Back to top

DictationEnabled

Enable the dictation accessibility feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DictationEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the dictation accessibility feature.

If this policy is set to enabled, the dictation will always be enabled.

If this policy is set to disabled, the dictation will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the dictation is disabled initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

SelectToSpeakEnabled

Enable select to speak
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SelectToSpeakEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 77
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the select to speak accessibility feature.

If this policy is set to true, the select to speak will always be enabled.

If this policy is set to false, the select to speak will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the select to speak is disabled initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

KeyboardFocusHighlightEnabled

Enable the keyboard focus highlighting accessibility feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\KeyboardFocusHighlightEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the keyboard focus highlighting accessibility feature.

This feature is responsible for highlighting the object that has the focus by the keyboard.

If this policy is set to enabled, the keyboard focus highlighting will always be enabled.

If this policy is set to disabled, the keyboard focus highlighting will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

CursorHighlightEnabled

Enable the cursor highlight accessibility feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CursorHighlightEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the cursor highlight accessibility feature.

This feature is responsible for highlighting the area that surrounds the mouse cursor while moving it.

If this policy is set to enabled, the cursor highlight will always be enabled.

If this policy is set to disabled, the cursor highlight will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the cursor highlight is disabled initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

CaretHighlightEnabled

Enable the caret highlight accessibility feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CaretHighlightEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the caret highlight accessibility feature.

This feature is responsible for highlighting the area that surrounds the caret while editing.

If this policy is set to enabled, the caret highlight will always be enabled.

If this policy is set to disabled, the caret highlight will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the caret highlight is disabled initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

MonoAudioEnabled

Enable the mono audio accessibility feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\MonoAudioEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the mono audio accessibility feature.

This feature is responsible for outputing stereo audio which includes different left and right channels, so different ears get different sounds.

If this policy is set to enabled, the mono audio will always be enabled.

If this policy is set to disabled, the mono audio will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the mono audio is disabled initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

AccessibilityShortcutsEnabled

Enable accessibility features shortcuts
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AccessibilityShortcutsEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 81
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable accessibility features shortcuts.

If this policy is set to true, accessibility features shortcuts will always be enabled.

If this policy is set to false, accessibility features shortcuts will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, accessibility features shortcuts will be enabled by default.

Example value:
0x00000001 (Windows)
Back to top

AutoclickEnabled

Enable the autoclick accessibility feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutoclickEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the autoclick accessibility feature.

This feature is responsible to click without physically pressing your mouse or touchpad, hover over the object you'd like to click.

If this policy is set to enabled, the autoclick will always be enabled.

If this policy is set to disabled, the autoclick will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the autoclick is disabled initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenDefaultLargeCursorEnabled

Set default state of the large cursor on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultLargeCursorEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to True turns the large cursor on at the sign-in screen. Setting the policy to False turns the large cursor off at the sign-in screen.

If you set the policy, users can temporarily turn the large cursor on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the large cursor is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenLargeCursorEnabled overrides this policy if the former is specified.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenDefaultSpokenFeedbackEnabled

Set the default state of spoken feedback on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultSpokenFeedbackEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to True turns spoken feedback on at the sign-in screen. Setting the policy to False turns spoken feedback off at the screen.

If you set the policy, users can temporarily turn spoken feedback on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, spoken feedback is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenSpokenFeedbackEnabled overrides this policy if the former is specified.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenDefaultHighContrastEnabled

Set the default state of high contrast mode on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultHighContrastEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to True turns High-contrast mode on at the sign-in screen. Setting the policy to False turns High-contrast mode off at the screen.

If you set the policy, users can temporarily change High-contrast mode, turning it on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, High-contrast mode is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenHighContrastEnabled overrides this policy if the former is specified.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenDefaultVirtualKeyboardEnabled (Deprecated)

Set default state of the on-screen keyboard on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultVirtualKeyboardEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 34
Supported features:
Dynamic Policy Refresh: Yes
Description:

This policy is deprecated, please use the DeviceLoginScreenVirtualKeyboardEnabled policy instead.

Setting the policy to True turns the on-screen keyboard on at sign-in. Setting the policy to False turns the on-screen keyboard off at sign-in.

If you set the policy, users can temporarily turn the on-screen keyboard on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the on-screen keyboard is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenVirtualKeyboardEnabled overrides this policy if the former is specified.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenDefaultScreenMagnifierType

Set the default screen magnifier type enabled on the login screen
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultScreenMagnifierType
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to None turns screen magnification off at the sign-in screen.

If you set the policy, users can temporarily turn the screen magnifier on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the screen magnifier is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Valid values: • 0 = Off • 1 = On • 2 = Docked magnifier on

Note: DeviceLoginScreenScreenMagnifierType overrides this policy if the former is specified.

  • 0 = Screen magnifier disabled
  • 1 = Full-screen magnifier enabled
  • 2 = Docked magnifier enabled
Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenLargeCursorEnabled

Enable the large cursor on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenLargeCursorEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the large cursor accessibility feature on the login screen.

If this policy is set to true, the large cursor will always be enabled on the login screen.

If this policy is set to false, the large cursor will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the large cursor is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenSpokenFeedbackEnabled

Enable the spoken feedback on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenSpokenFeedbackEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the spoken feedback accessibility feature on the login screen.

If this policy is set to true, the spoken feedback will always be enabled on the login screen.

If this policy is set to false, the spoken feedback will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the spoken feedback is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenHighContrastEnabled

Enable the high contrast on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenHighContrastEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the high contrast accessibility feature on the login screen.

If this policy is set to true, the high contrast will always be enabled on the login screen.

If this policy is set to false, the high contrast will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the high contrast is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenVirtualKeyboardEnabled

Enable the virtual keyboard on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenVirtualKeyboardEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the virtual keyboard accessibility feature on the login screen.

If this policy is set to true, the virtual keyboard will always be enabled on the login screen.

If this policy is set to false, the virtual keyboard will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the virtual keyboard is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenDictationEnabled

Enable the dictation on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenDictationEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the dictation accessibility feature on the login screen.

If this policy is set to true, the dictation will always be enabled on the login screen.

If this policy is set to false, the dictation will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenSelectToSpeakEnabled

Enable the select to speak on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenSelectToSpeakEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the select to speak accessibility feature on the login screen.

If this policy is set to true, the select to speak will always be enabled on the login screen.

If this policy is set to false, the select to speak will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the select to speak is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenCursorHighlightEnabled

Enable the cursor highlight on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenCursorHighlightEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the cursor highlight accessibility feature on the login screen.

If this policy is set to true, the cursor highlight will always be enabled on the login screen.

If this policy is set to false, the cursor highlight will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the cursor highlight is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenCaretHighlightEnabled

Enable the caret highlight on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenCaretHighlightEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the caret highlight accessibility feature on the login screen.

If this policy is set to true, the caret highlight will always be enabled on the login screen.

If this policy is set to false, the caret highlight will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the caret highlight is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenMonoAudioEnabled

Enable the mono audio on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenMonoAudioEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the mono audio accessibility feature on the login screen.

This feature allows to switch the device mode from the default stereo audio to the mono audio.

If this policy is set to true, the mono audio will always be enabled on the login screen.

If this policy is set to false, the mono audio will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the mono audio is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenAutoclickEnabled

Enable the autoclick on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenAutoclickEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the autoclick accessibility feature on the login screen.

This feature allows to automatically click when the mouse cursor stops, without requiring the user to physically press the mouse or touchpad buttons.

If this policy is set to true, the autoclick will always be enabled on the login screen.

If this policy is set to false, the autoclick will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the autoclick is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenStickyKeysEnabled

Enable the sticky keys on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenStickyKeysEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the sticky keys accessibility feature on the login screen.

If this policy is set to true, the sticky keys will always be enabled on the login screen.

If this policy is set to false, the sticky keys will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the sticky keys is disabled on the login screen initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenKeyboardFocusHighlightEnabled

Enable the keyboard focus highlighting accessibility feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenKeyboardFocusHighlightEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Enable the keyboard focus highlighting accessibility feature on the login screen.

This feature is responsible for highlighting the object that is focused by the keyboard.

If this policy is set to enabled, the keyboard focus highlighting will always be enabled.

If this policy is set to disabled, the keyboard focus highlighting will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenScreenMagnifierType

Set the screen magnifier type on the login screen
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenScreenMagnifierType
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

If this policy is set, it controls the type of screen magnifier that is enabled.

If this policy is set to "Full-screen", the screen magnifier will always be enabled in full-screen magnifier mode on the login screen.

If this policy is set to "Docked", the screen magnifier will always be enabled in docked magnifier mode on the login screen.

If this policy is set to "None", the screen magnifier will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.

  • 0 = Screen magnifier disabled
  • 1 = Full-screen magnifier enabled
  • 2 = Docked magnifier enabled
Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenShowOptionsInSystemTrayMenu

Show accessibility options in system tray menu in the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenShowOptionsInSystemTrayMenu
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.

If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.

If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenAccessibilityShortcutsEnabled

Enable accessibility features shortcuts on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenAccessibilityShortcutsEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 81
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Enable accessibility features shortcuts on the login screen.

If this policy is set to true, accessibility features shortcuts will always be enabled on the login screen.

If this policy is set to false, accessibility features shortcuts will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, accessibility features shortcuts will be enabled by default on the login screen.

Example value:
0x00000001 (Windows)
Back to top

FloatingAccessibilityMenuEnabled

Enables the floating accessibility menu
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FloatingAccessibilityMenuEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

In kiosk mode, controls whether the floating accessibility menu is being shown.

If this policy is set to enabled, the floating accessibility menu will be always shown.

If this policy is set to disabled or left unset, the floating accessibility menu will never be shown.

Example value:
0x00000001 (Windows)
Back to top

EnhancedNetworkVoicesInSelectToSpeakAllowed

Allow the enhanced network text-to-speech voices in Select-to-speak
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EnhancedNetworkVoicesInSelectToSpeakAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allow the enhanced network text-to-speech voices in Select-to-speak accessibility feature. These voices send text to Google's servers to synthesize natural-sounding speech.

If this policy is set to false, the enhanced network text-to-speech voices feature in Select-to-speak will always be disabled.

If this policy is set to true or unset, the enhanced network text-to-speech voices feature in Select-to-speak can be enabled or disabled by the user.

Example value:
0x00000001 (Windows)
Back to top

Allow or deny screen capture

Configure policies to control the level of screen-share APIs (e.g., getDisplayMedia() or the Desktop Capture extension API) that a site may capture (e.g. tab, window or desktop capture).
Back to top

ScreenCaptureAllowed

Allow or deny screen capture
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ScreenCaptureAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ScreenCapture\ScreenCaptureAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenCaptureAllowed
Mac/Linux preference name:
ScreenCaptureAllowed
Supported on:
  • Google Chrome (Linux) since version 81
  • Google Chrome (Mac) since version 81
  • Google Chrome (Windows) since version 81
  • Google ChromeOS (Google ChromeOS) since version 81
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If enabled or not configured (default), a Web page can use screen-share APIs (e.g., getDisplayMedia() or the Desktop Capture extension API) to prompt the user to select a tab, window or desktop to capture.

When this policy is disabled, any calls to screen-share APIs will fail with an error; however this policy is not considered (and a site will be allowed to use screen-share APIs) if the site matches an origin pattern in any of the following policies: ScreenCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : ScreenCaptureSettings
Back to top

ScreenCaptureAllowedByOrigins

Allow Desktop, Window, and Tab capture by these origins
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ScreenCaptureAllowedByOrigins
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ScreenCapture\ScreenCaptureAllowedByOrigins
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenCaptureAllowedByOrigins
Mac/Linux preference name:
ScreenCaptureAllowedByOrigins
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
  • Google Chrome (Linux) since version 95
  • Google Chrome (Mac) since version 95
  • Google Chrome (Windows) since version 95
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that can use Desktop, Window, and Tab Capture.

Leaving the policy unset means that sites will not be considered for an override at this level of Capture.

This policy is not considered if a site matches a URL pattern in any of the following policies: WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.

If a site matches a URL pattern in this policy, the ScreenCaptureAllowed will not be considered.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ScreenCaptureAllowedByOrigins\1 = "https://www.example.com" Software\Policies\Google\Chrome\ScreenCaptureAllowedByOrigins\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ScreenCaptureAllowedByOrigins\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\ScreenCaptureAllowedByOrigins\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="ScreenCaptureAllowedByOriginsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

WindowCaptureAllowedByOrigins

Allow Window and Tab capture by these origins
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WindowCaptureAllowedByOrigins
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ScreenCapture\WindowCaptureAllowedByOrigins
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WindowCaptureAllowedByOrigins
Mac/Linux preference name:
WindowCaptureAllowedByOrigins
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
  • Google Chrome (Linux) since version 95
  • Google Chrome (Mac) since version 95
  • Google Chrome (Windows) since version 95
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that can use Window and Tab Capture.

Leaving the policy unset means that sites will not be considered for an override at this level of Capture.

This policy is not considered if a site matches a URL pattern in any of the following policies: TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.

If a site matches a URL pattern in this policy, the following policies will not be considered: ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WindowCaptureAllowedByOrigins\1 = "https://www.example.com" Software\Policies\Google\Chrome\WindowCaptureAllowedByOrigins\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WindowCaptureAllowedByOrigins\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\WindowCaptureAllowedByOrigins\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="WindowCaptureAllowedByOriginsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

TabCaptureAllowedByOrigins

Allow Tab capture by these origins
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\TabCaptureAllowedByOrigins
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ScreenCapture\TabCaptureAllowedByOrigins
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\TabCaptureAllowedByOrigins
Mac/Linux preference name:
TabCaptureAllowedByOrigins
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
  • Google Chrome (Linux) since version 95
  • Google Chrome (Mac) since version 95
  • Google Chrome (Windows) since version 95
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that can use Tab Capture.

Leaving the policy unset means that sites will not be considered for an override at this level of capture.

Note that windowed Chrome Apps will still be allowed to be captured.

This policy is not considered if a site matches a URL pattern in the SameOriginTabCaptureAllowedByOrigins policy.

If a site matches a URL pattern in this policy, the following policies will not be considered: WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\TabCaptureAllowedByOrigins\1 = "https://www.example.com" Software\Policies\Google\Chrome\TabCaptureAllowedByOrigins\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\TabCaptureAllowedByOrigins\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\TabCaptureAllowedByOrigins\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="TabCaptureAllowedByOriginsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

SameOriginTabCaptureAllowedByOrigins

Allow Same Origin Tab capture by these origins
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SameOriginTabCaptureAllowedByOrigins
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ScreenCapture\SameOriginTabCaptureAllowedByOrigins
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SameOriginTabCaptureAllowedByOrigins
Mac/Linux preference name:
SameOriginTabCaptureAllowedByOrigins
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
  • Google Chrome (Linux) since version 95
  • Google Chrome (Mac) since version 95
  • Google Chrome (Windows) since version 95
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that can capture tabs with their same Origin.

Leaving the policy unset means that sites will not be considered for an override at this level of capture.

Note that windowed Chrome Apps with the same origin as this site will still be allowed to be captured.

If a site matches a URL pattern in this policy, the following policies will not be considered: TabCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SameOriginTabCaptureAllowedByOrigins\1 = "https://www.example.com" Software\Policies\Google\Chrome\SameOriginTabCaptureAllowedByOrigins\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SameOriginTabCaptureAllowedByOrigins\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\SameOriginTabCaptureAllowedByOrigins\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="SameOriginTabCaptureAllowedByOriginsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

Android settings

Controls settings for the Android container (ARC) and Android apps.
Back to top

ArcEnabled

Enable ARC
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ArcEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 50
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Unless Ephemeral mode or multiple sign-in is on during the user's session, setting ArcEnabled to True turns ARC on for the user. Setting the policy to False or leaving it unset means enterprise users can't use ARC.

Example value:
0x00000000 (Windows)
Back to top

UnaffiliatedArcAllowed

Allow unaffiliated users to use ARC
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UnaffiliatedArcAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 64
Supported features:
Dynamic Policy Refresh: No
Description:

Unless ARC is turned off by other means, then setting the policy to True or leaving it unset lets users use ARC. Setting the policy to False means unaffiliated users may not use ARC.

Changes to the policy only apply while ARC isn't running, for example, while starting ChromeOS.

Example value:
0x00000000 (Windows)
Back to top

ArcPolicy

Configure ARC
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ArcPolicy
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 50
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy specifies a set of policies to hand over to the ARC runtime. Admins can use it to select the Android apps that autoinstall. Enter value in valid JSON format.

To pin apps to the launcher, see PinnedLauncherApps.

Schema:
{ "properties": { "applications": { "items": { "properties": { "defaultPermissionPolicy": { "description": "Policy for granting permission requests to apps. PERMISSION_POLICY_UNSPECIFIED: Policy not specified. If no policy is specified for a permission at any level, then the `PROMPT` behavior is used by default. PROMPT: Prompt the user to grant a permission. GRANT: Automatically grant a permission. DENY: Automatically deny a permission.", "enum": [ "PERMISSION_POLICY_UNSPECIFIED", "PROMPT", "GRANT", "DENY" ], "type": "string" }, "installType": { "description": "Specifies how an app is installed. OPTIONAL: The app is not installed automatically, but the user can install it. This is the default if this policy is not specified. PRELOAD: The app is installed automatically, but the user can uninstall it. FORCE_INSTALLED: The app is installed automatically and the user cannot uninstall it. BLOCKED: The app is blocked and cannot be installed. If the app was installed under a previous policy it will be uninstalled.", "enum": [ "OPTIONAL", "PRELOAD", "FORCE_INSTALLED", "BLOCKED" ], "type": "string" }, "managedConfiguration": { "description": "App-specific JSON configuration object with a set of key-value pairs, e.g. '\"managedConfiguration\": { \"key1\": value1, \"key2\": value2 }'. The keys are defined in the app manifest.", "type": "object" }, "packageName": { "description": "Android app identifier, e.g. \"com.google.android.gm\" for Gmail", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }
Example value:
"{"applications":[{"packageName":"com.google.android.gm","installType":"FORCE_INSTALLED","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}},{"packageName":"com.google.android.apps.docs","installType":"PRELOAD","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}}]}"
Back to top

ArcAppInstallEventLoggingEnabled

Log events for Android app installs
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 67
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True sends reports of key, policy-triggered Android app installation events to Google. Setting the policy to False means no events are captured.

Back to top

ArcBackupRestoreServiceEnabled

Control Android backup and restore service
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ArcBackupRestoreServiceEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 68
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to BackupAndRestoreEnabled means Android backup and restore is initially on. Setting the policy to BackupAndRestoreDisabled or leaving it unset keeps backup and restore off during setup.

Setting the policy to BackupAndRestoreUnderUserControl means users see prompts to use backup and restore. If they turn on backup and restore, Android app data is uploaded to Android backup servers and restored during reinstallations of compatible apps.

After initial setup, users can turn backup and restore on or off.

  • 0 = Backup and restore disabled
  • 1 = User decides whether to enable backup and restore
  • 2 = Backup and restore enabled
Example value:
0x00000001 (Windows)
Back to top

ArcGoogleLocationServicesEnabled

Control Android Google location services
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ArcGoogleLocationServicesEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 68
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Unless the DefaultGeolocationSetting policy is set to BlockGeolocation, then setting GoogleLocationServicesEnabled turns Google location services on during initial setup. Setting the policy to GoogleLocationServicesDisabled or leaving it unset keeps location services off during setup.

Setting policy to BackupAndRestoreUnderUserControl prompts users about whether or not to use Google location services. If they turn it on, Android apps use the services to search the device location and send anonymous location data to Google.

After initial setup, users can turn Google location services on or off.

  • 0 = Google location services disabled
  • 1 = User decides whether to enable Google location services
  • 2 = Google location services enabled
Example value:
0x00000001 (Windows)
Back to top

ArcCertificatesSyncMode

Set certificate availability for ARC-apps
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ArcCertificatesSyncMode
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 52
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to CopyCaCerts makes all ONC-installed CA certificates with Web TrustBit available for ARC-apps.

Setting to None or leaving it unset makes Google Chrome OS certificates unavailable for ARC-apps.

  • 0 = Disable usage of Google Chrome OS certificates to ARC-apps
  • 1 = Enable Google Chrome OS CA certificates to ARC-apps
Example value:
0x00000000 (Windows)
Back to top

AppRecommendationZeroStateEnabled

Enable App Recommendations in Zero State of Search Box
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AppRecommendationZeroStateEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting this policy to Enabled will cause recommendations for apps previously installed by the user on other devices. These recommendations will appear in the launcher after the local app recomendations, if no search text has been entered.

Setting this policy as Disabled or leaving it unset means these recommendations do not appear.

If this policy is set, users cannot change it.

Example value:
0x00000001 (Windows)
Back to top

DeviceArcDataSnapshotHours

Intervals when ARC data snapshot update process can be started for Managed Guest Sessions
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceArcDataSnapshotHours
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes
Description:

If "DeviceArcDataSnapshotHours" policy is set, then the ARC data snapshotting mechanism is turned on. And the ARC data snapshot update can be started automatically during the defined time intervals. When an interval starts, ARC data snapshot update is required and no user is logged-in, the ARC data snapshot update process is started without user notification. If the user session is active, the UI notification is shown and have to be accepted in order to reboot a device and start ARC data snapshot update process. Note: a device is blocked for usage during the ARC data snapshot update process.

Schema:
{ "properties": { "intervals": { "items": { "$ref": "WeeklyTimeIntervals" }, "type": "array" }, "timezone": { "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceArcDataSnapshotHours = { "intervals": [ { "end": { "day_of_week": "MONDAY", "time": 21720000 }, "start": { "day_of_week": "MONDAY", "time": 12840000 } }, { "end": { "day_of_week": "FRIDAY", "time": 57600000 }, "start": { "day_of_week": "FRIDAY", "time": 38640000 } } ], "timezone": "GMT" }
Back to top

ArcAppToWebAppSharingEnabled

Enable sharing from Android apps to Web apps
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ArcAppToWebAppSharingEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True enables sharing text/files from Android apps to supported Web Apps, using the built-in Android sharing system. When enabled, this will send metadata for installed Web Apps to Google to generate and install a shim Android app. Setting the policy to False disables this functionality.

Example value:
0x00000001 (Windows)
Back to top

Borealis

Controls policies related to the Borealis subsystem.
Back to top

DeviceBorealisAllowed

Allow devices to use Borealis on Google Chrome OS
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceBorealisAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Dynamic Policy Refresh: Yes
Description:

Controls the availability of Borealis for this device.

If the policy is set to false, Borealis will be unavailable for all users of the device. Otherwise (when the policy is unset, or true) Borealis will be available if and only if no other policy or setting disables it.

Example value:
0x00000001 (Windows)
Back to top

UserBorealisAllowed

Allow users to use Borealis on Google Chrome OS
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserBorealisAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls the availability of Borealis for this user.

If the policy is set to false, Borealis will be unavailable. Otherwise (when the policy is unset, or true) Borealis will be available if and only if no other policy or setting disables it.

Example value:
0x00000001 (Windows)
Back to top

Certificate management settings

Controls user and device policies for certificate management.
Back to top

RequiredClientCertificateForDevice

Required device-wide Client Certificates
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RequiredClientCertificateForDevice
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Can Be Mandatory: Yes, Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Specifies device-wide client certificates that should be enrolled using the device management protocol.

Schema:
{ "items": { "properties": { "cert_profile_id": { "description": "The identifier for this client certificate.", "type": "string" }, "enable_remote_attestation_check": { "description": "Enable an additional security check based on remote attestation (optional, default: True).", "type": "boolean" }, "key_algorithm": { "description": "The algorithm for key pair generation.", "enum": [ "rsa" ], "type": "string" }, "name": { "description": "The name of the certificate profile.", "type": "string" }, "policy_version": { "description": "The client should not interpret this data and should forward it verbatim. The DMServer uses policy_version to verify that the policy view of DMServer matches the view of ChromeOS device.", "type": "string" }, "renewal_period_seconds": { "description": "Number of seconds before expiration of a certificate when renewal should be triggered", "type": "integer" } }, "required": [ "cert_profile_id", "key_algorithm" ], "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\RequiredClientCertificateForDevice = [ { "cert_profile_id": "cert_profile_id_1", "enable_remote_attestation_check": true, "key_algorithm": "rsa", "name": "Certificate Profile 1", "policy_version": "some_hash", "renewal_period_seconds": 2592000 } ]
Back to top

RequiredClientCertificateForUser

Required Client Certificates
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RequiredClientCertificateForUser
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Can Be Mandatory: Yes, Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Specifies client certificates that should be enrolled using the device management protocol.

Schema:
{ "items": { "properties": { "cert_profile_id": { "description": "The identifier for this client certificate.", "type": "string" }, "enable_remote_attestation_check": { "description": "Enable an additional security check based on remote attestation (optional, default: True).", "type": "boolean" }, "key_algorithm": { "description": "The algorithm for key pair generation.", "enum": [ "rsa" ], "type": "string" }, "name": { "description": "The name of the certificate profile.", "type": "string" }, "policy_version": { "description": "The client should not interpret this data and should forward it verbatim. The DMServer uses policy_version to verify that the policy view of DMServer matches the view of ChromeOS device.", "type": "string" }, "renewal_period_seconds": { "description": "Number of seconds before expiration of a certificate when renewal should be triggered", "type": "integer" } }, "required": [ "cert_profile_id", "key_algorithm" ], "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\RequiredClientCertificateForUser = [ { "cert_profile_id": "cert_profile_id_1", "enable_remote_attestation_check": true, "key_algorithm": "rsa", "name": "Certificate Profile 1", "policy_version": "some_hash", "renewal_period_seconds": 2592000 } ]
Back to top

Content settings

Content settings allow you to specify how contents of a specific type (for example Cookies, Images or JavaScript) is handled.
Back to top

DefaultClipboardSetting

Default clipboard setting
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultClipboardSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultClipboardSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultClipboardSetting
Mac/Linux preference name:
DefaultClipboardSetting
Supported on:
  • Google Chrome (Linux) since version 103
  • Google Chrome (Mac) since version 103
  • Google Chrome (Windows) since version 103
  • Google ChromeOS (Google ChromeOS) since version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 2 blocks sites from using the clipboard site permission. Setting the policy to 3 or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use one.

This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.

This policy only affects clipboard operations controlled by the clipboard site permission, and does not affect sanitized clipboard writes or trusted copy and paste operations.

  • 2 = Do not allow any site to use the clipboard site permission
  • 3 = Allow sites to ask the user to grant the clipboard site permission
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultClipboardSetting" value="2"/>
Back to top

DefaultCookiesSetting

Default cookies setting
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultCookiesSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultCookiesSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultCookiesSetting
Mac/Linux preference name:
DefaultCookiesSetting
Android restriction name:
DefaultCookiesSetting
Supported on:
  • Google Chrome (Linux) since version 10
  • Google Chrome (Mac) since version 10
  • Google Chrome (Windows) since version 10
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, then setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.

Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.

While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.

  • 1 = Allow all sites to set local data
  • 2 = Do not allow any site to set local data
  • 4 = Keep cookies for the duration of the session
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultCookiesSetting" value="1"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : CookiesSettings
Back to top

DefaultFileSystemReadGuardSetting

Control use of the File System API for reading
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultFileSystemReadGuardSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultFileSystemReadGuardSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultFileSystemReadGuardSetting
Mac/Linux preference name:
DefaultFileSystemReadGuardSetting
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 3 lets websites ask for read access to files and directories in the host operating system's file system via the File System API. Setting the policy to 2 denies access.

Leaving it unset lets websites ask for access, but users can change this setting.

  • 2 = Do not allow any site to request read access to files and directories via the File System API
  • 3 = Allow sites to ask the user to grant read access to files and directories via the File System API
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultFileSystemReadGuardSetting" value="2"/>
Back to top

DefaultFileSystemWriteGuardSetting

Control use of the File System API for writing
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultFileSystemWriteGuardSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultFileSystemWriteGuardSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultFileSystemWriteGuardSetting
Mac/Linux preference name:
DefaultFileSystemWriteGuardSetting
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 3 lets websites ask for write access to files and directories in the host operating system's file system. Setting the policy to 2 denies access.

Leaving it unset lets websites ask for access, but users can change this setting.

  • 2 = Do not allow any site to request write access to files and directories
  • 3 = Allow sites to ask the user to grant write access to files and directories
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultFileSystemWriteGuardSetting" value="2"/>
Back to top

DefaultImagesSetting

Default images setting
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultImagesSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultImagesSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultImagesSetting
Mac/Linux preference name:
DefaultImagesSetting
Supported on:
  • Google Chrome (Linux) since version 10
  • Google Chrome (Mac) since version 10
  • Google Chrome (Windows) since version 10
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 1 lets all websites display images. Setting the policy to 2 denies image display.

Leaving it unset allows images, but users can change this setting.

  • 1 = Allow all sites to show all images
  • 2 = Do not allow any site to show images
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultImagesSetting" value="1"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : ImageSettings
Back to top

DefaultInsecureContentSetting

Control use of insecure content exceptions
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultInsecureContentSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultInsecureContentSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultInsecureContentSetting
Mac/Linux preference name:
DefaultInsecureContentSetting
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set whether users can add exceptions to allow mixed content for specific sites.

This policy can be overridden for specific URL patterns using the 'InsecureContentAllowedForUrls' and 'InsecureContentBlockedForUrls' policies.

If this policy is left not set, users will be allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.

  • 2 = Do not allow any site to load mixed content
  • 3 = Allow users to add exceptions to allow mixed content
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultInsecureContentSetting" value="2"/>
Back to top

DefaultJavaScriptSetting

Default JavaScript setting
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultJavaScriptSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultJavaScriptSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultJavaScriptSetting
Mac/Linux preference name:
DefaultJavaScriptSetting
Android restriction name:
DefaultJavaScriptSetting
Supported on:
  • Google Chrome (Linux) since version 10
  • Google Chrome (Mac) since version 10
  • Google Chrome (Windows) since version 10
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 1 lets websites run JavaScript. Setting the policy to 2 denies JavaScript.

Leaving it unset allows JavaScript, but users can change this setting.

  • 1 = Allow all sites to run JavaScript
  • 2 = Do not allow any site to run JavaScript
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultJavaScriptSetting" value="1"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : JavascriptSettings
Back to top

DefaultJavaScriptJitSetting

Control use of JavaScript JIT
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultJavaScriptJitSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultJavaScriptJitSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultJavaScriptJitSetting
Mac/Linux preference name:
DefaultJavaScriptJitSetting
Android restriction name:
DefaultJavaScriptJitSetting
Supported on:
  • Google Chrome (Linux) since version 93
  • Google Chrome (Mac) since version 93
  • Google Chrome (Windows) since version 93
  • Google ChromeOS (Google ChromeOS) since version 93
  • Google Chrome (Android) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set whether Google Chrome will run the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.

Disabling the JavaScript JIT will mean that Google Chrome may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Google Chrome to render web content in a more secure configuration.

This policy can be overridden for specific URL patterns using the JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.

If this policy is left not set, JavaScript JIT is enabled.

  • 1 = Allow any site to run JavaScript JIT
  • 2 = Do not allow any site to run JavaScript JIT
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultJavaScriptJitSetting" value="1"/>
Back to top

DefaultLocalFontsSetting

Default Local Fonts permission setting
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultLocalFontsSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultLocalFontsSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultLocalFontsSetting
Mac/Linux preference name:
DefaultLocalFontsSetting
Supported on:
  • Google Chrome (Linux) since version 103
  • Google Chrome (Mac) since version 103
  • Google Chrome (Windows) since version 103
  • Google ChromeOS (Google ChromeOS) since version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to BlockLocalFonts (value 2) automatically denies the local fonts permission to sites by default. This will limit the ability of sites to see information about local fonts.

Setting the policy to AskLocalFonts (value 3) will prompt the user when the local fonts permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about local fonts.

Leaving the policy unset means the default behavior applies which is to prompt the user, but users can change this setting

  • 2 = Denies the Local Fonts permission on all sites by default
  • 3 = Ask every time a site wants obtain the Local Fonts permission
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultLocalFontsSetting" value="2"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : LocalFontsSettings
Back to top

DefaultPopupsSetting

Default pop-ups setting
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultPopupsSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultPopupsSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultPopupsSetting
Mac/Linux preference name:
DefaultPopupsSetting
Android restriction name:
DefaultPopupsSetting
Supported on:
  • Google Chrome (Linux) since version 10
  • Google Chrome (Mac) since version 10
  • Google Chrome (Windows) since version 10
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 33
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 1 lets websites display pop-ups. Setting the policy to 2 denies pop-ups.

Leaving it unset means BlockPopups applies, but users can change this setting.

  • 1 = Allow all sites to show pop-ups
  • 2 = Do not allow any site to show pop-ups
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultPopupsSetting" value="1"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PopupsSettings
Back to top

DefaultNotificationsSetting

Default notification setting
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultNotificationsSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultNotificationsSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultNotificationsSetting
Mac/Linux preference name:
DefaultNotificationsSetting
Supported on:
  • Google Chrome (Linux) since version 10
  • Google Chrome (Mac) since version 10
  • Google Chrome (Windows) since version 10
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 1 lets websites display desktop notifications. Setting the policy to 2 denies desktop notifications.

Leaving it unset means AskNotifications applies, but users can change this setting.

  • 1 = Allow sites to show desktop notifications
  • 2 = Do not allow any site to show desktop notifications
  • 3 = Ask every time a site wants to show desktop notifications
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultNotificationsSetting" value="2"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : NotificationsSettings
Back to top

DefaultGeolocationSetting

Default geolocation setting
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultGeolocationSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultGeolocationSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultGeolocationSetting
Mac/Linux preference name:
DefaultGeolocationSetting
Android restriction name:
DefaultGeolocationSetting
Supported on:
  • Google Chrome (Linux) since version 10
  • Google Chrome (Mac) since version 10
  • Google Chrome (Windows) since version 10
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 1 lets sites track the users' physical location as the default state. Setting the policy to 2 denies this tracking by default. You can set the policy to ask whenever a site wants to track the users' physical location.

Leaving the policy unset means the AskGeolocation policy applies, but users can change this setting.

  • 1 = Allow sites to track the users' physical location
  • 2 = Do not allow any site to track the users' physical location
  • 3 = Ask whenever a site wants to track the users' physical location
Note for Google Chrome OS devices supporting Android apps:

If this policy is set to BlockGeolocation, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.

Example value:
0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultGeolocationSetting" value="1"/>
Back to top

DefaultMediaStreamSetting (Deprecated)

Default mediastream setting
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultMediaStreamSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultMediaStreamSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultMediaStreamSetting
Mac/Linux preference name:
DefaultMediaStreamSetting
Supported on:
  • Google Chrome (Linux) since version 22
  • Google Chrome (Mac) since version 22
  • Google Chrome (Windows) since version 22
  • Google ChromeOS (Google ChromeOS) since version 22
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.

If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.

  • 2 = Do not allow any site to access the camera and microphone
  • 3 = Ask every time a site wants to access the camera and/or microphone
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultMediaStreamSetting" value="2"/>
Back to top

DefaultSensorsSetting

Default sensors setting
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSensorsSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultSensorsSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSensorsSetting
Mac/Linux preference name:
DefaultSensorsSetting
Android restriction name:
DefaultSensorsSetting
Supported on:
  • Google Chrome (Linux) since version 88
  • Google Chrome (Mac) since version 88
  • Google Chrome (Windows) since version 88
  • Google ChromeOS (Google ChromeOS) since version 88
  • Google Chrome (Android) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 1 lets websites access and use sensors such as motion and light. Setting the policy to 2 denies acess to sensors.

Leaving it unset means AllowSensors applies, but users can change this setting.

  • 1 = Allow sites to access sensors
  • 2 = Do not allow any site to access sensors
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultSensorsSetting" value="2"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : SensorsSettings
Back to top

DefaultWebBluetoothGuardSetting

Control use of the Web Bluetooth API
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultWebBluetoothGuardSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultWebBluetoothGuardSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultWebBluetoothGuardSetting
Mac/Linux preference name:
DefaultWebBluetoothGuardSetting
Android restriction name:
DefaultWebBluetoothGuardSetting
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 50
  • Google Chrome (Android) since version 50
  • Google Chrome (Linux) since version 50
  • Google Chrome (Mac) since version 50
  • Google Chrome (Windows) since version 50
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.

Leaving the policy unset lets sites ask for access, but users can change this setting.

  • 2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API
  • 3 = Allow sites to ask the user to grant access to a nearby Bluetooth device
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultWebBluetoothGuardSetting" value="2"/>
Back to top

DefaultWebUsbGuardSetting

Control use of the WebUSB API
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultWebUsbGuardSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultWebUsbGuardSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultWebUsbGuardSetting
Mac/Linux preference name:
DefaultWebUsbGuardSetting
Android restriction name:
DefaultWebUsbGuardSetting
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 67
  • Google Chrome (Android) since version 67
  • Google Chrome (Linux) since version 67
  • Google Chrome (Mac) since version 67
  • Google Chrome (Windows) since version 67
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 3 lets websites ask for access to connected USB devices. Setting the policy to 2 denies access to connected USB devices.

Leaving it unset lets websites ask for access, but users can change this setting.

  • 2 = Do not allow any site to request access to USB devices via the WebUSB API
  • 3 = Allow sites to ask the user to grant access to a connected USB device
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultWebUsbGuardSetting" value="2"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : WebUsbSettings
Back to top

DefaultSerialGuardSetting

Control use of the Serial API
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSerialGuardSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultSerialGuardSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSerialGuardSetting
Mac/Linux preference name:
DefaultSerialGuardSetting
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 3 lets websites ask for access to serial ports. Setting the policy to 2 denies access to serial ports.

Leaving it unset lets websites ask for access, but users can change this setting.

  • 2 = Do not allow any site to request access to serial ports via the Serial API
  • 3 = Allow sites to ask the user to grant access to a serial port
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultSerialGuardSetting" value="2"/>
Back to top

DefaultWebHidGuardSetting

Control use of the WebHID API
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultWebHidGuardSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultWebHidGuardSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultWebHidGuardSetting
Mac/Linux preference name:
DefaultWebHidGuardSetting
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 3 lets websites ask for access to HID devices. Setting the policy to 2 denies access to HID devices.

Leaving it unset lets websites ask for access, but users can change this setting.

This policy can be overridden for specific url patterns using the WebHidAskForUrls and WebHidBlockedForUrls policies.

  • 2 = Do not allow any site to request access to HID devices via the WebHID API
  • 3 = Allow sites to ask the user to grant access to a HID device
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultWebHidGuardSetting" value="2"/>
Back to top

DefaultWindowPlacementSetting

Default Window Placement permission setting
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultWindowPlacementSetting
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\DefaultWindowPlacementSetting
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultWindowPlacementSetting
Mac/Linux preference name:
DefaultWindowPlacementSetting
Supported on:
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to BlockWindowPlacement (value 2) automatically denies the window placement permission to sites by default. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.

Setting the policy to AskWindowPlacement (value 3) will prompt the user when the window placement permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.

Leaving the policy unset means the AskWindowPlacement policy applies, but users can change this setting.

  • 2 = Denies the Window Placement permission on all sites by default
  • 3 = Ask every time a site wants obtain the Window Placement permission
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DefaultWindowPlacementSetting" value="2"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : WindowPlacementSettings
Back to top

ClipboardAllowedForUrls

Allow clipboard on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ClipboardAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\ClipboardAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ClipboardAllowedForUrls
Mac/Linux preference name:
ClipboardAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 103
  • Google Chrome (Mac) since version 103
  • Google Chrome (Windows) since version 103
  • Google ChromeOS (Google ChromeOS) since version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify sites that can use the clipboard site permission. This does not include all clipboard operations on origins matching the patterns. For instance, users will still be able to paste using keyboard shortcuts as this isn't gated by the clipboard site permission.

Leaving the policy unset means DefaultClipboardSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ClipboardAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\ClipboardAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ClipboardAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\ClipboardAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="ClipboardAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

ClipboardBlockedForUrls

Block clipboard on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ClipboardBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\ClipboardBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ClipboardBlockedForUrls
Mac/Linux preference name:
ClipboardBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 103
  • Google Chrome (Mac) since version 103
  • Google Chrome (Windows) since version 103
  • Google ChromeOS (Google ChromeOS) since version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify sites that can't use the clipboard site permission. This does not include all clipboard operations on origins matching the patterns. For instance, users will still be able to paste using keyboard shortcuts as this isn't gated by the clipboard site permission.

Leaving the policy unset means DefaultClipboardSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ClipboardBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\ClipboardBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ClipboardBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\ClipboardBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="ClipboardBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

AutoSelectCertificateForUrls

Automatically select client certificates for these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutoSelectCertificateForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\AutoSelectCertificateForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutoSelectCertificateForUrls
Mac/Linux preference name:
AutoSelectCertificateForUrls
Supported on:
  • Google Chrome (Linux) since version 15
  • Google Chrome (Mac) since version 15
  • Google Chrome (Windows) since version 15
  • Google ChromeOS (Google ChromeOS) since version 15
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you make a list of URL patterns that specify sites for which Chrome can automatically select a client certificate. The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.

Examples for the usage of the $FILTER section:

* When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.

* When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.

* When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.

* When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.

* When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.

Leaving the policy unset means there's no autoselection for any site.

Schema:
{ "items": { "properties": { "filter": { "properties": { "ISSUER": { "id": "CertPrincipalFields", "properties": { "CN": { "type": "string" }, "L": { "type": "string" }, "O": { "type": "string" }, "OU": { "type": "string" } }, "type": "object" }, "SUBJECT": { "$ref": "CertPrincipalFields" } }, "type": "object" }, "pattern": { "type": "string" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"
Android/Linux:
[ "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}" ]
Mac:
<array> <string>{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}</string> </array>
Windows (Intune):
<enabled/>
<data id="AutoSelectCertificateForUrlsDesc" value="1&#xF000;{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"/>
Back to top

CookiesAllowedForUrls

Allow cookies on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CookiesAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\CookiesAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CookiesAllowedForUrls
Mac/Linux preference name:
CookiesAllowedForUrls
Android restriction name:
CookiesAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set a list of url patterns that specify sites which are allowed to set cookies.

If this policy is left not set the global default value will be used for all sites either from the DefaultCookiesSetting policy if it is set, or the user's personal configuration otherwise.

See also policies CookiesBlockedForUrls and CookiesSessionOnlyForUrls. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\CookiesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\CookiesAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\CookiesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\CookiesAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="CookiesAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

CookiesBlockedForUrls

Block cookies on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CookiesBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\CookiesBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CookiesBlockedForUrls
Mac/Linux preference name:
CookiesBlockedForUrls
Android restriction name:
CookiesBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you make a list of URL patterns that specify sites that can't set cookies.

Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies.

While no specific policy takes precedence, see CookiesAllowedForUrls and CookiesSessionOnlyForUrls. URL patterns among these 3 policies must not conflict.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\CookiesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\CookiesBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\CookiesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\CookiesBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="CookiesBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

CookiesSessionOnlyForUrls

Limit cookies from matching URLs to the current session
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\CookiesSessionOnlyForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CookiesSessionOnlyForUrls
Mac/Linux preference name:
CookiesSessionOnlyForUrls
Android restriction name:
CookiesSessionOnlyForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, then setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.

Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.

While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\CookiesSessionOnlyForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\CookiesSessionOnlyForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="CookiesSessionOnlyForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

FileSystemReadAskForUrls

Allow read access via the File System API on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\FileSystemReadAskForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\FileSystemReadAskForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FileSystemReadAskForUrls
Mac/Linux preference name:
FileSystemReadAskForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.

Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.

URL patterns must not conflict with FileSystemReadBlockedForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\FileSystemReadAskForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\FileSystemReadAskForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\FileSystemReadAskForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\FileSystemReadAskForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="FileSystemReadAskForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

FileSystemReadBlockedForUrls

Block read access via the File System API on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\FileSystemReadBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\FileSystemReadBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FileSystemReadBlockedForUrls
Mac/Linux preference name:
FileSystemReadBlockedForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them read access to files or directories in the host operating system's file system via the File System API.

Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.

URL patterns can't conflict with FileSystemReadAskForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\FileSystemReadBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\FileSystemReadBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\FileSystemReadBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\FileSystemReadBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="FileSystemReadBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

FileSystemWriteAskForUrls

Allow write access to files and directories on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\FileSystemWriteAskForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\FileSystemWriteAskForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FileSystemWriteAskForUrls
Mac/Linux preference name:
FileSystemWriteAskForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them write access to files or directories in the host operating system's file system.

Leaving the policy unset means DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.

URL patterns must not conflict with FileSystemWriteBlockedForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\FileSystemWriteAskForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\FileSystemWriteAskForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\FileSystemWriteAskForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\FileSystemWriteAskForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="FileSystemWriteAskForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

FileSystemWriteBlockedForUrls

Block write access to files and directories on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\FileSystemWriteBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\FileSystemWriteBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FileSystemWriteBlockedForUrls
Mac/Linux preference name:
FileSystemWriteBlockedForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them write access to files or directories in the host operating system's file system.

Leaving the policy unset means DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.

URL patterns can't conflict with FileSystemWriteAskForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\FileSystemWriteBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\FileSystemWriteBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\FileSystemWriteBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\FileSystemWriteBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="FileSystemWriteBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

ImagesAllowedForUrls

Allow images on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ImagesAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\ImagesAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ImagesAllowedForUrls
Mac/Linux preference name:
ImagesAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify sites that may display images.

Leaving the policy unset means DefaultImagesSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ImagesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\ImagesAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ImagesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\ImagesAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="ImagesAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

ImagesBlockedForUrls

Block images on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ImagesBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\ImagesBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ImagesBlockedForUrls
Mac/Linux preference name:
ImagesBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify sites that can't display images.

Leaving the policy unset means DefaultImagesSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ImagesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\ImagesBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ImagesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\ImagesBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="ImagesBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

InsecureContentAllowedForUrls

Allow insecure content on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\InsecureContentAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\InsecureContentAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\InsecureContentAllowedForUrls
Mac/Linux preference name:
InsecureContentAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set a list of url patterns that specify sites which are allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites) and for which optionally blockable mixed content upgrades will be disabled.

If this policy is left not set blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, and users will be allowed to set exceptions to allow it for specific sites.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\InsecureContentAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\InsecureContentAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\InsecureContentAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\InsecureContentAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="InsecureContentAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

InsecureContentBlockedForUrls

Block insecure content on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\InsecureContentBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\InsecureContentBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\InsecureContentBlockedForUrls
Mac/Linux preference name:
InsecureContentBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set a list of url patterns that specify sites which are not allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites), and for which optionally blockable (i.e. passive) mixed content will be upgraded.

If this policy is left not set blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, but users will be allowed to set exceptions to allow it for specific sites.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\InsecureContentBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\InsecureContentBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\InsecureContentBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\InsecureContentBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="InsecureContentBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

JavaScriptAllowedForUrls

Allow JavaScript on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\JavaScriptAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\JavaScriptAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\JavaScriptAllowedForUrls
Mac/Linux preference name:
JavaScriptAllowedForUrls
Android restriction name:
JavaScriptAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify the sites that can run JavaScript.

Leaving the policy unset means DefaultJavaScriptSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\JavaScriptAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\JavaScriptAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\JavaScriptAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\JavaScriptAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="JavaScriptAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

JavaScriptBlockedForUrls

Block JavaScript on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\JavaScriptBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\JavaScriptBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\JavaScriptBlockedForUrls
Mac/Linux preference name:
JavaScriptBlockedForUrls
Android restriction name:
JavaScriptBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify the sites that can't run JavaScript.

Leaving the policy unset means DefaultJavaScriptSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\JavaScriptBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\JavaScriptBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\JavaScriptBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\JavaScriptBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="JavaScriptBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

JavaScriptJitAllowedForSites

Allow JavaScript to use JIT on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\JavaScriptJitAllowedForSites
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\JavaScriptJitAllowedForSites
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\JavaScriptJitAllowedForSites
Mac/Linux preference name:
JavaScriptJitAllowedForSites
Android restriction name:
JavaScriptJitAllowedForSites
Supported on:
  • Google Chrome (Linux) since version 93
  • Google Chrome (Mac) since version 93
  • Google Chrome (Windows) since version 93
  • Google ChromeOS (Google ChromeOS) since version 93
  • Google Chrome (Android) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set a list of site url patterns that specify sites which are allowed to run JavaScript with JIT (Just In Time) compiler enabled.

For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.

This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptJitAllowedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript JIT enabled, but site-two.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.

If this policy is not set for a site then the policy from DefaultJavaScriptJitSetting applies to the site, if set, otherwise Javascript JIT is enabled for the site.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\JavaScriptJitAllowedForSites\1 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\JavaScriptJitAllowedForSites\1 = "[*.]example.edu"
Android/Linux:
[ "[*.]example.edu" ]
Mac:
<array> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="JavaScriptJitAllowedForSitesDesc" value="1&#xF000;[*.]example.edu"/>
Back to top

JavaScriptJitBlockedForSites

Block JavaScript from using JIT on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\JavaScriptJitBlockedForSites
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\JavaScriptJitBlockedForSites
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\JavaScriptJitBlockedForSites
Mac/Linux preference name:
JavaScriptJitBlockedForSites
Android restriction name:
JavaScriptJitBlockedForSites
Supported on:
  • Google Chrome (Linux) since version 93
  • Google Chrome (Mac) since version 93
  • Google Chrome (Windows) since version 93
  • Google ChromeOS (Google ChromeOS) since version 93
  • Google Chrome (Android) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set a list of site url patterns that specify sites which are not allowed to run JavaScript JIT (Just In Time) compiler enabled.

Disabling the JavaScript JIT will mean that Google Chrome may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Google Chrome to render web content in a more secure configuration.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.

This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptJitBlockedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript JIT disabled, but site-two.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.

If this policy is not set for a site then the policy from DefaultJavaScriptJitSetting applies to the site, if set, otherwise JavaScript JIT is enabled for the site.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\JavaScriptJitBlockedForSites\1 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\JavaScriptJitBlockedForSites\1 = "[*.]example.edu"
Android/Linux:
[ "[*.]example.edu" ]
Mac:
<array> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="JavaScriptJitBlockedForSitesDesc" value="1&#xF000;[*.]example.edu"/>
Back to top

LegacySameSiteCookieBehaviorEnabledForDomainList

Revert to legacy SameSite behavior for cookies on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\LegacySameSiteCookieBehaviorEnabledForDomainList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\LegacySameSiteCookieBehaviorEnabledForDomainList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LegacySameSiteCookieBehaviorEnabledForDomainList
Mac/Linux preference name:
LegacySameSiteCookieBehaviorEnabledForDomainList
Android restriction name:
LegacySameSiteCookieBehaviorEnabledForDomainList
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
  • Google Chrome (Android) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Cookies set for domains matching these patterns will revert to legacy SameSite behavior. Reverting to legacy behavior causes cookies that don't specify a SameSite attribute to be treated as if they were "SameSite=None", removes the requirement for "SameSite=None" cookies to carry the "Secure" attribute, and skips the scheme comparison when evaluating if two sites are same-site. See https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies for full description.

For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be the user's personal configuration.

For detailed information on valid patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.

Note that patterns you list here are treated as domains, not URLs, so you should not specify a scheme or port.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\LegacySameSiteCookieBehaviorEnabledForDomainList\1 = "www.example.com" Software\Policies\Google\Chrome\LegacySameSiteCookieBehaviorEnabledForDomainList\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\LegacySameSiteCookieBehaviorEnabledForDomainList\1 = "www.example.com" Software\Policies\Google\ChromeOS\LegacySameSiteCookieBehaviorEnabledForDomainList\2 = "[*.]example.edu"
Android/Linux:
[ "www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="LegacySameSiteCookieBehaviorEnabledForDomainListDesc" value="1&#xF000;www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

LocalFontsAllowedForUrls

Allow Local Fonts permission on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\LocalFontsAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\LocalFontsAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LocalFontsAllowedForUrls
Mac/Linux preference name:
LocalFontsAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 103
  • Google Chrome (Mac) since version 103
  • Google Chrome (Windows) since version 103
  • Google ChromeOS (Google ChromeOS) since version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Sets a list of site url patterns that specify sites which will automatically grant the local fonts permission. This will extend the ability of sites to see information about local fonts.

For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.

If this policy is not set for a site then the policy from DefaultLocalFontsSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\LocalFontsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\LocalFontsAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\LocalFontsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\LocalFontsAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="LocalFontsAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

LocalFontsBlockedForUrls

Block Local Fonts permission on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\LocalFontsBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\LocalFontsBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LocalFontsBlockedForUrls
Mac/Linux preference name:
LocalFontsBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 103
  • Google Chrome (Mac) since version 103
  • Google Chrome (Windows) since version 103
  • Google ChromeOS (Google ChromeOS) since version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Sets a list of site url patterns that specify sites which will automatically deny the local fonts permission. This will limit the ability of sites to see information about local fonts.

For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.

If this policy is not set for a site then the policy from DefaultLocalFontsSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\LocalFontsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\LocalFontsBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\LocalFontsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\LocalFontsBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="LocalFontsBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

PopupsAllowedForUrls

Allow pop-ups on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PopupsAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\PopupsAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PopupsAllowedForUrls
Mac/Linux preference name:
PopupsAllowedForUrls
Android restriction name:
PopupsAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 34
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify the sites that can open pop-ups.

Leaving the policy unset means DefaultPopupsSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\PopupsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\PopupsAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PopupsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\PopupsAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="PopupsAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

RegisteredProtocolHandlers

Register protocol handlers
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\Recommended\RegisteredProtocolHandlers
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\RegisteredProtocolHandlers
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\Recommended\RegisteredProtocolHandlers
Mac/Linux preference name:
RegisteredProtocolHandlers
Supported on:
  • Google Chrome (Linux) since version 37
  • Google Chrome (Mac) since version 37
  • Google Chrome (Windows) since version 37
  • Google ChromeOS (Google ChromeOS) since version 37
Supported features:
Can Be Mandatory: No, Can Be Recommended: Yes, Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy (as recommended only) lets you register a list of protocol handlers, which merge with the ones that the user registers, putting both sets in use. Set the property "protocol" to the scheme, such as "mailto", and set the property "URL" to the URL pattern of the application that handles the scheme specified in the "protocol" field. The pattern can include a "%s" placeholder, which the handled URL replaces.

Users can't remove a protocol handler registered by policy. However, by installing a new default handler, they can change the protocol handlers installed by policy.

Note for Google Chrome OS devices supporting Android apps:

The protocol handlers set via this policy are not used when handling Android intents.

Schema:
{ "items": { "properties": { "default": { "description": "A boolean flag indicating if the protocol handler should be set as the default.", "type": "boolean" }, "protocol": { "description": "The protocol for the protocol handler.", "type": "string" }, "url": { "description": "The URL of the protocol handler.", "type": "string" } }, "required": [ "protocol", "url" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\Recommended\RegisteredProtocolHandlers = [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\Recommended\RegisteredProtocolHandlers = [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]
Android/Linux:
RegisteredProtocolHandlers: [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]
Mac:
<key>RegisteredProtocolHandlers</key> <array> <dict> <key>default</key> <true/> <key>protocol</key> <string>mailto</string> <key>url</key> <string>https://mail.google.com/mail/?extsrc=mailto&amp;url=%s</string> </dict> </array>
Windows (Intune):
<enabled/>
<data id="RegisteredProtocolHandlers" value="{"protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s", "default": true}"/>
Back to top

PopupsBlockedForUrls

Block pop-ups on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PopupsBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\PopupsBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PopupsBlockedForUrls
Mac/Linux preference name:
PopupsBlockedForUrls
Android restriction name:
PopupsBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 34
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify the sites that can't open pop-ups.

Leaving the policy unset means DefaultPopupsSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\PopupsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\PopupsBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PopupsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\PopupsBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="PopupsBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

NotificationsAllowedForUrls

Allow notifications on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NotificationsAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\NotificationsAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NotificationsAllowedForUrls
Mac/Linux preference name:
NotificationsAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 16
  • Google Chrome (Mac) since version 16
  • Google Chrome (Windows) since version 16
  • Google ChromeOS (Google ChromeOS) since version 16
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify the sites that can display notifications.

Leaving the policy unset means DefaultNotificationsSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\NotificationsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\NotificationsAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\NotificationsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\NotificationsAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="NotificationsAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

NotificationsBlockedForUrls

Block notifications on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NotificationsBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\NotificationsBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NotificationsBlockedForUrls
Mac/Linux preference name:
NotificationsBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 16
  • Google Chrome (Mac) since version 16
  • Google Chrome (Windows) since version 16
  • Google ChromeOS (Google ChromeOS) since version 16
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify the sites that can't display notifications.

Leaving the policy unset means DefaultNotificationsSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\NotificationsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\NotificationsBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\NotificationsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\NotificationsBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="NotificationsBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

SensorsAllowedForUrls

Allow access to sensors on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SensorsAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\SensorsAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SensorsAllowedForUrls
Mac/Linux preference name:
SensorsAllowedForUrls
Android restriction name:
SensorsAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 88
  • Google Chrome (Mac) since version 88
  • Google Chrome (Windows) since version 88
  • Google ChromeOS (Google ChromeOS) since version 88
  • Google Chrome (Android) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify the sites that can access sensors like motion and light sensors.

Leaving the policy unset means DefaultSensorsSetting applies for all sites, if it's set. If not, the user's personal setting applies.

If the same URL pattern exists in both this policy and the SensorsBlockedForUrls policy, the latter is prioritized and access to motion or light sensors will be blocked.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SensorsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\SensorsAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SensorsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\SensorsAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="SensorsAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

SensorsBlockedForUrls

Block access to sensors on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SensorsBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\SensorsBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SensorsBlockedForUrls
Mac/Linux preference name:
SensorsBlockedForUrls
Android restriction name:
SensorsBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 88
  • Google Chrome (Mac) since version 88
  • Google Chrome (Windows) since version 88
  • Google ChromeOS (Google ChromeOS) since version 88
  • Google Chrome (Android) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you set a list of URL patterns that specify the sites that can't access sensors like motion and light sensors.

Leaving the policy unset means DefaultSensorsSetting applies for all sites, if it's set. If not, the user's personal setting applies.

If the same URL pattern exists in both this policy and the SensorsAllowedForUrls policy, this policy is prioritized and access to motion or light sensors will be blocked.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SensorsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\SensorsBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SensorsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\SensorsBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="SensorsBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

WebUsbAllowDevicesForUrls

Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
Data type:
Dictionary [Android:string, Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebUsbAllowDevicesForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WebUsbAllowDevicesForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebUsbAllowDevicesForUrls
Mac/Linux preference name:
WebUsbAllowDevicesForUrls
Android restriction name:
WebUsbAllowDevicesForUrls
Supported on:
  • Google Chrome (Android) since version 75
  • Google ChromeOS (Google ChromeOS) since version 74
  • Google Chrome (Linux) since version 74
  • Google Chrome (Mac) since version 74
  • Google Chrome (Windows) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the policy to be valid. Each item in the devices field can have a vendor_id and product_id field. Omitting the vendor_id field will create a policy matching any device. Omitting the product_id field will create a policy matching any device with the given vendor ID. A policy which has a product_id field without a vendor_id field is invalid.

The USB permission model will grant the specified URL permission to access the USB device as a top-level origin. If embedded frames need to access USB devices, the 'usb' feature-policy header should be used to grant access. The URL must be valid, otherwise the policy is ignored.

Deprecated: The USB permission model used to support specifying both the requesting and embedding URLs. This is deprecated and only supported for backwards compatiblity in this manner: if both a requesting and embedding URL is specified, then the embedding URL will be granted the permission as top-level origin and the requsting URL will be ignored entirely.

This policy overrides DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls and the user's preferences.

This policy only affects access to USB devices through the WebUSB API. To grant access to USB devices through the Web Serial API see the SerialAllowUsbDevicesForUrls policy.

Schema:
{ "items": { "properties": { "devices": { "items": { "properties": { "product_id": { "maximum": 65535, "minimum": 0, "type": "integer" }, "vendor_id": { "maximum": 65535, "minimum": 0, "type": "integer" } }, "type": "object" }, "type": "array" }, "urls": { "items": { "type": "string" }, "type": "array" } }, "required": [ "devices", "urls" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebUsbAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com" ] } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebUsbAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com" ] } ]
Android/Linux:
WebUsbAllowDevicesForUrls: [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com" ] } ]
Mac:
<key>WebUsbAllowDevicesForUrls</key> <array> <dict> <key>devices</key> <array> <dict> <key>product_id</key> <integer>5678</integer> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://google.com</string> </array> </dict> </array>
Windows (Intune):
<enabled/>
<data id="WebUsbAllowDevicesForUrls" value="{"devices": [{"vendor_id": 1234, "product_id": 5678}], "urls": ["https://google.com"]}"/>
Back to top

WebUsbAskForUrls

Allow WebUSB on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebUsbAskForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WebUsbAskForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebUsbAskForUrls
Mac/Linux preference name:
WebUsbAskForUrls
Android restriction name:
WebUsbAskForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 68
  • Google Chrome (Android) since version 68
  • Google Chrome (Linux) since version 68
  • Google Chrome (Mac) since version 68
  • Google Chrome (Windows) since version 68
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a USB device.

Leaving the policy unset means DefaultWebUsbGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.

URL patterns must not conflict with WebUsbAskForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebUsbAskForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\WebUsbAskForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebUsbAskForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\WebUsbAskForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="WebUsbAskForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

WebUsbBlockedForUrls

Block WebUSB on these sites
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebUsbBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WebUsbBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebUsbBlockedForUrls
Mac/Linux preference name:
WebUsbBlockedForUrls
Android restriction name:
WebUsbBlockedForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 68
  • Google Chrome (Android) since version 68
  • Google Chrome (Linux) since version 68
  • Google Chrome (Mac) since version 68
  • Google Chrome (Windows) since version 68
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a USB device.

Leaving the policy unset means DefaultWebUsbGuardSetting applies for all sites, if it's set. If not, the user's personal setting applies.

URL patterns can't conflict with WebUsbAskForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebUsbBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\WebUsbBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebUsbBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\WebUsbBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="WebUsbBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

SerialAskForUrls

Allow the Serial API on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SerialAskForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\SerialAskForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SerialAskForUrls
Mac/Linux preference name:
SerialAskForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a serial port.

Leaving the policy unset means DefaultSerialGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.

For URL patterns which do not match the policy SerialBlockedForUrls (if there is a match), DefaultSerialGuardSetting (if set), or the users' personal settings take precedence, in that order.

URL patterns must not conflict with SerialBlockedForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SerialAskForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\SerialAskForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SerialAskForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\SerialAskForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="SerialAskForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

SerialBlockedForUrls

Block the Serial API on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SerialBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\SerialBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SerialBlockedForUrls
Mac/Linux preference name:
SerialBlockedForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a serial port.

Leaving the policy unset means DefaultSerialGuardSetting applies for all sites, if it's set. If not, the user's personal setting applies.

For URL patterns which do not match the policy SerialAskForUrls (if there is a match), DefaultSerialGuardSetting (if set), or the users' personal settings take precedence, in that order.

URL patterns can't conflict with SerialAskForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SerialBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\SerialBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SerialBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\SerialBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="SerialBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

SerialAllowAllPortsForUrls

Automatically grant permission to sites to connect all serial ports.
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SerialAllowAllPortsForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\SerialAllowAllPortsForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SerialAllowAllPortsForUrls
Mac/Linux preference name:
SerialAllowAllPortsForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
  • Google Chrome (Linux) since version 94
  • Google Chrome (Mac) since version 94
  • Google Chrome (Windows) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy allows you to list sites which are automatically granted permission to access all available serial ports.

The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.

On Google Chrome OS, this policy only applies to affiliated users.

This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SerialAllowAllPortsForUrls\1 = "https://www.example.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SerialAllowAllPortsForUrls\1 = "https://www.example.com"
Android/Linux:
[ "https://www.example.com" ]
Mac:
<array> <string>https://www.example.com</string> </array>
Windows (Intune):
<enabled/>
<data id="SerialAllowAllPortsForUrlsDesc" value="1&#xF000;https://www.example.com"/>
Back to top

SerialAllowUsbDevicesForUrls

Automatically grant permission to sites to connect to USB serial devices.
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SerialAllowUsbDevicesForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\SerialAllowUsbDevicesForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SerialAllowUsbDevicesForUrls
Mac/Linux preference name:
SerialAllowUsbDevicesForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
  • Google Chrome (Linux) since version 94
  • Google Chrome (Mac) since version 94
  • Google Chrome (Windows) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy allows you to list sites which are automatically granted permission to access USB serial devices with vendor and product IDs matching the vendor_id and product_id fields. Omitting the product_id field allows the given sites permission to access devices with a vendor ID matching the vendor_id field and any product ID.

The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.

On ChromeOS, this policy only applies to affiliated users.

This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.

This policy only affects access to USB devices through the Web Serial API. To grant access to USB devices through the WebUSB API see the WebUsbAllowDevicesForUrls policy.

Schema:
{ "items": { "properties": { "devices": { "items": { "properties": { "product_id": { "maximum": 65535, "minimum": 0, "type": "integer" }, "vendor_id": { "maximum": 65535, "minimum": 0, "type": "integer" } }, "required": [ "vendor_id" ], "type": "object" }, "type": "array" }, "urls": { "items": { "type": "string" }, "type": "array" } }, "required": [ "devices", "urls" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SerialAllowUsbDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://specific-device.example.com" ] }, { "devices": [ { "vendor_id": 1234 } ], "urls": [ "https://all-vendor-devices.example.com" ] } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SerialAllowUsbDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://specific-device.example.com" ] }, { "devices": [ { "vendor_id": 1234 } ], "urls": [ "https://all-vendor-devices.example.com" ] } ]
Android/Linux:
SerialAllowUsbDevicesForUrls: [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://specific-device.example.com" ] }, { "devices": [ { "vendor_id": 1234 } ], "urls": [ "https://all-vendor-devices.example.com" ] } ]
Mac:
<key>SerialAllowUsbDevicesForUrls</key> <array> <dict> <key>devices</key> <array> <dict> <key>product_id</key> <integer>5678</integer> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://specific-device.example.com</string> </array> </dict> <dict> <key>devices</key> <array> <dict> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://all-vendor-devices.example.com</string> </array> </dict> </array>
Windows (Intune):
<enabled/>
<data id="SerialAllowUsbDevicesForUrls" value="{"devices": [{"vendor_id": 1234, "product_id": 5678}], "urls": ["https://specific-device.example.com"]}, {"devices": [{"vendor_id": 1234}], "urls": ["https://all-vendor-devices.example.com"]}"/>
Back to top

WebHidAskForUrls

Allow the WebHID API on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebHidAskForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WebHidAskForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebHidAskForUrls
Mac/Linux preference name:
WebHidAskForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a HID device.

Leaving the policy unset means DefaultWebHidGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.

For URL patterns which do not match the policy, the following take precedence, in this order:

* WebHidBlockedForUrls (if there is a match),

* DefaultWebHidGuardSetting (if set), or

* Users' personal settings.

URL patterns must not conflict with WebHidBlockedForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebHidAskForUrls\1 = "https://google.com" Software\Policies\Google\Chrome\WebHidAskForUrls\2 = "https://chromium.org"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebHidAskForUrls\1 = "https://google.com" Software\Policies\Google\ChromeOS\WebHidAskForUrls\2 = "https://chromium.org"
Android/Linux:
[ "https://google.com", "https://chromium.org" ]
Mac:
<array> <string>https://google.com</string> <string>https://chromium.org</string> </array>
Windows (Intune):
<enabled/>
<data id="WebHidAskForUrlsDesc" value="1&#xF000;https://google.com&#xF000;2&#xF000;https://chromium.org"/>
Back to top

WebHidBlockedForUrls

Block the WebHID API on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebHidBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WebHidBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebHidBlockedForUrls
Mac/Linux preference name:
WebHidBlockedForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a HID device.

Leaving the policy unset means DefaultWebHidGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.

For URL patterns which do not match the policy, the following take precedence, in this order:

* WebHidAskForUrls (if there is a match),

* DefaultWebHidGuardSetting (if set), or

* Users' personal settings.

URL patterns can't conflict with WebHidAskForUrls. Neither policy takes precedence if a URL matches with both.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebHidBlockedForUrls\1 = "https://google.com" Software\Policies\Google\Chrome\WebHidBlockedForUrls\2 = "https://chromium.org"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebHidBlockedForUrls\1 = "https://google.com" Software\Policies\Google\ChromeOS\WebHidBlockedForUrls\2 = "https://chromium.org"
Android/Linux:
[ "https://google.com", "https://chromium.org" ]
Mac:
<array> <string>https://google.com</string> <string>https://chromium.org</string> </array>
Windows (Intune):
<enabled/>
<data id="WebHidBlockedForUrlsDesc" value="1&#xF000;https://google.com&#xF000;2&#xF000;https://chromium.org"/>
Back to top

WebHidAllowAllDevicesForUrls

Automatically grant permission to sites to connect to any HID device.
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebHidAllowAllDevicesForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WebHidAllowAllDevicesForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebHidAllowAllDevicesForUrls
Mac/Linux preference name:
WebHidAllowAllDevicesForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy allows you to list sites which are automatically granted permission to access all available devices.

The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.

On ChromeOS, this policy only applies to affiliated users.

This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls and the user's preferences.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebHidAllowAllDevicesForUrls\1 = "https://google.com" Software\Policies\Google\Chrome\WebHidAllowAllDevicesForUrls\2 = "https://chromium.org"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebHidAllowAllDevicesForUrls\1 = "https://google.com" Software\Policies\Google\ChromeOS\WebHidAllowAllDevicesForUrls\2 = "https://chromium.org"
Android/Linux:
[ "https://google.com", "https://chromium.org" ]
Mac:
<array> <string>https://google.com</string> <string>https://chromium.org</string> </array>
Windows (Intune):
<enabled/>
<data id="WebHidAllowAllDevicesForUrlsDesc" value="1&#xF000;https://google.com&#xF000;2&#xF000;https://chromium.org"/>
Back to top

WebHidAllowDevicesForUrls

Automatically grant permission to these sites to connect to HID devices with the given vendor and product IDs.
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebHidAllowDevicesForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WebHidAllowDevicesForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebHidAllowDevicesForUrls
Mac/Linux preference name:
WebHidAllowDevicesForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the item to be valid, otherwise the item is ignored. Each item in the devices field must have a vendor_id and may have a product_id field. Omitting the product_id field will create a policy matching any device with the specified vendor ID. An item which has a product_id field without a vendor_id field is invalid and is ignored.

Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.

URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.

Schema:
{ "items": { "properties": { "devices": { "items": { "properties": { "product_id": { "maximum": 65535, "minimum": 0, "type": "integer" }, "vendor_id": { "maximum": 65535, "minimum": 0, "type": "integer" } }, "required": [ "vendor_id" ], "type": "object" }, "type": "array" }, "urls": { "items": { "type": "string" }, "type": "array" } }, "required": [ "devices", "urls" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebHidAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://chromium.org" ] } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebHidAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://chromium.org" ] } ]
Android/Linux:
WebHidAllowDevicesForUrls: [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://chromium.org" ] } ]
Mac:
<key>WebHidAllowDevicesForUrls</key> <array> <dict> <key>devices</key> <array> <dict> <key>product_id</key> <integer>5678</integer> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://google.com</string> <string>https://chromium.org</string> </array> </dict> </array>
Windows (Intune):
<enabled/>
<data id="WebHidAllowDevicesForUrls" value="{"devices": [{"vendor_id": 1234, "product_id": 5678}], "urls": ["https://google.com", "https://chromium.org"]}"/>
Back to top

WebHidAllowDevicesWithHidUsagesForUrls

Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage.
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebHidAllowDevicesWithHidUsagesForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WebHidAllowDevicesWithHidUsagesForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebHidAllowDevicesWithHidUsagesForUrls
Mac/Linux preference name:
WebHidAllowDevicesWithHidUsagesForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device containing a top-level collection with the given HID usage. Each item in the list requires both usages and urls fields for the policy to be valid. Each item in the usages field must have a usage_page and may have a usage field. Omitting the usage field will create a policy matching any device containing a top-level collection with a usage from the specified usage page. An item which has a usage field without a usage_page field is invalid and is ignored.

Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.

URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.

Schema:
{ "items": { "properties": { "urls": { "items": { "type": "string" }, "type": "array" }, "usages": { "items": { "properties": { "usage": { "maximum": 65535, "minimum": 0, "type": "integer" }, "usage_page": { "maximum": 65535, "minimum": 0, "type": "integer" } }, "required": [ "usage_page" ], "type": "object" }, "type": "array" } }, "required": [ "usages", "urls" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebHidAllowDevicesWithHidUsagesForUrls = [ { "urls": [ "https://google.com", "https://chromium.org" ], "usages": [ { "usage": 5678, "usage_page": 1234 } ] } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebHidAllowDevicesWithHidUsagesForUrls = [ { "urls": [ "https://google.com", "https://chromium.org" ], "usages": [ { "usage": 5678, "usage_page": 1234 } ] } ]
Android/Linux:
WebHidAllowDevicesWithHidUsagesForUrls: [ { "urls": [ "https://google.com", "https://chromium.org" ], "usages": [ { "usage": 5678, "usage_page": 1234 } ] } ]
Mac:
<key>WebHidAllowDevicesWithHidUsagesForUrls</key> <array> <dict> <key>urls</key> <array> <string>https://google.com</string> <string>https://chromium.org</string> </array> <key>usages</key> <array> <dict> <key>usage</key> <integer>5678</integer> <key>usage_page</key> <integer>1234</integer> </dict> </array> </dict> </array>
Windows (Intune):
<enabled/>
<data id="WebHidAllowDevicesWithHidUsagesForUrls" value="{"usages": [{"usage_page": 1234, "usage": 5678}], "urls": ["https://google.com", "https://chromium.org"]}"/>
Back to top

WindowPlacementAllowedForUrls

Allow Window Placement permission on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WindowPlacementAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WindowPlacementAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WindowPlacementAllowedForUrls
Mac/Linux preference name:
WindowPlacementAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set a list of site url patterns that specify sites which will automatically grant the window placement permission. This will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.

For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.

If this policy is not set for a site then the policy from DefaultWindowPlacementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WindowPlacementAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\WindowPlacementAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WindowPlacementAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\WindowPlacementAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="WindowPlacementAllowedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

WindowPlacementBlockedForUrls

Block Window Placement permission on these sites
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WindowPlacementBlockedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~ContentSettings\WindowPlacementBlockedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WindowPlacementBlockedForUrls
Mac/Linux preference name:
WindowPlacementBlockedForUrls
Supported on:
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set a list of site url patterns that specify sites which will automatically deny the window placement permission. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.

For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.

If this policy is not set for a site then the policy from DefaultWindowPlacementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WindowPlacementBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\WindowPlacementBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WindowPlacementBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\WindowPlacementBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="WindowPlacementBlockedForUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

Date and time

Controls clock and time zone settings.
Back to top

SystemTimezone

Timezone
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SystemTimezone
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 22
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy specifies a device's time zone and turns off location-based automatic time zone adjustment while overriding the SystemTimezoneAutomaticDetection policy. Users can't change the time zone.

New devices start with the time zone set to US Pacific. Value format follows the names in the IANA Time Zone Database ( https://en.wikipedia.org/wiki/Tz_database ). Entering an invalid value activates the policy using GMT.

If not set or if you enter an empty string, the device uses the currently active time zone, but users can change it.

Example value:
"America/Los_Angeles"
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : DateAndTime
Back to top

SystemTimezoneAutomaticDetection

Configure the automatic timezone detection method
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SystemTimezoneAutomaticDetection
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 53
Supported features:
Dynamic Policy Refresh: Yes
Description:

Unless the SystemTimezone policy turns off automatic time zone detection, then setting the policy outlines the automatic time zone detection method, which users can't change.

Setting the policy to: * TimezoneAutomaticDetectionDisabled keeps automatic time zone detection off. * TimezoneAutomaticDetectionIPOnly keeps automatic time zone detection on, using the IP-only method. * TimezoneAutomaticDetectionSendWiFiAccessPoints keeps automatic time zone detection on, continually sending the list of visible Wi-Fi access-points to the Geolocation API server for finer-grained time zone detection. * TimezoneAutomaticDetectionSendAllLocationInfo keeps automatic time zone detection on, continually sending location information (such as Wi-Fi access points, reachable cell towers, GPS) to a server for the most fine-grained time zone detection.

If not set, set to Let users decide, or set to None, then users control automatic time zone detection using normal controls in chrome://settings.

  • 0 = Let users decide
  • 1 = Never auto-detect timezone
  • 2 = Always use coarse timezone detection
  • 3 = Always send WiFi access-points to server while resolving timezone
  • 4 = Always send any available location signals to the server while resolving timezone
Example value:
0x00000000 (Windows)
Back to top

SystemUse24HourClock

Use 24 hour clock by default
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SystemUse24HourClock
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 30
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to True gives a device's sign-in screen a 24-hour clock format.

Setting the policy to False gives a device's sign-in screen a 12-hour clock format.

Leaving the policy unset makes a device use the format from the current locale.

User sessions also default to the device format, but users can change an account's clock format.

Example value:
0x00000001 (Windows)
Back to top

Default search provider

Configures the default search provider. You can specify the default search provider that the user will use or choose to disable default search.
Back to top

DefaultSearchProviderEnabled

Enable the default search provider
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderEnabled
Mac/Linux preference name:
DefaultSearchProviderEnabled
Android restriction name:
DefaultSearchProviderEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar.

If you set the policy, users can't change it in Google Chrome. If not set, the default search provider is on, and users can set the search provider list.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : DefaultSearchProvider
Back to top

DefaultSearchProviderName

Default search provider name
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderName
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderName
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderName
Mac/Linux preference name:
DefaultSearchProviderName
Android restriction name:
DefaultSearchProviderName
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderName specifies the default search provider's name.

Leaving DefaultSearchProviderName unset means the hostname specified by the search URL is used.

Example value:
"My Intranet Search"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderName" value="My Intranet Search"/>
Back to top

DefaultSearchProviderKeyword

Default search provider keyword
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderKeyword
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderKeyword
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderKeyword
Mac/Linux preference name:
DefaultSearchProviderKeyword
Android restriction name:
DefaultSearchProviderKeyword
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderKeyword specifies the keyword or shortcut used in the address bar to trigger the search for this provider.

Leaving DefaultSearchProviderKeyword unset means no keyword activates the search provider.

Example value:
"mis"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderKeyword" value="mis"/>
Back to top

DefaultSearchProviderSearchURL

Default search provider search URL
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderSearchURL
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderSearchURL
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderSearchURL
Mac/Linux preference name:
DefaultSearchProviderSearchURL
Android restriction name:
DefaultSearchProviderSearchURL
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSearchURL specifies the URL of the search engine used during a default search. The URL should include the string '{searchTerms}', replaced in the query by the user's search terms.

You can specify Google's search URL as: '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'.

Example value:
"https://search.my.company/search?q={searchTerms}"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderSearchURL" value="https://search.my.company/search?q={searchTerms}"/>
Back to top

DefaultSearchProviderSuggestURL

Default search provider suggest URL
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderSuggestURL
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderSuggestURL
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderSuggestURL
Mac/Linux preference name:
DefaultSearchProviderSuggestURL
Android restriction name:
DefaultSearchProviderSuggestURL
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSuggestURL specifies the URL of the search engine to provide search suggestions. The URL should include the string '{searchTerms}', replaced in the query by the user's search terms.

You can specify Google's search URL as: '{google:baseURL}complete/search?output=chrome&q={searchTerms}'.

Example value:
"https://search.my.company/suggest?q={searchTerms}"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderSuggestURL" value="https://search.my.company/suggest?q={searchTerms}"/>
Back to top

DefaultSearchProviderIconURL

Default search provider icon
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderIconURL
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderIconURL
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderIconURL
Mac/Linux preference name:
DefaultSearchProviderIconURL
Android restriction name:
DefaultSearchProviderIconURL
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderIconURL specifies the default search provider's favorite icon URL.

Leaving DefaultSearchProviderIconURL unset means there's no icon for the search provider.

Example value:
"https://search.my.company/favicon.ico"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderIconURL" value="https://search.my.company/favicon.ico"/>
Back to top

DefaultSearchProviderEncodings

Default search provider encodings
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderEncodings
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderEncodings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings
Mac/Linux preference name:
DefaultSearchProviderEncodings
Android restriction name:
DefaultSearchProviderEncodings
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, setting DefaultSearchProviderEncodings specifies the character encodings supported by the search provider. Encodings are code page names such as UTF-8, GB2312, and ISO-8859-1. They're tried in the order provided.

Leaving DefaultSearchProviderEncodings unset puts UTF-8 in use.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\DefaultSearchProviderEncodings\1 = "UTF-8" Software\Policies\Google\Chrome\DefaultSearchProviderEncodings\2 = "UTF-16" Software\Policies\Google\Chrome\DefaultSearchProviderEncodings\3 = "GB2312" Software\Policies\Google\Chrome\DefaultSearchProviderEncodings\4 = "ISO-8859-1"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings\1 = "UTF-8" Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings\2 = "UTF-16" Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings\3 = "GB2312" Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings\4 = "ISO-8859-1"
Android/Linux:
[ "UTF-8", "UTF-16", "GB2312", "ISO-8859-1" ]
Mac:
<array> <string>UTF-8</string> <string>UTF-16</string> <string>GB2312</string> <string>ISO-8859-1</string> </array>
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderEncodingsDesc" value="1&#xF000;UTF-8&#xF000;2&#xF000;UTF-16&#xF000;3&#xF000;GB2312&#xF000;4&#xF000;ISO-8859-1"/>
Back to top

DefaultSearchProviderAlternateURLs

List of alternate URLs for the default search provider
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderAlternateURLs
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderAlternateURLs
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderAlternateURLs
Mac/Linux preference name:
DefaultSearchProviderAlternateURLs
Android restriction name:
DefaultSearchProviderAlternateURLs
Supported on:
  • Google Chrome (Linux) since version 24
  • Google Chrome (Mac) since version 24
  • Google Chrome (Windows) since version 24
  • Google ChromeOS (Google ChromeOS) since version 24
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderAlternateURLs specifies a list of alternate URLs for extracting search terms from the search engine. The URLs should include the string '{searchTerms}'.

Leaving DefaultSearchProviderAlternateURLs unset means no alternate URLs are used to extract search terms.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\DefaultSearchProviderAlternateURLs\1 = "https://search.my.company/suggest#q={searchTerms}" Software\Policies\Google\Chrome\DefaultSearchProviderAlternateURLs\2 = "https://search.my.company/suggest/search#q={searchTerms}"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DefaultSearchProviderAlternateURLs\1 = "https://search.my.company/suggest#q={searchTerms}" Software\Policies\Google\ChromeOS\DefaultSearchProviderAlternateURLs\2 = "https://search.my.company/suggest/search#q={searchTerms}"
Android/Linux:
[ "https://search.my.company/suggest#q={searchTerms}", "https://search.my.company/suggest/search#q={searchTerms}" ]
Mac:
<array> <string>https://search.my.company/suggest#q={searchTerms}</string> <string>https://search.my.company/suggest/search#q={searchTerms}</string> </array>
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderAlternateURLsDesc" value="1&#xF000;https://search.my.company/suggest#q={searchTerms}&#xF000;2&#xF000;https://search.my.company/suggest/search#q={searchTerms}"/>
Back to top

DefaultSearchProviderImageURL

Parameter providing search-by-image feature for the default search provider
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderImageURL
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderImageURL
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderImageURL
Mac/Linux preference name:
DefaultSearchProviderImageURL
Android restriction name:
DefaultSearchProviderImageURL
Supported on:
  • Google Chrome (Linux) since version 29
  • Google Chrome (Mac) since version 29
  • Google Chrome (Windows) since version 29
  • Google ChromeOS (Google ChromeOS) since version 29
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderImageURL specifies the URL of the search engine used for image search. (If DefaultSearchProviderImageURLPostParams is set, then image search requests use the POST method instead.)

Leaving DefaultSearchProviderImageURL unset means no image search is used.

Example value:
"https://search.my.company/searchbyimage/upload"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderImageURL" value="https://search.my.company/searchbyimage/upload"/>
Back to top

DefaultSearchProviderNewTabURL

Default search provider new tab page URL
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderNewTabURL
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderNewTabURL
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderNewTabURL
Mac/Linux preference name:
DefaultSearchProviderNewTabURL
Android restriction name:
DefaultSearchProviderNewTabURL
Supported on:
  • Google Chrome (Linux) since version 30
  • Google Chrome (Mac) since version 30
  • Google Chrome (Windows) since version 30
  • Google ChromeOS (Google ChromeOS) since version 30
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderNewTabURL specifies the URL of the search engine used to provide a New Tab page.

Leaving DefaultSearchProviderNewTabURL unset means no new tab page is provided.

Example value:
"https://search.my.company/newtab"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderNewTabURL" value="https://search.my.company/newtab"/>
Back to top

DefaultSearchProviderSearchURLPostParams

Parameters for search URL which uses POST
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderSearchURLPostParams
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderSearchURLPostParams
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderSearchURLPostParams
Mac/Linux preference name:
DefaultSearchProviderSearchURLPostParams
Android restriction name:
DefaultSearchProviderSearchURLPostParams
Supported on:
  • Google Chrome (Linux) since version 29
  • Google Chrome (Mac) since version 29
  • Google Chrome (Windows) since version 29
  • Google ChromeOS (Google ChromeOS) since version 29
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSearchURLPostParams specifies the parameters when searching a URL with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as '{searchTerms}', real search terms data replaces it.

Leaving DefaultSearchProviderSearchURLPostParams unset means search requests are sent using the GET method.

Example value:
"q={searchTerms},ie=utf-8,oe=utf-8"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderSearchURLPostParams" value="q={searchTerms},ie=utf-8,oe=utf-8"/>
Back to top

DefaultSearchProviderSuggestURLPostParams

Parameters for suggest URL which uses POST
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderSuggestURLPostParams
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderSuggestURLPostParams
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderSuggestURLPostParams
Mac/Linux preference name:
DefaultSearchProviderSuggestURLPostParams
Android restriction name:
DefaultSearchProviderSuggestURLPostParams
Supported on:
  • Google Chrome (Linux) since version 29
  • Google Chrome (Mac) since version 29
  • Google Chrome (Windows) since version 29
  • Google ChromeOS (Google ChromeOS) since version 29
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSuggestURLPostParams specifies the parameters during suggestion search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as '{searchTerms}', real search terms data replaces it.

Leaving DefaultSearchProviderSuggestURLPostParams unset unset means suggest search requests are sent using the GET method.

Example value:
"q={searchTerms},ie=utf-8,oe=utf-8"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderSuggestURLPostParams" value="q={searchTerms},ie=utf-8,oe=utf-8"/>
Back to top

DefaultSearchProviderImageURLPostParams

Parameters for image URL which uses POST
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderImageURLPostParams
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~DefaultSearchProvider\DefaultSearchProviderImageURLPostParams
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderImageURLPostParams
Mac/Linux preference name:
DefaultSearchProviderImageURLPostParams
Android restriction name:
DefaultSearchProviderImageURLPostParams
Supported on:
  • Google Chrome (Linux) since version 29
  • Google Chrome (Mac) since version 29
  • Google Chrome (Windows) since version 29
  • Google ChromeOS (Google ChromeOS) since version 29
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderImageURLPostParams specifies the parameters during image search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as {imageThumbnail}, real image thumbnail data replaces it.

Leaving DefaultSearchProviderImageURLPostParams unset means image search request is sent using the GET method.

Example value:
"content={imageThumbnail},url={imageURL},sbisrc={SearchSource}"
Windows (Intune):
<enabled/>
<data id="DefaultSearchProviderImageURLPostParams" value="content={imageThumbnail},url={imageURL},sbisrc={SearchSource}"/>
Back to top

Device update settings

Controls how and when Google Chrome OS updates are applied.
Back to top

ChromeOsReleaseChannel

Release channel
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ChromeOsReleaseChannel
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes
Description:

Specifies the release channel that this device should be locked to.

Setting ChromeOsReleaseChannel only has an effect if ChromeOsReleaseChannelDelegated is set to False.

  • "stable-channel" = Stable channel
  • "beta-channel" = Beta channel
  • "dev-channel" = Dev channel (may be unstable)
Example value:
"stable-channel"
Back to top

ChromeOsReleaseChannelDelegated

Users may configure the Google Chrome OS release channel
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ChromeOsReleaseChannelDelegated
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 19
Supported features:
Dynamic Policy Refresh: Yes
Description:

Users are only allowed to change the release channel of the device if this policy is set to True. If this policy is False or not set, users are not allowed to change the channel.

Setting ChromeOsReleaseChannel only has an effect if ChromeOsReleaseChannelDelegated is set to False.

Example value:
0x00000000 (Windows)
Back to top

DeviceAutoUpdateDisabled

Disable Auto Update
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAutoUpdateDisabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 19
Supported features:
Dynamic Policy Refresh: Yes
Description:

Disables automatic updates when set to True.

Google Chrome OS devices automatically check for updates when this setting is not configured or set to False.

Warning: It is recommended to keep auto-updates enabled so that users receive software updates and critical security fixes. Turning off auto-updates might leave users at risk.

Example value:
0x00000001 (Windows)
Back to top

DeviceAutoUpdateP2PEnabled

Auto update P2P enabled
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAutoUpdateP2PEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 31
Supported features:
Dynamic Policy Refresh: Yes
Description:

Specifies whether P2P is to be used for OS update payloads. If set to True, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device will fall back to downloading from an update server. If set to False, P2P will not be used.

NOTE: The default behavior for consumer and enterprise devices differs: on managed devices P2P will be enabled, while on non-managed devices it will not be enabled.

Example value:
0x00000000 (Windows)
Back to top

DeviceAutoUpdateTimeRestrictions

Update Time Restrictions
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAutoUpdateTimeRestrictions
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 69
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy controls the time frames during which the Google Chrome OS device is not allowed to check for updates automatically. When this policy is set to a non-empty list of time intervals: Devices will not be able to check for updates automatically during the specified time intervals. Devices that require an enterprise rollback or are below the minimum Google Chrome OS version will not be affected by this policy due to potential security issues. Furthermore, this policy will not block update checks requested by users or administrators. Starting from M88, this policy cancels an ongoing update when a restricted time interval is reached. The next auto update after the restricted time interval ends will automatically resume the update. Devices updating to a Quick Fix Build will not be affected by this policy. When this policy is unset or contains no time intervals: No automatic update checks will be blocked by this policy, but they may be blocked by other policies. Till M88, this feature is only enabled on Google Chrome OS devices configured as auto-launch kiosks. Other devices will not be restricted by this policy. However starting from M89, this policy is enabled on all Google Chrome OS devices.

Schema:
{ "items": { "description": "Time interval that spans at most one week. If the start time is later than the end time, then the interval will wrap around.", "properties": { "end": { "$ref": "DisallowedTimeInterval", "description": "End of the interval, exclusive." }, "start": { "description": "Start time of the interval, inclusive.", "id": "DisallowedTimeInterval", "properties": { "day_of_week": { "description": "Day of the week for the interval.", "enum": [ "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday" ], "type": "string" }, "hours": { "description": "Hours elapsed since the start of the day in (24 hour format).", "maximum": 23, "minimum": 0, "type": "integer" }, "minutes": { "description": "Minutes elapsed in the current hour.", "maximum": 59, "minimum": 0, "type": "integer" } }, "required": [ "day_of_week", "minutes", "hours" ], "type": "object" } }, "required": [ "start", "end" ], "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceAutoUpdateTimeRestrictions = [ { "end": { "day_of_week": "Thursday", "hours": 2, "minutes": 30 }, "start": { "day_of_week": "Monday", "hours": 3, "minutes": 50 } }, { "end": { "day_of_week": "Sunday", "hours": 15, "minutes": 10 }, "start": { "day_of_week": "Thursday", "hours": 3, "minutes": 30 } } ]
Back to top

DeviceTargetVersionPrefix

Target Auto Update Version
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceTargetVersionPrefix
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 19
Supported features:
Dynamic Policy Refresh: Yes
Description:

Sets a target version for Auto Updates.

Specifies the prefix of a target version Google Chrome OS should update to. If the device is running a version that's before the specified prefix, it will update to the latest version with the given prefix. If the device is already on a later version, effects depend on the value of DeviceRollbackToTargetVersion. The prefix format works component-wise as is demonstrated in the following example:

"" (or not configured): update to latest version available. "1412.": update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2) "1412.2.": update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2) "1412.24.34": update to this specific version only

Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version prefix might leave users at risk.

Example value:
"1412."
Back to top

DeviceTargetVersionSelector

Allow devices to select a specific version to update to
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceTargetVersionSelector
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 95
Supported features:
Dynamic Policy Refresh: Yes
Description:

This setting allows devices to select a specific target version of Google Chrome OS they will update to.

If not set, devices will update according to other settings or to the latest available version.

If set, devices will update up to a selected version.

The exact format of this policy value is an implementation detail of the update service and may change. The policy value is not processed on the device.

If used together with DeviceTargetVersionPrefix, this policy will be checked first by update service. Unlike DeviceTargetVersionPrefix (which may allow minor updates), devices will stay on the selected version until the value of this policy is changed.

If used together with DeviceRollbackToTargetVersion, device version can be reverted to a specific previous version.

Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version might leave users at risk.

Example value:
"0,1626155736-"
Back to top

DeviceUpdateStagingSchedule

The staging schedule for applying a new update
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceUpdateStagingSchedule
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 69
Supported features:
Dynamic Policy Refresh: Yes
Description:

This policy defines a list of percentages that will define the fraction of Google Chrome OS devices in the OU to update per day starting from the day the update is first discovered. The discovery time is later than the update published time, since it could be a while after the update publishing until the device checks for updates.

Each (day, percentage) pair contains which percentage of the fleet has to be updated by the given number of days since the update has been discovered. For example, if we have the pairs [(4, 40), (10, 70), (15, 100)], then 40% of the fleet should have been updated 4 days after seeing the update. 70% should be updated after 10 days, and so on.

If there is a value defined for this policy, updates will ignore the DeviceUpdateScatterFactor policy and follow this policy instead.

If this list is empty, there will be no staging and updates will be applied according to other device policies.

This policy does not apply for channel switches.

Schema:
{ "items": { "description": "Contains the number of days and the percentage of the fleet that should be updated after those days have passed.", "id": "DayPercentagePair", "properties": { "days": { "description": "Days from update discovery.", "maximum": 28, "minimum": 1, "type": "integer" }, "percentage": { "description": "Percentage of the fleet that should be updated after the given days.", "maximum": 100, "minimum": 0, "type": "integer" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceUpdateStagingSchedule = [ { "days": 7, "percentage": 50 }, { "days": 10, "percentage": 100 } ]
Back to top

DeviceUpdateScatterFactor

Auto update scatter factor
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceUpdateScatterFactor
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 20
Supported features:
Dynamic Policy Refresh: Yes
Description:

Specifies the number of seconds up to which a device may randomly delay its download of an update from the time the update was first pushed out to the server. The device may wait a portion of this time in terms of wall-clock-time and the remaining portion in terms of the number of update checks. In any case, the scatter is upper bounded to a constant amount of time so that a device does not ever get stuck waiting to download an update forever.

Example value:
0x00001c20 (Windows)
Back to top

DeviceUpdateAllowedConnectionTypes

Connection types allowed for updates
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceUpdateAllowedConnectionTypes
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 21
Supported features:
Dynamic Policy Refresh: Yes
Description:

The types of connections that are allowed to use for OS updates. OS updates potentially put heavy strain on the connection due to their size and may incur additional cost. Therefore, they are by default not enabled for connection types that are considered expensive (currently only "cellular").

The recognized connection type identifiers are "ethernet", "wifi", and "cellular".

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceUpdateAllowedConnectionTypes\1 = "ethernet"
Back to top

DeviceUpdateHttpDownloadsEnabled

Allow autoupdate downloads via HTTP
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceUpdateHttpDownloadsEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes
Description:

Auto-update payloads on Google Chrome OS can be downloaded via HTTP instead of HTTPS. This allows transparent HTTP caching of HTTP downloads.

If this policy is set to true, Google Chrome OS will attempt to download auto-update payloads via HTTP. If the policy is set to false or not set, HTTPS will be used for downloading auto-update payloads.

Example value:
0x00000001 (Windows)
Back to top

RebootAfterUpdate

Automatically reboot after update
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RebootAfterUpdate
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes
Description:

Schedule an automatic reboot after a Google Chrome OS update has been applied.

When this policy is set to true, an automatic reboot is scheduled when a Google Chrome OS update has been applied and a reboot is required to complete the update process. The reboot is scheduled immediately but may be delayed on the device by up to 24 hours if a user is currently using the device.

When this policy is set to false, no automatic reboot is scheduled after applying a Google Chrome OS update. The update process is completed when the user next reboots the device.

If you set this policy, users cannot change or override it.

Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress. This will change in the future and the policy will always apply, regardless of whether a session of any particular type is in progress or not.

Example value:
0x00000001 (Windows)
Back to top

DeviceRollbackToTargetVersion

Rollback to target version
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceRollbackToTargetVersion
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 67
Supported features:
Dynamic Policy Refresh: Yes
Description:

Specifies whether the device should roll back to the version set by DeviceTargetVersionPrefix if it's already running a later version.

Default is RollbackDisabled.

  • 1 = Do not roll back to target version if OS version is newer than target. Updates are also disabled.
  • 2 = Roll back and stay on target version if OS version is newer than target. Do a powerwash during the process.
  • 3 = Roll back and stay on target version if OS version is newer than target. Try to carry over device-level configuration (including network credentials) through the rollback process, if possible, but do the rollback with full powerwash even if restoring the data is not possible (because the target version doesn't support restoring data or because of a backward-incompatible change). Supported on Google Chrome OS version 75 and higher. For older clients, this value means that rollback is disabled.
Example value:
0x00000001 (Windows)
Back to top

DeviceRollbackAllowedMilestones

Number of milestones rollback is allowed
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceRollbackAllowedMilestones
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 67
Supported features:
Dynamic Policy Refresh: Yes
Description:

Specifies the minimum number of Google Chrome OS milestones rollback should be allowed starting from the stable version at any time.

Default is 0 for consumer, 4 (approx. half a year) for enterprise enrolled devices.

Setting this policy prevents rollback protection to apply for at least this number of milestones.

Setting this policy to a lower value has a permanent effect: the device MAY not be able to roll back to earlier versions even after the policy is reset to a larger value.

Actual rollback possibilities may also depend on the board and critical vulnerability patches.

Restrictions:
  • Minimum:0
  • Maximum:4
Example value:
0x00000004 (Windows)
Back to top

DeviceQuickFixBuildToken

Provide users with Quick Fix Build
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceQuickFixBuildToken
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy controls whether or not the device should be updated to a Quick Fix Build.

If policy value is set to a token that maps to a Quick Fix Build, the device will be updated to the corresponding Quick Fix Build if the update is not blocked by another policy.

If this policy is not set, or if its value does not map to a Quick Fix Build, then the device won't be updated to a Quick Fix Build. If the device is already running a Quick Fix Build and the policy is not set anymore or its value does not map to a Quick Fix Build anymore, then the device will be updated to a regular build if the update is not blocked by another policy.

Example value:
"sometoken"
Back to top

DeviceMinimumVersion

Configure minimum allowed Google Chrome OS version for the device.
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceMinimumVersion
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Configures the requirement of the minimum allowed version of Google Chrome OS.

When this policy is set to a non-empty list: If none of the entries has a chromeos_version greater than the current version of the device, then no restrictions are applied and the already existing restrictions are revoked. If at least one of the entries has a chromeos_version greater than the current version, the entry whose version is greater and closest to the current version is chosen. In case of conflict, preference is given to the entry with lower warning_period or aue_warning_period and the policy is applied using that entry.

If the current version becomes obsolete during user session and the current network limits auto updates, an on-screen notification is shown to update the device within the warning_period shown in the notification. No notifications are shown if the current network allows auto updates and the device must be updated within the warning_period. The warning_period starts from the time the policy is applied. If the device is not updated till the expiry of the warning_period, the user is signed out of the session. If the current version is found to be obsolete at the time of login with expired warning_period, the user is required to update the device before signing in.

If the current version becomes obsolete during user session and the device has reached auto update expiration, an on-screen notification is shown to return the device within aue_warning_period. If the device is found to have reached auto update expiration at the time of login with expired aue_warning_period, the device is blocked for any user to sign in.

Unmanaged user sessions do not receive notifications and force log out if unmanaged_user_restricted is unset or set to False.

If this policy is not set or set to empty, no restrictions are applied, already existing restrictions are revoked and user can sign in regardless of Google Chrome OS version.

Here chromeos_version can be either an exact version like '13305.0.0' or a version prefix, like '13305'. The warning_period and aue_warning_period are optional values specified in number of days. Default value for them is 0 days, which means that there is no warning period. The unmanaged_user_restricted is an optional property with default value as False.

Schema:
{ "properties": { "requirements": { "items": { "properties": { "aue_warning_period": { "description": "Time in days after auto update expiration post which the user will be signed out if Google Chrome OS version is less than the specified chromeos_version", "minimum": 0, "type": "integer" }, "chromeos_version": { "description": "Minimum allowed Google Chrome OS version", "type": "string" }, "warning_period": { "description": "Time in days after which the user will be signed out if Google Chrome OS version is less than the specified chromeos_version", "minimum": 0, "type": "integer" } }, "required": [ "chromeos_version" ], "type": "object" }, "type": "array" }, "unmanaged_user_restricted": { "description": "A boolean flag indicating whether unmanaged user sessions should receive notifications and force log out if update is required as per this policy.", "type": "boolean" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceMinimumVersion = { "requirements": [ { "aue_warning_period": 14, "chromeos_version": "12215", "warning_period": 0 }, { "aue_warning_period": 21, "chromeos_version": "13315.60.12", "warning_period": 10 } ], "unmanaged_user_restricted": true }
Back to top

DeviceMinimumVersionAueMessage

Configure auto update expiration message for DeviceMinimumVersion policy
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceMinimumVersionAueMessage
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy is only effective when the device has reached auto update expiration and does not meet the minimum allowed version of Google Chrome OS set through DeviceMinimumVersion policy.

When this policy is set to a non-empty string : If the warning time mentioned in DeviceMinimumVersion policy has expired, this message is shown at the login screen when the device is blocked for any user to sign in. If the warning time mentioned in DeviceMinimumVersion policy has not expired, this message is shown on the Chrome management page after user sign in.

If this policy is not set or set to empty, the default auto update expiration message is shown to the user in both of the above cases. The auto update expiration message must be plain text without any formatting. No markup is allowed.

Example value:
"This device has reached auto update expiration. Kindly return it."
Back to top

Display

Controls display settings.
Back to top

DeviceDisplayResolution

Set display resolution and scale factor
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceDisplayResolution
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy sets the resolution and scale factor for each display. External display settings apply to connected displays. (The policy doesn't apply if a display doesn't support the specified resolution or scale.)

Setting external_use_native to True means the policy ignores external_width and external_height and sets external displays to their native resolution. Setting external_use_native to False or leaving it and external_width or external_height unset means the policy doesn't affect external displays.

Setting the recommended flag to True lets users change resolution and scale factor of any display through the settings page, but their settings change back at the next reboot. Setting the recommended flag to False or leaving it unset means users can't change the display settings.

Note: Set external_width and external_height in pixels and external_scale_percentage and internal_scale_percentage in percents.

Schema:
{ "properties": { "external_height": { "minimum": 1, "type": "integer" }, "external_scale_percentage": { "minimum": 1, "type": "integer" }, "external_use_native": { "type": "boolean" }, "external_width": { "minimum": 1, "type": "integer" }, "internal_scale_percentage": { "minimum": 1, "type": "integer" }, "recommended": { "type": "boolean" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceDisplayResolution = { "external_height": 1080, "external_scale_percentage": 100, "external_use_native": false, "external_width": 1920, "internal_scale_percentage": 150, "recommended": true }
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Display
Back to top

DisplayRotationDefault

Set default display rotation, reapplied on every reboot
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DisplayRotationDefault
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 48
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy has each display rotate to the specified orientation on every reboot and the first time it's connected after the policy value changes. Users may change the display rotation through the settings page after signing in, but it changes back at the next reboot. This policy applies to primary and secondary displays.

If not set, the default value is 0 degrees and users are free to change it. In this case, the default value isn't reapplied at restart.

  • 0 = Rotate screen by 0 degrees
  • 1 = Rotate screen clockwise by 90 degrees
  • 2 = Rotate screen by 180 degrees
  • 3 = Rotate screen clockwise by 270 degrees
Example value:
0x00000001 (Windows)
Back to top

Extensions

Configures extension-related policies. The user is not allowed to install blocked extensions unless they are whitelisted. You can also force Google Chrome to automatically install extensions by specifying them in ExtensionInstallForcelist. Force-installed extensions are installed regardless whether they are present in the blocklist.
Back to top

ExtensionInstallAllowlist

Configure extension installation allow list
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExtensionInstallAllowlist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Extensions\ExtensionInstallAllowlist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExtensionInstallAllowlist
Mac/Linux preference name:
ExtensionInstallAllowlist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies which extensions are not subject to the blocklist.

A blocklist value of * means all extensions are blocked and users can only install extensions listed in the allow list.

By default, all extensions are allowed. But, if you prohibited extensions by policy, use the list of allowed extensions to change that policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ExtensionInstallAllowlist\1 = "extension_id1" Software\Policies\Google\Chrome\ExtensionInstallAllowlist\2 = "extension_id2"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExtensionInstallAllowlist\1 = "extension_id1" Software\Policies\Google\ChromeOS\ExtensionInstallAllowlist\2 = "extension_id2"
Android/Linux:
[ "extension_id1", "extension_id2" ]
Mac:
<array> <string>extension_id1</string> <string>extension_id2</string> </array>
Windows (Intune):
<enabled/>
<data id="ExtensionInstallAllowlistDesc" value="1&#xF000;extension_id1&#xF000;2&#xF000;extension_id2"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Extensions
Back to top

ExtensionInstallBlocklist

Configure extension installation blocklist
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExtensionInstallBlocklist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Extensions\ExtensionInstallBlocklist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExtensionInstallBlocklist
Mac/Linux preference name:
ExtensionInstallBlocklist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to specify which extensions the users can NOT install. Extensions already installed will be disabled if blocked, without a way for the user to enable them. Once an extension disabled due to the blocklist is removed from it, it will automatically get re-enabled.

A blocklist value of '*' means all extensions are blocked unless they are explicitly listed in the allowlist.

If this policy is left not set the user can install any extension in Google Chrome.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ExtensionInstallBlocklist\1 = "extension_id1" Software\Policies\Google\Chrome\ExtensionInstallBlocklist\2 = "extension_id2"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExtensionInstallBlocklist\1 = "extension_id1" Software\Policies\Google\ChromeOS\ExtensionInstallBlocklist\2 = "extension_id2"
Android/Linux:
[ "extension_id1", "extension_id2" ]
Mac:
<array> <string>extension_id1</string> <string>extension_id2</string> </array>
Windows (Intune):
<enabled/>
<data id="ExtensionInstallBlocklistDesc" value="1&#xF000;extension_id1&#xF000;2&#xF000;extension_id2"/>
Back to top

ExtensionInstallForcelist

Configure the list of force-installed apps and extensions
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExtensionInstallForcelist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Extensions\ExtensionInstallForcelist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExtensionInstallForcelist
Mac/Linux preference name:
ExtensionInstallForcelist
Supported on:
  • Google Chrome (Linux) since version 9
  • Google Chrome (Mac) since version 9
  • Google Chrome (Windows) since version 9
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies a list of apps and extensions that install silently, without user interaction, and which users can't uninstall or turn off. Permissions are granted implicitly, including for the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. (These 2 APIs aren't available to apps and extensions that aren't force-installed.)

Leaving the policy unset means no apps or extensions are autoinstalled, and users can uninstall any app or extension in Google Chrome.

This policy superseeds ExtensionInstallBlocklist policy. If a previously force-installed app or extension is removed from this list, Google Chrome automatically uninstalls it.

On Microsoft® Windows® instances, apps and extensions from outside the Chrome Web Store can only be forced installed if the instance is joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.

On macOS instances, apps and extensions from outside the Chrome Web Store can only be force installed if the instance is managed via MDM, or joined to a domain via MCX.

The source code of any extension may be altered by users through developer tools, potentially rendering the extension dysfunctional. If this is a concern, set the DeveloperToolsDisabled policy.

Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found, for example, on chrome://extensions when in Developer mode. If specified, the "update" URL should point to an Update Manifest XML document ( https://developer.chrome.com/extensions/autoupdate ). By default, the Chrome Web Store's update URL is used. The "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest.

Note: This policy doesn't apply to Incognito mode. Read about hosting extensions ( https://developer.chrome.com/extensions/hosting ).

Note for Google Chrome OS devices supporting Android apps:

Android apps can be force-installed from the Google Admin console using Google Play. They do not use this policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ExtensionInstallForcelist\1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx" Software\Policies\Google\Chrome\ExtensionInstallForcelist\2 = "abcdefghijklmnopabcdefghijklmnop"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExtensionInstallForcelist\1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx" Software\Policies\Google\ChromeOS\ExtensionInstallForcelist\2 = "abcdefghijklmnopabcdefghijklmnop"
Android/Linux:
[ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx", "abcdefghijklmnopabcdefghijklmnop" ]
Mac:
<array> <string>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx</string> <string>abcdefghijklmnopabcdefghijklmnop</string> </array>
Windows (Intune):
<enabled/>
<data id="ExtensionInstallForcelistDesc" value="1&#xF000;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;abcdefghijklmnopabcdefghijklmnop"/>
Back to top

ExtensionInstallSources

Configure extension, app, and user script install sources
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExtensionInstallSources
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Extensions\ExtensionInstallSources
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExtensionInstallSources
Mac/Linux preference name:
ExtensionInstallSources
Supported on:
  • Google Chrome (Linux) since version 21
  • Google Chrome (Mac) since version 21
  • Google Chrome (Windows) since version 21
  • Google ChromeOS (Google ChromeOS) since version 21
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies which URLs may install extensions, apps, and themes. Before Google Chrome 21, users could click on a link to a *.crx file, and Google Chrome would offer to install the file after a few warnings. Afterwards, such files must be downloaded and dragged to the Google Chrome settings page. This setting allows specific URLs to have the old, easier installation flow.

Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users can easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (the referrer) must be allowed by these patterns.

ExtensionInstallBlocklist takes precedence over this policy. That is, an extension on the blocklist won't be installed, even if it happens from a site on this list.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ExtensionInstallSources\1 = "https://corp.mycompany.com/*"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExtensionInstallSources\1 = "https://corp.mycompany.com/*"
Android/Linux:
[ "https://corp.mycompany.com/*" ]
Mac:
<array> <string>https://corp.mycompany.com/*</string> </array>
Windows (Intune):
<enabled/>
<data id="ExtensionInstallSourcesDesc" value="1&#xF000;https://corp.mycompany.com/*"/>
Back to top

ExtensionAllowedTypes

Configure allowed app/extension types
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExtensionAllowedTypes
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Extensions\ExtensionAllowedTypes
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExtensionAllowedTypes
Mac/Linux preference name:
ExtensionAllowedTypes
Supported on:
  • Google Chrome (Linux) since version 25
  • Google Chrome (Mac) since version 25
  • Google Chrome (Windows) since version 25
  • Google ChromeOS (Google ChromeOS) since version 25
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy controls which apps and extensions may be installed in Google Chrome, which hosts they can interact with, and limits runtime access.

Leaving the policy unset results in no restrictions on the acceptable extension and app types.

Extensions and apps which have a type that's not on the list won't be installed. Each value should be one of these strings:

* "extension"

* "theme"

* "user_script"

* "hosted_app"

* "legacy_packaged_app"

* "platform_app"

See the Google Chrome extensions documentation for more information on these types.

Versions earlier than 75 that use multiple comma separated extension IDs aren't supported and are skipped. The rest of the policy applies.

Note: This policy also affects extensions and apps to be force-installed using ExtensionInstallForcelist.

  • "extension" = Extension
  • "theme" = Theme
  • "user_script" = User script
  • "hosted_app" = Hosted app
  • "legacy_packaged_app" = Legacy packaged app
  • "platform_app" = Platform app
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ExtensionAllowedTypes\1 = "hosted_app"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExtensionAllowedTypes\1 = "hosted_app"
Android/Linux:
[ "hosted_app" ]
Mac:
<array> <string>hosted_app</string> </array>
Windows (Intune):
<enabled/>
<data id="ExtensionAllowedTypes" value=""hosted_app""/>
Back to top

ExtensionSettings

Extension management settings
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExtensionSettings
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Extensions\ExtensionSettings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExtensionSettings
Mac/Linux preference name:
ExtensionSettings
Supported on:
  • Google Chrome (Linux) since version 62
  • Google Chrome (Mac) since version 62
  • Google Chrome (Windows) since version 62
  • Google ChromeOS (Google ChromeOS) since version 62
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy controls extension management settings for Google Chrome, including any controlled by existing extension-related policies. The policy supersedes any legacy policies that might be set.

This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID "*", which applies to all extensions without a custom configuration in this policy. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest ( http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy ). If the 'override_update_url' flag is set to true, the extension is installed and updated using the "update" URL specified in the ExtensionInstallForcelist policy or in 'update_url' field in this policy. The flag 'override_update_url' is ignored if the 'update_url' is a Chrome Web Store url.

Note: For Microsoft® Windows® instances not joined to a Microsoft® Active Directory® domain and macOS instances not managed via MDM or joined to a domain via MCX, forced installation is limited to apps and extensions listed in the Chrome Web Store.

Schema:
{ "patternProperties": { "^[a-p]{32}(?:,[a-p]{32})*,?$": { "properties": { "allowed_permissions": { "$ref": "ListOfPermissions" }, "blocked_install_message": { "description": "text that will be displayed to the user in the chrome webstore if installation is blocked.", "type": "string" }, "blocked_permissions": { "id": "ListOfPermissions", "items": { "pattern": "^[a-z][a-zA-Z0-9.]*$", "type": "string" }, "type": "array" }, "installation_mode": { "enum": [ "blocked", "allowed", "force_installed", "normal_installed", "removed" ], "type": "string" }, "minimum_version_required": { "pattern": "^[0-9]+([.][0-9]+)*$", "type": "string" }, "override_update_url": { "type": "boolean" }, "runtime_allowed_hosts": { "$ref": "ListOfUrlPatterns" }, "runtime_blocked_hosts": { "id": "ListOfUrlPatterns", "items": { "type": "string" }, "type": "array" }, "toolbar_pin": { "enum": [ "force_pinned", "default_unpinned" ], "type": "string" }, "update_url": { "type": "string" } }, "type": "object" }, "^update_url:": { "properties": { "allowed_permissions": { "$ref": "ListOfPermissions" }, "blocked_permissions": { "$ref": "ListOfPermissions" }, "installation_mode": { "enum": [ "blocked", "allowed", "removed" ], "type": "string" } }, "type": "object" } }, "properties": { "*": { "properties": { "allowed_types": { "$ref": "ExtensionAllowedTypes" }, "blocked_install_message": { "type": "string" }, "blocked_permissions": { "$ref": "ListOfPermissions" }, "install_sources": { "$ref": "ExtensionInstallSources" }, "installation_mode": { "enum": [ "blocked", "allowed", "removed" ], "type": "string" }, "runtime_allowed_hosts": { "$ref": "ListOfUrlPatterns" }, "runtime_blocked_hosts": { "$ref": "ListOfUrlPatterns" } }, "type": "object" } }, "type": "object" }
Expanded schema description:
https://www.chromium.org/administrators/policy-list-3/extension-settings-full
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ExtensionSettings = { "*": { "allowed_types": [ "hosted_app" ], "blocked_install_message": "Custom error message.", "blocked_permissions": [ "downloads", "bookmarks" ], "install_sources": [ "https://company-intranet/chromeapps" ], "installation_mode": "blocked", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ] }, "abcdefghijklmnopabcdefghijklmnop": { "blocked_permissions": [ "history" ], "installation_mode": "allowed", "minimum_version_required": "1.0.1", "toolbar_pin": "force_pinned" }, "bcdefghijklmnopabcdefghijklmnopa": { "allowed_permissions": [ "downloads" ], "installation_mode": "force_installed", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ], "update_url": "https://example.com/update_url" }, "cdefghijklmnopabcdefghijklmnopab": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "fghijklmnopabcdefghijklmnopabcde": { "blocked_install_message": "Custom removal message.", "installation_mode": "removed" }, "ghijklmnopabcdefghijklmnopabcdef": { "installation_mode": "force_installed", "override_update_url": true, "update_url": "https://example.com/update_url" }, "update_url:https://www.example.com/update.xml": { "allowed_permissions": [ "downloads" ], "blocked_permissions": [ "wallpaper" ], "installation_mode": "allowed" } }
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExtensionSettings = { "*": { "allowed_types": [ "hosted_app" ], "blocked_install_message": "Custom error message.", "blocked_permissions": [ "downloads", "bookmarks" ], "install_sources": [ "https://company-intranet/chromeapps" ], "installation_mode": "blocked", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ] }, "abcdefghijklmnopabcdefghijklmnop": { "blocked_permissions": [ "history" ], "installation_mode": "allowed", "minimum_version_required": "1.0.1", "toolbar_pin": "force_pinned" }, "bcdefghijklmnopabcdefghijklmnopa": { "allowed_permissions": [ "downloads" ], "installation_mode": "force_installed", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ], "update_url": "https://example.com/update_url" }, "cdefghijklmnopabcdefghijklmnopab": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "fghijklmnopabcdefghijklmnopabcde": { "blocked_install_message": "Custom removal message.", "installation_mode": "removed" }, "ghijklmnopabcdefghijklmnopabcdef": { "installation_mode": "force_installed", "override_update_url": true, "update_url": "https://example.com/update_url" }, "update_url:https://www.example.com/update.xml": { "allowed_permissions": [ "downloads" ], "blocked_permissions": [ "wallpaper" ], "installation_mode": "allowed" } }
Android/Linux:
ExtensionSettings: { "*": { "allowed_types": [ "hosted_app" ], "blocked_install_message": "Custom error message.", "blocked_permissions": [ "downloads", "bookmarks" ], "install_sources": [ "https://company-intranet/chromeapps" ], "installation_mode": "blocked", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ] }, "abcdefghijklmnopabcdefghijklmnop": { "blocked_permissions": [ "history" ], "installation_mode": "allowed", "minimum_version_required": "1.0.1", "toolbar_pin": "force_pinned" }, "bcdefghijklmnopabcdefghijklmnopa": { "allowed_permissions": [ "downloads" ], "installation_mode": "force_installed", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ], "update_url": "https://example.com/update_url" }, "cdefghijklmnopabcdefghijklmnopab": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "fghijklmnopabcdefghijklmnopabcde": { "blocked_install_message": "Custom removal message.", "installation_mode": "removed" }, "ghijklmnopabcdefghijklmnopabcdef": { "installation_mode": "force_installed", "override_update_url": true, "update_url": "https://example.com/update_url" }, "update_url:https://www.example.com/update.xml": { "allowed_permissions": [ "downloads" ], "blocked_permissions": [ "wallpaper" ], "installation_mode": "allowed" } }
Mac:
<key>ExtensionSettings</key> <dict> <key>*</key> <dict> <key>allowed_types</key> <array> <string>hosted_app</string> </array> <key>blocked_install_message</key> <string>Custom error message.</string> <key>blocked_permissions</key> <array> <string>downloads</string> <string>bookmarks</string> </array> <key>install_sources</key> <array> <string>https://company-intranet/chromeapps</string> </array> <key>installation_mode</key> <string>blocked</string> <key>runtime_allowed_hosts</key> <array> <string>*://good.example.com</string> </array> <key>runtime_blocked_hosts</key> <array> <string>*://*.example.com</string> </array> </dict> <key>abcdefghijklmnopabcdefghijklmnop</key> <dict> <key>blocked_permissions</key> <array> <string>history</string> </array> <key>installation_mode</key> <string>allowed</string> <key>minimum_version_required</key> <string>1.0.1</string> <key>toolbar_pin</key> <string>force_pinned</string> </dict> <key>bcdefghijklmnopabcdefghijklmnopa</key> <dict> <key>allowed_permissions</key> <array> <string>downloads</string> </array> <key>installation_mode</key> <string>force_installed</string> <key>runtime_allowed_hosts</key> <array> <string>*://good.example.com</string> </array> <key>runtime_blocked_hosts</key> <array> <string>*://*.example.com</string> </array> <key>update_url</key> <string>https://example.com/update_url</string> </dict> <key>cdefghijklmnopabcdefghijklmnopab</key> <dict> <key>blocked_install_message</key> <string>Custom error message.</string> <key>installation_mode</key> <string>blocked</string> </dict> <key>defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd</key> <dict> <key>blocked_install_message</key> <string>Custom error message.</string> <key>installation_mode</key> <string>blocked</string> </dict> <key>fghijklmnopabcdefghijklmnopabcde</key> <dict> <key>blocked_install_message</key> <string>Custom removal message.</string> <key>installation_mode</key> <string>removed</string> </dict> <key>ghijklmnopabcdefghijklmnopabcdef</key> <dict> <key>installation_mode</key> <string>force_installed</string> <key>override_update_url</key> <true/> <key>update_url</key> <string>https://example.com/update_url</string> </dict> <key>update_url:https://www.example.com/update.xml</key> <dict> <key>allowed_permissions</key> <array> <string>downloads</string> </array> <key>blocked_permissions</key> <array> <string>wallpaper</string> </array> <key>installation_mode</key> <string>allowed</string> </dict> </dict>
Windows (Intune):
<enabled/>
<data id="ExtensionSettings" value=""abcdefghijklmnopabcdefghijklmnop": {"installation_mode": "allowed", "blocked_permissions": ["history"], "minimum_version_required": "1.0.1", "toolbar_pin": "force_pinned"}, "bcdefghijklmnopabcdefghijklmnopa": {"installation_mode": "force_installed", "update_url": "https://example.com/update_url", "allowed_permissions": ["downloads"], "runtime_blocked_hosts": ["*://*.example.com"], "runtime_allowed_hosts": ["*://good.example.com"]}, "cdefghijklmnopabcdefghijklmnopab": {"installation_mode": "blocked", "blocked_install_message": "Custom error message."}, "defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd": {"installation_mode": "blocked", "blocked_install_message": "Custom error message."}, "update_url:https://www.example.com/update.xml": {"blocked_permissions": ["wallpaper"], "allowed_permissions": ["downloads"], "installation_mode": "allowed"}, "fghijklmnopabcdefghijklmnopabcde": {"installation_mode": "removed", "blocked_install_message": "Custom removal message."}, "ghijklmnopabcdefghijklmnopabcdef": {"installation_mode": "force_installed", "update_url": "https://example.com/update_url", "override_update_url": true}, "*": {"installation_mode": "blocked", "blocked_permissions": ["downloads", "bookmarks"], "install_sources": ["https://company-intranet/chromeapps"], "allowed_types": ["hosted_app"], "runtime_blocked_hosts": ["*://*.example.com"], "runtime_allowed_hosts": ["*://good.example.com"], "blocked_install_message": "Custom error message."}"/>
Back to top

BlockExternalExtensions

Blocks external extensions from being installed
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BlockExternalExtensions
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Extensions\BlockExternalExtensions
Mac/Linux preference name:
BlockExternalExtensions
Supported on:
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Controls external extensions installation.

Enabling this setting blocks external extensions from being installed.

Disabling this setting or leaving it unset allows external extensions to be installed.

External extensions and their installation are documented at https://developer.chrome.com/apps/external_extensions.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

Gaia user identity management settings

Controls settings for users authenticated againts Gaia without SAML.
Back to top

GaiaOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via GAIA without SAML can log in offline
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\GaiaOfflineSigninTimeLimitDays
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

During login, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).

When this policy is set to a value of -1, this policy will not enforce online authentication and will allow the user to use offline authentication until a different reason than this policy enforces an online login. If the policy is set to a value of 0, online login will always be required. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again in the next sign-in.

Leaving this policy not set will make Google Chrome OS use offline login.

This policy affects only users who authenticated using GAIA without SAML.

The policy value should be specified in days.

Restrictions:
  • Minimum:-1
  • Maximum:365
Example value:
0x00000020 (Windows)
Back to top

Google Assistant

Controls settings for Google Assistant.
Back to top

VoiceInteractionContextEnabled

Allow Google Assistant to access screen context
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VoiceInteractionContextEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled lets Google Assistant access screen context and send that data to a server. Setting the policy to Disabled keeps Google Assistant from screen context.

Leaving the policy unset lets users decide to turn this feature on or off.

Example value:
0x00000001 (Windows)
Back to top

VoiceInteractionHotwordEnabled

Allow Google Assistant to listen for the voice activation phrase
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VoiceInteractionHotwordEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled lets Google Assistant listen for the voice activation phrase. Setting the policy to Disabled keeps Google Assistant from listening for the phrase.

Leaving the policy unset lets users decide to turn this feature on or off.

Example value:
0x00000001 (Windows)
Back to top

AssistantVoiceMatchEnabledDuringOobe

Enable Google Assistant voice match flow
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AssistantVoiceMatchEnabledDuringOobe
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled lets show Google Assistant voice match flow during initial setup. Setting the policy to Disabled keeps Google Assistant from showing voice match flow during initial setup.

Leaving the policy unset means it is Enabled.

Example value:
0x00000001 (Windows)
Back to top

Google Cast

Configure policies for Google Cast, a feature that allows users to send the contents of tabs, sites or the desktop from the browser to remote displays and sound systems.
Back to top

EnableMediaRouter

Enable Google Cast
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\EnableMediaRouter
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~GoogleCast\EnableMediaRouter
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EnableMediaRouter
Mac/Linux preference name:
EnableMediaRouter
Android restriction name:
EnableMediaRouter
Supported on:
  • Google Chrome (Linux) since version 52
  • Google Chrome (Mac) since version 52
  • Google Chrome (Windows) since version 52
  • Google ChromeOS (Google ChromeOS) since version 52
  • Google Chrome (Android) since version 52
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset turns on Google Cast, which users can launch from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.

Setting the policy to Disabled turns off Google Cast.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ShowCastIconInToolbar

Show the Google Cast toolbar icon
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ShowCastIconInToolbar
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~GoogleCast\ShowCastIconInToolbar
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ShowCastIconInToolbar
Mac/Linux preference name:
ShowCastIconInToolbar
Supported on:
  • Google Chrome (Linux) since version 58
  • Google Chrome (Mac) since version 58
  • Google Chrome (Windows) since version 58
  • Google ChromeOS (Google ChromeOS) since version 58
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to Enabled displays the Cast toolbar icon on the toolbar or the overflow menu, and users can't remove it.

Setting the policy to Disabled or leaving it unset lets users pin or remove the icon through its contextual menu.

If the policy EnableMediaRouter is set to Disabled, then this policy's value has no effect, and the toolbar icon doesn't appear.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

Google Drive

Configure Google Drive in Google Chrome OS.
Back to top

DriveDisabled

Disable Drive in the Google Chrome OS Files app
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DriveDisabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 19
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled turns off Google Drive syncing in the Google Chrome OS Files app. No data is uploaded to Drive.

Setting the policy to Disabled or leaving it unset lets users transfer files to Drive.

Note for Google Chrome OS devices supporting Android apps:

This policy does not prevent the user from using the Android Google Drive app. If you want to prevent access to Google Drive, you should disallow installation of the Android Google Drive app as well.

Example value:
0x00000001 (Windows)
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Drive
Back to top

DriveDisabledOverCellular

Disable Google Drive over cellular connections in the Google Chrome OS Files app
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DriveDisabledOverCellular
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 19
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled turns off Google Drive syncing in the Google Chrome OS Files app when on a cellular connection. Data is only synced to Drive when connected through Wi-Fi or Ethernet.

Setting the policy to Disabled or leaving it unset lets users transfer files to Drive on cellular connections.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the Android Google Drive app. If you want to prevent use of Google Drive over cellular connections, you should disallow installation of the Android Google Drive app.

Example value:
0x00000001 (Windows)
Back to top

HTTP authentication

Policies related to integrated HTTP authentication.
Back to top

AuthSchemes

Supported authentication schemes
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AuthSchemes
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~HTTPAuthentication\AuthSchemes
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AuthSchemes
Mac/Linux preference name:
AuthSchemes
Android restriction name:
AuthSchemes
Supported on:
  • Google Chrome (Linux) since version 9
  • Google Chrome (Mac) since version 9
  • Google Chrome (Windows) since version 9
  • Google Chrome (Android) since version 46
  • Google ChromeOS (Google ChromeOS) since version 62
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy specifies which HTTP authentication schemes Google Chrome supports.

Leaving the policy unset employs all 4 schemes.

Valid values:

* basic

* digest

* ntlm

* negotiate

Note: Separate multiple values with commas.

Example value:
"basic,digest,ntlm,negotiate"
Windows (Intune):
<enabled/>
<data id="AuthSchemes" value="basic,digest,ntlm,negotiate"/>
Back to top

AllHttpAuthSchemesAllowedForOrigins

List of origins allowing all HTTP authentication
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AllHttpAuthSchemesAllowedForOrigins
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~HTTPAuthentication\AllHttpAuthSchemesAllowedForOrigins
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllHttpAuthSchemesAllowedForOrigins
Mac/Linux preference name:
AllHttpAuthSchemesAllowedForOrigins
Android restriction name:
AllHttpAuthSchemesAllowedForOrigins
Supported on:
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
  • Google Chrome (Android) since version 100
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy specifies for which origins to allow all the HTTP authentication schemes Google Chrome supports regardless of the AuthSchemes policy.

Format the origin pattern according to this format (https://www.chromium.org/administrators/url-blocklist-filter-format). Up to 1,000 exceptions can be defined in AllHttpAuthSchemesAllowedForOrigins. Wildcards are allowed for the whole origin or parts of the origin, either the scheme, host, port.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\AllHttpAuthSchemesAllowedForOrigins\1 = "*.example.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AllHttpAuthSchemesAllowedForOrigins\1 = "*.example.com"
Android/Linux:
[ "*.example.com" ]
Mac:
<array> <string>*.example.com</string> </array>
Windows (Intune):
<enabled/>
<data id="AllHttpAuthSchemesAllowedForOriginsDesc" value="1&#xF000;*.example.com"/>
Back to top

DisableAuthNegotiateCnameLookup

Disable CNAME lookup when negotiating Kerberos authentication
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DisableAuthNegotiateCnameLookup
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~HTTPAuthentication\DisableAuthNegotiateCnameLookup
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DisableAuthNegotiateCnameLookup
Mac/Linux preference name:
DisableAuthNegotiateCnameLookup
Android restriction name:
DisableAuthNegotiateCnameLookup
Supported on:
  • Google Chrome (Linux) since version 9
  • Google Chrome (Mac) since version 9
  • Google Chrome (Windows) since version 9
  • Google Chrome (Android) since version 46
  • Google ChromeOS (Google ChromeOS) since version 62
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled skips CNAME lookup. The server name is used as entered when generating the Kerberos SPN.

Setting the policy to Disabled or leaving it unset means CNAME lookup determines the canonical name of the server when generating the Kerberos SPN.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

EnableAuthNegotiatePort

Include non-standard port in Kerberos SPN
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\EnableAuthNegotiatePort
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~HTTPAuthentication\EnableAuthNegotiatePort
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EnableAuthNegotiatePort
Mac/Linux preference name:
EnableAuthNegotiatePort
Supported on:
  • Google Chrome (Linux) since version 9
  • Google Chrome (Mac) since version 9
  • Google Chrome (Windows) since version 9
  • Google ChromeOS (Google ChromeOS) since version 62
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled and entering a nonstandard port (in other words, a port other than 80 or 443) includes it in the generated Kerberos SPN.

Setting the policy to Disabled or leaving it unset means the generated Kerberos SPN won't include a port.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

BasicAuthOverHttpEnabled

Allow Basic authentication for HTTP
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BasicAuthOverHttpEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~HTTPAuthentication\BasicAuthOverHttpEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\BasicAuthOverHttpEnabled
Mac/Linux preference name:
BasicAuthOverHttpEnabled
Supported on:
  • Google Chrome (Linux) since version 88
  • Google Chrome (Mac) since version 88
  • Google Chrome (Windows) since version 88
  • Google ChromeOS (Google ChromeOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset will allow Basic authentication challenges received over non-secure HTTP.

Setting the policy to Disabled forbids non-secure HTTP requests from using the Basic authentication scheme; only secure HTTPS is allowed.

This policy setting is ignored (and Basic is always forbidden) if the AuthSchemes policy is set and does not include Basic.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

AuthServerAllowlist

Authentication server allowlist
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AuthServerAllowlist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~HTTPAuthentication\AuthServerAllowlist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AuthServerAllowlist
Mac/Linux preference name:
AuthServerAllowlist
Android restriction name:
AuthServerAllowlist
Android WebView restriction name:
com.android.browser:AuthServerAllowlist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google Chrome (Android) since version 86
  • Android System WebView (Android) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy specifies which servers should be allowed for integrated authentication. Integrated authentication is only on when Google Chrome gets an authentication challenge from a proxy or from a server in this permitted list.

Leaving the policy unset means Google Chrome tries to detect if a server is on the intranet. Only then will it respond to IWA requests. If a server is detected as internet, then Google Chrome ignores IWA requests from it.

Note: Separate multiple server names with commas. Wildcards, *, are allowed.

Example value:
"*.example.com,example.com"
Windows (Intune):
<enabled/>
<data id="AuthServerAllowlist" value="*.example.com,example.com"/>
Back to top

AuthNegotiateDelegateAllowlist

Kerberos delegation server allowlist
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AuthNegotiateDelegateAllowlist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~HTTPAuthentication\AuthNegotiateDelegateAllowlist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AuthNegotiateDelegateAllowlist
Mac/Linux preference name:
AuthNegotiateDelegateAllowlist
Android restriction name:
AuthNegotiateDelegateAllowlist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google Chrome (Android) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy assigns servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards, *, are allowed.

Leaving the policy unset means Google Chrome won't delegate user credentials, even if a server is detected as intranet.

Example value:
"foobar.example.com"
Windows (Intune):
<enabled/>
<data id="AuthNegotiateDelegateAllowlist" value="foobar.example.com"/>
Back to top

AuthNegotiateDelegateByKdcPolicy

Use KDC policy to delegate credentials.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AuthNegotiateDelegateByKdcPolicy
Mac/Linux preference name:
AuthNegotiateDelegateByKdcPolicy
Supported on:
  • Google Chrome (Linux) since version 74
  • Google Chrome (Mac) since version 74
  • Google ChromeOS (Google ChromeOS) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled means HTTP authentication respects approval by KDC policy. In other words, Google Chrome delegates user credentials to the service being accessed if the KDC sets OK-AS-DELEGATE on the service ticket. See RFC 5896 ( https://tools.ietf.org/html/rfc5896.html ). The service should also be allowed by AuthNegotiateDelegateAllowlist.

Setting the policy to Disabled or leaving it unset means KDC policy is ignored on supported platforms and only AuthNegotiateDelegateAllowlist is respected.

On Microsoft® Windows®, KDC policy is always respected.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Back to top

GSSAPILibraryName

GSSAPI library name
Data type:
String
Mac/Linux preference name:
GSSAPILibraryName
Supported on:
  • Google Chrome (Linux) since version 9
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy specifies which GSSAPI library to use for HTTP authentication. Set the policy to either a library name or a full path.

Leaving the policy unset means Google Chrome uses a default library name.

Example value:
"libgssapi_krb5.so.2"
Back to top

AuthAndroidNegotiateAccountType

Account type for HTTP Negotiate authentication
Data type:
String
Android restriction name:
AuthAndroidNegotiateAccountType
Android WebView restriction name:
com.android.browser:AuthAndroidNegotiateAccountType
Supported on:
  • Google Chrome (Android) since version 46
  • Android System WebView (Android) since version 49
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy specifies the type of accounts provided by the Android authentication app that supports HTTP Negotiate authentication (such as Kerberos authentication). This information should be available from the supplier of the authentication app. For details, see The Chromium Projects ( https://goo.gl/hajyfN )

Leaving the policy unset turns off HTTP Negotiate authentication on Android.

Example value:
"com.example.spnego"
Back to top

AllowCrossOriginAuthPrompt

Cross-origin HTTP Authentication prompts
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AllowCrossOriginAuthPrompt
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~HTTPAuthentication\AllowCrossOriginAuthPrompt
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowCrossOriginAuthPrompt
Mac/Linux preference name:
AllowCrossOriginAuthPrompt
Supported on:
  • Google Chrome (Linux) since version 13
  • Google Chrome (Mac) since version 13
  • Google Chrome (Windows) since version 13
  • Google ChromeOS (Google ChromeOS) since version 62
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled allows third-party images on a page to show an authentication prompt.

Setting the policy to Disabled or leaving it unset renders third-party images unable to show an authentication prompt.

Typically, this policy is Disabled as a phishing defense.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

NtlmV2Enabled

Enable NTLMv2 authentication.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NtlmV2Enabled
Mac/Linux preference name:
NtlmV2Enabled
Android restriction name:
NtlmV2Enabled
Android WebView restriction name:
com.android.browser:NtlmV2Enabled
Supported on:
  • Google Chrome (Linux) since version 63
  • Google Chrome (Mac) since version 63
  • Google ChromeOS (Google ChromeOS) since version 63
  • Google Chrome (Android) since version 63
  • Android System WebView (Android) since version 63
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset turns NTLMv2 on.

Setting the policy to Disabled turns NTLMv2 off.

All recent versions of Samba and Microsoft® Windows® servers support NTLMv2. This should only be turned off for backward compatibility as it reduces the security of authentication.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Back to top

Kerberos

Policies related to Kerberos authentication.
Back to top

KerberosEnabled

Enable Kerberos functionality
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls whether the Kerberos functionality is enabled. Kerberos is an authentication protocol that can be used to authenticate to web apps and file shares.

If this policy is enabled, Kerberos functionality is enabled. Kerberos accounts can be added either through the 'Configure Kerberos accounts' policy or through the Kerberos Accounts settings in the Kerberos settings page.

If this policy is disabled or not set, the Kerberos Accounts settings are disabled. No Kerberos accounts can be added and Kerberos authentication cannot be used. All existing Kerberos accounts are deleted, all stored passwords are deleted.

Back to top

KerberosRememberPasswordEnabled

Enable 'Remember password' feature
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls whether the 'Remember password' feature is enabled in the Kerberos authentication dialog. Passwords are stored encryped on disk, only accessible to the Kerberos system daemon and during a user session.

If this policy is enabled or not set, users can decide whether Kerberos passwords are remembered, so that they do not have to be entered again. Kerberos tickets are automatically fetched unless additional authentication is required (two-factor authentication).

If this policy is disabled, passwords are never remembered and all previously stored passwords are removed. Users have to enter their password every time they need to authenticate with the Kerberos system. Depending on server settings, this usually happens between every 8 hours to several months.

Back to top

KerberosAddAccountsAllowed

Users can add Kerberos accounts
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls whether users may add Kerberos accounts.

If this policy is enabled or not set, users may add Kerberos accounts via the Kerberos Accounts settings in the Kerberos settings page. Users have full control over accounts they added and may modify or remove them.

If this policy is disabled, users may not add Kerberos accounts. Accounts can only be added via the 'Configure Kerberos accounts' policy. This is an effective way to lock down accounts.

Back to top

KerberosAccounts

Configure Kerberos accounts
Data type:
Dictionary
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Adds prefilled Kerberos accounts. If the Kerberos credentials match the login credentials, an account can be configured to reuse the login credentials by specifying '${{LOGIN_EMAIL}}' and ${{PASSWORD}}' for principal and password, respectively, so that the Kerberos ticket can be retrieved automatically unless two-factor authentication is configured. Users cannot modify accounts added via this policy.

If this policy is enabled, the list of accounts defined by the policy is added to the Kerberos Accounts settings.

If this policy is disabled or not set, no accounts are added to the Kerberos Accounts settings and all accounts previously added with this policy are removed. Users may still add accounts manually if the 'Users can add Kerberos accounts' policy is enabled.

Schema:
{ "items": { "properties": { "krb5conf": { "description": "Kerberos configuration (one line per array item), see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.", "items": { "type": "string" }, "type": "array" }, "password": { "description": "Kerberos password. The placeholder ${{PASSWORD}} is replaced by the login password.", "sensitiveValue": true, "type": "string" }, "principal": { "description": "User principal 'user@realm'. The placeholder ${{LOGIN_ID}} is replaced by the username 'user'. The placeholder ${{LOGIN_EMAIL}} is replaced by the full principal 'user@realm'.", "pattern": "^(?:[^@]+@[^@]+)|(?:\\${LOGIN_ID})|(?:\\${LOGIN_EMAIL})$", "type": "string" }, "remember_password": { "description": "Whether to remember the Kerberos password. If not set or set to false, the password is not remembered. Ignored if the password is not specified.", "type": "boolean" } }, "required": [ "principal" ], "type": "object" }, "type": "array" }
Back to top

Kiosk settings

Controls public session and kiosk account types.
Back to top

DeviceLocalAccounts

Device-local accounts
Data type:
List of strings
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 25
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy specifies the list of device-local accounts to display on the sign-in screen. Identifiers tell the different device-local accounts apart.

If the policy is unset or an empty list, there are no device-local accounts.

Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Kiosk
Back to top

DeviceLocalAccountAutoLoginId

Device-local account for auto-login
Data type:
String
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy means the specified session is automatically signed if there is no user interaction at the sign-in screen within the time specified in DeviceLocalAccountAutoLoginDelay. The device-local account must already be set up (see DeviceLocalAccounts).

Leaving it unset means there's no automatic sign-in.

Back to top

DeviceLocalAccountAutoLoginDelay

Device-local account auto-login timer
Data type:
Integer
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy determines the amount of time in milliseconds without user activity before automatically signing in to the device-local account specified by the DeviceLocalAccountAutoLoginId policy.

Leaving it unset means 0 milliseconds is used as the timeout.

If the DeviceLocalAccountAutoLoginId policy is unset, this policy has no effect.

Back to top

DeviceLocalAccountAutoLoginBailoutEnabled

Enable bailout keyboard shortcut for auto-login
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 28
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset means a device-local account is set up for zero-delay, automatic sign-in. Google Chrome OS honors the keyboard shortcut Ctrl+Alt+S for bypassing automatic sign-in and showing the sign-in screen.

Setting the policy to Disabled means users can't bypass zero-delay automatic sign-in (if configured).

Back to top

DeviceLocalAccountPromptForNetworkWhenOffline

Enable network configuration prompt when offline
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 33
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset means when a device is offline, if a device-local account is set for zero-delay, automatic sign-in, Google Chrome OS shows a network-configuration prompt.

Setting the policy to Disabled has an error message displayed instead.

Back to top

AllowKioskAppControlChromeVersion

Allow the auto launched with zero delay kiosk app to control Google Chrome OS version
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 51
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled means the value of the required_platform_version manifest key of the zero-delay, autolaunched kiosk app is used as the autoupdate target version prefix.

Setting the policy to Disabled or leaving it unset means the required_platform_version manifest key is ignored and autoupdate proceeds as normal.

Warning: Do not delegate control of the Google Chrome OS version to a kiosk app, because it might prevent the device from getting software updates and critical security fixes. Delegating control of the Google Chrome OS version might leave users at risk.

Note for Google Chrome OS devices supporting Android apps:

If the kiosk app is an Android app, it will have no control over the Google Chrome OS version, even if this policy is set to True.

Back to top

Legacy Browser Support

Configure policies to switch between browsers. Configured websites will automatically open in another browser than Google Chrome.
Back to top

AlternativeBrowserPath

Alternative browser to launch for configured websites.
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AlternativeBrowserPath
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\AlternativeBrowserPath
Mac/Linux preference name:
AlternativeBrowserPath
Supported on:
  • Google Chrome (Linux) since version 71
  • Google Chrome (Mac) since version 71
  • Google Chrome (Windows) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy controls which command to use to open URLs in an alternative browser. The policy can be set to one of ${ie}, ${firefox}, ${safari}, ${opera}, ${edge} or a file path. When this policy is set to a file path, that file is used as an executable file. ${ie} is only available on Microsoft® Windows®. ${safari} and ${edge} are only available on Microsoft® Windows® and macOS.

Leaving the policy unset puts a platform-specific default in use: Internet Explorer® for Microsoft® Windows®, or Safari® for macOS. On Linux®, launching an alternative browser will fail.

Example value:
"${ie}"
Windows (Intune):
<enabled/>
<data id="AlternativeBrowserPath" value="${ie}"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : BrowserSwitcher
Back to top

AlternativeBrowserParameters

Command-line parameters for the alternative browser.
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AlternativeBrowserParameters
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\AlternativeBrowserParameters
Mac/Linux preference name:
AlternativeBrowserParameters
Supported on:
  • Google Chrome (Linux) since version 71
  • Google Chrome (Mac) since version 71
  • Google Chrome (Windows) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to a list of strings means each string is passed to the alternative browser as separate command-line parameters. On Microsoft® Windows®, the parameters are joined with spaces. On macOS and Linux®, a parameter can have spaces and still be treated as a single parameter.

If an parameter contains ${url}, ${url} is replaced with the URL of the page to open. If no parameter contains ${url}, the URL is appended at the end of the command line.

Environment variables are expanded. On Microsoft® Windows®, %ABC% is replaced with the value of the ABC environment variable. On macOS and Linux®, ${ABC} is replaced with the value of the ABC environment variable.

Leaving the policy unset means only the URL is passed as a command-line parameter.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\AlternativeBrowserParameters\1 = "-foreground" Software\Policies\Google\Chrome\AlternativeBrowserParameters\2 = "-new-window" Software\Policies\Google\Chrome\AlternativeBrowserParameters\3 = "${url}" Software\Policies\Google\Chrome\AlternativeBrowserParameters\4 = "-profile" Software\Policies\Google\Chrome\AlternativeBrowserParameters\5 = "%HOME%\browser_profile"
Android/Linux:
[ "-foreground", "-new-window", "${url}", "-profile", "%HOME%\browser_profile" ]
Mac:
<array> <string>-foreground</string> <string>-new-window</string> <string>${url}</string> <string>-profile</string> <string>%HOME%\browser_profile</string> </array>
Windows (Intune):
<enabled/>
<data id="AlternativeBrowserParametersDesc" value="1&#xF000;-foreground&#xF000;2&#xF000;-new-window&#xF000;3&#xF000;${url}&#xF000;4&#xF000;-profile&#xF000;5&#xF000;%HOME%\browser_profile"/>
Back to top

BrowserSwitcherChromePath

Path to Chrome for switching from the alternative browser.
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherChromePath
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherChromePath
Supported on:
  • Google Chrome (Windows) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls the command to use to open URLs in Google Chrome when switching from Internet Explorer®. This policy can be set to an executable file path or ${chrome} to autodetect the location of Google Chrome.

Leaving the policy unset means Internet Explorer® autodetects Google Chrome's own executable path when launching Google Chrome from Internet Explorer.

Note: If the Legacy Browser Support add-in for Internet Explorer® isn't installed, this policy has no effect.

Example value:
"${chrome}"
Windows (Intune):
<enabled/>
<data id="BrowserSwitcherChromePath" value="${chrome}"/>
Back to top

BrowserSwitcherChromeParameters

Command-line parameters for switching from the alternative browser.
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherChromeParameters
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherChromeParameters
Supported on:
  • Google Chrome (Windows) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to a list of strings means the strings are joined with spaces and passed from Internet Explorer® to Google Chrome as command-line parameters. If an parameter contains ${url}, ${url} is replaced with the URL of the page to open. If no parameter contains ${url}, the URL is appended at the end of the command line.

Environment variables are expanded. On Microsoft® Windows®, %ABC% is replaced with the value of the ABC environment variable.

Leaving the policy unset means Internet Explorer® only passes the URL to Google Chrome as a command-line parameter.

Note: If the Legacy Browser Support add-in for Internet Explorer® isn't installed, this policy has no effect.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\BrowserSwitcherChromeParameters\1 = "--force-dark-mode"
Windows (Intune):
<enabled/>
<data id="BrowserSwitcherChromeParametersDesc" value="1&#xF000;--force-dark-mode"/>
Back to top

BrowserSwitcherDelay

Delay before launching alternative browser (milliseconds)
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherDelay
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherDelay
Mac/Linux preference name:
BrowserSwitcherDelay
Supported on:
  • Google Chrome (Linux) since version 74
  • Google Chrome (Mac) since version 74
  • Google Chrome (Windows) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to a number has Google Chrome show a message for that number of milliseconds, then it opens an alternative browser.

Leaving the policy unset or set to 0 means navigating to a designated URL immediately opens it in an alternative browser.

Example value:
0x00002710 (Windows), 10000 (Linux), 10000 (Mac)
Windows (Intune):
<enabled/>
<data id="BrowserSwitcherDelay" value="10000"/>
Back to top

BrowserSwitcherEnabled

Enable the Legacy Browser Support feature.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherEnabled
Mac/Linux preference name:
BrowserSwitcherEnabled
Supported on:
  • Google Chrome (Linux) since version 73
  • Google Chrome (Mac) since version 73
  • Google Chrome (Windows) since version 73
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means Google Chrome will try to launch some URLs in an alternate browser, such as Internet Explorer®. This feature is set using the policies in the Legacy Browser support group.

Setting the policy to Disabled or leaving it unset means Google Chrome won't try to launch designated URLs in an alternate browser.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

BrowserSwitcherExternalSitelistUrl

URL of an XML file that contains URLs to load in an alternative browser.
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherExternalSitelistUrl
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherExternalSitelistUrl
Mac/Linux preference name:
BrowserSwitcherExternalSitelistUrl
Supported on:
  • Google Chrome (Linux) since version 72
  • Google Chrome (Mac) since version 72
  • Google Chrome (Windows) since version 72
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to a valid URL has Google Chrome download the site list from that URL and apply the rules as if they were set up with the BrowserSwitcherUrlList policy.

Leaving it unset (or set to a invalid URL) means Google Chrome doesn't use the policy as a source of rules for switching browsers.

Note: This policy points to an XML file in the same format as Internet Explorer®'s SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer®. Read more on Internet Explorer®'s SiteList policy ( https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode)

Example value:
"http://example.com/sitelist.xml"
Windows (Intune):
<enabled/>
<data id="BrowserSwitcherExternalSitelistUrl" value="http://example.com/sitelist.xml"/>
Back to top

BrowserSwitcherExternalGreylistUrl

URL of an XML file that contains URLs that should never trigger a browser switch.
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherExternalGreylistUrl
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherExternalGreylistUrl
Mac/Linux preference name:
BrowserSwitcherExternalGreylistUrl
Supported on:
  • Google Chrome (Linux) since version 77
  • Google Chrome (Mac) since version 77
  • Google Chrome (Windows) since version 77
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to a valid URL has Google Chrome download the site list from that URL and apply the rules as if they were set up with the BrowserSwitcherUrlGreylist policy. These policies prevent Google Chrome and the alternative browser from opening one another.

Leaving it unset (or set to a invalid URL) means Google Chrome doesn't use the policy as a source of rules for not switching browsers.

Note: This policy points to an XML file in the same format as Internet Explorer®'s SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer®. Read more on Internet Explorer®'s SiteList policy ( https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode )

Example value:
"http://example.com/greylist.xml"
Windows (Intune):
<enabled/>
<data id="BrowserSwitcherExternalGreylistUrl" value="http://example.com/greylist.xml"/>
Back to top

BrowserSwitcherKeepLastChromeTab

Keep last tab open in Chrome.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherKeepLastChromeTab
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherKeepLastChromeTab
Mac/Linux preference name:
BrowserSwitcherKeepLastChromeTab
Supported on:
  • Google Chrome (Linux) since version 74
  • Google Chrome (Mac) since version 74
  • Google Chrome (Windows) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset has Google Chrome keep at least one tab open, after switching to an alternate browser.

Setting the policy to Disabled has Google Chrome close the tab after switching to an alternate browser, even if it was the last tab. This causes Google Chrome to exit completely.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

BrowserSwitcherParsingMode

Sitelist parsing mode
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherParsingMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherParsingMode
Mac/Linux preference name:
BrowserSwitcherParsingMode
Supported on:
  • Google Chrome (Linux) since version 95
  • Google Chrome (Mac) since version 95
  • Google Chrome (Windows) since version 95
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls how Google Chrome interprets sitelist/greylist policies for the Legacy Browser Support feature. It affects the following policies: BrowserSwitcherUrlList, BrowserSwitcherUrlGreylist, BrowserSwitcherUseIeSitelist, BrowserSwitcherExternalSitelistUrl, and BrowserSwitcherExternalGreylistUrl.

If 'Default' (0) or unset, URL matching is less strict. Rules that do not contain "/" look for a substring anywhere in the URL's hostname. Matching the path component of a URL is case-sensitive.

If 'IESiteListMode' (1), URL matching is more strict. Rules that do not contain "/" only match at the end of the hostname. They must also be at a domain name boundary. Matching the path component of a URL is case-insensitive. This is more compatible with Microsoft® Internet Explorer® and Microsoft® Edge®.

For example, with the rules "example.com" and "acme.com/abc":

"http://example.com/", "http://subdomain.example.com/" and "http://acme.com/abc" match regardless of parsing mode.

"http://notexample.com/", "http://example.com.invalid.com/", "http://example.comabc/" only match in 'Default' mode.

"http://acme.com/ABC" only matches in 'IESiteListMode'.

  • 0 = Default behavior for LBS.
  • 1 = More compatible with Microsoft IE/Edge enterprise mode sitelists.
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="BrowserSwitcherParsingMode" value="1"/>
Back to top

BrowserSwitcherUrlList

Websites to open in alternative browser
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherUrlList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherUrlList
Mac/Linux preference name:
BrowserSwitcherUrlList
Supported on:
  • Google Chrome (Linux) since version 71
  • Google Chrome (Mac) since version 71
  • Google Chrome (Windows) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy controls the list of websites to open in an alternative browser. Each item is treated as a rule for something to open in an alternative browser. Google Chrome uses those rules when choosing if a URL should open in an alternative browser. When the Internet Explorer® add-in is on, Internet Explorer® switches back to Google Chrome when the rules don't match. If rules contradict each other, Google Chrome uses the most specific rule.

Leaving the policy unset adds no websites to the list.

Note: Elements can also be added to this list through the BrowserSwitcherUseIeSitelist and BrowserSwitcherExternalSitelistUrl policies.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\BrowserSwitcherUrlList\1 = "ie.com" Software\Policies\Google\Chrome\BrowserSwitcherUrlList\2 = "!open-in-chrome.ie.com" Software\Policies\Google\Chrome\BrowserSwitcherUrlList\3 = "foobar.com/ie-only/"
Android/Linux:
[ "ie.com", "!open-in-chrome.ie.com", "foobar.com/ie-only/" ]
Mac:
<array> <string>ie.com</string> <string>!open-in-chrome.ie.com</string> <string>foobar.com/ie-only/</string> </array>
Windows (Intune):
<enabled/>
<data id="BrowserSwitcherUrlListDesc" value="1&#xF000;ie.com&#xF000;2&#xF000;!open-in-chrome.ie.com&#xF000;3&#xF000;foobar.com/ie-only/"/>
Back to top

BrowserSwitcherUrlGreylist

Websites that should never trigger a browser switch.
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherUrlGreylist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherUrlGreylist
Mac/Linux preference name:
BrowserSwitcherUrlGreylist
Supported on:
  • Google Chrome (Linux) since version 71
  • Google Chrome (Mac) since version 71
  • Google Chrome (Windows) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy controls the list of websites that will never cause a browser switch. Each item is treated as a rule. Those rules that match won't open an alternative browser. Unlike the BrowserSwitcherUrlList policy, rules apply to both directions. When the Internet Explorer® add-in is on, it also controls whether Internet Explorer® should open these URLs in Google Chrome.

Leaving the policy unset adds no websites to the list.

Note: Elements can also be added to this list through the BrowserSwitcherExternalGreylistUrl policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\BrowserSwitcherUrlGreylist\1 = "ie.com" Software\Policies\Google\Chrome\BrowserSwitcherUrlGreylist\2 = "!open-in-chrome.ie.com" Software\Policies\Google\Chrome\BrowserSwitcherUrlGreylist\3 = "foobar.com/ie-only/"
Android/Linux:
[ "ie.com", "!open-in-chrome.ie.com", "foobar.com/ie-only/" ]
Mac:
<array> <string>ie.com</string> <string>!open-in-chrome.ie.com</string> <string>foobar.com/ie-only/</string> </array>
Windows (Intune):
<enabled/>
<data id="BrowserSwitcherUrlGreylistDesc" value="1&#xF000;ie.com&#xF000;2&#xF000;!open-in-chrome.ie.com&#xF000;3&#xF000;foobar.com/ie-only/"/>
Back to top

BrowserSwitcherUseIeSitelist

Use Internet Explorer's SiteList policy for Legacy Browser Support.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSwitcherUseIeSitelist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~BrowserSwitcher\BrowserSwitcherUseIeSitelist
Supported on:
  • Google Chrome (Windows) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls whether to load rules from Internet Explorer®'s SiteList policy.

When this policy is set to true, Google Chrome reads Internet Explorer®'s SiteList to obtain the site list's URL. Google Chrome then downloads the site list from that URL, and applies the rules as if they had been configured with the BrowserSwitcherUrlList policy.

When this policy is false or unset, Google Chrome does not use Internet Explorer®'s SiteList policy as a source of rules for switching browsers.

For more information on Internet Explorer's SiteList policy: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode

Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
Back to top

Linux container

Controls settings for the Linux container (Crostini).
Back to top

VirtualMachinesAllowed

Allow devices to run virtual machines on ChromeOS
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VirtualMachinesAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 66
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled lets the device run virtual machines on Google Chrome OS. VirtualMachinesAllowed and CrostiniAllowed must be Enabled to use Crostini. Setting the policy to Disabled means the device can't run virtual machines. Changing it to Disabled starts applying the policy to starting new virtual machines, not those already running.

When this policy is not set on a managed device, the device can't run virtual machines. Unmanaged devices can run virtual machines.

Example value:
0x00000001 (Windows)
Back to top

CrostiniAllowed

User is enabled to run Crostini
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CrostiniAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset lets users run Crostini, as long as VirtualMachinesAllowed and CrostiniAllowed are set to Enabled. Setting the policy to Disabled turns Crostini off for the user. Changing it to Disabled starts applying the policy to starting new Crostini containers, not those already running.

Example value:
0x00000000 (Windows)
Back to top

DeviceUnaffiliatedCrostiniAllowed

Allow unaffiliated users to use Crostini
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceUnaffiliatedCrostiniAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset lets all users use Crostini as long as all 3 policies, VirtualMachinesAllowed, CrostiniAllowed, and DeviceUnaffiliatedCrostiniAllowed are set to Enabled. Setting the policy to Disabled means unaffiliated users can't use Crostini. Changing it to Disabled starts applying the policy to starting new Crostini containers, not those already running.

Example value:
0x00000000 (Windows)
Back to top

CrostiniExportImportUIAllowed

User is enabled to export / import Crostini containers via the UI
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CrostiniExportImportUIAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset makes the export-import UI available to users. Setting the policy to Disabled renders the export-import UI unavailable to users.

Example value:
0x00000000 (Windows)
Back to top

CrostiniAnsiblePlaybook

Crostini Ansible playbook
Data type:
External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CrostiniAnsiblePlaybook
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Provides an Ansible playbook that should be executed in the default Crostini container.

This policy allows to provide an Ansible playbook to be applied to the default Crostini container if it is available on the given device and allowed by policies.

The size of the data must not exceed 1MB (1000000 bytes) and must be encoded in YAML. The cryptographic hash is used to verify the integrity of the download.

The configuration is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If you set the policy, users can't change it. If not set, users can continue using default Crostini container in its ongoing configuration if Crostini is allowed by policies.

Schema:
{ "properties": { "hash": { "description": "The SHA-256 hash of the Ansible playbook.", "type": "string" }, "url": { "description": "The URL from which the Ansible playbook can be downloaded.", "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\CrostiniAnsiblePlaybook = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", "url": "https://example.com/ansibleplaybook" }
Back to top

CrostiniPortForwardingAllowed

Allow users to [enable/configure] Crostini port forwarding
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CrostiniPortForwardingAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Specifies whether port forwarding into Crostini containers is allowed.

If this policy is set to True or not set, users will be able to configure port forwarding into their Crostini containers.

If this policy is set to False, port forwarding into Crostini containers will be disabled.

Example value:
0x00000000 (Windows)
Back to top

SystemTerminalSshAllowed

Allow SSH outgoing client connections in Terminal System App
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SystemTerminalSshAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 102
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this policy doesn't exist (e.g. for unmanaged users), the SSH (Secure SHell) outgoing client connections feature in Terminal System App is enabled (default True). If the user is managed, and the policy is unset or Disabled, the feature is disabled in Terminal. Setting the policy to Enabled allows managed users to create outgoing client SSH connections in Terminal.

Example value:
0x00000001 (Windows)
Back to top

Microsoft® Active Directory® management settings

Controls settings specific to Microsoft® Active Directory® managed Google Chrome OS devices.
Back to top

DeviceMachinePasswordChangeRate

Machine password change rate
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceMachinePasswordChangeRate
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 66
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy specifies in days how often a client changes their machine account password. The password is randomly generated by the client and not visible to the user. Disabling this policy or setting a high number of days can negatively impact security, because it gives potential attackers more time to find and use the machine account password.

Leaving the policy unset means the machine account password is changed every 30 days.

Setting the policy to 0 turns off machine account password change.

Note: Passwords might get older than the specified number of days if the client has been offline for a longer period of time.

Restrictions:
  • Minimum:0
  • Maximum:9999
Example value:
0x00000000 (Windows)
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : ActiveDirectoryManagement
Back to top

DeviceUserPolicyLoopbackProcessingMode

User policy loopback processing mode
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceUserPolicyLoopbackProcessingMode
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 66
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy specifies whether and how user policy from computer Group Policy Object (GPO) is processed.

* Default or leaving it unset has user policy read only from user GPOs. Computer GPOs are ignored.

* Merge will merge user policy in user GPOs with that of computer GPOs. Computer GPOs take precedence.

* Replace will replace user policy in user GPOs with that of computer GPOs. User GPOs are ignored.

  • 0 = Default
  • 1 = Merge
  • 2 = Replace
Example value:
0x00000000 (Windows)
Back to top

DeviceKerberosEncryptionTypes

Allowed Kerberos encryption types
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceKerberosEncryptionTypes
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 66
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy designates which encryption types are allowed when requesting Kerberos tickets from a Microsoft® Active Directory® server.

Setting the policy to:

* All allows the AES encryption types aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, as well as the RC4 encryption type rc4-hmac. AES takes precedence if the server supports AES and RC4 encryption types.

* Strong or leaving it unset allows only the AES types.

* Legacy allows only the RC4 type. RC4 is insecure. It should only be needed in very specific circumstances. If possible, reconfigure the server to support AES encryption.

Also see https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.

  • 0 = All (insecure)
  • 1 = Strong
  • 2 = Legacy (insecure)
Example value:
0x00000001 (Windows)
Back to top

DeviceGpoCacheLifetime

GPO cache lifetime
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceGpoCacheLifetime
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 73
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy specifies in hours the Group Policy Object (GPO) cache lifetime—the maximum duration GPOs can be reused before they're redownloaded. Instead of redownloading them on every policy fetch, the system reuses cached GPOs as long as their version doesn't change.

Setting the policy to 0 turns GPO caching off. Doing this increases server load, because GPOs are redownloaded on every policy fetch, even if they didn't change.

Leaving the policy unset means cached GPOs can be reused for up to 25 hours.

Note: Restarting and signing out clears the cache.

Restrictions:
  • Minimum:0
  • Maximum:9999
Example value:
0x00000000 (Windows)
Back to top

DeviceAuthDataCacheLifetime

Authentication data cache lifetime
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAuthDataCacheLifetime
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 73
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy specifies in hours the authentication data cache lifetime. The cache has data about realms trusted by the machine realm (affiliated realms). So, authentication data caching helps speed up sign-in. User-specific data and data for unaffiliated realms isn't cached.

Setting the policy to 0 turns authentication data caching off. Realm-specific data is fetched on every sign-in, so turning off authentication data caching can significantly slow down user sign-in.

Leaving the policy unset means cached authentication data can be reused for up to 73 hours.

Note: Restarting the device clears the cache. Even ephemeral users' realm data is cached. Turn off the cache to prevent the tracing of an ephemeral user's realm.

Restrictions:
  • Minimum:0
  • Maximum:9999
Example value:
0x00000000 (Windows)
Back to top

ChromadToCloudMigrationEnabled

Enable the migration of Chromad devices into cloud management
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ChromadToCloudMigrationEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 98
Supported features:
Dynamic Policy Refresh: Yes
Description:

Enable the migration of Microsoft® Active Directory® managed devices into cloud management. This policy allows for a remote start of a touchless migration of multiple devices in a company. Additionally, the migration will be as transparent as possible to the end users.

If this policy is enabled and the enrollment ID has already been uploaded to the DMServer, a remote device powerwash will be triggered.

If this policy is disabled or not set, the remote device powerwash is not trigged, independently of the enrollment ID upload status.

This check is triggered whenever the login screen is loaded, then retried every hour (if the device stays on the login screen). This prevents the migration from starting in the middle of a user session, causing potential problems to end users.

Example value:
0x00000000 (Windows)
Back to top

Native Messaging

Configures policies for Native Messaging. Blocked native messaging hosts won't be allowed unless they are whitelisted.
Back to top

NativeMessagingBlocklist

Configure native messaging blocklist
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NativeMessagingBlocklist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~NativeMessaging\NativeMessagingBlocklist
Mac/Linux preference name:
NativeMessagingBlocklist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies which native messaging hosts shouldn't be loaded. A deny list value of * means all native messaging hosts are denied, unless they're explicitly allowed.

Leaving the policy unset means Google Chrome loads all installed native messaging hosts.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\NativeMessagingBlocklist\1 = "com.native.messaging.host.name1" Software\Policies\Google\Chrome\NativeMessagingBlocklist\2 = "com.native.messaging.host.name2"
Android/Linux:
[ "com.native.messaging.host.name1", "com.native.messaging.host.name2" ]
Mac:
<array> <string>com.native.messaging.host.name1</string> <string>com.native.messaging.host.name2</string> </array>
Windows (Intune):
<enabled/>
<data id="NativeMessagingBlocklistDesc" value="1&#xF000;com.native.messaging.host.name1&#xF000;2&#xF000;com.native.messaging.host.name2"/>
Back to top

NativeMessagingAllowlist

Configure native messaging allowlist
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NativeMessagingAllowlist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~NativeMessaging\NativeMessagingAllowlist
Mac/Linux preference name:
NativeMessagingAllowlist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies which native messaging hosts aren't subject to the deny list. A deny list value of * means all native messaging hosts are denied, unless they're explicitly allowed.

All native messaging hosts are allowed by default. But, if all native messaging hosts are denied by policy, the admin can use the allow list to change that policy.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\NativeMessagingAllowlist\1 = "com.native.messaging.host.name1" Software\Policies\Google\Chrome\NativeMessagingAllowlist\2 = "com.native.messaging.host.name2"
Android/Linux:
[ "com.native.messaging.host.name1", "com.native.messaging.host.name2" ]
Mac:
<array> <string>com.native.messaging.host.name1</string> <string>com.native.messaging.host.name2</string> </array>
Windows (Intune):
<enabled/>
<data id="NativeMessagingAllowlistDesc" value="1&#xF000;com.native.messaging.host.name1&#xF000;2&#xF000;com.native.messaging.host.name2"/>
Back to top

NativeMessagingUserLevelHosts

Allow user-level Native Messaging hosts (installed without admin permissions)
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NativeMessagingUserLevelHosts
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~NativeMessaging\NativeMessagingUserLevelHosts
Mac/Linux preference name:
NativeMessagingUserLevelHosts
Supported on:
  • Google Chrome (Linux) since version 34
  • Google Chrome (Mac) since version 34
  • Google Chrome (Windows) since version 34
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset means Google Chrome can use native messaging hosts installed at the user level.

Setting the policy to Disabled means Google Chrome can only use these hosts if installed at the system level.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

Network File Shares settings

Configure Network File Share related policies.
Back to top

NetworkFileSharesAllowed

Controls Network File Shares for ChromeOS availability
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NetworkFileSharesAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to Enabled lets users use Network File Shares for Google Chrome OS. Setting the policy to Disabled means users can't use this feature.

Example value:
0x00000001 (Windows)
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : NetworkFileShares
Back to top

NetBiosShareDiscoveryEnabled

Controls Network File Share discovery via NetBIOS
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NetBiosShareDiscoveryEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means share discovery (the Network File Shares feature for Google Chrome OS) uses the NetBIOS Name Query Request protocol to discover shares on the network. Setting the policy to Disabled means share discovery won't use this protocol to discover shares.

Leaving the policy unset means the behavior defaults to off for managed users and on for other users.

Example value:
0x00000001 (Windows)
Back to top

NTLMShareAuthenticationEnabled

Controls enabling NTLM as an authentication protocol for SMB mounts
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NTLMShareAuthenticationEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 71
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to Enabled means the Network File Shares feature for Google Chrome OS uses NTLM for authentication to SMB shares if necessary. Setting the policy to Disabled turns off NTLM authentication to SMB shares.

Leaving the policy unset means the behavior defaults to off for managed users and on for other users.

Example value:
0x00000001 (Windows)
Back to top

NetworkFileSharesPreconfiguredShares

List of preconfigured network file shares.
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NetworkFileSharesPreconfiguredShares
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies a list of preset network file shares. Each item is an object with 2 properties: share_url and mode.

The share URL should be share_url.

For mode, it should be drop_down or pre_mount:

* drop_down indicates that share_url will be added to the share discovery list.

* pre_mount indicates that share_url will be mounted.

Schema:
{ "items": { "properties": { "mode": { "enum": [ "drop_down", "pre_mount" ], "type": "string" }, "share_url": { "type": "string" } }, "required": [ "share_url", "mode" ], "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\NetworkFileSharesPreconfiguredShares = [ { "mode": "drop_down", "share_url": "smb://server/share" }, { "mode": "drop_down", "share_url": "\\\\server\\share" } ]
Back to top

Network settings

Controls device-wide network configuration.
Back to top

DeviceOpenNetworkConfiguration

Device-level network configuration
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceOpenNetworkConfiguration
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 16
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy allows pushing network configuration for all users of a Google Chrome OS device. The network configuration is a JSON-formatted string, as defined by the Open Network Configuration format.

Note for Google Chrome OS devices supporting Android apps:

Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.

Expanded schema description:
https://chromium.googlesource.com/chromium/src/+/HEAD/components/onc/docs/onc_spec.md
Example value:
"{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}", "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false, "Security": "None", "AutoConnect": true } } ] }"
Back to top

DeviceDataRoamingEnabled

Enable data roaming
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceDataRoamingEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 12
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled allows data roaming for the device.

Setting the policy to Disabled or leaving it unset renders data roaming unavailable.

Example value:
0x00000001 (Windows)
Back to top

NetworkThrottlingEnabled

Enable throttling network bandwidth
Data type:
Dictionary
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 56
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy turns network throttling on or off. This means that the system is throttled to achieve the provided upload and download rates (in kbits/s). It applies to all users and interfaces on the device.

Schema:
{ "properties": { "download_rate_kbits": { "description": "Desired download rate in kbits/s.", "type": "integer" }, "enabled": { "description": "A boolean flag indicating if throttling is enabled.", "type": "boolean" }, "upload_rate_kbits": { "description": "Desired upload rate in kbits/s.", "type": "integer" } }, "required": [ "enabled", "upload_rate_kbits", "download_rate_kbits" ], "type": "object" }
Back to top

DeviceHostnameTemplate

Device network hostname template
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceHostnameTemplate
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 65
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to a string applies the string as the device hostname during DHCP request. The string can have variables ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}, ${LOCATION} to be replaced with values on the device before using it as a hostname. The resulting substitution should be a valid hostname (per RFC 1035, section 3.1).

Leaving the policy unset or if the value after substitution isn't a valid hostname, no hostname is set in DHCP request.

Example value:
"chromebook-${ASSET_ID}"
Back to top

DeviceHostnameUserConfigurable

Allow user to configure their device hostname
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceHostnameUserConfigurable
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Can Be Mandatory: Yes, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Determine whether a user is allowed to configure the device hostname.

If DeviceHostnameTemplate is set, the admininistrator sets hostname and the user cannot choose regardless of what this policy is set to. If this policy is set to True and DeviceHostnameTemplate is not set, the admininistrator does not set hostname and the user can choose one. If this policy is set to False and DeviceHostnameTemplate is not set, the admininistrator does not set hostname and the user cannot choose one, hence the default name is used.

Example value:
0x00000001 (Windows)
Back to top

DeviceWiFiFastTransitionEnabled

Enable 802.11r Fast Transition
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceWiFiFastTransitionEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled means that Fast Transition is used when the wireless access point supports it. It applies to all users and interfaces on the device.

Setting the policy to Disabled or leaving it unset means that Fast Transition isn't used.

Example value:
0x00000001 (Windows)
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : WiFi
Back to top

DeviceWiFiAllowed

Enable WiFi
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceWiFiAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Disabled means Google Chrome OS turns off Wi-Fi, and users can't change it.

Setting the policy to Enabled or leaving it unset lets users turn Wi-Fi on or off.

Example value:
0x00000001 (Windows)
Back to top

DeviceDockMacAddressSource

Device MAC address source when docked
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceDockMacAddressSource
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy lets the administrator change the MAC (media access control) address when connecting a device to the dock. When a dock is connected to some device models, by default, the device's designated dock's MAC address helps identify the device on Ethernet.

If 'DeviceDockMacAddress' is selected or the policy is left unset, the device's designated dock MAC address will be used.

If 'DeviceNicMacAddress' is selected, the device's NIC (network interface controller) MAC address will be used.

If 'DockNicMacAddress' is selected, the dock's NIC MAC address will be used.

Users can't change this setting.

  • 1 = Device's designated dock MAC address
  • 2 = Device's built-in NIC MAC address
  • 3 = Dock's built-in NIC MAC address
Example value:
0x00000001 (Windows)
Back to top

Other

Controls miscellaneous settings including USB, bluetooth, policy refresh, developer mode and others.
Back to top

UsbDetachableAllowlist

Allowlist of USB detachable devices
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UsbDetachableAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: No
Description:

Setting the policy defines the list of USB devices users can detach from their kernel driver to use through the chrome.usb API directly inside a web app. Entries are pairs of USB Vendor Identifier and Product Identifier to identify specific hardware.

If not set, the list of a detachable USB devices is empty.

Schema:
{ "items": { "id": "UsbDeviceIdInclusive", "properties": { "product_id": { "type": "integer" }, "vendor_id": { "type": "integer" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\UsbDetachableAllowlist = [ { "product_id": 24577, "vendor_id": 1027 }, { "product_id": 8453, "vendor_id": 16700 } ]
Back to top

DeviceAllowBluetooth

Allow bluetooth on device
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAllowBluetooth
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 52
Supported features:
Dynamic Policy Refresh: No
Description:

Setting the policy to Enabled or leaving it unset lets users turn Bluetooth on or off.

Setting the policy to Disabled means Google Chrome OS turns Bluetooth off, and users can't turn it on.

Note: To turn on Bluetooth, users must sign out and in again.

Example value:
0x00000001 (Windows)
Back to top

TPMFirmwareUpdateSettings

Configure TPM firmware update behavior
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\TPMFirmwareUpdateSettings
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 63
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy configures availability and behavior of TPM firmware updates.

Specify individual settings in JSON properties:

* allow-user-initiated-powerwash: If set to true, users can trigger the powerwash flow to install a TPM firmware update.

* allow-user-initiated-preserve-device-state (available starting in Google Chrome version 68): If set to true, users can invoke the TPM firmware update flow that preserves device-wide state, including enterprise enrollment, but loses user data.

* auto-update-mode (available starting in Google Chrome version 75): Controls how automatic TPM firmware updates are enforced for vulnerable TPM firmware. All flows preserve local device state. If set to:

* 1 or left not set, TPM firmware updates are not enforced.

* 2, TPM firmware updates at the next reboot after user acknowledges the update.

* 3, TPM firmware updates at the next reboot.

* 4, TPM firmware updates after enrollment, before user sign-in.

Leaving the policy unset renders TPM firmware update unavailable.

Schema:
{ "properties": { "allow-user-initiated-powerwash": { "type": "boolean" }, "allow-user-initiated-preserve-device-state": { "type": "boolean" }, "auto-update-mode": { "enum": [ 1, 2, 3, 4 ], "type": "integer" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\TPMFirmwareUpdateSettings = { "allow-user-initiated-powerwash": true, "allow-user-initiated-preserve-device-state": true, "auto-update-mode": 1 }
Back to top

DevicePolicyRefreshRate

Refresh rate for Device Policy
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePolicyRefreshRate
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy specifies the period in milliseconds at which the device management service is queried for device policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.

Leaving the policy unset means Google Chrome OS uses the default value of 3 hours.

Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).

Example value:
0x0036ee80 (Windows)
Back to top

DeviceBlockDevmode

Block developer mode
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 37
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled means Google Chrome OS stops the device from going into Developer mode.

Setting the policy to Disabled or leaving it unset keeps Developer mode available for the device.

Note for Google Chrome OS devices supporting Android apps:

This policy controls Google Chrome OS developer mode only. If you want to prevent access to Android Developer Options, you need to set the DeveloperToolsDisabled policy.

Back to top

DeviceAllowRedeemChromeOsRegistrationOffers

Allow users to redeem offers through Google Chrome OS Registration
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAllowRedeemChromeOsRegistrationOffers
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset lets enterprise device users redeem offers through Google Chrome OS Registration.

Setting the policy to Disabled means users can't redeem these offers.

Example value:
0x00000001 (Windows)
Back to top

DeviceQuirksDownloadEnabled

Enable queries to Quirks Server for hardware profiles
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceQuirksDownloadEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 51
Supported features:
Dynamic Policy Refresh: Yes
Description:

The Quirks Server provides hardware-specific configuration files, like ICC display profiles to adjust monitor calibration.

When this policy is set to false, the device will not attempt to contact the Quirks Server to download configuration files.

If this policy is true or not configured then Google Chrome OS will automatically contact the Quirks Server and download configuration files, if available, and store them on the device. Such files might, for example, be used to improve display quality of attached monitors.

Example value:
0x00000001 (Windows)
Back to top

ExtensionCacheSize

Set Apps and Extensions cache size (in bytes)
Data type:
Integer
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 43
Supported features:
Dynamic Policy Refresh: No
Description:

Setting to lower than 1 MB or leaving it unset means Google Chrome OS uses the default size of 256 MiB for caching apps and extensions for installation by multiple users of a single device, avoiding the need to redownload each one for every user.

Note for Google Chrome OS devices supporting Android apps:

The cache is not used for Android apps. If multiple users install the same Android app, it will be downloaded anew for each user.

Back to top

DeviceOffHours

Off hours intervals when the specified device policies are released
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceOffHours
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 62
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy means the specified device policies are ignored (use these policies' default settings) during the specified intervals. Device policies are reapplied by Google Chrome when the policy period starts or ends. The user is notified and forced to sign out when this period changes and device policy settings change (for example, when a user signs in with a disallowed account).

Schema:
{ "properties": { "ignored_policy_proto_tags": { "items": { "type": "integer" }, "type": "array" }, "intervals": { "items": { "id": "WeeklyTimeIntervals", "properties": { "end": { "$ref": "WeeklyTime" }, "start": { "id": "WeeklyTime", "properties": { "day_of_week": { "enum": [ "MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY" ], "id": "WeekDay", "type": "string" }, "time": { "type": "integer" } }, "type": "object" } }, "type": "object" }, "type": "array" }, "timezone": { "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceOffHours = { "ignored_policy_proto_tags": [ 3, 8 ], "intervals": [ { "end": { "day_of_week": "MONDAY", "time": 21720000 }, "start": { "day_of_week": "MONDAY", "time": 12840000 } }, { "end": { "day_of_week": "FRIDAY", "time": 57600000 }, "start": { "day_of_week": "FRIDAY", "time": 38640000 } } ], "timezone": "GMT" }
Back to top

SuggestedContentEnabled

Enable Suggested Content
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SuggestedContentEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This feature enables suggestions for new content to explore. Includes apps, webpages, and more. If this policy is set to True, then suggestions for new content to explore will be enabled. If this policy is set to False, then suggestions for new content to explore will be disabled. If this policy is left unset, then suggestions for new content to explore will be disabled for managed users and enabled for other users.

Example value:
0x00000000 (Windows)
Back to top

DeviceShowLowDiskSpaceNotification

Show notification when disk space is low
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceShowLowDiskSpaceNotification
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allows enabling or disabling a notification when disk space is low. This applies to all users on the device.

Setting policy to Enabled, an notification will be shown when remaining disk space is low.

Setting policy to Disabled or not set, there won't be any low disk space notification.

This policy is ignored and the notification is always shown if the device is unmanaged or there is only one user.

If there are multiple user accounts on a managed device, the notification will only be shown when this policy is enabled.

Example value:
0x00000001 (Windows)
Back to top

WebXRImmersiveArEnabled

Allow creating WebXR's "immersive-ar" sessions
Data type:
Boolean
Android restriction name:
WebXRImmersiveArEnabled
Supported on:
  • Google Chrome (Android) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Configures whether the sites that the user navigates to are allowed to create immersive Augmented Reality sessions using WebXR Device API.

When this policy is unset or enabled, the WebXR Device API will accept "immersive-ar" during session creation, thus allowing the users to enter Augmented Reality experiences.

When this policy is disabled, the WebXR Device API will reject requests to create sessions with mode set to "immersive-ar". The existing "immersive-ar" sessions (if any) will not be terminated.

For more details about "immersive-ar" sessions, please see WebXR Augmented Reality Module specfication.

Example value:
true (Android)
Back to top

PromptOnMultipleMatchingCertificates

Prompt when multiple certificates match
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PromptOnMultipleMatchingCertificates
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Other\PromptOnMultipleMatchingCertificates
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PromptOnMultipleMatchingCertificates
Mac/Linux preference name:
PromptOnMultipleMatchingCertificates
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
  • Google Chrome (Linux) since version 96
  • Google Chrome (Mac) since version 96
  • Google Chrome (Windows) since version 96
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls whether the user is prompted to select a client certificate when more than one certificate matches AutoSelectCertificateForUrls. If this policy is set to Enabled, the user is prompted to select a client certificate whenever the auto-selection policy matches multiple certificates. If this policy is set to Disabled or not set, the user may only be prompted when no certificate matches the auto-selection.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DeviceKeylockerForStorageEncryptionEnabled

Controls use of AES Keylocker for user storage encryption if supported
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceKeylockerForStorageEncryptionEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 99
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy controls whether the AES Keylocker implementation is enabled for user storage encryption for dm-crypt user homes on ChromeOS, if supported.

This policy only applies to user homes which use dm-crypt) for encryption. Legacy user homes (those which do not use dm-crypt) do not support the use of AES Keylocker and will default to using AESNI.

If the policy value changes, existing dm-crypt user homes will be accessed using the encryption implementation configured by the policy because the AES implementations are compatible. If the policy is disabled or not set, user storage encryption for dm-crypt user homes will default to using AESNI.

Example value:
0x00000001 (Windows)
Back to top

Parental supervision settings

Controls parental supervision policies, that are applied to child accounts only. These policies are not set in the admin console, but configured directly by Kids API Server.
Back to top

ParentAccessCodeConfig

Parent Access Code Configuration
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ParentAccessCodeConfig
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 73
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy specifies configuration that is used to generate and verify Parent Access Code.

|current_config| is always used for generating access code and should be used for validating access code only when it cannot be validated with |future_config|. |future_config| is the primary config used for validating access code. |old_configs| should be used for validating access code only when it cannot be validated with |future_config| nor |current_config|.

The expected way of using this policy is to gradually rotate access code configuration. New configuration is always put into |future_config| and at the same time the existing value is moved into |current_config|. |current_config|'s previous values are moved into |old_configs| and removed after rotation cycle is finished.

This policy applies only to child user. When this policy is set Parent Access Code can be verified on child user's device. When this policy is unset it is not possible to verify Parent Access Code on child user's device.

Schema:
{ "properties": { "current_config": { "description": "Configuration used to generate and verify Parent Access Code.", "id": "Config", "properties": { "access_code_ttl": { "description": "Time that access code is valid for (in seconds).", "maximum": 3600, "minimum": 60, "type": "integer" }, "clock_drift_tolerance": { "description": "The allowed difference between the clock on child and parent devices (in seconds).", "maximum": 1800, "minimum": 0, "type": "integer" }, "shared_secret": { "description": "Secret shared between child and parent devices.", "type": "string" } }, "type": "object" }, "future_config": { "$ref": "Config" }, "old_configs": { "items": { "$ref": "Config" }, "type": "array" } }, "sensitiveValue": true, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ParentAccessCodeConfig = { "current_config": { "access_code_ttl": 600, "clock_drift_tolerance": 300, "shared_secret": "oOA9nX02LdhYdOzwMsGof+QA3wUKP4YMNlk9S/W3o+w=" }, "future_config": { "access_code_ttl": 600, "clock_drift_tolerance": 300, "shared_secret": "KMsoIjnpvcWmiU1GHchp2blR96mNyJwS" }, "old_configs": [ { "access_code_ttl": 600, "clock_drift_tolerance": 300, "shared_secret": "sTr6jqMTJGCbLhWI5plFTQb/VsqxwX2Q" } ] }
Back to top

PerAppTimeLimits

Per-App Time Limits
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PerAppTimeLimits
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allows to set per-app usage restrictions. Usage restrictions can be applied to the apps installed on Google Chrome OS for the given user. Restrictions should be passed in |app_limits| list. Only one entry per-app is allowed. Apps not included in the list have no restrictions. It is not possible to block apps that are essential for the operating system, the restrictions for such apps will be ignored. App is uniquely identified by |app_id|. Since different types of apps can use different id format |app_type| needs to be specified next to |app_id|. Per-App Time Limits only support |ARC| apps currently. Android package name is used as |app_id|. Support for other types of applications will be added in the future, for now they can be specified in the policy, but the restrictions will take no effect. There are two types of available restrictions: |BLOCK| and |TIME_LIMIT|. |BLOCK| makes app unavailable for the user. If |daily_limit_mins| is specified with |BLOCK| restriction |daily_limit_mins| will be ignored. |TIME_LIMITS| applies daily usage limit and makes app unavailable after the limit is reached on the given day. Usage limit is specified in |daily_limit_mins|. Usage limit is reset daily at the UTC time passed in |reset_at|. This policy is only used for child users. This policy is complementary to 'UsageTimeLimit'. Restrictions specified in 'UsageTimeLimit' like screen time and bedtime will be enforced regardless of 'PerAppTimeLimits'.

Schema:
{ "properties": { "activity_reporting_enabled": { "description": "The value of app activity collection toggle. If set to true user app activity will be reported to the server with purpose of being displayed in child and parent Google Chrome app. If set to false Per-app time limits feature will still work, but no data will be reported to the server and therefore displayed in Google Chrome.", "type": "boolean" }, "app_limits": { "items": { "properties": { "app_info": { "properties": { "app_id": { "type": "string" }, "app_type": { "enum": [ "ARC", "BUILT-IN", "EXTENSION", "WEB", "CROSTINI" ], "type": "string" } }, "type": "object" }, "daily_limit_mins": { "maximum": 1440, "minimum": 0, "type": "integer" }, "last_updated_millis": { "description": "UTC timestamp for the last time this entry was updated. Sent as a string because the timestamp would not fit in an integer", "type": "string" }, "restriction": { "enum": [ "BLOCK", "TIME_LIMIT" ], "type": "string" } }, "type": "object" }, "type": "array" }, "reset_at": { "description": "The time of the day in local time when usage quota is renewed.", "properties": { "hour": { "maximum": 23, "minimum": 0, "type": "integer" }, "minute": { "maximum": 59, "minimum": 0, "type": "integer" } }, "type": "object" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PerAppTimeLimits = { "activity_reporting_enabled": false, "app_limits": [ { "app_info": { "app_id": "com.example.myapp", "app_type": "ARC" }, "daily_limit_mins": 30, "last_updated_millis": "1570223060437", "restriction": "TIME_LIMIT" }, { "app_info": { "app_id": "pjkljhegncpnkpknbcohdijeoejaedia", "app_type": "EXTENSION" }, "daily_limit_mins": 10, "last_updated_millis": "1570223000000", "restriction": "TIME_LIMIT" }, { "app_info": { "app_id": "iniodglblcgmngkgdipeiclkdjjpnlbn", "app_type": "BUILT-IN" }, "last_updated_millis": "1570223000000", "restriction": "BLOCK" } ], "reset_at": { "hour": 6, "minute": 0 } }
Back to top

PerAppTimeLimitsAllowlist

Per-App Time Limits Allowlist
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PerAppTimeLimitsAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy specifies which applications and URLs should be allowed for per-app usage restrictions. The configured allowlist is applied to the apps installed on Google Chrome OS for the given user with per-app time limits. The configured allowlist can only be applied to child user accounts and take effect when PerAppTimeLimits policy is set. The configured allowlist is applied to applications and URLs so that they will not be blocked by per-app time limits. Accessing allowed URLs will not count towards the chrome time limit. Add url regular expressions to |url_list| to allow urls that match any of the regular expressions in the list. Add an application with its |app_id| and |app_type| to |app_list| to allow the application.

Schema:
{ "properties": { "app_list": { "items": { "properties": { "app_id": { "type": "string" }, "app_type": { "enum": [ "ARC", "BUILT-IN", "EXTENSION", "WEB", "CROSTINI" ], "type": "string" } }, "type": "object" }, "type": "array" }, "url_list": { "items": { "type": "string" }, "type": "array" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PerAppTimeLimitsAllowlist = { "app_list": [ { "app_id": "pjkljhegncpnkpknbcohdijeoejaedia", "app_type": "EXTENSION" }, { "app_id": "iniodglblcgmngkgdipeiclkdjjpnlbn", "app_type": "BUILT-IN" } ], "url_list": [ "chrome://*", "file://*", "https://www.support.google.com", "https://www.policies.google.com" ] }
Back to top

UsageTimeLimit

Time Limit
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UsageTimeLimit
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 69
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allows you to lock the user's session based on the client time or the usage quota of the day.

The |time_window_limit| specifies a daily window in which the user's session should be locked. We only support one rule for each day of the week, therefore the |entries| array may vary from 0-7 in size. |starts_at| and |ends_at| are the beginning and the end of the window limit, when |ends_at| is smaller than |starts_at| it means that the |time_limit_window| ends on the following day. |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.

The |time_usage_limit| specifies a daily screen quota, so when the user reaches it, the user's session is locked. There is a property for each day of the week, and it should be set only if there is an active quota for that day. |usage_quota_mins| is the amount of time that the managed device can be use in a day and |reset_at| is the time when the usage quota is renewed. The default value for |reset_at| is midnight ({'hour': 0, 'minute': 0}). |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.

|overrides| is provided to invalidate temporarily one or more of the previous rules. * If neither time_window_limit nor time_usage_limit is active |LOCK| can be used to lock the device. * |LOCK| temporarily locks a user session until the next time_window_limit or time_usage_limit starts. * |UNLOCK| unlocks a user's session locked by time_window_limit or time_usage_limit. |created_time_millis| is the UTC timestamp for the override creation, it is sent as a String because the timestamp wouldn't fit in an integer It is used to determine whether this override should still be applied. If the current active time limit feature (time usage limit or time window limit) started after the override was created, it should not take action. Also if the override was created before the last change of the active time_window_limit or time_usage_window it should not be applied.

Multiple overrides may be sent, the newest valid entry is the one that is going to be applied.

Schema:
{ "properties": { "overrides": { "items": { "properties": { "action": { "enum": [ "LOCK", "UNLOCK" ], "type": "string" }, "action_specific_data": { "properties": { "duration_mins": { "minimum": 0, "type": "integer" } }, "type": "object" }, "created_at_millis": { "type": "string" } }, "type": "object" }, "type": "array" }, "time_usage_limit": { "properties": { "friday": { "$ref": "TimeUsageLimitEntry" }, "monday": { "id": "TimeUsageLimitEntry", "properties": { "last_updated_millis": { "type": "string" }, "usage_quota_mins": { "minimum": 0, "type": "integer" } }, "type": "object" }, "reset_at": { "$ref": "Time" }, "saturday": { "$ref": "TimeUsageLimitEntry" }, "sunday": { "$ref": "TimeUsageLimitEntry" }, "thursday": { "$ref": "TimeUsageLimitEntry" }, "tuesday": { "$ref": "TimeUsageLimitEntry" }, "wednesday": { "$ref": "TimeUsageLimitEntry" } }, "type": "object" }, "time_window_limit": { "properties": { "entries": { "items": { "properties": { "effective_day": { "$ref": "WeekDay" }, "ends_at": { "$ref": "Time" }, "last_updated_millis": { "type": "string" }, "starts_at": { "$ref": "Time" } }, "type": "object" }, "type": "array" } }, "type": "object" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\UsageTimeLimit = { "overrides": [ { "action": "UNLOCK", "action_specific_data": { "duration_mins": 30 }, "created_at_millis": "1250000" } ], "time_usage_limit": { "friday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "monday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "reset_at": { "hour": 6, "minute": 0 }, "saturday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "sunday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "thursday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "tuesday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "wednesday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 } }, "time_window_limit": { "entries": [ { "effective_day": "WEDNESDAY", "ends_at": { "hour": 7, "minute": 30 }, "last_updated_millis": "1000000", "starts_at": { "hour": 21, "minute": 0 } } ] } }
Back to top

EduCoexistenceToSVersion

The valid version of Edu Coexistence Terms of Service
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EduCoexistenceToSVersion
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy indicates current valid version of Edu Coexistence Terms of Service. It is compared with the version last accepted by the parent and used to prompt parent permission renewal when needed.

When this policy is set Terms of Service version can be validated. When this policy is unset it is not possible to verify validity of Edu Coexistence Terms of Service.

This policy is only used for Family Link users.

Example value:
"333024512"
Back to top

Password manager

Configures the password manager.
Back to top

PasswordManagerEnabled

Enable saving passwords to the password manager
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PasswordManagerEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~PasswordManager\PasswordManagerEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PasswordManagerEnabled
Mac/Linux preference name:
PasswordManagerEnabled
Android restriction name:
PasswordManagerEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means users have Google Chrome remember passwords and provide them the next time they sign in to a site.

Setting the policy to Disabled means users can't save new passwords, but previously saved passwords will still work.

If the policy is set, users can't change it in Google Chrome. If not set, the user can turn off password saving.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on Android apps.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PasswordManager
Back to top

PasswordLeakDetectionEnabled

Enable leak detection for entered credentials
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PasswordLeakDetectionEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~PasswordManager\PasswordLeakDetectionEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PasswordLeakDetectionEnabled
Mac/Linux preference name:
PasswordLeakDetectionEnabled
Android restriction name:
PasswordLeakDetectionEnabled
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
  • Google Chrome (Android) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled lets users have Google Chrome check whether usernames and passwords entered were part of a leak.

If the policy is set, users can't change it in Google Chrome. If not set, credential leak checking is allowed, but the user can turn it off.

This behavior will not trigger if Safe Browsing is disabled (either by policy or by the user). In order to force Safe Browsing on, use the SafeBrowsingEnabled policy or the SafeBrowsingProtectionLevel policy.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

PasswordDismissCompromisedAlertEnabled

Enable dismissing compromised password alerts for entered credentials
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PasswordDismissCompromisedAlertEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~PasswordManager\PasswordDismissCompromisedAlertEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PasswordDismissCompromisedAlertEnabled
Mac/Linux preference name:
PasswordDismissCompromisedAlertEnabled
Supported on:
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset gives the user the option to dismiss/restore compromised password alerts.

If you disable this setting, users will not be able to dismiss alerts about compromised passwords. If enabled, users will be able to dismiss alerts about compromised passwords.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

PluginVm

Configure PluginVm related policies.
Back to top

PluginVmAllowed

Allow devices to use a PluginVm on Google Chrome OS
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PluginVmAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled turns on PluginVm for the device, as long as other settings also allow it. PluginVmAllowed and UserPluginVmAllowed must be True, and either PluginVmLicenseKey or PluginVmUserId must be set for PluginVm to run.

Setting the policy to Disabled or leaving it unset means PluginVm isn't on for the device.

Example value:
0x00000001 (Windows)
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PluginVm
Back to top

PluginVmDataCollectionAllowed

Allow PluginVm Product Analytics
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PluginVmDataCollectionAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allow PluginVm to collect PluginVm usage data.

If the policy is set to false or left unset, PluginVm is not allowed to collect data. If set to true, PluginVm might collect PluginVm usage data that is then combined and thoroughly analyzed to improve PluginVm experience.

Example value:
0x00000000 (Windows)
Back to top

PluginVmImage

PluginVm image
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PluginVmImage
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy specifies the PluginVm image for a user. Specify this policy as a JSON format string, with URL stating where to download the image and hash as a SHA-256 hash used to verify the integrity of the download.

Schema:
{ "properties": { "hash": { "description": "The SHA-256 hash of the PluginVm image.", "type": "string" }, "url": { "description": "The URL from which the PluginVm image can be downloaded.", "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PluginVmImage = { "hash": "842841a4c75a55ad050d686f4ea5f77e83ae059877fe9b6946aa63d3d057ed32", "url": "https://example.com/plugin_vm_image" }
Back to top

PluginVmRequiredFreeDiskSpace

Required free disk space for PluginVm
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PluginVmRequiredFreeDiskSpace
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Free disk space (in GB) required to install PluginVm.

If this policy is left unset, PluginVm installation fails if free disk space available on the device is less than 20 GB (default value). If this policy is set, PluginVm installation fails if free disk space available on the device is less than required by policy.

Restrictions:
  • Minimum:0
  • Maximum:1000
Example value:
0x00000014 (Windows)
Back to top

PluginVmUserId

PluginVm user id
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PluginVmUserId
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy specifies the PluginVm licensing user id for this device.

Example value:
"USER_ID"
Back to top

UserPluginVmAllowed

Allow users to use a PluginVm on Google Chrome OS
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserPluginVmAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allow this user to run PluginVm.

If the policy is set to false or left unset, PluginVm is not enabled for the user. If set to true, PluginVm is enabled for the user as long as other settings also allow it. PluginVmAllowed and UserPluginVmAllowed need to be true, and either PluginVmLicenseKey or PluginVmUserId need to be set for PluginVm to be allowed to run.

Example value:
0x00000001 (Windows)
Back to top

Power and shutdown

Controls settings related to power management and rebooting.
Back to top

DeviceLoginScreenPowerManagement

Power management on the login screen
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenPowerManagement
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 30
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy lets you set how Google Chrome OS behaves when there is no user activity for some amount of time while the sign-in screen appears. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session.

The deviations from these policies are:

* The actions to take on idle or lid close cannot be to end the session.

* The default action taken on idle when running on AC power is to shut down.

Leaving the policy or any of its settings unset results in the use of the default values for the various power settings.

Schema:
{ "properties": { "AC": { "description": "Power management settings applicable only when running on AC power", "id": "DeviceLoginScreenPowerSettings", "properties": { "Delays": { "properties": { "Idle": { "description": "The length of time without user input after which the idle action is taken, in milliseconds", "minimum": 0, "type": "integer" }, "ScreenDim": { "description": "The length of time without user input after which the screen is dimmed, in milliseconds", "minimum": 0, "type": "integer" }, "ScreenOff": { "description": "The length of time without user input after which the screen is turned off, in milliseconds", "minimum": 0, "type": "integer" } }, "type": "object" }, "IdleAction": { "description": "Action to take when the idle delay is reached", "enum": [ "Suspend", "Shutdown", "DoNothing" ], "type": "string" } }, "type": "object" }, "Battery": { "$ref": "DeviceLoginScreenPowerSettings", "description": "Power management settings applicable only when running on battery power" }, "LidCloseAction": { "description": "Action to take when the lid is closed", "enum": [ "Suspend", "Shutdown", "DoNothing" ], "type": "string" }, "UserActivityScreenDimDelayScale": { "description": "Percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off", "minimum": 100, "type": "integer" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceLoginScreenPowerManagement = { "AC": { "IdleAction": "DoNothing" }, "Battery": { "Delays": { "Idle": 30000, "ScreenDim": 10000, "ScreenOff": 20000 }, "IdleAction": "DoNothing" }, "LidCloseAction": "Suspend", "UserActivityScreenDimDelayScale": 110 }
Back to top

UptimeLimit

Limit device uptime by automatically rebooting
Data type:
Integer
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy limits the device uptime by scheduling automatic restarts, which you can delay by up to 24 hours if a user is on the device. The policy value should be specified in seconds. Values are clamped to be at least 3,600 (one hour).

If you set the policy, users can't change it. If not set, the device uptime isn't limited.

Note: Automatic restarts are only on while the sign-in screen appears or during a kiosk app session.

Back to top

DeviceRebootOnShutdown

Automatic reboot on device shutdown
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceRebootOnShutdown
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 41
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled means Google Chrome OS triggers a restart when users shut down the device. Google Chrome OS replaces all shutdown buttons in the UI with restart buttons. If the users shut down devices using the power button, they won't automatically restart, even if the policy is on.

Setting the policy to Disabled or leaving it unset means Google Chrome OS lets them shut down the device.

Example value:
0x00000001 (Windows)
Back to top

Power management

Configure power management in Google Chrome OS. These policies let you configure how Google Chrome OS behaves when the user remains idle for some amount of time.
Back to top

ScreenDimDelayAC (Deprecated)

Screen dim delay when running on AC power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenDimDelayAC
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which the screen is dimmed when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS dims the screen.

When this policy is set to zero, Google Chrome OS does not dim the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.

Example value:
0x000668a0 (Windows)
Back to top

ScreenOffDelayAC (Deprecated)

Screen off delay when running on AC power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenOffDelayAC
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which the screen is turned off when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS turns off the screen.

When this policy is set to zero, Google Chrome OS does not turn off the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

Example value:
0x00075300 (Windows)
Back to top

ScreenLockDelayAC (Deprecated)

Screen lock delay when running on AC power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenLockDelayAC
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use ScreenLockDelays instead.

Specifies the length of time without user input after which the screen is locked when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS locks the screen.

When this policy is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

Example value:
0x000927c0 (Windows)
Back to top

IdleWarningDelayAC (Deprecated)

Idle warning delay when running on AC power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IdleWarningDelayAC
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 27
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which a warning dialog is shown when running on AC power.

When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS shows a warning dialog telling the user that the idle action is about to be taken.

When this policy is unset, no warning dialog is shown.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

The warning message is only shown if the idle action is to logout or shut down.

Example value:
0x000850e8 (Windows)
Back to top

IdleDelayAC (Deprecated)

Idle delay when running on AC power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IdleDelayAC
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which the idle action is taken when running on AC power.

When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS takes the idle action, which can be configured separately.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds.

Example value:
0x001b7740 (Windows)
Back to top

ScreenDimDelayBattery (Deprecated)

Screen dim delay when running on battery power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenDimDelayBattery
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which the screen is dimmed when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS dims the screen.

When this policy is set to zero, Google Chrome OS does not dim the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.

Example value:
0x000493e0 (Windows)
Back to top

ScreenOffDelayBattery (Deprecated)

Screen off delay when running on battery power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenOffDelayBattery
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which the screen is turned off when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS turns off the screen.

When this policy is set to zero, Google Chrome OS does not turn off the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

Example value:
0x00057e40 (Windows)
Back to top

ScreenLockDelayBattery (Deprecated)

Screen lock delay when running on battery power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenLockDelayBattery
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use ScreenLockDelays instead.

Specifies the length of time without user input after which the screen is locked when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS locks the screen.

When this policy is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

Example value:
0x000927c0 (Windows)
Back to top

IdleWarningDelayBattery (Deprecated)

Idle warning delay when running on battery power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IdleWarningDelayBattery
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 27
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which a warning dialog is shown when running on battery power.

When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS shows a warning dialog telling the user that the idle action is about to be taken.

When this policy is unset, no warning dialog is shown.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

The warning message is only shown if the idle action is to logout or shut down.

Example value:
0x000850e8 (Windows)
Back to top

IdleDelayBattery (Deprecated)

Idle delay when running on battery power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IdleDelayBattery
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which the idle action is taken when running on battery power.

When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS takes the idle action, which can be configured separately.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds.

Example value:
0x000927c0 (Windows)
Back to top

IdleAction (Deprecated)

Action to take when the idle delay is reached
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IdleAction
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

This policy provides a fallback value for the more-specific IdleActionAC and IdleActionBattery policies. If this policy is set, its value gets used if the respective more-specific policy is not set.

When this policy is unset, behavior of the more-specific policies remains unaffected.

  • 0 = Suspend
  • 1 = Log the user out
  • 2 = Shut down
  • 3 = Do nothing
Example value:
0x00000000 (Windows)
Back to top

IdleActionAC (Deprecated)

Action to take when the idle delay is reached while running on AC power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IdleActionAC
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

When this policy is set, it specifies the action that Google Chrome OS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.

When this policy is unset, the default action is taken, which is suspend.

If the action is suspend, Google Chrome OS can separately be configured to either lock or not lock the screen before suspending.

  • 0 = Suspend
  • 1 = Log the user out
  • 2 = Shut down
  • 3 = Do nothing
Example value:
0x00000000 (Windows)
Back to top

IdleActionBattery (Deprecated)

Action to take when the idle delay is reached while running on battery power
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IdleActionBattery
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.

When this policy is set, it specifies the action that Google Chrome OS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.

When this policy is unset, the default action is taken, which is suspend.

If the action is suspend, Google Chrome OS can separately be configured to either lock or not lock the screen before suspending.

  • 0 = Suspend
  • 1 = Log the user out
  • 2 = Shut down
  • 3 = Do nothing
Example value:
0x00000000 (Windows)
Back to top

LidCloseAction

Action to take when the user closes the lid
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LidCloseAction
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy specifies the action that Google Chrome OS takes when the user closes the device's lid.

Leaving the policy unset means the Suspend action is taken.

Note: If the action is Suspend, Google Chrome OS can separately be set up to lock or not lock the screen before suspending.

  • 0 = Suspend
  • 1 = Log the user out
  • 2 = Shut down
  • 3 = Do nothing
Example value:
0x00000000 (Windows)
Back to top

PowerManagementUsesAudioActivity

Specify whether audio activity affects power management
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PowerManagementUsesAudioActivity
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset means the user is not considered idle while audio plays. This prevents the idle timeout from being reached and the idle action from being taken. However, screen dimming, screen off, and screen lock will still occur after their configured timeouts despite audio activity.

Setting the policy to Disabled means the system can consider users idle despite audio activity.

Example value:
0x00000001 (Windows)
Back to top

PowerManagementUsesVideoActivity

Specify whether video activity affects power management
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PowerManagementUsesVideoActivity
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset means the user is not considered idle while video plays. This prevents the idle delay, screen dim delay, screen off delay, and screen lock delay from being reached and the corresponding actions from being taken.

Setting the policy to Disabled means the system can consider users idle despite video activity.

Note for Google Chrome OS devices supporting Android apps:

Video playing in Android apps is not taken into consideration, even if this policy is set to True.

Example value:
0x00000001 (Windows)
Back to top

PresentationScreenDimDelayScale

Percentage by which to scale the screen dim delay in presentation mode
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PresentationScreenDimDelayScale
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If PowerSmartDimEnabled is Disabled, then setting PresentationScreenDimDelayScale specifies the percent that the screen dim delay scales when the device is presenting. When the screen dim delay scales, the screen off, screen lock, and idle delays adjust to maintain the same distances from the screen dim delay as originally set.

Leaving the policy unset puts a default scale factor in use.

Note: The scale factor must be 100% or more.

Example value:
0x000000c8 (Windows)
Back to top

AllowWakeLocks

Allow wake locks
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowWakeLocks
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset allows wake locks for power management. Extensions can request wake locks through the power management extension API and ARC apps.

Setting the policy to Disabled means wake lock requests are ignored.

Example value:
0x00000000 (Windows)
Back to top

AllowScreenWakeLocks

Allow screen wake locks
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowScreenWakeLocks
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 28
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Unless AllowWakeLocks is set to Disabled, setting AllowScreenWakeLocks to Enabled or leaving it unset allows screen wake locks for power management. Extensions can request screen wake locks through the power management extension API and ARC apps.

Setting the policy to Disabled demotes screen wake lock requests to system wake lock requests.

Example value:
0x00000000 (Windows)
Back to top

UserActivityScreenDimDelayScale

Percentage by which to scale the screen dim delay if the user becomes active after dimming
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserActivityScreenDimDelayScale
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If PowerSmartDimEnabled is Disabled, then setting UserActivityScreenDimDelayScale specifies the percent that the screen dim delay scales when there's user activity while the screen dims or soon after the screen turns off. When the dim delay scales, the screen off, screen lock and idle delays adjust to maintain the same distances from the screen dim delay as originally set.

Leaving the policy unset puts a default scale factor in use.

Note: The scale factor must be 100% or more.

Example value:
0x000000c8 (Windows)
Back to top

WaitForInitialUserActivity

Wait for initial user activity
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WaitForInitialUserActivity
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 32
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled means that power management delays and session length limits don't start until after the first user activity occurs in a session.

Setting the policy to Disabled or leaving it unset means power management delays and the time limit begin immediately at session start.

Example value:
0x00000001 (Windows)
Back to top

PowerManagementIdleSettings

Power management settings when the user becomes idle
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PowerManagementIdleSettings
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 35
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy controls the power management strategy when the user idles.

There are 4 actions:

* The screen dims if the user is idle for the time specified by ScreenDim.

* The screen turns off if the user is idle for the time specified by ScreenOff.

* A warning dialog appears if the user remains idle for the time specified by IdleWarning. It warns the user that the idle action will be taken and only appears if the idle action is to sign out or shut down.

* The action specified by IdleAction is taken if the user is idle for the time specified by Idle.

For each of the above actions, the delay should be specified in milliseconds and must be set to a value greater than zero to trigger the corresponding action. If the delay is set to zero, Google Chrome OS won't take the corresponding action.

For each of the above delays, when the time is unset, a default value is used.

ScreenDim values will be clamped to be less than or equal to ScreenOff. ScreenOff and IdleWarning will be clamped to be less than or equal to Idle.

IdleAction can be one of 4 actions:

* Suspend

* Logout

* Shutdown

* DoNothing

If the IdleAction is not set, Suspend is taken.

Note: There are separate settings for AC power and battery.

Schema:
{ "properties": { "AC": { "description": "Delays and actions to take when the device is idle and running on AC power", "id": "PowerManagementDelays", "properties": { "Delays": { "properties": { "Idle": { "description": "The length of time without user input after which the idle action is taken, in milliseconds", "minimum": 0, "type": "integer" }, "IdleWarning": { "description": "The length of time without user input after which a warning dialog is shown, in milliseconds", "minimum": 0, "type": "integer" }, "ScreenDim": { "description": "The length of time without user input after which the screen is dimmed, in milliseconds", "minimum": 0, "type": "integer" }, "ScreenOff": { "description": "The length of time without user input after which the screen is turned off, in milliseconds", "minimum": 0, "type": "integer" } }, "type": "object" }, "IdleAction": { "description": "Action to take when the idle delay is reached", "enum": [ "Suspend", "Logout", "Shutdown", "DoNothing" ], "type": "string" } }, "type": "object" }, "Battery": { "$ref": "PowerManagementDelays", "description": "Delays and actions to take when the device is idle and running on battery" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PowerManagementIdleSettings = { "AC": { "IdleAction": "DoNothing" }, "Battery": { "Delays": { "Idle": 30000, "IdleWarning": 5000, "ScreenDim": 10000, "ScreenOff": 20000 }, "IdleAction": "DoNothing" } }
Back to top

ScreenLockDelays

Screen lock delays
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenLockDelays
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 35
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy specifies the length of time in milliseconds without user input after which the screen locks when running on AC power or battery. Values are clamped to be less than the idle delay in PowerManagementIdleSettings.

When set to zero, Google Chrome OS doesn't lock the screen when the user becomes idle. If unset, a default time is used.

Recommendation: Lock the screen on idle by turning on screen locking on suspend and have Google Chrome OS suspend after the idle delay. Only use this policy when screen locking should occur a significant amount of time sooner than suspend or when you don't want suspend on idle.

Schema:
{ "properties": { "AC": { "description": "The length of time without user input after which the screen is locked when running on AC power, in milliseconds", "minimum": 0, "type": "integer" }, "Battery": { "description": "The length of time without user input after which the screen is locked when running on battery, in milliseconds", "minimum": 0, "type": "integer" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ScreenLockDelays = { "AC": 600000, "Battery": 300000 }
Back to top

PowerSmartDimEnabled

Enable smart dim model to extend the time until the screen is dimmed
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PowerSmartDimEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset turns the smart dim model on and can extend the time until the screen dims. If it delays the time, the screen off, screen lock, and idle delays adjust to maintain the same distances from the screen dim delay as originally set.

Setting the policy to Disabled means the smart dim model won't influence screen dimming.

Example value:
0x00000000 (Windows)
Back to top

ScreenBrightnessPercent

Screen brightness percent
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScreenBrightnessPercent
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy specifies screen brightness percent, turning autobrightness features off. Initial screen brightness adjusts to the policy value, but users can change it.

Leaving the policy unset doesn't affect user screen controls or autobrightness features.

Note: The policy values should be specified in percents from 0 to 100.

Schema:
{ "properties": { "BrightnessAC": { "description": "Screen brightness percent when running on AC power", "maximum": 100, "minimum": 0, "type": "integer" }, "BrightnessBattery": { "description": "Screen brightness percent when running on battery power", "maximum": 100, "minimum": 0, "type": "integer" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ScreenBrightnessPercent = { "BrightnessAC": 90, "BrightnessBattery": 75 }
Back to top

DevicePowerPeakShiftBatteryThreshold

Set power peak shift battery threshold in percent
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePowerPeakShiftBatteryThreshold
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If DevicePowerPeakShiftEnabled is Enabled, then setting DevicePowerPeakShiftBatteryThreshold sets power peak shift battery threshold in percent.

Leaving the policy unset keeps power peak shift off.

Restrictions:
  • Minimum:15
  • Maximum:100
Example value:
0x00000014 (Windows)
Back to top

DevicePowerPeakShiftDayConfig

Set power peak shift day config
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePowerPeakShiftDayConfig
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If DevicePowerPeakShiftEnabled is Enabled, setting DevicePowerPeakShiftDayConfig sets power peak shift day configuration.

Leaving the policy unset keeps power peak shift off.

Valid values for the minute field in start_time, end_time and charge_start_time are 0, 15, 30, 45.

Schema:
{ "properties": { "entries": { "items": { "properties": { "charge_start_time": { "$ref": "Time", "description": "Time when the device will use alternating current to charge battery, interpreted in the device's local time zone." }, "day": { "$ref": "WeekDay" }, "end_time": { "$ref": "Time", "description": "Time when the device will run from alternating current, interpreted in the device's local time zone." }, "start_time": { "$ref": "Time", "description": "Time when the device will start running from the battery, interpreted in the device's local time zone." } }, "type": "object" }, "type": "array" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DevicePowerPeakShiftDayConfig = { "entries": [ { "charge_start_time": { "hour": 20, "minute": 45 }, "day": "MONDAY", "end_time": { "hour": 15, "minute": 15 }, "start_time": { "hour": 9, "minute": 0 } }, { "charge_start_time": { "hour": 23, "minute": 45 }, "day": "FRIDAY", "end_time": { "hour": 21, "minute": 0 }, "start_time": { "hour": 2, "minute": 30 } } ] }
Back to top

DevicePowerPeakShiftEnabled

Enable peak shift power management
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePowerPeakShiftEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled and setting DevicePowerPeakShiftBatteryThreshold and DevicePowerPeakShiftDayConfig keeps power peak shift on, if supported on the device. Power peak shift power management policy is a power-saving policy that minimizes alternating current usage during peak times. For each weekday, you can set a start and end time to run in power peak shift mode. As long as the battery stays above the threshold specified, during these times, the device runs from the battery (even if the alternating current is attached). After the specified end time, the device runs from alternating current (if attached), but won't charge the battery. The device will again function normally using alternating current and recharging the battery after the specified charge start time.

Setting the policy to Disabled keeps power peak shift off.

If unset, power peak shift is off at first. Users can't change this setting.

Example value:
0x00000000 (Windows)
Back to top

DeviceBootOnAcEnabled

Enable boot on AC (alternating current)
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceBootOnAcEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled keeps boot on AC on, if supported on the device. Boot on AC provides an opportunity for the system to restart from Off or Hibernate after inserting the line power.

Setting the policy to Disabled keeps boot on AC off.

If you set this policy, users can't change it. If not set, boot on AC is off, and users can't turn it on.

Example value:
0x00000000 (Windows)
Back to top

DeviceAdvancedBatteryChargeModeEnabled

Enable advanced battery charge mode
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAdvancedBatteryChargeModeEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If DeviceAdvancedBatteryChargeModeDayConfig is set, setting DeviceAdvancedBatteryChargeModeEnabled to Enabled keeps advanced battery charge mode power management policy on (if supported on the device). Using a standard charging algorithm and other techniques outside work hours, this mode lets users maximize battery health. During work hours, the system uses an express charge, which lets the battery charge faster. Specify the time when the system is used most each day by the start time and the duration.

Setting the policy to Disabled or leaving it unset keeps advanced battery charge mode off.

Users are unable to change this setting.

Example value:
0x00000000 (Windows)
Back to top

DeviceAdvancedBatteryChargeModeDayConfig

Set advanced battery charge mode day config
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAdvancedBatteryChargeModeDayConfig
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If DeviceAdvancedBatteryChargeModeEnabled is set to Enabled, then setting DeviceAdvancedBatteryChargeModeDayConfig lets you set up advanced battery charge mode. The value for charge_start_time must be less than charge_end_time.

Leaving the policy unset keeps advanced battery charge mode off.

Valid values for minute field in charge_start_time and charge_end_time are 0, 15, 30, 45.

Schema:
{ "properties": { "entries": { "items": { "properties": { "charge_end_time": { "$ref": "Time", "description": "Time when the device will stop charging, interpreted in the device's local time zone." }, "charge_start_time": { "$ref": "Time", "description": "Time when the device will start charging, interpreted in the device's local time zone." }, "day": { "$ref": "WeekDay" } }, "type": "object" }, "type": "array" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceAdvancedBatteryChargeModeDayConfig = { "entries": [ { "charge_end_time": { "hour": 23, "minute": 0 }, "charge_start_time": { "hour": 20, "minute": 30 }, "day": "TUESDAY" }, { "charge_end_time": { "hour": 6, "minute": 45 }, "charge_start_time": { "hour": 4, "minute": 15 }, "day": "FRIDAY" } ] }
Back to top

DeviceBatteryChargeMode

Battery charge mode
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceBatteryChargeMode
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Unless DeviceAdvancedBatteryChargeModeEnabled is specified, which overrides DeviceBatteryChargeMode, then setting DeviceBatteryChargeMode specifies battery charge mode power management policy (if supported on the device). To extend battery life, the policy dynamically controls battery charging by minimizing stress and wear-out.

Leaving the policy unset (if supported on the device) applies the standard battery charge mode, and users can't change it.

Note: If Custom battery charge mode is selected, then also specify DeviceBatteryChargeCustomStartCharging and DeviceBatteryChargeCustomStopCharging.

  • 1 = Fully charge battery at a standard rate.
  • 2 = Charge battery using fast charging technology.
  • 3 = Charge battery for devices that are primarily connected to an external power source.
  • 4 = Adaptive charge battery based on battery usage pattern.
  • 5 = Charge battery while it is within a fixed range.
Example value:
0x00000001 (Windows)
Back to top

DeviceBatteryChargeCustomStartCharging

Set battery charge custom start charging in percent
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceBatteryChargeCustomStartCharging
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If DeviceBatteryChargeMode is set to "custom", then setting DeviceBatteryChargeCustomStartCharging customizes when the battery starts charging, based the percentage of battery charge. The value must be at least 5 percentage points below DeviceBatteryChargeCustomStopCharging.

Leaving the policy unset applies the standard battery charge mode.

Restrictions:
  • Minimum:50
  • Maximum:95
Example value:
0x0000003c (Windows)
Back to top

DeviceBatteryChargeCustomStopCharging

Set battery charge custom stop charging in percent
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceBatteryChargeCustomStopCharging
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If DeviceBatteryChargeMode is set to "custom", then setting DeviceBatteryChargeCustomStopCharging customizes when the battery stops charging, based on the percentage of battery charge. DeviceBatteryChargeCustomStartCharging must be at least 5 percentage points below DeviceBatteryChargeCustomStopCharging.

Leaving the policy unset applies the "standard" battery charge mode.

Restrictions:
  • Minimum:55
  • Maximum:100
Example value:
0x0000005a (Windows)
Back to top

DeviceUsbPowerShareEnabled

Enable USB power share
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceUsbPowerShareEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled turns on the USB power share power management policy.

Certain devices have a specific USB port with a lightning bolt or battery icon for charging devices using the system battery. This policy affects the charging behavior of this port while the system is in sleep and shut down modes. It doesn't affect the other USB ports and the charging behavior while the system is awake, when the USB port always provides power.

When sleeping, power is supplied to the USB port when the device is plugged in to the wall charger or if the battery level exceeds 50%. When shut down, power is supplied to the USB port when the device is plugged in to the wall charger.

Setting the policy to Disabled means no power is supplied.

Leaving the policy unset means the policy is on, and users can't turn it off.

Example value:
0x00000001 (Windows)
Back to top

DevicePowerAdaptiveChargingEnabled

Enable adaptive charging model to hold charging process to extend battery life
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePowerAdaptiveChargingEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 102
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Specifies whether an adaptive charging model is allowed to hold charging process to extend battery life.

When the device is on AC, the adaptive charging model evaluates if charging process should be hold to extend battery life. If the adaptive charging model holds the charging process, it'll keep the battery at a certain level (i.e. 80%) and then charge the device to 100% when the user need it. If this policy is set to True or left not set, the adaptive charging model will be enabled and allowed to hold the charging process to extend battery life. If this policy is set to False, the adaptive charging model will not influence the charging process.

Example value:
0x00000000 (Windows)
Back to top

Printing

Controls printing settings.
Back to top

PrintingEnabled

Enable printing
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintingEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingEnabled
Mac/Linux preference name:
PrintingEnabled
Android restriction name:
PrintingEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 39
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset lets users print in Google Chrome, and users can't change this setting.

Setting the policy to Disabled means users can't print from Google Chrome. Printing is off in the three dots menu, extensions, and JavaScript applications.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on Android apps.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

CloudPrintProxyEnabled

Enable Google Cloud Print proxy
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CloudPrintProxyEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\CloudPrintProxyEnabled
Mac/Linux preference name:
CloudPrintProxyEnabled
Supported on:
  • Google Chrome (Linux) since version 17
  • Google Chrome (Mac) since version 17
  • Google Chrome (Windows) since version 17
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset lets Google Chrome act as a proxy between Google Cloud Print and legacy printers connected to the machine. Using their Google Account, users may turn on the cloud print proxy by authentication.

Setting the policy to Disabled means users can't turn on the proxy, and the machine can't share its printers with Google Cloud Print.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

PrintingAllowedColorModes

Restrict printing color mode
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingAllowedColorModes
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 71
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy sets printing to color only, monochrome only, or no color mode restriction. Leaving the policy unset results in no restriction.

  • "any" = Allow all color modes
  • "color" = Color printing only
  • "monochrome" = Monochrome printing only
Example value:
"monochrome"
Back to top

PrintingAllowedDuplexModes

Restrict printing duplex mode
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingAllowedDuplexModes
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 71
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy restricts printing duplex mode.

Leaving the policy unset or empty results in no restriction.

  • "any" = Allow all duplex modes
  • "simplex" = Simplex printing only
  • "duplex" = Duplex printing only
Example value:
"duplex"
Back to top

PrintingAllowedPinModes

Restrict PIN printing mode
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingAllowedPinModes
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Restricts PIN printing mode. Unset policy is treated as no restriction. If the mode is unavailable this policy is ignored. Note that PIN printing feature is enabled only for printers that use one of IPPS, HTTPS, USB or IPP-over-USB protocols.

  • "any" = Allow printing both with and without PIN
  • "pin" = Allow printing only with PIN
  • "no_pin" = Allow printing only without PIN
Example value:
"pin"
Back to top

PrintingAllowedBackgroundGraphicsModes

Restrict background graphics printing mode
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintingAllowedBackgroundGraphicsModes
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintingAllowedBackgroundGraphicsModes
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingAllowedBackgroundGraphicsModes
Mac/Linux preference name:
PrintingAllowedBackgroundGraphicsModes
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Restricts background graphics printing mode. Unset policy is treated as no restriction.

  • "any" = Allow printing both with and without background graphics
  • "enabled" = Allow printing only with background graphics
  • "disabled" = Allow printing only without background graphics
Example value:
"enabled"
Windows (Intune):
<enabled/>
<data id="PrintingAllowedBackgroundGraphicsModes" value="enabled"/>
Back to top

PrintingColorDefault

Default printing color mode
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingColorDefault
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy overrides the default printing color mode. If the mode is unavailable, this policy is ignored.

  • "color" = Enable color printing
  • "monochrome" = Enable monochrome printing
Example value:
"monochrome"
Back to top

PrintingDuplexDefault

Default printing duplex mode
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingDuplexDefault
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy overrides the default printing duplex mode. If the mode is unavailable, this policy is ignored.

  • "simplex" = Enable simplex printing
  • "short-edge" = Enable short edge duplex printing
  • "long-edge" = Enable long edge duplex printing
Example value:
"long-edge"
Back to top

PrintingPinDefault

Default PIN printing mode
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingPinDefault
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Overrides default PIN printing mode. If the mode is unavailable this policy is ignored.

  • "pin" = Enable PIN printing by default
  • "no_pin" = Disable PIN printing by default
Example value:
"pin"
Back to top

PrintingBackgroundGraphicsDefault

Default background graphics printing mode
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintingBackgroundGraphicsDefault
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintingBackgroundGraphicsDefault
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingBackgroundGraphicsDefault
Mac/Linux preference name:
PrintingBackgroundGraphicsDefault
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Overrides default background graphics printing mode.

  • "enabled" = Enable background graphics printing mode by default
  • "disabled" = Disable background graphics printing mode by default
Example value:
"enabled"
Windows (Intune):
<enabled/>
<data id="PrintingBackgroundGraphicsDefault" value="enabled"/>
Back to top

PrintingPaperSizeDefault

Default printing page size
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintingPaperSizeDefault
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintingPaperSizeDefault
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingPaperSizeDefault
Mac/Linux preference name:
PrintingPaperSizeDefault
Supported on:
  • Google Chrome (Linux) since version 84
  • Google Chrome (Mac) since version 84
  • Google Chrome (Windows) since version 84
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Overrides default printing page size.

name should contain one of the listed formats or 'custom' if required paper size is not in the list. If 'custom' value is provided custom_size property should be specified. It describes the desired height and width in micrometers. Otherwise custom_size property shouldn't be specified. Policy that violates these rules is ignored.

If the page size is unavailable on the printer chosen by the user this policy is ignored.

Schema:
{ "properties": { "custom_size": { "properties": { "height": { "description": "Height of the page in micrometers", "type": "integer" }, "width": { "description": "Width of the page in micrometers", "type": "integer" } }, "required": [ "width", "height" ], "type": "object" }, "name": { "enum": [ "custom", "asme_f_28x40in", "iso_2a0_1189x1682mm", "iso_a0_841x1189mm", "iso_a10_26x37mm", "iso_a1_594x841mm", "iso_a2_420x594mm", "iso_a3_297x420mm", "iso_a4-extra_235.5x322.3mm", "iso_a4-tab_225x297mm", "iso_a4_210x297mm", "iso_a5-extra_174x235mm", "iso_a5_148x210mm", "iso_a6_105x148mm", "iso_a7_74x105mm", "iso_a8_52x74mm", "iso_a9_37x52mm", "iso_b0_1000x1414mm", "iso_b10_31x44mm", "iso_b1_707x1000mm", "iso_b2_500x707mm", "iso_b3_353x500mm", "iso_b4_250x353mm", "iso_b5-extra_201x276mm", "iso_b5_176x250mm", "iso_b6_125x176mm", "iso_b6c4_125x324mm", "iso_b7_88x125mm", "iso_b8_62x88mm", "iso_b9_44x62mm", "iso_c0_917x1297mm", "iso_c10_28x40mm", "iso_c1_648x917mm", "iso_c2_458x648mm", "iso_c3_324x458mm", "iso_c4_229x324mm", "iso_c5_162x229mm", "iso_c6_114x162mm", "iso_c6c5_114x229mm", "iso_c7_81x114mm", "iso_c7c6_81x162mm", "iso_c8_57x81mm", "iso_c9_40x57mm", "iso_dl_110x220mm", "jis_exec_216x330mm", "jpn_chou2_111.1x146mm", "jpn_chou3_120x235mm", "jpn_chou4_90x205mm", "jpn_hagaki_100x148mm", "jpn_kahu_240x322.1mm", "jpn_kaku2_240x332mm", "jpn_oufuku_148x200mm", "jpn_you4_105x235mm", "na_10x11_10x11in", "na_10x13_10x13in", "na_10x14_10x14in", "na_10x15_10x15in", "na_11x12_11x12in", "na_11x15_11x15in", "na_12x19_12x19in", "na_5x7_5x7in", "na_6x9_6x9in", "na_7x9_7x9in", "na_9x11_9x11in", "na_a2_4.375x5.75in", "na_arch-a_9x12in", "na_arch-b_12x18in", "na_arch-c_18x24in", "na_arch-d_24x36in", "na_arch-e_36x48in", "na_b-plus_12x19.17in", "na_c5_6.5x9.5in", "na_c_17x22in", "na_d_22x34in", "na_e_34x44in", "na_edp_11x14in", "na_eur-edp_12x14in", "na_f_44x68in", "na_fanfold-eur_8.5x12in", "na_fanfold-us_11x14.875in", "na_foolscap_8.5x13in", "na_govt-legal_8x13in", "na_govt-letter_8x10in", "na_index-3x5_3x5in", "na_index-4x6-ext_6x8in", "na_index-4x6_4x6in", "na_index-5x8_5x8in", "na_invoice_5.5x8.5in", "na_ledger_11x17in", "na_legal-extra_9.5x15in", "na_legal_8.5x14in", "na_letter-extra_9.5x12in", "na_letter-plus_8.5x12.69in", "na_letter_8.5x11in", "na_number-10_4.125x9.5in", "na_number-11_4.5x10.375in", "na_number-12_4.75x11in", "na_number-14_5x11.5in", "na_personal_3.625x6.5in", "na_super-a_8.94x14in", "na_super-b_13x19in", "na_wide-format_30x42in", "om_dai-pa-kai_275x395mm", "om_folio-sp_215x315mm", "om_invite_220x220mm", "om_italian_110x230mm", "om_juuro-ku-kai_198x275mm", "om_large-photo_200x300", "om_pa-kai_267x389mm", "om_postfix_114x229mm", "om_small-photo_100x150mm", "prc_10_324x458mm", "prc_16k_146x215mm", "prc_1_102x165mm", "prc_2_102x176mm", "prc_32k_97x151mm", "prc_3_125x176mm", "prc_4_110x208mm", "prc_5_110x220mm", "prc_6_120x320mm", "prc_7_160x230mm", "prc_8_120x309mm", "roc_16k_7.75x10.75in", "roc_8k_10.75x15.5in", "jis_b0_1030x1456mm", "jis_b1_728x1030mm", "jis_b2_515x728mm", "jis_b3_364x515mm", "jis_b4_257x364mm", "jis_b5_182x257mm", "jis_b6_128x182mm", "jis_b7_91x128mm", "jis_b8_64x91mm", "jis_b9_45x64mm", "jis_b10_32x45mm" ], "type": "string" } }, "required": [ "name" ], "type": "object" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\PrintingPaperSizeDefault = { "custom_size": { "height": 297000, "width": 210000 }, "name": "custom" }
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PrintingPaperSizeDefault = { "custom_size": { "height": 297000, "width": 210000 }, "name": "custom" }
Android/Linux:
PrintingPaperSizeDefault: { "custom_size": { "height": 297000, "width": 210000 }, "name": "custom" }
Mac:
<key>PrintingPaperSizeDefault</key> <dict> <key>custom_size</key> <dict> <key>height</key> <integer>297000</integer> <key>width</key> <integer>210000</integer> </dict> <key>name</key> <string>custom</string> </dict>
Windows (Intune):
<enabled/>
<data id="PrintingPaperSizeDefault" value=""name": "custom", "custom_size": {"width": 210000, "height": 297000}"/>
Back to top

PrintingSendUsernameAndFilenameEnabled

Send username and filename to native printers
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingSendUsernameAndFilenameEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Send username and filename to native printers server with every print job. The default is not to send.

Setting this policy to true also disables printers that use protocols other than IPPS, USB, or IPP-over-USB since username and filename shouldn't be sent over the network openly.

Example value:
0x00000001 (Windows)
Back to top

PrintingMaxSheetsAllowed

Maximal number of sheets allowed to use for a single print job
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingMaxSheetsAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Specifies the maximal number of sheets user is allowed to print for a single print job.

If not set, no limitations are applied and user can print any documents.

Restrictions:
  • Minimum:1
Example value:
0x0000000a (Windows)
Back to top

PrintJobHistoryExpirationPeriod

Set the time period in days for storing print jobs metadata
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintJobHistoryExpirationPeriod
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls how long print jobs metadata is stored on the device, in days.

When this policy is set to a value of -1, the print jobs metadata is stored indefinitely. When this policy is set to a value of 0, the print jobs metadata is not stored at all. When this policy is set to any other value, it specifies the period of time during which the metadata of completed print jobs is stored on the device.

If not set, the default period of 90 days is used for Google Chrome OS devices.

The policy value should be specified in days.

Restrictions:
  • Minimum:-1
Example value:
0x0000005a (Windows)
Back to top

PrintingAPIExtensionsAllowlist

Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintingAPIExtensionsAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy specifies the allowed extensions to skip print job confirmation dialog when they use the Printing API function chrome.printing.submitJob() for sending a print job.

If an extension is not in the list, or the list is not set, the print job confirmation dialog will be shown to the user for every chrome.printing.submitJob() function call.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PrintingAPIExtensionsAllowlist\1 = "abcdefghabcdefghabcdefghabcdefgh"
Back to top

DisablePrintPreview

Disable Print Preview
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DisablePrintPreview
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\DisablePrintPreview
Mac/Linux preference name:
DisablePrintPreview
Supported on:
  • Google Chrome (Linux) since version 18
  • Google Chrome (Mac) since version 18
  • Google Chrome (Windows) since version 18
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to Enabled has Google Chrome open the system print dialog instead of the built-in print preview when users request a printout.

Setting the policy to Disabled or leaving it unset has print commands trigger the print preview screen.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

PrintHeaderFooter

Print Headers and Footers
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintHeaderFooter
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintHeaderFooter
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintHeaderFooter
Mac/Linux preference name:
PrintHeaderFooter
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
  • Google Chrome (Linux) since version 70
  • Google Chrome (Mac) since version 70
  • Google Chrome (Windows) since version 70
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled turns headers and footers on in print preview. Setting the policy to Disabled turns them off in print preview.

If you set the policy, users can't change it. If unset, users decides whether headers and footers appear.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

DefaultPrinterSelection

Default printer selection rules
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultPrinterSelection
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\DefaultPrinterSelection
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultPrinterSelection
Mac/Linux preference name:
DefaultPrinterSelection
Supported on:
  • Google Chrome (Linux) since version 48
  • Google Chrome (Mac) since version 48
  • Google Chrome (Windows) since version 48
  • Google ChromeOS (Google ChromeOS) since version 48
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy sets the rules for selecting the default printer in Google Chrome, overriding the default rules. Printer selection occurs the first time users try to print, when Google Chrome seeks a printer matching the specified attributes. In case of a less than perfect match, Google Chrome can be set to select any matching printer, depending on the order printers are discovered.

Leaving the policy unset or set to attributes for which there's no match means the built-in PDF printer is the default. If there's no PDF printer, Google Chrome defaults to none.

Printers connected to Google Cloud Print are considered "cloud", the rest of the printers are classified as "local".

Note: Omitting a field means all values match. For example, not specifying connectivity causes Print Preview to start discovery of all kinds of printers, "local" and "cloud". Regular expression patterns must follow the JavaScript RegExp syntax, and matches are case sensistive.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on Android apps.

Schema:
{ "properties": { "idPattern": { "description": "Regular expression to match printer id.", "type": "string" }, "kind": { "description": "Whether to limit the search of the matching printer to a specific set of printers.", "enum": [ "local", "cloud" ], "type": "string" }, "namePattern": { "description": "Regular expression to match printer display name.", "type": "string" } }, "type": "object" }
Example value:
"{ "kind": "cloud", "idPattern": ".*public", "namePattern": ".*Color" }"
Windows (Intune):
<enabled/>
<data id="DefaultPrinterSelection" value="{ \"kind\": \"cloud\", \"idPattern\": \".*public\", \"namePattern\": \".*Color\" }"/>
Back to top

Printers

Configures a list of printers
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\Printers
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets administrators set up a list of printers for their users. Printer selection occurs the first time users try to print.

Using the policy:

* Customize free-form display_name and description for ease of printer selection.

* Help users identify printers using manufacturer and model.

* uri should be an address reachable from a client computer, including the scheme, port, and queue.

* Optionally provide uuid to help deduplicate zeroconf printers.

* Either use the model name for effective_model or set autoconf to True. Printers with both or no properties get ignored.

PPDs are downloaded after the printer is used, and frequently used PPDs are cached. This policy doesn't affect whether users can configure printers on individual devices.

Note: For Microsoft® Active Directory® managed devices, this policy supports expansion of ${MACHINE_NAME[,pos[,count]]} to the Microsoft® Active Directory® machine name or a substring of it. For example, if the machine name is CHROMEBOOK, then ${MACHINE_NAME,6,4} gets replaced by the 4 characters starting after the 6th position, in other words, BOOK. The position is zero-based.

Schema:
{ "items": { "id": "PrinterTypeInclusive", "properties": { "description": { "type": "string" }, "display_name": { "type": "string" }, "manufacturer": { "type": "string" }, "model": { "type": "string" }, "ppd_resource": { "id": "PpdResourceInclusive", "properties": { "autoconf": { "description": "Boolean flag indicating whether IPP Everywhere should be used to set up the printer.", "type": "boolean" }, "effective_model": { "description": "This field must match one of the strings which represent a Google Chrome OS supported printer. The string will be used to identify and install the appropriate PPD for the printer. More information can be found at https://support.google.com/chrome?p=noncloudprint.", "type": "string" } }, "type": "object" }, "uri": { "type": "string" }, "uuid": { "type": "string" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\Printers\1 = "{ "display_name": "Color Laser", "description": "The printer next to the water cooler.", "manufacturer": "Printer Manufacturer", "model": "Color Laser 2004", "uri": "ipps://print-server.intranet.example.com:443/ipp/cl2k4", "uuid": "1c395fdb-5d93-4904-b246-b2c046e79d12", "ppd_resource": { "effective_model": "Printer Manufacturer ColorLaser2k4", "autoconf": false } }"
Back to top

PrintersBulkConfiguration

Enterprise printer configuration file
Data type:
External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintersBulkConfiguration
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting this policy configure enterprise printers. Its format matches the Printers dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. Google Chrome OS downloads the file for printer configurations and makes printers available along with PrintersBulkAccessMode, PrintersBulkAllowlist, and PrintersBulkBlocklist.

This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.

If you set the policy, users can't change it.

Schema:
{ "properties": { "hash": { "type": "string" }, "url": { "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PrintersBulkConfiguration = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef", "url": "https://example.com/printerpolicy" }
Back to top

PrintersBulkAccessMode

Printer configuration access policy.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintersBulkAccessMode
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from PrintersBulkConfiguration are available for users.

* BlocklistRestriction (value 0) uses PrintersBulkBlocklist to restrict access to the specified printers

* AllowlistPrintersOnly (value 1) uses PrintersBulkAllowlist to designate only those printers which are selectable

* AllowAll (value 2) displays all printers

Leaving the policy unset puts AllowAll in use.

  • 0 = All printers are shown except those in the blocklist.
  • 1 = Only printers in the allowlist are shown to users
  • 2 = Allow all printers from the configuration file.
Example value:
0x00000001 (Windows)
Back to top

PrintersBulkBlocklist

Disabled enterprise printers
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintersBulkBlocklist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If BlocklistRestriction is chosen for PrintersBulkAccessMode, then setting PrintersBulkBlocklist specifies which printers users can't use. All printers are provided to the user, except for the IDs listed in this policy. The IDs must correspond to the "id" or "guid" fields in the file specified in PrintersBulkConfiguration.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PrintersBulkBlocklist\1 = "id1" Software\Policies\Google\ChromeOS\PrintersBulkBlocklist\2 = "id2" Software\Policies\Google\ChromeOS\PrintersBulkBlocklist\3 = "id3"
Back to top

PrintersBulkAllowlist

Enabled enterprise printers
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintersBulkAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If AllowlistPrintersOnly is chosen for PrintersBulkAccessMode, then setting PRINTERS_BULK_ALLOWLIST specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to the user. The IDs must correspond to the "id" or "guid" fields in the file specified in PrintersBulkConfiguration.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PrintersBulkAllowlist\1 = "id1" Software\Policies\Google\ChromeOS\PrintersBulkAllowlist\2 = "id2" Software\Policies\Google\ChromeOS\PrintersBulkAllowlist\3 = "id3"
Back to top

DevicePrinters

Enterprise printer configuration file for devices
Data type:
External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePrinters
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy provides configurations for enterprise printers bound to devices. Its format matches the Printers dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. Google Chrome OS downloads the file for printer configurations and makes printers available along with DevicePrintersAccessMode, DevicePrintersAllowlist, and DevicePrintersBlocklist.

This policy:

* doesn't affect whether users can configure printers on individual devices

* supplements PrintersBulkConfiguration and individual users' printer setups

If unset, there are no device printers, and the other DevicePrinter* policies are ignored.

Schema:
{ "properties": { "hash": { "type": "string" }, "url": { "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DevicePrinters = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef", "url": "https://example.com/printerpolicy" }
Back to top

DevicePrintersAccessMode

Device printers configuration access policy.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePrintersAccessMode
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from DevicePrinters are available for users.

* BlocklistRestriction (value 0), DevicePrintersBlocklist can restrict access to the specified printers

* AllowlistPrintersOnly (value 1), DevicePrintersAllowlist designates only those printers which are selectable

* AllowAll (value 2), all printers are allowed.

Leaving the policy unset applies AllowAll.

  • 0 = All printers are shown except those in the blocklist.
  • 1 = Only printers in the allowlist are shown to users
  • 2 = Allow all printers from the configuration file.
Example value:
0x00000001 (Windows)
Back to top

DevicePrintersBlocklist

Disabled enterprise device printers
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePrintersBlocklist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes
Description:

If BlocklistRestriction is chosen for DevicePrintersAccessMode, then setting DevicePrintersBlocklist specifies which printers users can't use. All printers are provided to users, except for the IDs listed in this policy. The IDs must correspond to the "id" or "guid" fields in the file specified in DevicePrinters.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DevicePrintersBlocklist\1 = "id1" Software\Policies\Google\ChromeOS\DevicePrintersBlocklist\2 = "id2" Software\Policies\Google\ChromeOS\DevicePrintersBlocklist\3 = "id3"
Back to top

DevicePrintersAllowlist

Enabled enterprise device printers
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePrintersAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If AllowlistPrintersOnly is chosen for DevicePrintersAccessMode, then setting DevicePrintersAllowlist specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to users. The IDs must correspond to the "id" or "guid" fields in the file specified in DevicePrinters

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DevicePrintersAllowlist\1 = "id1" Software\Policies\Google\ChromeOS\DevicePrintersAllowlist\2 = "id2" Software\Policies\Google\ChromeOS\DevicePrintersAllowlist\3 = "id3"
Back to top

PrintPreviewUseSystemDefaultPrinter

Use System Default Printer as Default
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintPreviewUseSystemDefaultPrinter
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintPreviewUseSystemDefaultPrinter
Mac/Linux preference name:
PrintPreviewUseSystemDefaultPrinter
Supported on:
  • Google Chrome (Linux) since version 61
  • Google Chrome (Mac) since version 61
  • Google Chrome (Windows) since version 61
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means Google Chrome uses the OS default printer as the default destination for print preview.

Setting the policy to Disabled or leaving it unset means Google Chrome uses the most recently used printer as the default destination for print preview.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

UserPrintersAllowed

Allow access to CUPS printers
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserPrintersAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to control if users can access non-enterprise printers

If the policy is set to True, or not set at all, users will be able to add, configure, and print using their own printers.

If the policy is set to False, users will not be able to add and configure their own printers. They will also not be able to print using any previously configured printers.

Example value:
0x00000000 (Windows)
Back to top

ExternalPrintServers

External print servers
Data type:
External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExternalPrintServers
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Provides configurations of available print servers.

This policy allows you to provide configuration of external print servers to Google Chrome OS devices as JSON file.

The size of the file must not exceed 1MB and must contain an array of records (JSON objects). Each record must contain fields "id", "url" and "display_name" with strings as values. Values of "id" fields must be unique.

The file is downloaded and cached. The cryptographic hash is used to verify the integrity of the download. The file will be re-downloaded whenever the URL or the hash changes.

When this policy is set to correct value, devices will try to query specified print servers for available printers using IPP protocol.

If this policy is unset or set to incorrect value, none of the provided server printers are visible to users.

Currently, the number of print servers is limited to 16. Only the first 16 print servers from the list will be queried.

Schema:
{ "properties": { "hash": { "description": "The SHA-256 hash of the file.", "type": "string" }, "url": { "description": "URL to a JSON file with a list of print servers.", "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExternalPrintServers = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef", "url": "https://example.com/printserverpolicy" }
Back to top

ExternalPrintServersAllowlist

Enabled external print servers
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExternalPrintServersAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Specifies the subset of print servers that will be queried for server printers.

If this policy is used, only the server printers with ids matching the values in this policy are available to the user.

The ids must correspond to the "id" field in the file specified in ExternalPrintServers.

If this policy is not set, filtering is omitted and all print servers are taken into account.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExternalPrintServersAllowlist\1 = "id1" Software\Policies\Google\ChromeOS\ExternalPrintServersAllowlist\2 = "id2" Software\Policies\Google\ChromeOS\ExternalPrintServersAllowlist\3 = "id3"
Back to top

PrinterTypeDenyList

Disable printer types on the deny list
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrinterTypeDenyList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrinterTypeDenyList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrinterTypeDenyList
Mac/Linux preference name:
PrinterTypeDenyList
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 80
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

The printers of types placed on the deny list will be disabled from being discovered or having their capabilities fetched.

Placing all printer types on the deny list effectively disables printing, as there would be no available destinations to send a document for printing.

In versions before 102, including cloud on the deny list has the same effect as setting the CloudPrintSubmitEnabled policy to false. In order to keep Google Cloud Print destinations discoverable, the CloudPrintSubmitEnabled policy must be set to true and cloud must not be on the deny list. Beginning in version 102, Google Cloud Print destinations are not supported and will not appear regardless of policy values.

If the policy is not set, or is set to an empty list, all printer types will be available for discovery.

Extension printers are also known as print provider destinations, and include any destination that belongs to a Google Chrome extension.

Local printers are also known as native printing destinations, and include destinations available to the local machine and shared network printers.

  • "privet" = Zeroconf-based (mDNS + DNS-SD) protocol destinations (Deprecated)
  • "extension" = Extension-based destinations
  • "pdf" = The 'Save as PDF' destination
  • "local" = Local printer destinations
  • "cloud" = Google Cloud Print and 'Save to Google Drive' destinations (Deprecated)
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\PrinterTypeDenyList\1 = "local" Software\Policies\Google\Chrome\PrinterTypeDenyList\2 = "pdf"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PrinterTypeDenyList\1 = "local" Software\Policies\Google\ChromeOS\PrinterTypeDenyList\2 = "pdf"
Android/Linux:
[ "local", "pdf" ]
Mac:
<array> <string>local</string> <string>pdf</string> </array>
Windows (Intune):
<enabled/>
<data id="PrinterTypeDenyList" value=""local", "pdf""/>
Back to top

PrintRasterizationMode

Print Rasterization Mode
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintRasterizationMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintRasterizationMode
Supported on:
  • Google Chrome (Windows) since version 84
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls how Google Chrome prints on Microsoft® Windows®.

When printing to a non-PostScript printer on Microsoft® Windows®, sometimes print jobs need to be rasterized to print correctly.

When this policy is set to Full, Google Chrome will do full page rasterization if necessary.

When this policy is set to Fast, Google Chrome will avoid rasterization if possible, reducing the amount of rasterization can help reduce print job sizes and increase printing speed.

When this policy is not set, Google Chrome will be in Full mode.

  • 0 = Full
  • 1 = Fast
Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
<data id="PrintRasterizationMode" value="1"/>
Back to top

PrintPdfAsImageAvailability

Print PDF as Image Available
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintPdfAsImageAvailability
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintPdfAsImageAvailability
Mac/Linux preference name:
PrintPdfAsImageAvailability
Supported on:
  • Google Chrome (Windows) since version 94
  • Google Chrome (Mac) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls how Google Chrome makes the Print as image option available on Microsoft® Windows® and macOS when printing PDFs.

When printing a PDF on Microsoft® Windows® or macOS, sometimes print jobs need to be rasterized to an image for certain printers to get correct looking output.

When this policy is set to Enabled, Google Chrome will make the Print as image option available in the Print Preview when printing a PDF.

When this policy is set to Disabled or not set Google Chrome the Print as image option will not be available to users in Print Preview and PDFs will be printed as usual without being rasterized to an image before being sent to the destination.

Example value:
0x00000001 (Windows), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

PrintRasterizePdfDpi

Print Rasterize PDF DPI
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintRasterizePdfDpi
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintRasterizePdfDpi
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrintRasterizePdfDpi
Mac/Linux preference name:
PrintRasterizePdfDpi
Supported on:
  • Google Chrome (Linux) since version 94
  • Google Chrome (Mac) since version 94
  • Google Chrome (Windows) since version 94
  • Google ChromeOS (Google ChromeOS) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls print image resolution when Google Chrome prints PDFs with rasterization.

When printing a PDF using the Print to image option, it can be beneficial to specify a print resolution other than a device's printer setting or the PDF default. A high resolution will significantly increase the processing and printing time while a low resolution can lead to poor imaging quality.

This policy allows a particular resolution to be specified for use when rasterizing PDFs for printing.

If this policy is set to zero or not set at all then the system default resolution will be used during rasterization of page images.

Example value:
0x0000012c (Windows), 300 (Linux), 300 (Mac)
Windows (Intune):
<enabled/>
<data id="PrintRasterizePdfDpi" value="300"/>
Back to top

DeletePrintJobHistoryAllowed

Allow print job history to be deleted
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeletePrintJobHistoryAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls whether print job history can be deleted.

Locally stored print jobs can be deleted through the print management app or through deleting the users's browser history.

When this policy is enabled or unset, the user will be able to delete their print job history through the print mangement app or through deleting their browser history.

When this policy is disabled, the user will not be able to delete their print job history through the print management app or through deleting their browser history.

Example value:
0x00000000 (Windows)
Back to top

PrintPostScriptMode

Print PostScript Mode
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PrintPostScriptMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintPostScriptMode
Supported on:
  • Google Chrome (Windows) since version 95
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls how Google Chrome prints on Microsoft® Windows®.

When printing to a PostScript printer on Microsoft® Windows® different PostScript generation methods can affect printing performance.

When this policy is set to Default, Google Chrome will use a set of default options when generating PostScript. For text in particular, text will always be rendered using Type 3 fonts.

When this policy is set to Type42, Google Chrome will render text using Type 42 fonts if possible. This should increase printing speed for some PostScript printers.

When this policy is not set, Google Chrome will be in Default mode.

  • 0 = Default
  • 1 = Type42
Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
<data id="PrintPostScriptMode" value="1"/>
Back to top

PrintPdfAsImageDefault

Print PDF as Image Default
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\Recommended\PrintPdfAsImageDefault
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Printing\PrintPdfAsImageDefault
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\Recommended\PrintPdfAsImageDefault
Mac/Linux preference name:
PrintPdfAsImageDefault
Supported on:
  • Google Chrome (Linux) since version 95
  • Google Chrome (Mac) since version 95
  • Google Chrome (Windows) since version 95
  • Google ChromeOS (Google ChromeOS) since version 95
Supported features:
Can Be Mandatory: No, Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls if Google Chrome makes the Print as image option default to set when printing PDFs.

When this policy is set to Enabled, Google Chrome will default to setting the Print as image option in the Print Preview when printing a PDF.

When this policy is set to Disabled or not set Google Chrome then the user selection for Print as image option will be initially unset. The user will be allowed to select it for each individual PDFs print job, if the option is available.

For Microsoft® Windows® or macOS this policy only has an effect if PrintPdfAsImageAvailability is also enabled.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

Privacy screen settings

Controls user and device policies for the privacy screen feature.
Back to top

DeviceLoginScreenPrivacyScreenEnabled

Set the state of privacy screen on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenPrivacyScreenEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Can Be Mandatory: Yes, Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Set the state of the privacy screen feature on the login screen.

If this policy is set to True, privacy screen will be enabled when the login screen is shown.

If this policy is set to False, privacy screen will be disabled when the login screen is shown.

When this policy is set, the user cannot override the value when the login screen is shown.

If this policy is left unset, the privacy screen is disabled initially, but remains controllable by the user when the login screen is shown.

Example value:
0x00000001 (Windows)
Back to top

PrivacyScreenEnabled

Enable privacy screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrivacyScreenEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Can Be Mandatory: Yes, Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Enable/disable the privacy screen feature.

If this policy is set to True, privacy screen will always be enabled.

If this policy is set to False, privacy screen will always be disabled.

When this policy is set, the user cannot override the value.

If this policy is left unset, privacy screen is disabled initially but can be controlled by the user.

Example value:
0x00000001 (Windows)
Back to top

Projector

Controls policies for Projector.
Back to top

ProjectorEnabled

Enable Projector
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ProjectorEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 99
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy gives Projector permission to create and transcribe screen recording and upload to Drive for enterprise users. This policy does not affect Family Link users. This policy does not affect ProjectorDogfoodForFamilyLinkEnabled policy for Family Link users.

If the policy is enabled, Projector will be enabled. If the policy is disabled, Projector will be disabled. If the policy is not set, Projector will by default disabled.

Example value:
0x00000001 (Windows)
Back to top

ProjectorDogfoodForFamilyLinkEnabled

Enable Projector dogfood for Family Link users
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ProjectorDogfoodForFamilyLinkEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 102
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy enables Projector feature for Family Link users and gives it permission to create and transcribe screen recording and upload to Drive. This policy does not affect other types of users. This policy does not affect ProjectorEnabled policy for enterprise users.

If the policy is enabled, Projector dogfood will be enabled for Family Link users. If the policy is disabled, Projector dogfood will be disabled for Family Link users. If the policy is not set, Projector dogfood will be by default disabled for Family Link users.

Example value:
0x00000001 (Windows)
Back to top

Proxy server

Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings. If you choose to never use a proxy server and always connect directly, all other options are ignored. If you choose to auto detect the proxy server, all other options are ignored. For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett. If you enable this setting, Google Chrome and ARC-apps ignore all proxy-related options specified from the command line. Leaving these policies not set will allow the users to choose the proxy settings on their own.
Back to top

ProxyMode (Deprecated)

Choose how to specify proxy server settings
Data type:
String [Android:choice, Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ProxyMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Proxy\ProxyMode
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ProxyMode
Mac/Linux preference name:
ProxyMode
Android restriction name:
ProxyMode
Supported on:
  • Google Chrome (Linux) since version 10
  • Google Chrome (Mac) since version 10
  • Google Chrome (Windows) since version 10
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, please use ProxySettings instead.

Setting the policy to Enabled lets you specify the proxy server Chrome uses and prevents users from changing proxy settings. Chrome and ARC-apps ignore all proxy-related options specified from the command line. The policy only takes effect if the ProxySettings policy isn't specified.

Other options are ignored if you choose: * direct = Never use a proxy server and always connect directly * system = Use system proxy settings * auto_detect = Auto detect the proxy server

If you choose to use: * fixed_servers = Fixed proxy servers. You can specify further options with ProxyServer and ProxyBypassList. Only the HTTP proxy server with the highest priority is available for ARC-apps. * pac_script = A .pac proxy script. Use ProxyPacUrl to set the URL to a proxy .pac file.

Leaving the policy unset lets users choose the proxy settings.

Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).

  • "direct" = Never use a proxy
  • "auto_detect" = Auto detect proxy settings
  • "pac_script" = Use a .pac proxy script
  • "fixed_servers" = Use fixed proxy servers
  • "system" = Use system proxy settings
Example value:
"direct"
Windows (Intune):
<enabled/>
<data id="ProxyMode" value="direct"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Proxy
Back to top

ProxyServerMode (Deprecated)

Choose how to specify proxy server settings
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ProxyServerMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Proxy\ProxyServerMode
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ProxyServerMode
Mac/Linux preference name:
ProxyServerMode
Android restriction name:
ProxyServerMode
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, use ProxyMode instead.

Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.

This policy only takes effect if the ProxySettings policy has not been specified.

If you choose to never use a proxy server and always connect directly, all other options are ignored.

If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.

If you choose manual proxy settings, you can specify further options in 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.

For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

If you enable this setting, Google Chrome ignores all proxy-related options specified from the command line.

Leaving this policy not set will allow the users to choose the proxy settings on their own.

  • 0 = Never use a proxy
  • 1 = Auto detect proxy settings
  • 2 = Manually specify proxy settings
  • 3 = Use system proxy settings
Note for Google Chrome OS devices supporting Android apps:

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

Example value:
0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="ProxyServerMode" value="2"/>
Back to top

ProxyServer (Deprecated)

Address or URL of proxy server
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ProxyServer
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Proxy\ProxyServer
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ProxyServer
Mac/Linux preference name:
ProxyServer
Android restriction name:
ProxyServer
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, please use ProxySettings instead.

Setting the policy lets you specify the URL of the proxy server. This policy only takes effect if the ProxySettings policy isn't specified and you selected fixed_servers with ProxyMode.

Leave this policy unset if you selected any other mode for setting proxy policies.

Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).

Note for Google Chrome OS devices supporting Android apps:

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

Example value:
"123.123.123.123:8080"
Windows (Intune):
<enabled/>
<data id="ProxyServer" value="123.123.123.123:8080"/>
Back to top

ProxyPacUrl (Deprecated)

URL to a proxy .pac file
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ProxyPacUrl
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Proxy\ProxyPacUrl
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ProxyPacUrl
Mac/Linux preference name:
ProxyPacUrl
Android restriction name:
ProxyPacUrl
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, please use ProxySettings instead.

Setting the policy lets you specify a URL to a proxy .pac file. This policy only takes effect if the ProxySettings policy isn't specified and you selected pac_script with ProxyMode.

Leave this policy unset if you selected any other mode for setting proxy policies.

Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).

Note for Google Chrome OS devices supporting Android apps:

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

Example value:
"https://internal.site/example.pac"
Windows (Intune):
<enabled/>
<data id="ProxyPacUrl" value="https://internal.site/example.pac"/>
Back to top

ProxyBypassList (Deprecated)

Proxy bypass rules
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ProxyBypassList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Proxy\ProxyBypassList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ProxyBypassList
Mac/Linux preference name:
ProxyBypassList
Android restriction name:
ProxyBypassList
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, please use ProxySettings instead.

Setting the policy means Google Chrome bypasses any proxy for the list of hosts given here. This policy only takes effect if the ProxySettings policy isn't specified and you specified either fixed_servers or pac_script for ProxyMode.

Leave this policy unset if you selected any other mode for setting proxy policies.

Note: For more detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).

Note for Google Chrome OS devices supporting Android apps:

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

Example value:
"https://www.example1.com,https://www.example2.com,https://internalsite/"
Windows (Intune):
<enabled/>
<data id="ProxyBypassList" value="https://www.example1.com,https://www.example2.com,https://internalsite/"/>
Back to top

Quick Answers

Controls settings for Quick Answers.
Back to top

QuickAnswersEnabled

Enable Quick Answers
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\QuickAnswersEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy gives Quick Answers permission to access selected content and send the info to the server.

If the policy is enabled, Quick Answers will be enabled. If the policy is disabled, Quick Answers will be disabled. If the policy is not set, users can decide whether to enable or disable Quick Answers.

Example value:
0x00000001 (Windows)
Back to top

QuickAnswersDefinitionEnabled

Enable Quick Answers Definition
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\QuickAnswersDefinitionEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy gives Quick Answers permission to access selected content and send the info to the server to get definition results.

If the policy is enabled or not set, Quick Answers Definition will be enabled. If the policy is disabled, Quick Answers Definition will be disabled.

Example value:
0x00000001 (Windows)
Back to top

QuickAnswersTranslationEnabled

Enable Quick Answers Translation
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\QuickAnswersTranslationEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy gives Quick Answers permission to access selected content and send the info to the server to get translation results.

If the policy is enabled or not set, Quick Answers translation will be enabled. If the policy is disabled, Quick Answers translation will be disabled.

Example value:
0x00000001 (Windows)
Back to top

QuickAnswersUnitConversionEnabled

Enable Quick Answers Unit Conversion
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\QuickAnswersUnitConversionEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy gives Quick Answers permission to access selected content and send the info to the server to get unit conversion results.

If the policy is enabled or not set, Quick Answers unit conversion will be enabled. If the policy is disabled, Quick Answers unit conversion will be disabled.

Example value:
0x00000001 (Windows)
Back to top

Quick unlock

Configures quick unlock related policies.
Back to top

QuickUnlockModeAllowlist

Configure allowed quick unlock modes
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\QuickUnlockModeAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy controls which quick unlock modes can unlock the lock screen.

To allow:

* Every quick unlock mode, use ["all"] (includes modes added in the future).

* Only PIN unlock, use ["PIN"].

* PIN and fingerprint, use ["PIN", "FINGERPRINT"].

If the policy is unset or set to an empty list, no quick unlock modes are available for managed devices.

  • "all" = All
  • "PIN" = PIN
  • "FINGERPRINT" = Fingerprint
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\QuickUnlockModeAllowlist\1 = "PIN"
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : QuickUnlock
Back to top

QuickUnlockTimeout

Set how often user has to enter password to use quick unlock
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\QuickUnlockTimeout
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 57
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy controls how often the lock screen requests the password for quick unlock. Each time the lock screen appears, if the last password entry occurred before the time window specified by the value chosen, quick unlock won't be available. If users stay on the lock screen past this amount of time, a password is requested next time they enter the wrong code or re-enter the lock screen, whichever comes first.

Leaving the policy unset means users using quick unlock enter their password on the lock screen daily.

  • 0 = Password entry is required every six hours
  • 1 = Password entry is required every twelve hours
  • 2 = Password entry is required every two days (48 hours)
  • 3 = Password entry is required every week (168 hours)
Example value:
0x00000002 (Windows)
Back to top

PinUnlockMinimumLength

Set the minimum length of the lock screen PIN
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PinUnlockMinimumLength
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 57
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy enforces the minimum PIN length chosen. (Values below 1 are rounded up to the minimum of 1.)

Leaving the policy unset enforces a minimal PIN length of 6 digits, the recommended minimum.

Example value:
0x00000006 (Windows)
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PinUnlock
Back to top

PinUnlockMaximumLength

Set the maximum length of the lock screen PIN
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PinUnlockMaximumLength
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 57
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy means the configured maximum PIN length is enforced. A value of 0 or less means the user may set a PIN of any length. If the value is less than PinUnlockMinimumLength but greater than 0, the maximum length is set to the minimum length.

Leaving the policy unset means no maximum length is enforced.

Example value:
0x00000000 (Windows)
Back to top

PinUnlockWeakPinsAllowed

Enable users to set weak PINs for the lock screen PIN
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PinUnlockWeakPinsAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 57
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled allows weak PINs. Some characteristics of weak PINs: only one digit (1111), digits increase by 1 (1234), digits decrease by 1 (4321), and common PINs. Setting the policy to Disabled means users can't set weak, easy-to-guess PINs.

By default, users get a warning, not an error, for a weak PIN.

Example value:
0x00000000 (Windows)
Back to top

PinUnlockAutosubmitEnabled

Enable PIN auto-submit feature on the lock and login screen.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PinUnlockAutosubmitEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

The PIN auto-submit feature changes how PINs are entered in ChromeOS. Instead of showing the same textfield that is used for password input, this feature shows a special UI that clearly shows to the user how many digits are necessary for their PIN. As a consequence, the user's PIN length will be stored outside the user encrypted data. Only supports PINs that are between 6 and 12 digits long.

If this policy is set to false, users will not have the option of enabling the feature on the Settings page.

Example value:
0x00000001 (Windows)
Back to top

Remote access

Configure remote access options in Chrome Remote Desktop host. Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using Chrome Remote Desktop application. The native service is packaged and executed separately from the Google Chrome browser. These policies are ignored unless the Chrome Remote Desktop host is installed.
Back to top

RemoteAccessHostClientDomain (Deprecated)

Configure the required domain name for remote access clients
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostClientDomain
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostClientDomain
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostClientDomain
Mac/Linux preference name:
RemoteAccessHostClientDomain
Supported on:
  • Google Chrome (Linux) since version 22
  • Google Chrome (Mac) since version 22
  • Google Chrome (Windows) since version 22
  • Google ChromeOS (Google ChromeOS) since version 41
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

This policy is deprecated. Please use RemoteAccessHostClientDomainList instead.

Example value:
"my-awesome-domain.com"
Windows (Intune):
<enabled/>
<data id="RemoteAccessHostClientDomain" value="my-awesome-domain.com"/>
Back to top

RemoteAccessHostClientDomainList

Configure the required domain names for remote access clients
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostClientDomainList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostClientDomainList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostClientDomainList
Mac/Linux preference name:
RemoteAccessHostClientDomainList
Supported on:
  • Google Chrome (Linux) since version 60
  • Google Chrome (Mac) since version 60
  • Google Chrome (Windows) since version 60
  • Google ChromeOS (Google ChromeOS) since version 60
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

Setting the policy specifies the client domain names that are imposed on remote access clients, and users can't change them. Only clients from one of the specified domains can connect to the host.

Setting the policy to an empty list or leaving it unset applies the default policy for the connection type. For remote assistance, this allows clients from any domain to connect to the host. For anytime remote access, only the host owner can connect.

See also RemoteAccessHostDomainList.

Note: This setting overrides RemoteAccessHostClientDomain, if present.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\RemoteAccessHostClientDomainList\1 = "my-awesome-domain.com" Software\Policies\Google\Chrome\RemoteAccessHostClientDomainList\2 = "my-auxiliary-domain.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\RemoteAccessHostClientDomainList\1 = "my-awesome-domain.com" Software\Policies\Google\ChromeOS\RemoteAccessHostClientDomainList\2 = "my-auxiliary-domain.com"
Android/Linux:
[ "my-awesome-domain.com", "my-auxiliary-domain.com" ]
Mac:
<array> <string>my-awesome-domain.com</string> <string>my-auxiliary-domain.com</string> </array>
Windows (Intune):
<enabled/>
<data id="RemoteAccessHostClientDomainListDesc" value="1&#xF000;my-awesome-domain.com&#xF000;2&#xF000;my-auxiliary-domain.com"/>
Back to top

RemoteAccessHostFirewallTraversal

Enable firewall traversal from remote access host
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostFirewallTraversal
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostFirewallTraversal
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostFirewallTraversal
Mac/Linux preference name:
RemoteAccessHostFirewallTraversal
Supported on:
  • Google Chrome (Linux) since version 14
  • Google Chrome (Mac) since version 14
  • Google Chrome (Windows) since version 14
  • Google ChromeOS (Google ChromeOS) since version 41
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

Setting the policy to Enabled or leaving it unset allows the usage of STUN servers, letting remote clients discover and connect to this machine, even if separated by a firewall.

Setting the policy to Disabled when outgoing UDP connections are filtered by the firewall means the machine only allows connections from client machines within the local network.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

RemoteAccessHostDomain (Deprecated)

Configure the required domain name for remote access hosts
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostDomain
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostDomain
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostDomain
Mac/Linux preference name:
RemoteAccessHostDomain
Supported on:
  • Google Chrome (Linux) since version 22
  • Google Chrome (Mac) since version 22
  • Google Chrome (Windows) since version 22
  • Google ChromeOS (Google ChromeOS) since version 41
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

This policy is deprecated. Please use RemoteAccessHostDomainList instead.

Example value:
"my-awesome-domain.com"
Windows (Intune):
<enabled/>
<data id="RemoteAccessHostDomain" value="my-awesome-domain.com"/>
Back to top

RemoteAccessHostDomainList

Configure the required domain names for remote access hosts
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostDomainList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostDomainList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostDomainList
Mac/Linux preference name:
RemoteAccessHostDomainList
Supported on:
  • Google Chrome (Linux) since version 60
  • Google Chrome (Mac) since version 60
  • Google Chrome (Windows) since version 60
  • Google ChromeOS (Google ChromeOS) since version 60
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

Setting the policy specifies the host domain names that are imposed on remote access hosts, and users can't change them. Hosts can be shared only using accounts registered on one of the specified domain names.

Setting the policy to an empty list or leaving it unset means hosts can be shared using any account.

See also RemoteAccessHostClientDomainList.

Note: This setting will override RemoteAccessHostDomain, if present.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\RemoteAccessHostDomainList\1 = "my-awesome-domain.com" Software\Policies\Google\Chrome\RemoteAccessHostDomainList\2 = "my-auxiliary-domain.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\RemoteAccessHostDomainList\1 = "my-awesome-domain.com" Software\Policies\Google\ChromeOS\RemoteAccessHostDomainList\2 = "my-auxiliary-domain.com"
Android/Linux:
[ "my-awesome-domain.com", "my-auxiliary-domain.com" ]
Mac:
<array> <string>my-awesome-domain.com</string> <string>my-auxiliary-domain.com</string> </array>
Windows (Intune):
<enabled/>
<data id="RemoteAccessHostDomainListDesc" value="1&#xF000;my-awesome-domain.com&#xF000;2&#xF000;my-auxiliary-domain.com"/>
Back to top

RemoteAccessHostRequireCurtain

Enable curtaining of remote access hosts
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostRequireCurtain
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostRequireCurtain
Mac/Linux preference name:
RemoteAccessHostRequireCurtain
Supported on:
  • Google Chrome (Linux) since version 23
  • Google Chrome (Mac) since version 23
  • Google Chrome (Windows) since version 23
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

Setting the policy to Enabled turns off remote access hosts' physical input and output devices during a remote connection.

Setting the policy to Disabled or leaving it unset lets both local and remote users interact with the host while it's shared.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

RemoteAccessHostAllowClientPairing

Enable or disable PIN-less authentication for remote access hosts
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostAllowClientPairing
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostAllowClientPairing
Mac/Linux preference name:
RemoteAccessHostAllowClientPairing
Supported on:
  • Google Chrome (Linux) since version 30
  • Google Chrome (Mac) since version 30
  • Google Chrome (Windows) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

Setting the policy to Enabled or leaving it unset lets users pair clients and hosts at connection time, eliminating the need to enter a PIN every time.

Setting the policy to Disabled makes this feature unavailable.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

RemoteAccessHostAllowRelayedConnection

Enable the use of relay servers by the remote access host
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostAllowRelayedConnection
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostAllowRelayedConnection
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostAllowRelayedConnection
Mac/Linux preference name:
RemoteAccessHostAllowRelayedConnection
Supported on:
  • Google Chrome (Linux) since version 36
  • Google Chrome (Mac) since version 36
  • Google Chrome (Windows) since version 36
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

If RemoteAccessHostFirewallTraversal is set to Enabled, setting RemoteAccessHostAllowRelayedConnection to Enabled or leaving it unset allows the use of remote clients to use relay servers to connect to this machine when a direct connection is not available, for example, because of firewall restrictions.

Setting the policy to Disabled doesn't turn remote access off, but only allows connections from the same network (not NAT traversal or relay).

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

RemoteAccessHostUdpPortRange

Restrict the UDP port range used by the remote access host
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostUdpPortRange
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostUdpPortRange
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostUdpPortRange
Mac/Linux preference name:
RemoteAccessHostUdpPortRange
Supported on:
  • Google Chrome (Linux) since version 36
  • Google Chrome (Mac) since version 36
  • Google Chrome (Windows) since version 36
  • Google ChromeOS (Google ChromeOS) since version 41
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

Setting the policy restricts the UDP port range used by the remote access host in this machine.

Leaving the policy unset or set to an empty string means the remote access host can use any available port.

Note: If RemoteAccessHostFirewallTraversal is Disabled, the remote access host will use UDP ports in the 12400-12409 range.

Example value:
"12400-12409"
Windows (Intune):
<enabled/>
<data id="RemoteAccessHostUdpPortRange" value="12400-12409"/>
Back to top

RemoteAccessHostMatchUsername

Require that the name of the local user and the remote access host owner match
Data type:
Boolean
Mac/Linux preference name:
RemoteAccessHostMatchUsername
Supported on:
  • Google Chrome (Linux) since version 25
  • Google Chrome (Mac) since version 25
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

Setting the policy to Enabled has the remote access host compare the name of the local user the host is associated with and the name of the Google Account registered as the host owner ("johndoe," if the host is owned by "johndoe@example.com"). This host won't start if the host owner's name differs from the name of the local user that the host is associated with. To enforce that the owner's Google Account is associated with a specific domain, use the policy with RemoteAccessHostDomain.

Setting the policy to Disabled or leaving it unset means the remote access host can be associated with any local user.

Example value:
false (Linux), <false /> (Mac)
Back to top

RemoteAccessHostAllowUiAccessForRemoteAssistance

Allow remote users to interact with elevated windows in remote assistance sessions
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostAllowUiAccessForRemoteAssistance
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostAllowUiAccessForRemoteAssistance
Supported on:
  • Google Chrome (Windows) since version 55
Supported features:
Dynamic Policy Refresh: No, Per Profile: No, Platform Only: Yes
Description:

Setting the policy to Enabled means the remote assistance host runs in a process with uiAccess permissions. This lets remote users interact with elevated windows on the local user's desktop.

Setting the policy to Disabled or leaving it unset means the remote assistance host runs in the user's context, and remote users can't interact with elevated windows on the desktop.

Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
Back to top

RemoteAccessHostAllowFileTransfer

Allow remote access users to transfer files to/from the host
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostAllowFileTransfer
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostAllowFileTransfer
Mac/Linux preference name:
RemoteAccessHostAllowFileTransfer
Supported on:
  • Google Chrome (Linux) since version 74
  • Google Chrome (Mac) since version 74
  • Google Chrome (Windows) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

Setting the policy to Enabled or leaving it unset allows users connected to a remote access host to transfer files between the client and the host. This doesn't apply to remote assistance connections, which don't support file transfer.

Setting the policy to Disabled disallows file transfer.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

RemoteAccessHostAllowRemoteAccessConnections

Allow remote access connections to this machine
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostAllowRemoteAccessConnections
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostAllowRemoteAccessConnections
Mac/Linux preference name:
RemoteAccessHostAllowRemoteAccessConnections
Supported on:
  • Google Chrome (Linux) since version 89
  • Google Chrome (Mac) since version 89
  • Google Chrome (Windows) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

If this policy is Disabled, the remote access host service cannot be started or configured to accept incoming connections. This policy does not affect remote support scenarios.

This policy has no effect if it is set to Enabled, left empty, or is not set.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

RemoteAccessHostMaximumSessionDurationMinutes

Maximum session duration allowed for remote access connections
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostMaximumSessionDurationMinutes
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostMaximumSessionDurationMinutes
Mac/Linux preference name:
RemoteAccessHostMaximumSessionDurationMinutes
Supported on:
  • Google Chrome (Linux) since version 89
  • Google Chrome (Mac) since version 89
  • Google Chrome (Windows) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

If this policy is set, remote access connections will automatically disconnect after the number of minutes defined in the policy have elapsed. This does not prevent the client from reconnecting after the maximum session duration has been reached. Setting the policy to a value that is not within the min/max range may prevent the host from starting. This policy does not affect remote support scenarios.

This policy has no effect if it is not set. In this case, remote access connections will have no maximum duration on this machine.

Restrictions:
  • Minimum:30
  • Maximum:10080
Example value:
0x000004b0 (Windows), 1200 (Linux), 1200 (Mac)
Windows (Intune):
<enabled/>
<data id="RemoteAccessHostMaximumSessionDurationMinutes" value="1200"/>
Back to top

RemoteAccessHostClipboardSizeBytes

The maximum size, in bytes, that can be transferred between client and host via clipboard synchronization
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostClipboardSizeBytes
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostClipboardSizeBytes
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostClipboardSizeBytes
Mac/Linux preference name:
RemoteAccessHostClipboardSizeBytes
Supported on:
  • Google Chrome (Linux) since version 97
  • Google Chrome (Mac) since version 97
  • Google Chrome (Windows) since version 97
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

If this policy is set, clipboard data sent to and from the host will be truncated to the limit set by this policy.

If a value of 0 is set, then clipboard sync is disabled.

This policy affects both remote access and remote support scenarios.

This policy has no effect if it is not set.

Setting the policy to a value that is not within the min/max range may prevent the host from starting.

Please note that the actual upper bound for the clipboard size is based on the maximum WebRTC data channel message size which this policy does not control.

Restrictions:
  • Minimum:0
  • Maximum:2147483647
Example value:
0x00100000 (Windows), 1048576 (Linux), 1048576 (Mac)
Windows (Intune):
<enabled/>
<data id="RemoteAccessHostClipboardSizeBytes" value="1048576"/>
Back to top

RemoteAccessHostAllowRemoteSupportConnections

Allow remote support connections to this machine
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteAccessHostAllowRemoteSupportConnections
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~RemoteAccess\RemoteAccessHostAllowRemoteSupportConnections
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteAccessHostAllowRemoteSupportConnections
Mac/Linux preference name:
RemoteAccessHostAllowRemoteSupportConnections
Supported on:
  • Google Chrome (Linux) since version 97
  • Google Chrome (Mac) since version 97
  • Google Chrome (Windows) since version 97
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No, Platform Only: Yes
Description:

If this policy is disabled, the remote support host cannot be started or configured to accept incoming connections.

This policy does not affect remote access scenarios.

This policy does not prevent enterprise admins from connecting to managed Google Chrome OS devices.

This policy has no effect if enabled, left empty, or is not set.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

Remote attestation

Configure the remote attestation with TPM mechanism.
Back to top

AttestationEnabledForDevice

Enable remote attestation for the device
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 28
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled allows remote attestation for the device. A certificate is automatically generated and uploaded to the Device Management Server.

Setting the policy to Disabled or leaving it unset means no certificate is generated and calls to the Enterprise Platform Keys API fail.

Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Attestation
Back to top

AttestationEnabledForUser

Enable remote attestation for the user
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AttestationEnabledForUser
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 28
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled lets users use the hardware on Google Chrome OS devices to remotely attest its identity to the privacy CA through the Enterprise Platform Keys API using chrome.enterprise.platformKeys.challengeUserKey().

Setting the policy to Disabled or leaving it unset has calls to the API fail with an error code.

Example value:
0x00000001 (Windows)
Back to top

AttestationExtensionAllowlist

Extensions allowed to to use the remote attestation API
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AttestationExtensionAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies the allowed extensions to use the Enterprise Platform Keys API functions for remote attestation. Extensions must be on this list to use the API.

If an extension is not in the list, or the list is not set, the call to the API fails with an error code.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AttestationExtensionAllowlist\1 = "ghdilpkmfbfdnomkmaiogjhjnggaggoi"
Back to top

AttestationForContentProtectionEnabled

Enable the use of remote attestation for content protection for the device
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 31
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset lets Google Chrome OS devices use remote attestation (Verified Access) to get a certificate issued by the Google Chrome OS CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the Google Chrome OS CA which uniquely identifies the device.

Setting the policy to Disabled means the device won't use remote attestation for content protection, and the device may not play protected content.

Back to top

DeviceWebBasedAttestationAllowedUrls

URLs that will be granted access to perform the device attestation during SAML authentication
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceWebBasedAttestationAllowedUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy configures which URLs will be granted access to use remote attestation of device identity during the SAML flow on the sign-in screen.

Specifically, if a URL matches one of the patterns provided through this policy, it will be allowed to receive a HTTP header containing a response to a remote attestation challenge, attesting device identity and device state.

If this policy is not set or is set to an empty list, no URL is allowed to use remote attestation on the sign-in screen.

URLs must have HTTPS scheme, e.g. "https://example.com".

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceWebBasedAttestationAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\ChromeOS\DeviceWebBasedAttestationAllowedUrls\2 = "https://[*.]example.edu/"
Back to top

Safe Browsing settings

Configure Safe Browsing related policies.
Back to top

SafeBrowsingEnabled (Deprecated)

Enable Safe Browsing
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SafeBrowsingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~SafeBrowsing\SafeBrowsingEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SafeBrowsingEnabled
Mac/Linux preference name:
SafeBrowsingEnabled
Android restriction name:
SafeBrowsingEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated in Google Chrome 83, please use SafeBrowsingProtectionLevel instead.

Setting the policy to Enabled keeps Chrome's Safe Browsing feature on. Setting the policy to Disabled keeps Safe Browsing off.

If you set this policy, users can't change it or override the "Enable phishing and malware protection" setting in Chrome. If not set, "Enable phishing and malware protection" is set to True, but the user can change it.

See more about Safe Browsing ( https://developers.google.com/safe-browsing ).

If the policy SafeBrowsingProtectionLevel is set, the value of the policy SafeBrowsingEnabled is ignored.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : SafeBrowsing
Back to top

SafeBrowsingExtendedReportingEnabled

Enable Safe Browsing Extended Reporting
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SafeBrowsingExtendedReportingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~SafeBrowsing\SafeBrowsingExtendedReportingEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SafeBrowsingExtendedReportingEnabled
Mac/Linux preference name:
SafeBrowsingExtendedReportingEnabled
Android restriction name:
SafeBrowsingExtendedReportingEnabled
Supported on:
  • Google Chrome (Linux) since version 66
  • Google Chrome (Mac) since version 66
  • Google Chrome (Windows) since version 66
  • Google ChromeOS (Google ChromeOS) since version 66
  • Google Chrome (Android) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled turns on Google Chrome's Safe Browsing Extended Reporting, which sends some system information and page content to Google servers to help detect dangerous apps and sites.

Setting the policy to Disabled means reports are never sent.

If you set this policy, users can't change it. If not set, users can decide whether to send reports or not.

See more about Safe Browsing ( https://developers.google.com/safe-browsing ).

Note for Google Chrome OS devices supporting Android apps:

This policy is not supported within Arc.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SafeBrowsingProtectionLevel

Safe Browsing Protection Level
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SafeBrowsingProtectionLevel
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~SafeBrowsing\SafeBrowsingProtectionLevel
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SafeBrowsingProtectionLevel
Mac/Linux preference name:
SafeBrowsingProtectionLevel
Android restriction name:
SafeBrowsingProtectionLevel
Supported on:
  • Google Chrome (Linux) since version 83
  • Google Chrome (Mac) since version 83
  • Google Chrome (Windows) since version 83
  • Google ChromeOS (Google ChromeOS) since version 83
  • Google Chrome (Android) since version 87
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to control whether Google Chrome's Safe Browsing feature is enabled and the mode it operates in.

If this policy is set to 'NoProtection' (value 0), Safe Browsing is never active.

If this policy is set to 'StandardProtection' (value 1, which is the default), Safe Browsing is always active in the standard mode.

If this policy is set to 'EnhancedProtection' (value 2), Safe Browsing is always active in the enhanced mode, which provides better security, but requires sharing more browsing information with Google.

If you set this policy as mandatory, users cannot change or override the Safe Browsing setting in Google Chrome.

If this policy is left not set, Safe Browsing will operate in Standard Protection mode but users can change this setting.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

  • 0 = Safe Browsing is never active.
  • 1 = Safe Browsing is active in the standard mode.
  • 2 = Safe Browsing is active in the enhanced mode. This mode provides better security, but requires sharing more browsing information with Google.
Note for Google Chrome OS devices supporting Android apps:

This policy is not supported within Arc.

Example value:
0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="SafeBrowsingProtectionLevel" value="2"/>
Back to top

SafeBrowsingAllowlistDomains

Configure the list of domains on which Safe Browsing will not trigger warnings.
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SafeBrowsingAllowlistDomains
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~SafeBrowsing\SafeBrowsingAllowlistDomains
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SafeBrowsingAllowlistDomains
Mac/Linux preference name:
SafeBrowsingAllowlistDomains
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means Safe Browsing will trust the domains you designate. It won't check them for dangerous resources such as phishing, malware, or unwanted software. Safe Browsing's download protection service won't check downloads hosted on these domains. Its password protection service won't check for password reuse.

Leaving the policy unset means default Safe Browsing protection applies to all resources.

This policy must be set as a list of fully qualified domain names. It does not support regular expressions, and will not allowlist subdomains of domains listed in the policy.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SafeBrowsingAllowlistDomains\1 = "mydomain.com" Software\Policies\Google\Chrome\SafeBrowsingAllowlistDomains\2 = "myuniversity.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SafeBrowsingAllowlistDomains\1 = "mydomain.com" Software\Policies\Google\ChromeOS\SafeBrowsingAllowlistDomains\2 = "myuniversity.edu"
Android/Linux:
[ "mydomain.com", "myuniversity.edu" ]
Mac:
<array> <string>mydomain.com</string> <string>myuniversity.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="SafeBrowsingAllowlistDomainsDesc" value="1&#xF000;mydomain.com&#xF000;2&#xF000;myuniversity.edu"/>
Back to top

PasswordProtectionWarningTrigger

Password protection warning trigger
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PasswordProtectionWarningTrigger
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~SafeBrowsing\PasswordProtectionWarningTrigger
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PasswordProtectionWarningTrigger
Mac/Linux preference name:
PasswordProtectionWarningTrigger
Supported on:
  • Google Chrome (Linux) since version 69
  • Google Chrome (Mac) since version 69
  • Google Chrome (Windows) since version 69
  • Google ChromeOS (Google ChromeOS) since version 69
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you control the triggering of password protection warning. Password protection alerts users when they reuse their protected password on potentially suspicious sites.

Use PasswordProtectionLoginURLs and PasswordProtectionChangePasswordURL to set which password to protect.

If this policy is set to:

* PasswordProtectionWarningOff, no password protection warning will be shown.

* PasswordProtectionWarningOnPasswordReuse, password protection warning will be shown when the user reuses their protected password on a non-allowed site.

* PasswordProtectionWarningOnPhishingReuse, password protection warning will be shown when the user reuses their protected password on a phishing site.

Leaving the policy unset has the password protection service only protect Google passwords, but users can change this setting.

  • 0 = Password protection warning is off
  • 1 = Password protection warning is triggered by password reuse
  • 2 = Password protection warning is triggered by password reuse on phishing page
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="PasswordProtectionWarningTrigger" value="1"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PasswordProtection
Back to top

PasswordProtectionLoginURLs

Configure the list of enterprise login URLs where password protection service should capture salted hashes of passwords.
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PasswordProtectionLoginURLs
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~SafeBrowsing\PasswordProtectionLoginURLs
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PasswordProtectionLoginURLs
Mac/Linux preference name:
PasswordProtectionLoginURLs
Supported on:
  • Google Chrome (Linux) since version 69
  • Google Chrome (Mac) since version 69
  • Google Chrome (Windows) since version 69
  • Google ChromeOS (Google ChromeOS) since version 69
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy sets the list of enterprise login URLs (HTTP and HTTPS protocols only). Password protection service will capture salted hashes of passwords on these URLs and use them for password reuse detection. For Google Chrome to correctly capture password salted hashes, ensure your sign-in pages follow these guidelines ( https://www.chromium.org/developers/design-documents/create-amazing-password-forms ).

Turning this setting off or leaving it unset means the password protection service only captures the password salted hashes on https://accounts.google.com.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\PasswordProtectionLoginURLs\1 = "https://mydomain.com/login.html" Software\Policies\Google\Chrome\PasswordProtectionLoginURLs\2 = "https://login.mydomain.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PasswordProtectionLoginURLs\1 = "https://mydomain.com/login.html" Software\Policies\Google\ChromeOS\PasswordProtectionLoginURLs\2 = "https://login.mydomain.com"
Android/Linux:
[ "https://mydomain.com/login.html", "https://login.mydomain.com" ]
Mac:
<array> <string>https://mydomain.com/login.html</string> <string>https://login.mydomain.com</string> </array>
Windows (Intune):
<enabled/>
<data id="PasswordProtectionLoginURLsDesc" value="1&#xF000;https://mydomain.com/login.html&#xF000;2&#xF000;https://login.mydomain.com"/>
Back to top

PasswordProtectionChangePasswordURL

Configure the change password URL.
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PasswordProtectionChangePasswordURL
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~SafeBrowsing\PasswordProtectionChangePasswordURL
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PasswordProtectionChangePasswordURL
Mac/Linux preference name:
PasswordProtectionChangePasswordURL
Supported on:
  • Google Chrome (Linux) since version 69
  • Google Chrome (Mac) since version 69
  • Google Chrome (Windows) since version 69
  • Google ChromeOS (Google ChromeOS) since version 69
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy sets the URL for users to change their password after seeing a warning in the browser. The password protection service sends users to the URL (HTTP and HTTPS protocols only) you designate through this policy. For Google Chrome to correctly capture the salted hash of the new password on this change password page, make sure your change password page follows these guidelines ( https://www.chromium.org/developers/design-documents/create-amazing-password-forms ).

Turning the policy off or leaving it unset means the service sends users to https://myaccount.google.com to change their password.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
"https://mydomain.com/change_password.html"
Windows (Intune):
<enabled/>
<data id="PasswordProtectionChangePasswordURL" value="https://mydomain.com/change_password.html"/>
Back to top

Saml user identity management settings

Controls settings for users authenticated via SAML with an extaernal IdP
Back to top

SamlInSessionPasswordChangeEnabled

Password synchronization between third-party SSO providers and Chrome devices
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SamlInSessionPasswordChangeEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 98
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Enables SAML password sync between multiple Chrome devices by monitoring the value of password sync token and sending a user through the online re-authentication if password was updated and needs to be synchronized.

Enables a page at chrome://password-change that lets SAML users change their SAML passwords while in-session, which ensures that the SAML password and the device lockscreen password are kept in-sync.

This policy also enables notifications that warn SAML users if their SAML passwords are soon to expire so that they can deal with this immediately by doing an in-session password change. But, these notifications will only be shown if password expiry information is sent to the device by the SAML identity provider during the SAML login flow.

Setting this policy to Disabled or not set, SAML password can't be changed at chrome://password-change and there won't be any notification when SAML passwords are soon to expire.

Example value:
0x00000001 (Windows)
Back to top

SamlPasswordExpirationAdvanceWarningDays

How many days in advance to notify SAML users when their password is due to expire
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SamlPasswordExpirationAdvanceWarningDays
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 98
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy has no effect unless SamlInSessionPasswordChangeEnabled is true. If that policy is true, and this policy is set to (for example) 14, that means SAML users will be notified 14 days in advance that their password is due to expire on a certain date. Then they can deal with this immediately by doing an in-session password change and updating their password before it expires. But, these notifications will only be shown if password expiry information is sent to the device by the SAML identity provider during the SAML login flow. Setting this policy to zero means the users will not be notified in advance - they will only be notified once the password has already expired.

If this policy is set, the user cannot change or override it.

Restrictions:
  • Minimum:0
  • Maximum:90
Example value:
0x0000000e (Windows)
Back to top

LockScreenReauthenticationEnabled

Enables online re-authentication on lock screen for SAML users
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LockScreenReauthenticationEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 98
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Enables online user signin on a lock screen. If the policy is set to true online re-authentication on the lock screen is triggered e.g. by SAMLOfflineSigninTimeLimit. The re-authentication is enforced immediately when on the lock screen or next time a user locks the screen after the condition is met. If the policy is set to false or unset users can always unlock the screen with their local credentials.

Example value:
0x00000001 (Windows)
Back to top

SAMLOfflineSigninTimeLimit

Limit the time for which a user authenticated via SAML can log in offline
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SAMLOfflineSigninTimeLimit
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 34
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

During login, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).

When this policy is set to a value of -1, the user can authenticate offline indefinitely. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again.

Leaving this policy not set will make Google Chrome OS use a default time limit of 14 days after which the user must use online authentication again.

This policy affects only users who authenticated using SAML.

The policy value should be specified in seconds.

Restrictions:
  • Minimum:-1
Example value:
0x00000020 (Windows)
Back to top

Sign-in settings

Controls the behavior of the sign-in screen, where users log into their accounts. Settings include who can log in, what type of accounts are allowed, what authentication methods should be used, as well as general accessibility, input method and locale settings.
Back to top

DeviceGuestModeEnabled

Enable guest mode
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceGuestModeEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 12
Supported features:
Dynamic Policy Refresh: Yes
Description:

If this policy is set to true or not configured, Google Chrome OS will enable guest logins. Guest logins are anonymous user sessions and do not require a password.

If this policy is set to false, Google Chrome OS will not allow guest sessions to be started.

Example value:
0x00000001 (Windows)
Back to top

DeviceUserAllowlist

Login user allow list
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceUserAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes
Description:

Defines the list of users that are allowed to login to the device. Entries are of the form user@domain, such as madmax@managedchrome.com. To allow arbitrary users on a domain, use entries of the form *@domain.

If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the DeviceAllowNewUsers policy to be configured appropriately. If DeviceFamilyLinkAccountsAllowed is enabled, Family Link users will be allowed additionally to the accounts defined in this policy.

Note for Google Chrome OS devices supporting Android apps:

This policy controls who may start a Google Chrome OS session. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled policy as part of ArcPolicy.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceUserAllowlist\1 = "madmax@managedchrome.com"
Back to top

DeviceAllowNewUsers

Allow creation of new user accounts
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAllowNewUsers
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 12
Supported features:
Dynamic Policy Refresh: Yes
Description:

Controls whether Google Chrome OS allows new user accounts to be created.

If this policy is set to false, only users present in DeviceUserAllowlist will be able to login.

If this policy is set to true or not configured, all users will be able to login.

Note for Google Chrome OS devices supporting Android apps:

This policy controls whether new users can be added to Google Chrome OS. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled policy as part of ArcPolicy.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenDomainAutoComplete

Enable domain name autocomplete during user sign in
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenDomainAutoComplete
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 44
Supported features:
Dynamic Policy Refresh: Yes
Description:

If this policy is set to a blank string or not configured, Google Chrome OS will not show an autocomplete option during user sign-in flow. If this policy is set to a string representing a domain name, Google Chrome OS will show an autocomplete option during user sign-in allowing the user to type in only their user name without the domain name extension. The user will be able to overwrite this domain name extension. If the value of the policy is not a valid domain, the policy will not be applied.

Example value:
"students.school.edu"
Back to top

DeviceShowUserNamesOnSignin

Show usernames on login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceShowUserNamesOnSignin
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 12
Supported features:
Dynamic Policy Refresh: Yes
Description:

If this policy is set to true or not configured, Google Chrome OS will show existing users on the login screen and allow to pick one.

If this policy is set to false, Google Chrome OS will not show existing users on the login screen. The normal sign-in screen (prompting for the user email and password or phone) or the SAML interstitial screen (if enabled via the LoginAuthenticationBehavior policy) will be shown, unless a Managed Session is configured. When a Managed Session is configured, only the Managed Session accounts will be shown, allowing to pick one of them.

Note that this policy does not affect whether the device keeps or discards the local user data.

Example value:
0x00000001 (Windows)
Back to top

DeviceWallpaperImage

Device wallpaper image
Data type:
External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceWallpaperImage
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 61
Supported features:
Dynamic Policy Refresh: Yes
Description:

Configure device-level wallpaper image that is shown on the login screen if no user has yet signed in to the device. The policy is set by specifying the URL from which the ChromeOS device can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication. The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If the device wallpaper policy is set, the ChromeOS device will download and use the wallpaper image on the login screen if no user has yet signed in to the device. Once the user logs in, the user's wallpaper policy kicks in.

If the device wallpaper policy is left not set, it's the user's wallpaper policy to decide what to show if the user's wallpaper policy is set.

Schema:
{ "properties": { "hash": { "description": "The SHA-256 hash of the wallpaper image.", "type": "string" }, "url": { "description": "The URL from which the wallpaper image can be downloaded.", "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceWallpaperImage = { "hash": "1337c0ded00d84b1dbadf00dd15ea5eb000deaddeaddeaddeaddeaddeaddead0", "url": "https://example.com/device_wallpaper.jpg" }
Back to top

DeviceEphemeralUsersEnabled

Wipe user data on sign-out
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceEphemeralUsersEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 19
Supported features:
Dynamic Policy Refresh: Yes
Description:

Determines whether Google Chrome OS keeps local account data after logout. If set to true, no persistent accounts are kept by Google Chrome OS and all data from the user session will be discarded after logout. If this policy is set to false or not configured, the device may keep (encrypted) local user data.

Example value:
0x00000001 (Windows)
Back to top

LoginAuthenticationBehavior

Configure the login authentication behavior
Data type:
Integer
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 51
Supported features:
Dynamic Policy Refresh: Yes
Description:

When this policy is set, the login authentication flow will be in one of the following ways depending on the value of the setting:

If set to GAIA, login will be done via the normal GAIA authentication flow.

If set to SAML_INTERSTITIAL, login will show an interstitial screen offering the user to go forward with authentication via the SAML IdP of the device's enrollment domain, or go back to the normal GAIA login flow.

  • 0 = Authentication via the default GAIA flow
  • 1 = Redirect to SAML IdP after user confirmation
Back to top

DeviceTransferSAMLCookies

Transfer SAML IdP cookies during login
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 38
Supported features:
Dynamic Policy Refresh: Yes
Description:

Specifies whether authentication cookies set by a SAML IdP during login should be transferred to the user's profile.

When a user authenticates via a SAML IdP during login, cookies set by the IdP are written to a temporary profile at first. These cookies can be transferred to the user's profile to carry forward the authentication state.

When this policy is set to true, cookies set by the IdP are transferred to the user's profile every time they authenticate against the SAML IdP during login.

When this policy is set to false or unset, cookies set by the IdP are transferred to the user's profile during their first login on a device only.

This policy affects users whose domain matches the device's enrollment domain only. For all other users, cookies set by the IdP are transferred to the user's profile during their first login on the device only.

Note for Google Chrome OS devices supporting Android apps:

Cookies transferred to the user's profile are not accessible to Android apps.

Back to top

LoginVideoCaptureAllowedUrls

URLs that will be granted access to video capture devices on SAML login pages
Data type:
List of strings
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 52
Supported features:
Dynamic Policy Refresh: Yes
Description:

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to video capture devices will be granted on SAML login pages. If no match is found, access will be automatically denied. Wildcard patterns are not allowed.

Back to top

DeviceLoginScreenExtensions

Configure the list of installed apps and extensions on the login screen
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenExtensions
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 60
Supported features:
Dynamic Policy Refresh: Yes
Description:

Specifies a list of apps and extensions that are installed silently on the login screen, without user interaction, and which cannot be uninstalled or disabled by the user.

Permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension. Google Chrome restricts the set of permissions that the extensions can request.

Note that, for security and privacy reasons, only apps and extensions that belong to the allow list bundled into Google Chrome can be installed. All other items will be ignored.

If an app or extension that previously had been force-installed is removed from this list, it is automatically uninstalled by Google Chrome.

Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in developer mode. The "update" URL, if specified, should point to an update manifest XML document as described at https://developer.chrome.com/extensions/autoupdate. By default, the Chrome Web Store's update URL is used (which currently is "https://clients2.google.com/service/update2/crx"). Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest.

For example, khpfeaanjngmcnplbdlpegiifgpfgdco;https://clients2.google.com/service/update2/crx installs the Smart Card Connector app from the standard Chrome Web Store "update" URL. For more information about hosting extensions, see: https://developer.chrome.com/extensions/hosting.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceLoginScreenExtensions\1 = "khpfeaanjngmcnplbdlpegiifgpfgdco;https://clients2.google.com/service/update2/crx"
Back to top

DeviceLoginScreenLocales

Device sign-in screen locale
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenLocales
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 58
Supported features:
Dynamic Policy Refresh: No
Description:

Configures the locale which is enforced on the Google Chrome OS sign-in screen.

If this policy is set, the sign-in screen will always be displayed in the locale which is given by the first value of this policy (the policy is defined as a list for forward compatibility). If this policy is not set or is set to an empty list, the sign-in screen will be displayed in the locale of the last user session. If this policy is set to a value which is not a valid locale, the sign-in screen will be displayed in a fallback locale (currently, en-US).

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceLoginScreenLocales\1 = "en-US"
Back to top

DeviceLoginScreenInputMethods

Device sign-in screen keyboard layouts
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenInputMethods
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 58
Supported features:
Dynamic Policy Refresh: Yes
Description:

Configures which keyboard layouts are allowed on the Google Chrome OS sign-in screen.

If this policy is set to a list of input method identifiers, the given input methods will be available on the sign-in screen. The first given input method will be preselected. While a user pod is focused on the sign-in screen, the user's last used input method will be available in addition to the input methods given by this policy. If this policy is not set, the input methods on the sign-in screen will be derived from the locale in which the sign-in screen is displayed. Values which are not valid input method identifiers will be ignored.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceLoginScreenInputMethods\1 = "xkb:us::en" Software\Policies\Google\ChromeOS\DeviceLoginScreenInputMethods\2 = "xkb:ch::ger"
Back to top

DeviceLoginScreenSystemInfoEnforced

Force the sign-in screen to show or hide system information.
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes
Description:

Specify whether the system information (e.g. ChromeOS version, device serial number) is always shown (or hidden) on the login screen.

If the policy is set to true, the system information will be shown forcedly. If the policy is set to false, the system information will be hidden forcedly. If the policy is unset, default hehavior (being shown for Canary / Dev channel) is effective. Users can toggle the visibility by specific operations (e.g., Alt-V).

Back to top

DeviceSecondFactorAuthentication

Integrated second factor authentication mode
Data type:
Integer
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 61
Supported features:
Dynamic Policy Refresh: No
Description:

Specifies how the on-board secure element hardware can be used to provide a second-factor authentication if it is compatible with this feature. The machine power button is used to detect the user physical presence.

If 'Disabled' is selected, no second factor is provided.

If 'U2F' is selected, the integrated second factor will behave according the FIDO U2F specification.

If 'U2F_EXTENDED' is selected, the integrated second factor will provide the U2F functions plus some extensions for individual attestation.

  • 1 = Second factor disabled
  • 2 = U2F (Universal Second Factor)
  • 3 = U2F plus extensions for individual attestation
Back to top

DeviceLoginScreenAutoSelectCertificateForUrls

Automatically select client certificates for these sites on the sign-in screen
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenAutoSelectCertificateForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 65
Supported features:
Dynamic Policy Refresh: Yes
Description:

Allows you to specify a list of url patterns that specify sites for which a client certificate is automatically selected on the sign-in screen in the frame hosting the SAML flow, if the site requests a certificate. An example usage is to configure a device-wide certificate to be presented to the SAML IdP.

The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.

Examples for the usage of the $FILTER section:

* When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.

* When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.

* When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.

* When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.

* When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.

If this policy is left not set, no auto-selection will be done for any site.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.

Schema:
{ "items": { "properties": { "filter": { "properties": { "ISSUER": { "$ref": "CertPrincipalFields" }, "SUBJECT": { "$ref": "CertPrincipalFields" } }, "type": "object" }, "pattern": { "type": "string" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceLoginScreenAutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"
Back to top

DeviceShowNumericKeyboardForPassword

Show numeric keyboard for password
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceShowNumericKeyboardForPassword
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to true displays numeric keyboard by default for entering password on the login screen. Users still could switch to the normal keyboard.

If you set the policy, users can't change it. If not set or set to false, it has no effect.

Example value:
0x00000001 (Windows)
Back to top

DeviceFamilyLinkAccountsAllowed

Allow addition of Family Link accounts to the device
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceFamilyLinkAccountsAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes
Description:

Controls whether Google Chrome OS allows new Family Link user accounts to be added on the device. This policy is only useful in combination with DeviceUserAllowlist. It allows Family Link accounts additionally to the accounts defined in the allowlist. This policy does not affect the behavior of other sign-in policies. Particularly it will not have any effect when: - Adding new users to the device is disabled with DeviceAllowNewUsers policy. - Adding all users is allowed with DeviceUserAllowlist policy.

If this policy is set to false (or not configured), no additional rules will be applied to Family Link accounts. If this policy is set to true, new Family Link user accounts will be allowed additionally to those defined in DeviceUserAllowlist.

Example value:
0x00000000 (Windows)
Back to top

DeviceLoginScreenPromptOnMultipleMatchingCertificates

Prompt when multiple certificates match on the sign-in screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenPromptOnMultipleMatchingCertificates
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy controls whether the user is prompted to select a client certificate on the sign-in screen in the frame hosting the SAML flow when more than one certificate matches DeviceLoginScreenAutoSelectCertificateForUrls. If this policy is set to Enabled, the user is asked to select the client certificate whenever the auto-selection policy matches multiple certificates. If this policy is set to Disabled or not set, the user is never prompted to select a client certificate on the sign-in screen. Note: This policy is in general not recommended, since it imposes potential privacy risks (in case device-wide TPM-backed certificates are used) and presents poor user experience.

Example value:
0x00000001 (Windows)
Back to top

DeviceRunAutomaticCleanupOnLogin

Control automatic cleanup during login
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceRunAutomaticCleanupOnLogin
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 99
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

When this policy is set to true, automatic cleanup is executed during login to ensure enough free disk space is available. Cleanup will only run when strictly necessary, but will still impact the login time. Setting the policy to false (the default) ensures the login time is not affected.

Example value:
0x00000001 (Windows)
Back to top

Startup, Home page and New Tab page

Configure the pages to load on startup, the default home page and the default new tab page in Google Chrome and prevents users from changing them. The user's home page settings are only completely locked down if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'. The policy 'URLs to open on startup' is ignored unless you select 'Open a list of URLs' in 'Action on startup'.
Back to top

ShowHomeButton

Show Home button on toolbar
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ShowHomeButton
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Startup\ShowHomeButton
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ShowHomeButton
Mac/Linux preference name:
ShowHomeButton
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled shows the Home button on Google Chrome's toolbar. Setting the policy to Disabled keeps the Home button from appearing.

If you set the policy, users can't change it in Google Chrome. If not set, users chooses whether to show the Home button.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

HomepageLocation

Configure the home page URL
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\HomepageLocation
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Startup\HomepageLocation
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\HomepageLocation
Mac/Linux preference name:
HomepageLocation
Android restriction name:
HomepageLocation
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 81
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy sets the default homepage URL in Google Chrome. You open the homepage using the Home button. On desktop, the RestoreOnStartup policies control the pages that open on startup.

If the homepage is set to the New Tab Page, by the user or HomepageIsNewTabPage, this policy has no effect.

The URL needs a standard scheme, such as http://example.com or https://example.com. When this policy is set, users can't change their homepage URL in Google Chrome.

Leaving both HomepageLocation and HomepageIsNewTabPage unset lets users choose their homepage.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
"https://www.chromium.org"
Windows (Intune):
<enabled/>
<data id="HomepageLocation" value="https://www.chromium.org"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Homepage
Back to top

HomepageIsNewTabPage

Use New Tab Page as homepage
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\HomepageIsNewTabPage
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Startup\HomepageIsNewTabPage
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\HomepageIsNewTabPage
Mac/Linux preference name:
HomepageIsNewTabPage
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled makes the New Tab page the user's homepage, ignoring any homepage URL location. Setting the policy to Disabled means that their homepage is never the New Tab page, unless the user's homepage URL is set to chrome://newtab.

If you set the policy, users can't change their homepage type in Google Chrome. If not set, the user decides whether or not the New Tab page is their homepage.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

NewTabPageLocation

Configure the New Tab page URL
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NewTabPageLocation
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Startup\NewTabPageLocation
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NewTabPageLocation
Mac/Linux preference name:
NewTabPageLocation
Supported on:
  • Google Chrome (Linux) since version 58
  • Google Chrome (Mac) since version 58
  • Google Chrome (Windows) since version 58
  • Google ChromeOS (Google ChromeOS) since version 58
  • Google Chrome (iOS) since version 99
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy configures the default New Tab page URL and prevents users from changing it.

The New Tab page opens with new tabs and windows.

This policy doesn't decide which pages open on start up. Those are controlled by the RestoreOnStartup policies. This policy does affect the homepage, if that's set to open the New Tab page, as well as the startup page if it's set to open the New Tab page.

It is a best practice to provide fully canonicalized URL, if the URL is not fully canonicalized Google Chrome will default to https://.

Leaving the policy unset or empty puts the default New Tab page in use.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
"https://www.chromium.org"
Windows (Intune):
<enabled/>
<data id="NewTabPageLocation" value="https://www.chromium.org"/>
Back to top

RestoreOnStartup

Action on startup
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RestoreOnStartup
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Startup\RestoreOnStartup
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RestoreOnStartup
Mac/Linux preference name:
RestoreOnStartup
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets you specify system behavior on startup. Turning this setting off amounts to leaving it unset as Google Chrome must have specified start up behavior.

If you set the policy, users can't change it in Google Chrome. If not set, users can change it.

Setting this policy to RestoreOnStartupIsLastSession or RestoreOnStartupIsLastSessionAndURLs turns off some settings that rely on sessions or that perform actions on exit, such as clearing browsing data on exit or session-only cookies.

If this policy is set to RestoreOnStartupIsLastSessionAndURLs, browser will restore previous session and open a separate window to show URLs that are set from RestoreOnStartupURLs. Note that users can choose to keep those URLs open and they will also be restored in the future session.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

  • 5 = Open New Tab Page
  • 1 = Restore the last session
  • 4 = Open a list of URLs
  • 6 = Open a list of URLs and restore the last session
Example value:
0x00000004 (Windows), 4 (Linux), 4 (Mac)
Windows (Intune):
<enabled/>
<data id="RestoreOnStartup" value="4"/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : RestoreOnStartup
Back to top

RestoreOnStartupURLs

URLs to open on startup
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RestoreOnStartupURLs
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome~Startup\RestoreOnStartupURLs
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RestoreOnStartupURLs
Mac/Linux preference name:
RestoreOnStartupURLs
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If RestoreOnStartup is set to RestoreOnStartupIsURLs, then setting RestoreOnStartupURLs to a list of URLs specify which URLs open.

If not set, the New Tab page opens on start up.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\RestoreOnStartupURLs\1 = "https://example.com" Software\Policies\Google\Chrome\RestoreOnStartupURLs\2 = "https://www.chromium.org"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\RestoreOnStartupURLs\1 = "https://example.com" Software\Policies\Google\ChromeOS\RestoreOnStartupURLs\2 = "https://www.chromium.org"
Android/Linux:
[ "https://example.com", "https://www.chromium.org" ]
Mac:
<array> <string>https://example.com</string> <string>https://www.chromium.org</string> </array>
Windows (Intune):
<enabled/>
<data id="RestoreOnStartupURLsDesc" value="1&#xF000;https://example.com&#xF000;2&#xF000;https://www.chromium.org"/>
Back to top

User and device reporting

Controls what kind of user and device information is reported.
Back to top

EnableDeviceGranularReporting

Enable granular reporting controls
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to enabled or leaving it unset allows for the device to recieve granular reporting controls. Setting the policy to Disabled means enrolled devices won't receive granular reporting controls.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : UserAndDeviceReporting
Back to top

ReportDeviceVersionInfo

Report OS and firmware version
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 18
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset has enrolled devices periodically report their OS and firmware version.

Setting the policy to Disabled means enrolled devices don't report version info.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceBootMode

Report device boot mode
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 18
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset has enrolled devices report the state of the device's dev switch when the machine booted.

Setting the policy to Disabled means enrolled devices don't report the state of the dev switch.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceUsers

Report device users
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 32
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset has enrolled devices report the list of device users that signed in recently.

Setting the policy to Disabled means enrolled devices don't report the list of users.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceActivityTimes

Report device activity times
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 18
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset has enrolled devices report time periods when a user is active on the device.

Setting the policy to Disabled means enrolled devices don't record or report activity times.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceAudioStatus

Report device audio status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to enabled or leaving it unset has enrolled devices report device audio volume.

Setting the policy to Disabled means enrolled devices don't record or report audio status. Exception: System volume level information is controlled by ReportDeviceHardwareStatus for M95 and below.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceNetworkConfiguration

Report network configuration
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report users network configuration on enrolled devices.

If the policy is set to false, the information will not be reported. If set to true or unset, the device's network configuration will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceNetworkInterfaces (Deprecated)

Report device network interfaces
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes
Description:

This policy is deprecated in M96. Please use ReportDeviceNetworkConfiguration and ReportDeviceNetworkStatus instead.

Setting the policy to Enabled or leaving it unset has enrolled devices report the list of network interfaces with their types and hardware addresses. Setting the policy to Disabled means enrolled devices don't report the network interface.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceNetworkStatus

Report network status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report users network status on enrolled devices.

If the policy is set to false, the information will not be reported. If set to true or unset, the device's network status will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceHardwareStatus (Deprecated)

Report hardware status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 42
Supported features:
Dynamic Policy Refresh: Yes
Description:

This policy is deprecated as of M96. Please use ReportDeviceCpuInfo, ReportDeviceMemoryInfo, ReportDeviceStorageStatus, ReportDeviceSecurityStatus, and ReportDeviceAudioStatus instead.

Setting the policy to Enabled or leaving it unset has enrolled devices report hardware statistics such as CPU/RAM usage. Setting the policy to Disabled means enrolled devices don't report the hardware statistics.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceSessionStatus

Report information about active kiosk sessions
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 42
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled or leaving it unset has enrolled devices report the active kiosk session information such as application ID and version.

Setting the policy to Disabled means enrolled devices don't report kiosk session information.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceGraphicsStatus

Report display and graphics statuses
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 81
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report information related to display, such as refresh rate, and information related to graphics, such as driver version.

If the policy is set to false or left unset, the display and graphics statuses will not be reported. If set to true, display and graphics statuses will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceCrashReportInfo

Report information about crash reports.
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report information related to crash reports, such as remote id, capture timestamp and cause.

If the policy is set to false or left unset, the crash report information will not be reported. If set to true, crash report information will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceOsUpdateStatus

Report OS update status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report OS update information such as update status, platform version, last update check and last reboot.

If the policy is set to false or left unset, the OS update information will not be reported. If set to true, OS update information will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceBoardStatus

Report board status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 73
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled has enrolled devices report hardware statistics for SoC components.

Setting the policy to Disabled or leaving it unset means enrolled devices don't report the statistics.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceCpuInfo

Report CPU info
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 81
Supported features:
Dynamic Policy Refresh: Yes
Description:

This policy is set to Enabled by default. It controls the enrolled devices to report the CPU model name, architecture, and maximum clock speed (and CPU utilization and temperature for M96 and above).

Setting the policy to Disabled means enrolled devices don’t report any CPU information. Exception CPU utilization and temperature reporting is controlled by ReportDeviceHardwareStatus for M95 and below.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceTimezoneInfo

Report Timezone info
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report information for a device's timezone.

If the policy is set to false or left unset, the information will not be reported. If set to true, the device's currently set timezone will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceMemoryInfo

Report memory info
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Dynamic Policy Refresh: Yes
Description:

This policy is set to Enabled by default. It controls the enrolled devices to report the memory information.

Setting the policy to Disabled means enrolled devices don’t report any memory information. Exception: free memory information is controlled by ReportDeviceHardwareStatus for M95 or below.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceBacklightInfo

Report backlight info
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report information about a device's backlights.

If the policy is set to false or left unset, the information will not be reported. If set to true, the device's backlight information will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDevicePeripherals

Report peripheral details
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 101
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to True has enrolled devices report information related to peripherals that are plugged into the device.

Setting the policy to False or leaving it unset means enrolled devices don't report peripherals information.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDevicePowerStatus

Report power status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 73
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled has enrolled devices report hardware statistics and identifiers related to power.

Setting the policy to Disabled or leaving it unset means enrolled devices don't report power statistics.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceSecurityStatus

Report device security status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to enabled reports device TPM security status.

Setting the policy to Disabled or leaving it unset means enrolled devices don't record or report TPM security status. Exception: TPM information is controlled by ReportDeviceHardwareStatus for M95 and below.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceStorageStatus

Report storage status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 73
Supported features:
Dynamic Policy Refresh: Yes
Description:

This policy is set to Enabled by default. It controls the enrolled devices to report hardware statistics and identifiers for storage devices.

Setting the policy to Disabled means enrolled devices don't report storage statistics. Eexception: Disk size and disk free space is controlled by ReportDeviceHardwareStatus for M95 and below.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceAppInfo

Report applications information
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report information for a device's application inventory and usage.

If the policy is set to false or left unset, the information will not be reported. If set to true, the device's applications and usage will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceBluetoothInfo

Report Bluetooth info
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report a device's Bluetooth information.

If the policy is set to false or left unset, the information will not be reported. If set to true, the device's Bluetooth information will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceFanInfo

Report fan info
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report a device's fan information.

If the policy is set to false or left unset, the information will not be reported. If set to true, the device's fan information will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceVpdInfo

Report VPD info
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report a device's VPD information.

If the policy is set to false or left unset, the information will not be reported. If set to true, the device's VPD information will be reported. Vital Product Data (VPD) is a collection of configuration and informational data (such as part and serial numbers) associated with the device.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceSystemInfo

Report system info
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report a device's system information.

If the policy is set to false or left unset, the information will not be reported. If set to true, the device's system information will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportDeviceLoginLogout

Report login/logout
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report users login/logout events on enrolled devices including failed logins.

If the policy is set to false or left unset, the information will not be reported. If set to true, the device's login/logout events will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportCRDSessions

Report CRD sessions
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 99
Supported features:
Dynamic Policy Refresh: Yes
Description:

Report CRD sessions events on enrolled devices for affiliated users.

If the policy is Disabled or left unset, the information will not be reported. If Enabled, the CRD events will be reported, if the user is affiliated

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportUploadFrequency

Frequency of device status report uploads
Data type:
Integer
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 42
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy determines how frequently to send device status uploads, in milliseconds. The minimum allowed is 60 seconds.

If not set, the default interval of 3 hours applies.

Restrictions:
  • Minimum:60000
Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

ReportArcStatusEnabled

Report information about status of Android
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 55
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If Android apps are on, then setting the policy to True has enrolled devices report Android status information.

Setting the policy to Disabled or leaving it unset means enrolled devices don't report Android status information

Back to top

HeartbeatEnabled

Send network packets to the management server to monitor online status
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 43
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled sends monitoring network packets (heartbeats) to the management server to monitor online status, to allow the server to detect if the device is offline.

Setting the policy to Disabled or leaving it unset sends no packets.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

HeartbeatFrequency

Frequency of monitoring network packets
Data type:
Integer
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 43
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy determines how frequently to send monitoring network packets, in milliseconds. Intervals range from 30 seconds to 24 hours. Values outside this range are clamped to this range.

If not set, the default interval of 3 minutes applies.

Restrictions:
  • Minimum:30000
Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

LogUploadEnabled

Send system logs to the management server
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 46
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled sends system logs to the management server, to allow admins to monitor system logs.

Setting the policy to Disabled or leaving it unset reports no system logs.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

DeviceMetricsReportingEnabled

Enable metrics reporting
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceMetricsReportingEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 14
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to Enabled has Google Chrome OS report usage metrics and diagnostic data, including crash reports, back to Google. Setting the policy to Disabled turns off metrics and diagnostic data reporting.

Leaving the policy unset keeps metrics and diagnostic data reporting off on unmanaged devices and on for managed devices.

Note for Google Chrome OS devices supporting Android apps:

This policy also controls Android usage and diagnostic data collection.

Example value:
0x00000001 (Windows)
Back to top

Wilco DTC

Controls wilco diagnostics and telemetry controller settings.
Back to top

DeviceWilcoDtcAllowed

Allows wilco diagnostics and telemetry controller
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceWilcoDtcAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled when wilco diagnostics and telemetry controller (DTC) is available on the device turns collecting, processing, and reporting of telemetry and diagnostics data on.

Setting the policy to Disabled or leaving it unset turns DTC off. It can't collect, process, or report telemetry and diagnostics data from the device.

Example value:
0x00000000 (Windows)
Back to top

DeviceWilcoDtcConfiguration

Wilco DTC configuration
Data type:
External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceWilcoDtcConfiguration
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy configures the wilco diagnostics and telemetry controller (DTC), if available on the device. The setup size can't exceed 1MB (1,000,000 bytes) and must be in JSON format. The wilco DTC is responsible for handling it. The cryptographic hash verifies the integrity of the download. The configuration is downloaded and cached. It's redownloaded whenever the URL or the hash changes.

If you set this policy, users can't change it.

Schema:
{ "properties": { "hash": { "type": "string" }, "url": { "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceWilcoDtcConfiguration = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", "url": "https://example.com/wilcodtcconfig" }
Back to top

AbusiveExperienceInterventionEnforce

Abusive Experience Intervention Enforce
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AbusiveExperienceInterventionEnforce
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AbusiveExperienceInterventionEnforce
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AbusiveExperienceInterventionEnforce
Mac/Linux preference name:
AbusiveExperienceInterventionEnforce
Supported on:
  • Google Chrome (Linux) since version 65
  • Google Chrome (Mac) since version 65
  • Google Chrome (Windows) since version 65
  • Google ChromeOS (Google ChromeOS) since version 65
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If SafeBrowsingEnabled is not Disabled, then setting AbusiveExperienceInterventionEnforce to Enabled or leaving it unset prevents sites with abusive experiences from opening new windows or tabs.

Setting SafeBrowsingEnabled to Disabled or AbusiveExperienceInterventionEnforce to Disabled lets sites with abusive experiences open new windows or tabs.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AccessCodeCastDeviceDuration

Specifies how long (in seconds) a cast device selected with an access code or QR code stays in the Google Cast menu's list of cast devices.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AccessCodeCastDeviceDuration
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AccessCodeCastDeviceDuration
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AccessCodeCastDeviceDuration
Mac/Linux preference name:
AccessCodeCastDeviceDuration
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 103
  • Google Chrome (Linux) since version 103
  • Google Chrome (Mac) since version 103
  • Google Chrome (Windows) since version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy specifies how long (in seconds) a cast device that was previously selected via an access code or QR code can be seen within the Google Cast menu of cast devices. The lifetime of an entry starts at the time the access code was first entered or the QR code was first scanned. During this period the cast device will appear in the Google Cast menu's list of cast devices. After this period, in order to use the cast device again the access code must be reentered or the QR code must be rescanned. By default, the period is zero seconds, so cast devices will not stay in the Google Cast menu, and so the access code must be reentered, or the QR code rescanned, in order to initiate a new casting session. Note that this policy only affects how long a cast devices appears in the Google Cast menu, and has no effect on any ongoing cast session which will continue even if the period expires. This policy has no effect unless the AccessCodeCastEnabled policy is Enabled.

Example value:
0x0000003c (Windows), 60 (Linux), 60 (Mac)
Windows (Intune):
<enabled/>
<data id="AccessCodeCastDeviceDuration" value="60"/>
Back to top

AccessCodeCastEnabled

Allow users to select cast devices with an access code or QR code from within the Google Cast menu.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AccessCodeCastEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AccessCodeCastEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AccessCodeCastEnabled
Mac/Linux preference name:
AccessCodeCastEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 102
  • Google Chrome (Linux) since version 102
  • Google Chrome (Mac) since version 102
  • Google Chrome (Windows) since version 102
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls whether a user will be presented with an option, within the Google Cast menu which allows them to cast to cast devices that do not appear in the Google Cast menu, using either the access code or QR code displayed on the cast devices's screen. By default, a user must reenter the access code or rescan the QR code in order to initiate a subsequent casting session, but if the AccessCodeCastDeviceDuration policy has been set to a non-zero value (the default is zero), then the cast device will remain in the list of available cast devices until the specified period of time has expired. When this policy is set to Enabled, users will be presented with the option to select cast devices by using an access code or by scanning a QR code. When this policy is set to Disabled or not set, users will not be given the option to select cast devices by using an access code or by scanning a QR code.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AccessibilityImageLabelsEnabled

Enable Get Image Descriptions from Google.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AccessibilityImageLabelsEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AccessibilityImageLabelsEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AccessibilityImageLabelsEnabled
Mac/Linux preference name:
AccessibilityImageLabelsEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 84
  • Google Chrome (Linux) since version 84
  • Google Chrome (Mac) since version 84
  • Google Chrome (Windows) since version 84
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

The Get Image Descriptions from Google accessibility feature enables visually-impaired screen reader users to get descriptions of unlabeled images on the web. Users who choose to enable it will have the option of using an anonymous Google service to provide automatic descriptions for unlabeled images they encounter on the web.

If this feature is enabled, the content of images will be sent to Google servers in order to generate a description. No cookies or other user data is sent, and Google does not save or log any image content.

If this policy is set to Enabled, the Get Image Descriptions from Google feature will be enabled, though it will only affect users who are using a screen reader or other similar assistive technology.

If this policy is set to Disabled, users will not have the option of enabling the feature.

If this policy is not set, user can choose to use this feature or not.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

AdditionalDnsQueryTypesEnabled

Allow DNS queries for additional DNS record types
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AdditionalDnsQueryTypesEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AdditionalDnsQueryTypesEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AdditionalDnsQueryTypesEnabled
Mac/Linux preference name:
AdditionalDnsQueryTypesEnabled
Android restriction name:
AdditionalDnsQueryTypesEnabled
Supported on:
  • Google Chrome (Android) since version 92
  • Google Chrome (Linux) since version 92
  • Google Chrome (Mac) since version 92
  • Google Chrome (Windows) since version 92
  • Google ChromeOS (Google ChromeOS) since version 92
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy controls whether Google Chrome may query additional DNS record types when making insecure DNS requests. This policy has no effect on DNS queries made via Secure DNS, which may always query additional DNS types.

If this policy is unset or set to Enabled, additional types such as HTTPS (DNS type 65) may be queried in addition to A (DNS type 1) and AAAA (DNS type 28).

If this policy is set to Disabled, DNS will only be queried for A (DNS type 1) and/or AAAA (DNS type 28).

This policy is a temporary measure and will be removed in future versions of Google Chrome. After removal of the policy, Google Chrome will always be able to query additional DNS types.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AdsSettingForIntrusiveAdsSites

Ads setting for sites with intrusive ads
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AdsSettingForIntrusiveAdsSites
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AdsSettingForIntrusiveAdsSites
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AdsSettingForIntrusiveAdsSites
Mac/Linux preference name:
AdsSettingForIntrusiveAdsSites
Supported on:
  • Google Chrome (Linux) since version 65
  • Google Chrome (Mac) since version 65
  • Google Chrome (Windows) since version 65
  • Google ChromeOS (Google ChromeOS) since version 65
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Unless SafeBrowsingEnabled is set to False, then setting AdsSettingForIntrusiveAdsSites to 1 or leaving it unset allows ads on all sites.

Setting the policy to 2 blocks ads on sites with intrusive ads.

  • 1 = Allow ads on all sites
  • 2 = Do not allow ads on sites with intrusive ads
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="AdsSettingForIntrusiveAdsSites" value="1"/>
Back to top

AdvancedProtectionAllowed

Enable additional protections for users enrolled in the Advanced Protection program
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AdvancedProtectionAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AdvancedProtectionAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AdvancedProtectionAllowed
Mac/Linux preference name:
AdvancedProtectionAllowed
Supported on:
  • Google Chrome (Linux) since version 83
  • Google Chrome (Mac) since version 83
  • Google Chrome (Windows) since version 83
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls whether users enrolled in the Advanced Protection program receive extra protections. Some of these features may involve the sharing of data with Google (for example, Advanced Protection users will be able to send their downloads to Google for malware scanning). If set to True or not set, enrolled users will receive extra protections. If set to False, Advanced Protection users will receive only the standard consumer features.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AllowDeletingBrowserHistory

Enable deleting browser and download history
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AllowDeletingBrowserHistory
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AllowDeletingBrowserHistory
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowDeletingBrowserHistory
Mac/Linux preference name:
AllowDeletingBrowserHistory
Supported on:
  • Google Chrome (Linux) since version 57
  • Google Chrome (Mac) since version 57
  • Google Chrome (Windows) since version 57
  • Google ChromeOS (Google ChromeOS) since version 57
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset means browser history and download history can be deleted in Chrome, and users can't change this setting.

Setting the policy to Disabled means browser history and download history can't be deleted. Even with this policy off, the browsing and download history are not guaranteed to be retained. Users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AllowDinosaurEasterEgg

Allow Dinosaur Easter Egg Game
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AllowDinosaurEasterEgg
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AllowDinosaurEasterEgg
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowDinosaurEasterEgg
Mac/Linux preference name:
AllowDinosaurEasterEgg
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 48
  • Google Chrome (Linux) since version 48
  • Google Chrome (Mac) since version 48
  • Google Chrome (Windows) since version 48
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to True allows users to play the dinosaur game. Setting the policy to False means users can't play the dinosaur easter egg game when device is offline.

Leaving the policy unset means users can't play the game on enrolled Google Chrome OS, but can under other circumstances.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

AllowFileSelectionDialogs

Allow invocation of file selection dialogs
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AllowFileSelectionDialogs
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AllowFileSelectionDialogs
Mac/Linux preference name:
AllowFileSelectionDialogs
Supported on:
  • Google Chrome (Linux) since version 12
  • Google Chrome (Mac) since version 12
  • Google Chrome (Windows) since version 12
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset means Chrome can display, and users can open, file selection dialogs.

Setting the policy to Disabled means that whenever users perform actions provoking a file selection dialog, such as importing bookmarks, uploading files, and saving links, a message appears instead. The user is assumed to have clicked Cancel on the file selection dialog.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AllowScreenLock

Permit locking the screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowScreenLock
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 52
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset lets users who authenticate with a password lock the screen.

Setting the policy to Disabled means users can't lock the screen. (They can only sign out from the user session.)

Example value:
0x00000000 (Windows)
Back to top

AllowSystemNotifications

Allows system notifications
Data type:
Boolean
Mac/Linux preference name:
AllowSystemNotifications
Supported on:
  • Google Chrome (Linux) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Configures whether Google Chrome on Linux will use system notifications.

If set to True or not set, Google Chrome is allowed to use system notifications.

If set to False, Google Chrome will not use system notifications. Google Chrome's Message Center will be used as a fallback.

Example value:
true (Linux)
Back to top

AllowedDomainsForApps

Define domains allowed to access Google Workspace
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AllowedDomainsForApps
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AllowedDomainsForApps
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowedDomainsForApps
Mac/Linux preference name:
AllowedDomainsForApps
Android restriction name:
AllowedDomainsForApps
Supported on:
  • Google Chrome (Linux) since version 51
  • Google Chrome (Mac) since version 51
  • Google Chrome (Windows) since version 51
  • Google ChromeOS (Google ChromeOS) since version 51
  • Google Chrome (Android) since version 51
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy turns on Chrome's restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains.

Leaving this setting empty or unset means users can access Google Workspace with any account.

Users cannot change or override this setting.

Note: This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in https://support.google.com/a/answer/1668854.

Example value:
"managedchrome.com,example.com"
Windows (Intune):
<enabled/>
<data id="AllowedDomainsForApps" value="managedchrome.com,example.com"/>
Back to top

AllowedInputMethods

Configure the allowed input methods in a user session
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowedInputMethods
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 69
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets users choose one of the input methods for Google Chrome OS sessions that you specify.

If you leave it unset or set to an empty list, users can select all supported input methods.

Note: If the current input method is unsupported, it switches to the hardware keyboard layout (if allowed) or the first valid entry in this list. Invalid or unsupported methods are ignored.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AllowedInputMethods\1 = "xkb:us::eng"
Back to top

AllowedLanguages

Configure the allowed languages in a user session
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AllowedLanguages
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 72
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy lets users add only one of the languages listed in this policy to the list of preferred languages.

If not set or set to an empty list, users can specify languages as preferred.

If set to a list with invalid values, those values are ignored. If users added languages not allowed by this policy to the list of preferred languages, they're removed. If they had Google Chrome OS displayed in a language not allowed by this policy, the next time they sign in, the display language switches to an allowed UI language. Otherwise, if this policy only has invalid entries, Google Chrome OS switches to the first valid value specified by this policy or a fallback locale such as en-US.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AllowedLanguages\1 = "en-US"
Back to top

AlternateErrorPagesEnabled

Enable alternate error pages
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AlternateErrorPagesEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AlternateErrorPagesEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AlternateErrorPagesEnabled
Mac/Linux preference name:
AlternateErrorPagesEnabled
Android restriction name:
AlternateErrorPagesEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True means Google Chrome uses alternate error pages built into (such as "page not found"). Setting the policy to False means Google Chrome never uses alternate error pages.

If you set the policy, users can't change it. If not set, the policy is on, but users can change this setting.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AlwaysOpenPdfExternally

Always Open PDF files externally
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AlwaysOpenPdfExternally
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AlwaysOpenPdfExternally
Mac/Linux preference name:
AlwaysOpenPdfExternally
Supported on:
  • Google Chrome (Linux) since version 55
  • Google Chrome (Mac) since version 55
  • Google Chrome (Windows) since version 55
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled turns the internal PDF viewer off in Google Chrome, treats PDF files as a download, and lets users open PDFs with the default application.

Setting the policy to Disabled means that unless users turns off the PDF plugin, it will open PDF files.

If you set the policy, users can't change it in Google Chrome. If not set, users can choose whether to open PDF externally or not.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AmbientAuthenticationInPrivateModesEnabled

Enable Ambient Authentication for profile types.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AmbientAuthenticationInPrivateModesEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AmbientAuthenticationInPrivateModesEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AmbientAuthenticationInPrivateModesEnabled
Mac/Linux preference name:
AmbientAuthenticationInPrivateModesEnabled
Supported on:
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Configuring this policy will allow/disallow ambient authentication for Incognito and Guest profiles in Google Chrome.

Ambient Authentication is http authentication with default credentials if explicit credentials are not provided via NTLM/Kerberos/Negotiate challenge/response schemes.

Setting the RegularOnly (value 0), allows ambient authentication for Regular sessions only. Incognito and Guest sessions wouldn't be allowed to ambiently authenticate.

Setting the IncognitoAndRegular (value 1), allows ambient authentication for Incognito and Regular sessions. Guest sessions wouldn't be allowed to ambiently authenticate.

Setting the GuestAndRegular (value 2), allows ambient authentication for Guest and Regular sessions. Incognito sessions wouldn't be allowed to ambiently authenticate.

Setting the All (value 3), allows ambient authentication for all sessions.

Note that, ambient authentication is always allowed on regular profiles.

In Google Chrome version 81 and later, if the policy is left not set, ambient authentication will be enabled in regular sessions only.

  • 0 = Enable ambient authentication in regular sessions only.
  • 1 = Enable ambient authentication in incognito and regular sessions.
  • 2 = Enable ambient authentication in guest and regular sessions.
  • 3 = Enable ambient authentication in regular, incognito and guest sessions.
Example value:
0x00000000 (Windows), 0 (Linux), 0 (Mac)
Windows (Intune):
<enabled/>
<data id="AmbientAuthenticationInPrivateModesEnabled" value="0"/>
Back to top

ApplicationLocaleValue

Application locale
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ApplicationLocaleValue
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ApplicationLocaleValue
Supported on:
  • Google Chrome (Windows) since version 8
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy specifies the locale Google Chrome uses.

Turning it off or leaving it unset means the locale will be the first valid locale from: 1) The user specified locale (if configured). 2) The system locale. 3) The fallback locale (en-US).

Example value:
"en"
Windows (Intune):
<enabled/>
<data id="ApplicationLocaleValue" value="en"/>
Back to top

AudioCaptureAllowed

Allow or deny audio capture
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AudioCaptureAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AudioCaptureAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AudioCaptureAllowed
Mac/Linux preference name:
AudioCaptureAllowed
Supported on:
  • Google Chrome (Linux) since version 25
  • Google Chrome (Mac) since version 25
  • Google Chrome (Windows) since version 25
  • Google ChromeOS (Google ChromeOS) since version 23
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the AudioCaptureAllowedUrls list, users get prompted for audio capture access.

Setting the policy to Disabled turns off prompts, and audio capture is only available to URLs set in the AudioCaptureAllowedUrls list.

Note: The policy affects all audio input (not just the built-in microphone).

Note for Google Chrome OS devices supporting Android apps:

For Android apps, this policy affects the microphone only. When this policy is set to true, the microphone is muted for all Android apps, with no exceptions.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

AudioCaptureAllowedUrls

URLs that will be granted access to audio capture devices without prompt
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AudioCaptureAllowedUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AudioCaptureAllowedUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AudioCaptureAllowedUrls
Mac/Linux preference name:
AudioCaptureAllowedUrls
Supported on:
  • Google Chrome (Linux) since version 29
  • Google Chrome (Mac) since version 29
  • Google Chrome (Windows) since version 29
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to audio capture devices without prompt

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\AudioCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\Chrome\AudioCaptureAllowedUrls\2 = "https://[*.]example.edu/"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AudioCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\ChromeOS\AudioCaptureAllowedUrls\2 = "https://[*.]example.edu/"
Android/Linux:
[ "https://www.example.com/", "https://[*.]example.edu/" ]
Mac:
<array> <string>https://www.example.com/</string> <string>https://[*.]example.edu/</string> </array>
Windows (Intune):
<enabled/>
<data id="AudioCaptureAllowedUrlsDesc" value="1&#xF000;https://www.example.com/&#xF000;2&#xF000;https://[*.]example.edu/"/>
Back to top

AudioOutputAllowed

Allow playing audio
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AudioOutputAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 23
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset allows all supported audio outputs on the users' devices.

Setting the policy to Disabled allows no audio output while users are signed in.

Note: The policy affects all audio output, including audio accessibility features. Do not turn the policy off if a user requires a screen reader.

Example value:
0x00000000 (Windows)
Back to top

AudioProcessHighPriorityEnabled

Allow the audio process to run with priority above normal on Windows
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AudioProcessHighPriorityEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AudioProcessHighPriorityEnabled
Supported on:
  • Google Chrome (Windows) since version 90
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

This policy controls the priority of the audio process on Windows. If this policy is enabled, the audio process will run with above normal priority. If this policy is disabled, the audio process will run with normal priority. If this policy is not set, the default configuration for the audio process will be used. This policy is intended as a temporary measure to give enterprises the ability to run audio with higher priority to address certain performance issues with audio capture. This policy will be removed in the future.

Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
Back to top

AudioSandboxEnabled

Allow the audio sandbox to run
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AudioSandboxEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AudioSandboxEnabled
Mac/Linux preference name:
AudioSandboxEnabled
Supported on:
  • Google Chrome (Windows) since version 79
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

This policy controls the audio process sandbox. If this policy is enabled, the audio process will run sandboxed. If this policy is disabled, the audio process will run unsandboxed and the WebRTC audio-processing module will run in the renderer process. This leaves users open to security risks related to running the audio subsystem unsandboxed. If this policy is not set, the default configuration for the audio sandbox will be used, which may differ per platform. This policy is intended to give enterprises flexibility to disable the audio sandbox if they use security software setups that interfere with the sandbox.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AutoFillEnabled (Deprecated)

Enable AutoFill
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutoFillEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AutoFillEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutoFillEnabled
Mac/Linux preference name:
AutoFillEnabled
Android restriction name:
AutoFillEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated in M70, please use AutofillAddressEnabled and AutofillCreditCardEnabled instead.

Enables Google Chrome's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information.

If you disable this setting, AutoFill will be inaccessible to users.

If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

AutoLaunchProtocolsFromOrigins

Define a list of protocols that can launch an external application from listed origins without prompting the user
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutoLaunchProtocolsFromOrigins
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AutoLaunchProtocolsFromOrigins
Mac/Linux preference name:
AutoLaunchProtocolsFromOrigins
Supported on:
  • Google Chrome (Linux) since version 85
  • Google Chrome (Mac) since version 85
  • Google Chrome (Windows) since version 85
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set a list of protocols, and for each protocol an associated list of allowed origin patterns, that can launch an external application without prompting the user. The trailing separator should not be included when listing the protocol, so list "skype" instead of "skype:" or "skype://".

If this policy is set, a protocol will only be permitted to launch an external application without prompting by policy if the protocol is listed, and the origin of the site trying to launch the protocol matches one of the origin patterns in that protocol's allowed_origins list. If either condition is false the external protocol launch prompt will not be omitted by policy.

If this policy is not set, no protocols can launch without a prompt by default. Users may opt out of prompts on a per-protocol/per-site basis unless the ExternalProtocolDialogShowAlwaysOpenCheckbox policy is set to Disabled. This policy has no impact on per-protocol/per-site prompt exemptions set by users.

The origin matching patterns use a similar format to those for the 'URLBlocklist' policy, which are documented at http://www.chromium.org/administrators/url-blocklist-filter-format.

However, origin matching patterns for this policy cannot contain "/path" or "@query" elements. Any pattern that does contain a "/path" or "@query" element will be ignored.

Schema:
{ "items": { "properties": { "allowed_origins": { "items": { "type": "string" }, "type": "array" }, "protocol": { "type": "string" } }, "required": [ "protocol", "allowed_origins" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\AutoLaunchProtocolsFromOrigins = [ { "allowed_origins": [ "example.com", "http://www.example.com:8080" ], "protocol": "spotify" }, { "allowed_origins": [ "https://example.com", "https://.mail.example.com" ], "protocol": "teams" }, { "allowed_origins": [ "*" ], "protocol": "outlook" } ]
Android/Linux:
AutoLaunchProtocolsFromOrigins: [ { "allowed_origins": [ "example.com", "http://www.example.com:8080" ], "protocol": "spotify" }, { "allowed_origins": [ "https://example.com", "https://.mail.example.com" ], "protocol": "teams" }, { "allowed_origins": [ "*" ], "protocol": "outlook" } ]
Mac:
<key>AutoLaunchProtocolsFromOrigins</key> <array> <dict> <key>allowed_origins</key> <array> <string>example.com</string> <string>http://www.example.com:8080</string> </array> <key>protocol</key> <string>spotify</string> </dict> <dict> <key>allowed_origins</key> <array> <string>https://example.com</string> <string>https://.mail.example.com</string> </array> <key>protocol</key> <string>teams</string> </dict> <dict> <key>allowed_origins</key> <array> <string>*</string> </array> <key>protocol</key> <string>outlook</string> </dict> </array>
Windows (Intune):
<enabled/>
<data id="AutoLaunchProtocolsFromOrigins" value="{"protocol": "spotify", "allowed_origins": ["example.com", "http://www.example.com:8080"]}, {"protocol": "teams", "allowed_origins": ["https://example.com", "https://.mail.example.com"]}, {"protocol": "outlook", "allowed_origins": ["*"]}"/>
Back to top

AutoOpenAllowedForURLs

URLs where AutoOpenFileTypes can apply
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutoOpenAllowedForURLs
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AutoOpenAllowedForURLs
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutoOpenAllowedForURLs
Mac/Linux preference name:
AutoOpenAllowedForURLs
Supported on:
  • Google Chrome (Linux) since version 84
  • Google Chrome (Mac) since version 84
  • Google Chrome (Windows) since version 84
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

List of URLs specifying which urls AutoOpenFileTypes will apply to. This policy has no impact on automatically open values set by users.

If this policy is set, files will only automatically open by policy if the url is part of this set and the file type is listed in AutoOpenFileTypes. If either condition is false the download won't automatically open by policy.

If this policy isn't set, all downloads where the file type is in AutoOpenFileTypes will automatically open.

A URL pattern has to be formatted according to https://www.chromium.org/administrators/url-blocklist-filter-format.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\AutoOpenAllowedForURLs\1 = "example.com" Software\Policies\Google\Chrome\AutoOpenAllowedForURLs\2 = "https://ssl.server.com" Software\Policies\Google\Chrome\AutoOpenAllowedForURLs\3 = "hosting.com/good_path" Software\Policies\Google\Chrome\AutoOpenAllowedForURLs\4 = "https://server:8080/path" Software\Policies\Google\Chrome\AutoOpenAllowedForURLs\5 = ".exact.hostname.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AutoOpenAllowedForURLs\1 = "example.com" Software\Policies\Google\ChromeOS\AutoOpenAllowedForURLs\2 = "https://ssl.server.com" Software\Policies\Google\ChromeOS\AutoOpenAllowedForURLs\3 = "hosting.com/good_path" Software\Policies\Google\ChromeOS\AutoOpenAllowedForURLs\4 = "https://server:8080/path" Software\Policies\Google\ChromeOS\AutoOpenAllowedForURLs\5 = ".exact.hostname.com"
Android/Linux:
[ "example.com", "https://ssl.server.com", "hosting.com/good_path", "https://server:8080/path", ".exact.hostname.com" ]
Mac:
<array> <string>example.com</string> <string>https://ssl.server.com</string> <string>hosting.com/good_path</string> <string>https://server:8080/path</string> <string>.exact.hostname.com</string> </array>
Windows (Intune):
<enabled/>
<data id="AutoOpenAllowedForURLsDesc" value="1&#xF000;example.com&#xF000;2&#xF000;https://ssl.server.com&#xF000;3&#xF000;hosting.com/good_path&#xF000;4&#xF000;https://server:8080/path&#xF000;5&#xF000;.exact.hostname.com"/>
Back to top

AutoOpenFileTypes

List of file types that should be automatically opened on download
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutoOpenFileTypes
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AutoOpenFileTypes
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutoOpenFileTypes
Mac/Linux preference name:
AutoOpenFileTypes
Supported on:
  • Google Chrome (Linux) since version 84
  • Google Chrome (Mac) since version 84
  • Google Chrome (Windows) since version 84
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

List of file types that should be automatically opened on download. The leading separator should not be included when listing the file type, so list "txt" instead of ".txt".

Files with types that should be automatically opened will still be subject to the enabled safe browsing checks and won't be opened if they fail those checks.

If this policy isn't set, only file types that a user has already specified to automatically be opened will do so when downloaded.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\AutoOpenFileTypes\1 = "exe" Software\Policies\Google\Chrome\AutoOpenFileTypes\2 = "txt"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AutoOpenFileTypes\1 = "exe" Software\Policies\Google\ChromeOS\AutoOpenFileTypes\2 = "txt"
Android/Linux:
[ "exe", "txt" ]
Mac:
<array> <string>exe</string> <string>txt</string> </array>
Windows (Intune):
<enabled/>
<data id="AutoOpenFileTypesDesc" value="1&#xF000;exe&#xF000;2&#xF000;txt"/>
Back to top

AutofillAddressEnabled

Enable AutoFill for addresses
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutofillAddressEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AutofillAddressEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutofillAddressEnabled
Mac/Linux preference name:
AutofillAddressEnabled
Android restriction name:
AutofillAddressEnabled
Supported on:
  • Google Chrome (Linux) since version 69
  • Google Chrome (Mac) since version 69
  • Google Chrome (Windows) since version 69
  • Google ChromeOS (Google ChromeOS) since version 69
  • Google Chrome (Android) since version 69
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True or leaving it unset gives users control of Autofill for addresses in the UI.

Setting the policy to False means Autofill never suggests or fills address information, nor does it save additional address information that users submit while browsing the web.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

AutofillCreditCardEnabled

Enable AutoFill for credit cards
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutofillCreditCardEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AutofillCreditCardEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutofillCreditCardEnabled
Mac/Linux preference name:
AutofillCreditCardEnabled
Android restriction name:
AutofillCreditCardEnabled
Supported on:
  • Google Chrome (Linux) since version 63
  • Google Chrome (Mac) since version 63
  • Google Chrome (Windows) since version 63
  • Google ChromeOS (Google ChromeOS) since version 63
  • Google Chrome (Android) since version 63
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True or leaving it unset means users can control autofill suggestions for credit cards in the UI.

Setting the policy to False means autofill never suggests or fills credit card information, nor will it save additional credit card information that users might submit while browsing the web.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

AutoplayAllowed

Allow media autoplay
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutoplayAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AutoplayAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutoplayAllowed
Mac/Linux preference name:
AutoplayAllowed
Supported on:
  • Google Chrome (Windows) since version 66
  • Google Chrome (Linux) since version 66
  • Google Chrome (Mac) since version 66
  • Google ChromeOS (Google ChromeOS) since version 66
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True lets Google Chrome autoplay media. Setting the policy to False stops Google Chrome from autoplaying media.

By default, Google Chrome doesn't autoplay media. But, for certain URL patterns, you can use the AutoplayAllowlist policy to change this setting.

If this policy changes while Google Chrome is running, it only applies to newly opened tabs.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

AutoplayAllowlist

Allow media autoplay on a allowlist of URL patterns
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\AutoplayAllowlist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\AutoplayAllowlist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\AutoplayAllowlist
Mac/Linux preference name:
AutoplayAllowlist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy lets videos play automatically (without user consent) with audio content in Google Chrome. If AutoplayAllowed policy is set to True, then this policy has no effect. If AutoplayAllowed is set to False, then any URL patterns set in this policy can still play. If this policy changes while Google Chrome is running, it only applies to newly opened tabs.

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\AutoplayAllowlist\1 = "https://www.example.com" Software\Policies\Google\Chrome\AutoplayAllowlist\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\AutoplayAllowlist\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\AutoplayAllowlist\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="AutoplayAllowlistDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

BackForwardCacheEnabled

Control the BackForwardCache feature.
Data type:
Boolean
Android restriction name:
BackForwardCacheEnabled
Supported on:
  • Google Chrome (Android) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

When enabled the BackForwardCache feature allows the use of the back-forward cache. When navigating away from a page, its current state (document tree, script, etc.) may be preserved in the back-forward cache. If the browser navigates back to the page, the page may be restored from the back-forward cache and displayed in the state it was in before being cached.

This feature might cause issues for some websites that do not expect this caching. In particular, some websites depend on the "unload" event being dispatched when the browser navigates away from the page. The "unload" event will not be dispatched if the page enters the back-forward cache.

If this policy is set to enabled or not set, the BackForwardCache feature will be enabled.

If this policy is set to disabled then the feature will be force disabled.

Example value:
true (Android)
Back to top

BackgroundModeEnabled

Continue running background apps when Google Chrome is closed
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BackgroundModeEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BackgroundModeEnabled
Mac/Linux preference name:
BackgroundModeEnabled
Supported on:
  • Google Chrome (Windows) since version 19
  • Google Chrome (Linux) since version 19
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled turns background mode on. In background mode, a Google Chrome process is started on OS sign-in and keeps running when the last browser window is closed, allowing background apps and the browsing session to remain active. The background process displays an icon in the system tray and can always be closed from there.

Setting the policy to Disabled turns background mode off.

If you set the policy, users can't change it in the browser settings. If unset, background mode is off at first, but users can change it.

Example value:
0x00000001 (Windows), true (Linux)
Windows (Intune):
<enabled/>
Back to top

BlockThirdPartyCookies

Block third party cookies
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BlockThirdPartyCookies
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BlockThirdPartyCookies
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\BlockThirdPartyCookies
Mac/Linux preference name:
BlockThirdPartyCookies
Android restriction name:
BlockThirdPartyCookies
Supported on:
  • Google Chrome (Linux) since version 10
  • Google Chrome (Mac) since version 10
  • Google Chrome (Windows) since version 10
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 83
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled prevents webpage elements that aren't from the domain that's in the browser's address bar from setting cookies. Setting the policy to Disabled lets those elements set cookies and prevents users from changing this setting.

Leaving it unset turns third-party cookies on, but users can change this setting.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

BookmarkBarEnabled

Enable Bookmark Bar
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BookmarkBarEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BookmarkBarEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\BookmarkBarEnabled
Mac/Linux preference name:
BookmarkBarEnabled
Supported on:
  • Google Chrome (Linux) since version 12
  • Google Chrome (Mac) since version 12
  • Google Chrome (Windows) since version 12
  • Google ChromeOS (Google ChromeOS) since version 12
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True displays a bookmark bar in Google Chrome. Setting the policy to False means users never see the bookmark bar.

If you set the policy, users can't change it. If not set, users decide whether to use this function.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

BrowserAddPersonEnabled

Enable add person in user manager
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserAddPersonEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowserAddPersonEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\BrowserAddPersonEnabled
Mac/Linux preference name:
BrowserAddPersonEnabled
Supported on:
  • Google Chrome (Linux) since version 39
  • Google Chrome (Mac) since version 39
  • Google Chrome (Windows) since version 39
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If this policy is set to true or not configured, Google Chrome and Lacros will allow to add a new person from the user manager.

If this policy is set to false, Google Chrome and Lacros will not allow adding a new person from the user manager.

Note: If this policy is not configured or set to true, but LacrosSecondaryProfilesAllowed is set to false, Lacros will not allow adding a new person from the user manager.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

BrowserGuestModeEnabled

Enable guest mode in browser
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserGuestModeEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowserGuestModeEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\BrowserGuestModeEnabled
Mac/Linux preference name:
BrowserGuestModeEnabled
Supported on:
  • Google Chrome (Linux) since version 38
  • Google Chrome (Mac) since version 38
  • Google Chrome (Windows) since version 38
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If this policy is set to true or not configured, Google Chrome and Lacros will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode.

If this policy is set to false, Google Chrome and Lacros will not allow guest profiles to be started.

Note: If this policy is not configured or set to true, but LacrosSecondaryProfilesAllowed is set to false, Lacros will not allow guest profiles to be started.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

BrowserGuestModeEnforced

Enforce browser guest mode
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserGuestModeEnforced
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowserGuestModeEnforced
Mac/Linux preference name:
BrowserGuestModeEnforced
Supported on:
  • Google Chrome (Linux) since version 77
  • Google Chrome (Mac) since version 77
  • Google Chrome (Windows) since version 77
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled means Google Chrome enforces guest sessions and prevents profile sign-ins. Guest sign-ins are Google Chrome profiles where windows are in Incognito mode.

Setting the policy to Disabled, leaving it unset, or disabling browser Guest mode (through BrowserGuestModeEnabled) allows the use of new and existing profiles.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

BrowserLabsEnabled

Browser experiments icon in toolbar
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserLabsEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowserLabsEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\BrowserLabsEnabled
Mac/Linux preference name:
BrowserLabsEnabled
Supported on:
  • Google Chrome (Linux) since version 89
  • Google Chrome (Mac) since version 89
  • Google Chrome (Windows) since version 89
  • Google ChromeOS (Google ChromeOS) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving the policy unset means that users can access browser experimental features through an icon in the toolbar

Setting the policy to Disabled removes the browser experimental features icon from the toolbar.

chrome://flags and any other means of turning off and on browser features will still behave as expected regardless of whether this policy is Enabled or Disabled.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

BrowserLegacyExtensionPointsBlocked

Block Browser Legacy Extension Points
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserLegacyExtensionPointsBlocked
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowserLegacyExtensionPointsBlocked
Supported on:
  • Google Chrome (Windows) since version 95
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset will permit Google Chrome to apply the additional extension point security mitigation to block legacy extension points in the Browser process.

Setting the policy to Disabled has a detrimental effect on Google Chrome's security and stability as unknown and potentially hostile code can load inside Google Chrome's browser process. Only turn off the policy if there are compatibility issues with third-party software that must run inside Google Chrome's browser process.

Note: Read more about Process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Process-mitigation-policies ).

Example value:
0x00000000 (Windows)
Windows (Intune):
<disabled/>
Back to top

BrowserNetworkTimeQueriesEnabled

Allow queries to a Google time service
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserNetworkTimeQueriesEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowserNetworkTimeQueriesEnabled
Mac/Linux preference name:
BrowserNetworkTimeQueriesEnabled
Supported on:
  • Google Chrome (Linux) since version 60
  • Google Chrome (Mac) since version 60
  • Google Chrome (Windows) since version 60
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset means Google Chrome send occasional queries to a Google server to retrieve an accurate timestamp.

Setting the policy to Disabled stops Google Chrome from sending these queries.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

BrowserSignin

Browser sign in settings
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserSignin
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowserSignin
Mac/Linux preference name:
BrowserSignin
Android restriction name:
BrowserSignin
Supported on:
  • Google Chrome (Linux) since version 70
  • Google Chrome (Mac) since version 70
  • Google Chrome (Windows) since version 70
  • Google Chrome (Android) since version 70
  • Google Chrome (iOS) since version 90
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

This policy controls the sign-in behavior of the browser. It allows you to specify if the user can sign in to Google Chrome with their account and use account related services like Google Chrome Sync.

If the policy is set to "Disable browser sign-in" then the user cannot sign in to the browser and use account-based services. In this case browser-level features like Google Chrome Sync cannot be used and will be unavailable. On iOS, if the user was signed in and the policy is set to "Disabled" they will be signed out immediately. On other platforms, they will be signed out the next time they run Google Chrome. On all platforms, their local profile data like bookmarks, passwords etc. will be preserved and still usable. The user will still be able to sign into and use Google web services like Gmail.

If the policy is set to "Enable browser sign-in," then the user is allowed to sign in to the browser. On all platforms except iOS, the user is automatically signed in to the browser when signed in to Google web services like Gmail. Being signed in to the browser means the user's account information will be kept by the browser. However, it does not mean that Google Chrome Sync will be turned on by default; the user must separately opt-in to use this feature. Enabling this policy will prevent the user from turning off the setting that allows browser sign-in. To control the availability of Google Chrome Sync, use the SyncDisabled policy.

If the policy is set to "Force browser sign-in" the user is presented with an account selection dialog and has to choose and sign in to an account to use the browser. This ensures that for managed accounts the policies associated with the account are applied and enforced. The default value of BrowserGuestModeEnabled will be set to disabled. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article: https://support.google.com/chrome/a/answer/7572556 . This option is not supported on Linux, Android or iOS. It will fall back to "Enable browser sign-in" if used.

If this policy is not set then the user can decide if they want to enable browser sign-in in the Google Chrome settings and use it as they see fit.

  • 0 = Disable browser sign-in
  • 1 = Enable browser sign-in
  • 2 = Force users to sign-in to use the browser
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="BrowserSignin" value="2"/>
Back to top

BrowserThemeColor

Configure the color of the browser's theme
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowserThemeColor
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowserThemeColor
Mac/Linux preference name:
BrowserThemeColor
Supported on:
  • Google Chrome (Linux) since version 91
  • Google Chrome (Mac) since version 91
  • Google Chrome (Windows) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy allows admins to configure the color of Google Chrome's theme. The input string should be a valid hex color string matching the format "#RRGGBB".

Setting the policy to a valid hex color causes a theme based on that color to be automatically generated and applied to the browser. Users won't be able to change the theme set by the policy.

Leaving the policy unset lets users change their browser's theme as preferred.

Example value:
"#FFFFFF"
Windows (Intune):
<enabled/>
<data id="BrowserThemeColor" value="#FFFFFF"/>
Back to top

BrowsingDataLifetime

Browsing Data Lifetime Settings
Data type:
Dictionary [Android:string, Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BrowsingDataLifetime
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BrowsingDataLifetime
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\BrowsingDataLifetime
Mac/Linux preference name:
BrowsingDataLifetime
Android restriction name:
BrowsingDataLifetime
Supported on:
  • Google Chrome (Linux) since version 89
  • Google Chrome (Mac) since version 89
  • Google Chrome (Windows) since version 89
  • Google ChromeOS (Google ChromeOS) since version 89
  • Google Chrome (Android) since version 96
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Configures browsing data lifetime settings for Google Chrome. This policy allows admins to configure (per data-type) when data is deleted by the browser. This is useful for customers that work with sensitive customer data. The policy will only take effect if SyncDisabled is set to true.

The available data types are 'browsing_history', 'download_history', 'cookies_and_other_site_data', 'cached_images_and_files', 'password_signin', 'autofill', 'site_settings' and 'hosted_app_data'.

The browser will automatically remove data of selected types that is older than 'time_to_live_in_hours'. The minimum value that can be set is 1 hour.

The deletion of expired data will happen 15 seconds after the browser starts then every hour while the browser is running.

Schema:
{ "items": { "properties": { "data_types": { "items": { "enum": [ "browsing_history", "download_history", "cookies_and_other_site_data", "cached_images_and_files", "password_signin", "autofill", "site_settings", "hosted_app_data" ], "type": "string" }, "type": "array" }, "time_to_live_in_hours": { "minimum": 1, "type": "integer" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\BrowsingDataLifetime = [ { "data_types": [ "browsing_history" ], "time_to_live_in_hours": 24 }, { "data_types": [ "password_signin", "autofill" ], "time_to_live_in_hours": 12 } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\BrowsingDataLifetime = [ { "data_types": [ "browsing_history" ], "time_to_live_in_hours": 24 }, { "data_types": [ "password_signin", "autofill" ], "time_to_live_in_hours": 12 } ]
Android/Linux:
BrowsingDataLifetime: [ { "data_types": [ "browsing_history" ], "time_to_live_in_hours": 24 }, { "data_types": [ "password_signin", "autofill" ], "time_to_live_in_hours": 12 } ]
Mac:
<key>BrowsingDataLifetime</key> <array> <dict> <key>data_types</key> <array> <string>browsing_history</string> </array> <key>time_to_live_in_hours</key> <integer>24</integer> </dict> <dict> <key>data_types</key> <array> <string>password_signin</string> <string>autofill</string> </array> <key>time_to_live_in_hours</key> <integer>12</integer> </dict> </array>
Windows (Intune):
<enabled/>
<data id="BrowsingDataLifetime" value="{"time_to_live_in_hours": 24, "data_types": ["browsing_history"]}, {"time_to_live_in_hours": 12, "data_types": ["password_signin", "autofill"]}"/>
Back to top

BuiltInDnsClientEnabled

Use built-in DNS client
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\BuiltInDnsClientEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\BuiltInDnsClientEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\BuiltInDnsClientEnabled
Mac/Linux preference name:
BuiltInDnsClientEnabled
Android restriction name:
BuiltInDnsClientEnabled
Supported on:
  • Google Chrome (Android) since version 73
  • Google Chrome (Linux) since version 25
  • Google Chrome (Mac) since version 25
  • Google Chrome (Windows) since version 25
  • Google ChromeOS (Google ChromeOS) since version 73
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy controls which software stack is used to communicate with the DNS server: the Operating System DNS client, or Google Chrome's built-in DNS client. This policy does not affect which DNS servers are used: if, for example, the operating system is configured to use an enterprise DNS server, that same server would be used by the built-in DNS client. It also does not control if DNS-over-HTTPS is used; Google Chrome will always use the built-in resolver for DNS-over-HTTPS requests. Please see the DnsOverHttpsMode policy for information on controlling DNS-over-HTTPS.

If this policy is set to Enabled, the built-in DNS client will be used, if available.

If this policy is set to Disabled, the built-in DNS client will only be used when DNS-over-HTTPS is in use.

If this policy is left unset, the built-in DNS client will be enabled by default on macOS, Android (when neither Private DNS nor VPN are enabled) and Google Chrome OS.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

BuiltinCertificateVerifierEnabled

Determines whether the built-in certificate verifier will be used to verify server certificates
Data type:
Boolean
Mac/Linux preference name:
BuiltinCertificateVerifierEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 77 until version 83
  • Google Chrome (Linux) since version 79 until version 83
  • Google Chrome (Mac) since version 83
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

When this setting is enabled, Google Chrome will perform verification of server certificates using the built-in certificate verifier. When this setting is disabled, Google Chrome will perform verification of server certificates using the legacy certificate verifier provided by the platform. When this setting is not set, the built-in or the legacy certificate verifier may be used.

This policy is planned to be removed in Google Chrome for macOS version 107, when support for the legacy certificate verifier on macOS is planned to be removed.

Example value:
<false /> (Mac)
Back to top

CACertificateManagementAllowed

Allow users to manage installed CA certificates.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CACertificateManagementAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to All (0) or leaving it unset lets users edit trust settings for all CA certificates, remove user-imported certificates, and import certificates using Certificate Manager. Setting the policy to UserOnly (1) lets users manage only user-imported certificates, but not change trust settings of built-in certificates. Setting it to None (2) lets users view (not manage) CA certificates.

  • 0 = Allow users to manage all certificates
  • 1 = Allow users to manage user certificates
  • 2 = Disallow users from managing certificates
Example value:
0x00000001 (Windows)
Back to top

CECPQ2Enabled

CECPQ2 post-quantum key-agreement enabled for TLS
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CECPQ2Enabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CECPQ2Enabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CECPQ2Enabled
Mac/Linux preference name:
CECPQ2Enabled
Android restriction name:
CECPQ2Enabled
Supported on:
  • Google Chrome (Linux) since version 91
  • Google Chrome (Mac) since version 91
  • Google Chrome (Windows) since version 91
  • Google ChromeOS (Google ChromeOS) since version 91
  • Google Chrome (Android) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If this policy is not configured, or is set to enabled, then Google Chrome will follow the default rollout process for CECPQ2, a post-quantum key-agreement algorithm in TLS.

CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware. This policy can be set to False to disable CECPQ2 while networking issues are resolved.

This policy is a temporary measure and will be removed in future versions of Google Chrome.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

CORSNonWildcardRequestHeadersSupport

CORS non-wildcard request headers support
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CORSNonWildcardRequestHeadersSupport
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CORSNonWildcardRequestHeadersSupport
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CORSNonWildcardRequestHeadersSupport
Mac/Linux preference name:
CORSNonWildcardRequestHeadersSupport
Android restriction name:
CORSNonWildcardRequestHeadersSupport
Supported on:
  • Google Chrome (Linux) since version 97 until version 103
  • Google Chrome (Mac) since version 97 until version 103
  • Google Chrome (Windows) since version 97 until version 103
  • Google ChromeOS (Google ChromeOS) since version 97 until version 103
  • Google Chrome (Android) since version 97 until version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Configures support of CORS non-wildcard request headers.

Google Chrome version 97 introduces support for CORS non-wildcard request headers. When scripts make a cross-origin network request via fetch() and XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. "Explicitly" here means that the wild card symbol "*" doesn't cover the Authorization header. See https://www.chromest atus.com/feature/5768642492891136 for more detail.

If this policy is not set, or set to True, Google Chrome will support the CORS non-wildcard request headers and behave as described above.

When this policy is set to False, chrome will allow the wildcard symbol ("*") in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.

This Enterprise policy is temporary; it's intended to be removed after Google Chrome version 103.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

CaptivePortalAuthenticationIgnoresProxy

Captive portal authentication ignores proxy
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CaptivePortalAuthenticationIgnoresProxy
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 41
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled lets Google Chrome OS bypass any proxy for captive portal authentication. These authentication webpages, starting from the captive portal sign-in page until Chrome detects a successful internet connection, open in a separate window, ignoring all policy settings and restrictions for the current user. This policy only takes effect if a proxy is set up (by policy, extension, or the user in chrome://settings).

Setting the policy to Disabled or leaving it unset means any captive portal authentication pages are shown in a (regular) new browser tab, using the current user's proxy settings.

Example value:
0x00000001 (Windows)
Back to top

CertificateTransparencyEnforcementDisabledForCas

Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CertificateTransparencyEnforcementDisabledForCas
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForCas
Mac/Linux preference name:
CertificateTransparencyEnforcementDisabledForCas
Android restriction name:
CertificateTransparencyEnforcementDisabledForCas
Supported on:
  • Google Chrome (Linux) since version 67
  • Google Chrome (Mac) since version 67
  • Google Chrome (Windows) since version 67
  • Google ChromeOS (Google ChromeOS) since version 67
  • Google Chrome (Android) since version 67
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of subjectPublicKeyInfo hashes. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the hash must meet one of these conditions:

* It's of the server certificate's subjectPublicKeyInfo.

* It's of a subjectPublicKeyInfo that appears in a Certificate Authority (CA) certificate in the certificate chain. That CA certificate is constrained through the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName has an organizationName attribute.

* It's of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate has the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.

Specify a subjectPublicKeyInfo hash by linking the hash algorithm name, a slash, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.

Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Google Chrome doesn't trust those certificates.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas\2 = "sha256//////////////////////w=="
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForCas\2 = "sha256//////////////////////w=="
Android/Linux:
[ "sha256/AAAAAAAAAAAAAAAAAAAAAA==", "sha256//////////////////////w==" ]
Mac:
<array> <string>sha256/AAAAAAAAAAAAAAAAAAAAAA==</string> <string>sha256//////////////////////w==</string> </array>
Windows (Intune):
<enabled/>
<data id="CertificateTransparencyEnforcementDisabledForCasDesc" value="1&#xF000;sha256/AAAAAAAAAAAAAAAAAAAAAA==&#xF000;2&#xF000;sha256//////////////////////w=="/>
Back to top

CertificateTransparencyEnforcementDisabledForLegacyCas

Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CertificateTransparencyEnforcementDisabledForLegacyCas
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas
Mac/Linux preference name:
CertificateTransparencyEnforcementDisabledForLegacyCas
Android restriction name:
CertificateTransparencyEnforcementDisabledForLegacyCas
Supported on:
  • Google Chrome (Linux) since version 67
  • Google Chrome (Mac) since version 67
  • Google Chrome (Windows) since version 67
  • Google ChromeOS (Google ChromeOS) since version 67
  • Google Chrome (Android) since version 67
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of Legacy Certificate Authorities (CA) for certificate chains with a specified subjectPublicKeyInfo hash. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the subjectPublicKeyInfo hash must appear in a CA certificate recognized as a Legacy CA. A Legacy CA is publicly trusted by one or more operating systems supported by Google Chrome, but not Android Open Source Project or Google Chrome OS.

Specify a subjectPublicKeyInfo hash by linking the hash algorithm name, a slash and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.

Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Google Chrome doesn't trust those certificates.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas\2 = "sha256//////////////////////w=="
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas\2 = "sha256//////////////////////w=="
Android/Linux:
[ "sha256/AAAAAAAAAAAAAAAAAAAAAA==", "sha256//////////////////////w==" ]
Mac:
<array> <string>sha256/AAAAAAAAAAAAAAAAAAAAAA==</string> <string>sha256//////////////////////w==</string> </array>
Windows (Intune):
<enabled/>
<data id="CertificateTransparencyEnforcementDisabledForLegacyCasDesc" value="1&#xF000;sha256/AAAAAAAAAAAAAAAAAAAAAA==&#xF000;2&#xF000;sha256//////////////////////w=="/>
Back to top

CertificateTransparencyEnforcementDisabledForUrls

Disable Certificate Transparency enforcement for a list of URLs
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CertificateTransparencyEnforcementDisabledForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForUrls
Mac/Linux preference name:
CertificateTransparencyEnforcementDisabledForUrls
Android restriction name:
CertificateTransparencyEnforcementDisabledForUrls
Supported on:
  • Google Chrome (Linux) since version 53
  • Google Chrome (Mac) since version 53
  • Google Chrome (Windows) since version 53
  • Google ChromeOS (Google ChromeOS) since version 53
  • Google Chrome (Android) since version 53
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy turns off Certificate Transparency disclosure requirements for the hostnames in the specified URLs. While making it harder to detect misissued certificates, hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed).

Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Google Chrome doesn't trust those certificates.

A URL pattern follows this format ( https://www.chromium.org/administrators/url-blocklist-filter-format ). However, because the validity of certificates for a given hostname is independent of the scheme, port, or path, Google Chrome only considers the hostname portion of the URL. Wildcard hosts aren't supported.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls\1 = "example.com" Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls\2 = ".example.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForUrls\1 = "example.com" Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForUrls\2 = ".example.com"
Android/Linux:
[ "example.com", ".example.com" ]
Mac:
<array> <string>example.com</string> <string>.example.com</string> </array>
Windows (Intune):
<enabled/>
<data id="CertificateTransparencyEnforcementDisabledForUrlsDesc" value="1&#xF000;example.com&#xF000;2&#xF000;.example.com"/>
Back to top

ChromeCleanupEnabled

Enable Chrome Cleanup on Windows
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ChromeCleanupEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ChromeCleanupEnabled
Supported on:
  • Google Chrome (Windows) since version 68
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset means Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is allowed.

Setting the policy to Disabled means Chrome Cleanup won't periodically scan and manual triggering is disabled.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.

Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
Back to top

ChromeCleanupReportingEnabled

Control how Chrome Cleanup reports data to Google
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ChromeCleanupReportingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ChromeCleanupReportingEnabled
Supported on:
  • Google Chrome (Windows) since version 68
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled means if Chrome Cleanup detects unwanted software, it may, in line with policy set by SafeBrowsingExtendedReportingEnabled, report about the scan to Google. Chrome Cleanup asks users if they want the cleanup. It sends results to Google.

Setting the policy to Disabled means if Chrome Cleanup detects unwanted software, it won't report about the scan to Google, regardless of the value of SafeBrowsingExtendedReportingEnabled. Chrome Cleanup asks users if they want the cleanup. The results aren't reported to Google.

Leaving the policy unset means Chrome Cleanup may, in line with policy set by SafeBrowsingExtendedReportingEnabled, report about scans for detecting unwanted software to Google. Chrome Cleanup asks users if they want the cleanup and to share the results with Google to help with future unwanted software detection. These results have file metadata, automatically installed extensions, and registry keys, as described by the Chrome Privacy Whitepaper.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.

Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
Back to top

ChromeOsLockOnIdleSuspend

Enable lock when the device become idle or suspended
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ChromeOsLockOnIdleSuspend
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 9
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means Google Chrome OS asks users for a password to unlock the device when it becomes idle.

Setting the policy to Disabled means users are not asked for a password to unlock the device from sleep.

Leaving the policy unset lets the user choose whether to be prompted for a password to unlock the device from sleep.

Example value:
0x00000001 (Windows)
Back to top

ChromeOsMultiProfileUserBehavior

Control the user behavior in a multiprofile session
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ChromeOsMultiProfileUserBehavior
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 31
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Control the user behavior in a multiprofile session on Google Chrome OS devices.

If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can be either primary or secondary user in a multiprofile session.

If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user can only be the primary user in a multiprofile session.

If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user cannot be part of a multiprofile session.

If you set this setting, users cannot change or override it.

If the setting is changed while the user is signed into a multiprofile session, all users in the session will be checked against their corresponding settings. The session will be closed if any one of the users is no longer allowed to be in the session.

If the policy is left not set, the default value 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed users.

  • "unrestricted" = Allow enterprise user to be both primary and secondary (Default behavior for non-managed users)
  • "primary-only" = Allow enterprise user to be primary multiprofile user only (Default behavior for enterprise-managed users)
  • "not-allowed" = Do not allow enterprise user to be part of multiprofile (primary or secondary)
Note for Google Chrome OS devices supporting Android apps:

When multiple users are logged in, only the primary user can use Android apps.

Example value:
"unrestricted"
Back to top

ChromeVariations

Determine the availability of variations
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ChromeVariations
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ChromeVariations
Mac/Linux preference name:
ChromeVariations
Supported on:
  • Google Chrome (Linux) since version 83
  • Google Chrome (Mac) since version 83
  • Google Chrome (Windows) since version 83
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Configuring this policy allows to specify which variations are allowed to be applied in Google Chrome.

Variations provide a means for offering modifications to Google Chrome without shipping a new version of the browser by selectively enabling or disabling already existing features. See https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework for more information.

Setting the VariationsEnabled (value 0), or leaving the policy not set allows all variations to be applied to the browser.

Setting the CriticalFixesOnly (value 1), allows only variations considered critical security or stability fixes to be applied to Google Chrome.

Setting the VariationsDisabled (value 2), prevent all variations from being applied to the browser. Please note that this mode can potentially prevent the Google Chrome developers from providing critical security fixes in a timely manner and is thus not recommended.

  • 0 = Enable all variations
  • 1 = Enable variations concerning critical fixes only
  • 2 = Disable all variations
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="ChromeVariations" value="1"/>
Back to top

ClearBrowsingDataOnExitList

Clear Browsing Data on Exit
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ClearBrowsingDataOnExitList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList
Mac/Linux preference name:
ClearBrowsingDataOnExitList
Supported on:
  • Google Chrome (Linux) since version 89
  • Google Chrome (Mac) since version 89
  • Google Chrome (Windows) since version 89
  • Google ChromeOS (Google ChromeOS) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Configures a list of browsing data types that should be deleted when the user closes all browser windows. The available data types are browsing history (browsing_history), download history (download_history), cookies (cookies_and_other_site_data), cache(cached_images_and_files), autofill (autofill), passwords (password_signin), site settings (site_settings) and hosted apps data (hosted_app_data). This policy does not take precedence over AllowDeletingBrowserHistory.

This policy requires the SyncDisabled policy to be set to true, otherwise it will be ignored. If this policy is set at platform level, Sync should be disabled at platform level. If this policy is set at user level, Sync should be disabled for that user in order for this policy to take effect.

If Google Chrome does not exit cleanly (for example, if the browser or the OS crashes), the browsing data will be cleared the next time the profile is loaded.

  • "browsing_history" = Browsing history
  • "download_history" = Download history
  • "cookies_and_other_site_data" = Cookies and other site data
  • "cached_images_and_files" = Cached images and files
  • "password_signin" = Password signin
  • "autofill" = Autofill
  • "site_settings" = Site settings
  • "hosted_app_data" = Hosted apps data
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList\1 = "browsing_history" Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList\2 = "download_history" Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList\3 = "cookies_and_other_site_data" Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList\4 = "cached_images_and_files" Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList\5 = "password_signin" Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList\6 = "autofill" Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList\7 = "site_settings" Software\Policies\Google\Chrome\ClearBrowsingDataOnExitList\8 = "hosted_app_data"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList\1 = "browsing_history" Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList\2 = "download_history" Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList\3 = "cookies_and_other_site_data" Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList\4 = "cached_images_and_files" Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList\5 = "password_signin" Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList\6 = "autofill" Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList\7 = "site_settings" Software\Policies\Google\ChromeOS\ClearBrowsingDataOnExitList\8 = "hosted_app_data"
Android/Linux:
[ "browsing_history", "download_history", "cookies_and_other_site_data", "cached_images_and_files", "password_signin", "autofill", "site_settings", "hosted_app_data" ]
Mac:
<array> <string>browsing_history</string> <string>download_history</string> <string>cookies_and_other_site_data</string> <string>cached_images_and_files</string> <string>password_signin</string> <string>autofill</string> <string>site_settings</string> <string>hosted_app_data</string> </array>
Windows (Intune):
<enabled/>
<data id="ClearBrowsingDataOnExitList" value=""browsing_history", "download_history", "cookies_and_other_site_data", "cached_images_and_files", "password_signin", "autofill", "site_settings", "hosted_app_data""/>
Back to top

ClickToCallEnabled

Enable the Click to Call Feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ClickToCallEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ClickToCallEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ClickToCallEnabled
Mac/Linux preference name:
ClickToCallEnabled
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the Click to Call feature which allows users to send phone numbers from Chrome Desktops to an Android device when the user is Signed-in. For more information, see help center article: https://support.google.com/chrome/answer/9430554?hl=en.

If this policy is set to enabled, the capability of sending phone numbers to Android devices will be enabled for the Chrome user.

If this policy is set to disabled, the capability of sending phone numbers to Android devices will be disabled for the Chrome user.

If you set this policy, users cannot change or override it.

If this policy is left unset, the Click to Call feature is enabled by default.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ClientCertificateManagementAllowed

Allow users to manage installed client certificates.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ClientCertificateManagementAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 74
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 'All' (value 0) or leaving it unset lets users manage certificates. Setting the policy to 'None' (value 2) means users can only view (not manage) certificates.

Setting the policy to 'UserOnly' (value 1) lets users manage user certificates, but not device-wide certificates.

  • 0 = Allow users to manage all certificates
  • 1 = Allow users to manage user certificates
  • 2 = Disallow users from managing certificates
Example value:
0x00000001 (Windows)
Back to top

CloudManagementEnrollmentMandatory

Enable mandatory cloud management enrollment
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CloudManagementEnrollmentMandatory
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CloudManagementEnrollmentMandatory
Mac/Linux preference name:
CloudManagementEnrollmentMandatory
Supported on:
  • Google Chrome (Linux) since version 72
  • Google Chrome (Mac) since version 72
  • Google Chrome (Windows) since version 72
Supported features:
Dynamic Policy Refresh: No, Per Profile: No, Platform Only: Yes
Description:

Setting the policy to Enabled mandates Chrome Browser Cloud Management enrollment and blocks Google Chrome launch process if failed.

Setting the policy to Disabled or leaving it unset renders Chrome Browser Cloud Management optional and doesn't block Google Chrome launch process if failed.

Machine scope cloud policy enrollment on desktop uses this policy. See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for details.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

CloudManagementEnrollmentToken

The enrollment token of cloud policy
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CloudManagementEnrollmentToken
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CloudManagementEnrollmentToken
Mac/Linux preference name:
CloudManagementEnrollmentToken
Android restriction name:
CloudManagementEnrollmentToken
Supported on:
  • Google Chrome (Linux) since version 72
  • Google Chrome (Mac) since version 72
  • Google Chrome (Windows) since version 72
  • Google Chrome (iOS) since version 88
  • Google Chrome (Android) since version 97
Supported features:
Dynamic Policy Refresh: No, Per Profile: No, Platform Only: Yes
Description:

Setting the policy means Google Chrome tries to register itself with Chrome Browser Cloud Management. The value of this policy is an enrollment token you can retrieve from the Google Admin console.

See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for details.

Example value:
"37185d02-e055-11e7-80c1-9a214cf093ae"
Windows (Intune):
<enabled/>
<data id="CloudManagementEnrollmentToken" value="37185d02-e055-11e7-80c1-9a214cf093ae"/>
Back to top

CloudPolicyOverridesPlatformPolicy

Google Chrome cloud policy overrides Platform policy.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CloudPolicyOverridesPlatformPolicy
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CloudPolicyOverridesPlatformPolicy
Mac/Linux preference name:
CloudPolicyOverridesPlatformPolicy
Android restriction name:
CloudPolicyOverridesPlatformPolicy
Supported on:
  • Google Chrome (Linux) since version 75
  • Google Chrome (Mac) since version 75
  • Google Chrome (Windows) since version 75
  • Google Chrome (iOS) since version 88
  • Google Chrome (Android) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Metapolicy Type: Yes, Per Profile: No
Description:

Setting the policy to Enabled means cloud policy takes precedence if it conflicts with platform policy.

Setting the policy to Disabled or leaving it unset means platform policy takes precedence if it conflicts with cloud policy.

This mandatory policy affects machine scope cloud policies.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

CloudUserPolicyMerge

Enables merging of user cloud policies into machine-level policies
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CloudUserPolicyMerge
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CloudUserPolicyMerge
Mac/Linux preference name:
CloudUserPolicyMerge
Android restriction name:
CloudUserPolicyMerge
Supported on:
  • Google Chrome (Linux) since version 92
  • Google Chrome (Mac) since version 92
  • Google Chrome (Windows) since version 92
  • Google Chrome (Android) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Metapolicy Type: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled allows policies associated with a Google Workspace account to be merged into machine-level policies.

Only policies originating from secure users can be merged. A secure user is affiliated with the organization that manages their browser using Chrome Browser Cloud Management. All other user-level policies will always be ignored.

Policies that need to be merged also need to be set in either PolicyListMultipleSourceMergeList or PolicyDictionaryMultipleSourceMergeList. This policy will be ignored if neither of the two aforementioned policies is configured.

Leaving the policy unset or setting it to Disabled prevents user-level cloud policies from being merged with policies from any other sources.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

CloudUserPolicyOverridesCloudMachinePolicy

Allow user cloud policies to override Chrome Browser Cloud Management policies.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CloudUserPolicyOverridesCloudMachinePolicy
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CloudUserPolicyOverridesCloudMachinePolicy
Mac/Linux preference name:
CloudUserPolicyOverridesCloudMachinePolicy
Android restriction name:
CloudUserPolicyOverridesCloudMachinePolicy
Supported on:
  • Google Chrome (Linux) since version 96
  • Google Chrome (Mac) since version 96
  • Google Chrome (Windows) since version 96
  • Google Chrome (Android) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Metapolicy Type: Yes, Per Profile: No
Description:

Setting the policy to Enabled allows policies associated with a Google Workspace account to take precedence if they conflict with Chrome Browser Cloud Management policies.

Only policies originating from secure users can take precedence. A secure user is affiliated with the organization that manages their browser using Chrome Browser Cloud Management. All other user-level policies will have default precedence.

The policy can be combined with CloudPolicyOverridesPlatformPolicy. If both policies are enabled, user cloud policies will also take precedence over conflicting platform policies.

Leaving the policy unset or setting it to disabled causes user-level cloud policies to have default priority.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

CommandLineFlagSecurityWarningsEnabled

Enable security warnings for command-line flags
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\CommandLineFlagSecurityWarningsEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\CommandLineFlagSecurityWarningsEnabled
Mac/Linux preference name:
CommandLineFlagSecurityWarningsEnabled
Supported on:
  • Google Chrome (Linux) since version 76
  • Google Chrome (Mac) since version 76
  • Google Chrome (Windows) since version 76
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset means security warnings appear when potentially dangerous command-line flags are used to launch Chrome.

Setting the policy to Disabled prevents security warnings from appearing when Chrome is launched with potentially dangerous command-line flags.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ComponentUpdatesEnabled

Enable component updates in Google Chrome
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ComponentUpdatesEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ComponentUpdatesEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ComponentUpdatesEnabled
Mac/Linux preference name:
ComponentUpdatesEnabled
Supported on:
  • Google Chrome (Linux) since version 54
  • Google Chrome (Mac) since version 54
  • Google Chrome (Windows) since version 54
  • Google ChromeOS (Google ChromeOS) since version 54
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Enables component updates for all components in Google Chrome when not set or set to enabled.

If set to disabled, updates to components are disabled. However, some components are exempt from this policy: updates to any component that does not contain executable code and is critical for the security of the browser will not be disabled. Examples of such components include the certificate revocation lists and subresource filters.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ContextualSearchEnabled

Enable Touch to Search
Data type:
Boolean
Android restriction name:
ContextualSearchEnabled
Supported on:
  • Google Chrome (Android) since version 40
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True or leaving it unset makes Touch to Search available to the user, and they can turn the feature on or off.

Setting the policy to False turns Touch to Search off completely.

Example value:
true (Android)
Back to top

DNSInterceptionChecksEnabled

DNS interception checks enabled
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DNSInterceptionChecksEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DNSInterceptionChecksEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DNSInterceptionChecksEnabled
Mac/Linux preference name:
DNSInterceptionChecksEnabled
Supported on:
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy configures a local switch that can be used to disable DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.

This detection may not be necessary in an enterprise environment where the network configuration is known, since it causes some amount of DNS and HTTP traffic on start-up and each DNS configuration change.

When this policy is not set, or is enabled, the DNS interception checks are performed. When explicitly disabled, they're not.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DataLeakPreventionClipboardCheckSizeLimit

Set minimal size limit for data leak prevention clipboard restriction
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DataLeakPreventionClipboardCheckSizeLimit
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 93
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: No, Per Profile: No
Description:

This policy sets the minimal data size (in bytes) of the data in the clipboard that will be checked against clipboard restriction rules defined in DataLeakPreventionRulesList policy. If not set, it defaults to 0 that means that all pastes from the clipboard will be checked according to the configured rules.

Example value:
0x00000032 (Windows)
Back to top

DataLeakPreventionReportingEnabled

Enable data leak prevention reporting
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DataLeakPreventionReportingEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 92
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: No, Per Profile: No
Description:

This policy is a general switch for all rules defined in the DataLeakPreventionRulesList policy. Setting this policy to True will switch on real-time reporting of data leak prevention events. Setting this policy to False or leaving it unset will switch off the reporting. Rules defined with ALLOW level restrictions in DataLeakPreventionRulesList will not report events in both cases.

Example value:
0x00000001 (Windows)
Back to top

DataLeakPreventionRulesList

Sets a list of data leak prevention rules.
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DataLeakPreventionRulesList
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 92
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: No, Per Profile: No
Description:

Configures a list of rules to prevent data leak on Google Chrome OS. Data leak can happen by copying and pasting data, transferring files, printing, screensharing, or taking screenshots ...etc.

Each rule consists of the following: - A list of sources defined as URLs. Any data in the sources will be considered confidential data, to which the restrictions will be applied. - A list of destinations defined as URLs or components, to which the confidential data is either allowed or disallowed to be shared. - A list of restrictions to be applied on the data of the sources.

Rules can be added to: - Control the clipboard data shared between the sources and the destinations. - Control taking screenshots of any of the sources. - Control printing of any of the sources. - Control the privacy screen when any of the sources is visible. - Control screen sharing of any of the sources.

The restriction level can be set to BLOCK, ALLOW, REPORT, WARN. - If the restriction level is set to BLOCK, the action won't be allowed. If DataLeakPreventionReportingEnabled is set to True, the blocked action will be reported to the admin. - If the restriction level is set to ALLOW, the action will be allowed. - If the restriction level is set to REPORT and DataLeakPreventionReportingEnabled is set to True, the action will be reported to the admin. - If the restriction level is set to WARN, a user will be warned and may choose to proceed with or cancel the action. If DataLeakPreventionReportingEnabled is set to True, showing the warning will be reported to the admin; proceeding with the action will also be reported.

Notes: - PRIVACY_SCREEN restriction doesn't block the ability to turn on privacy screen, but enforces it when the restriction class is set to BLOCK. - Destinations cannot be empty in case one of the restrictions is CLIPBOARD, but they don't make any difference for the remaining restrictions. - Format the URL patterns according to this format ( https://www.chromium.org/administrators/url-blocklist-filter-format ).

If the policy is left not set, no restrictions will be applied.

Schema:
{ "items": { "properties": { "description": { "type": "string" }, "destinations": { "properties": { "components": { "items": { "enum": [ "ARC", "CROSTINI", "PLUGIN_VM" ], "type": "string" }, "type": "array" }, "urls": { "items": { "type": "string" }, "type": "array" } }, "type": "object" }, "name": { "type": "string" }, "restrictions": { "items": { "properties": { "class": { "enum": [ "CLIPBOARD", "SCREENSHOT", "PRINTING", "PRIVACY_SCREEN", "SCREEN_SHARE" ], "type": "string" }, "level": { "enum": [ "BLOCK", "ALLOW", "REPORT", "WARN" ], "type": "string" } }, "type": "object" }, "type": "array" }, "sources": { "properties": { "urls": { "items": { "type": "string" }, "type": "array" } }, "type": "object" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DataLeakPreventionRulesList = [ { "description": "Allow copy and paste for work purposes, block printing, enforce privacy screen, report screen sharing, and warn on screenshots and video capture", "destinations": { "urls": [ "salesforce.com", "gmail.com", "docs.google.com", "drive.google.com", "company.com" ] }, "name": "Support agent work flows", "restrictions": [ { "class": "CLIPBOARD", "level": "ALLOW" }, { "class": "SCREENSHOT", "level": "WARN" }, { "class": "PRINTING", "level": "BLOCK" }, { "class": "PRIVACY_SCREEN", "level": "BLOCK" }, { "class": "SCREEN_SHARE", "level": "REPORT" } ], "sources": { "urls": [ "salesforce.com", "gmail.com", "docs.google.com", "drive.google.com", "company.com" ] } }, { "description": "Block copy and paste from work flows to other sites and external drives", "destinations": { "components": [ "ARC", "CROSTINI", "PLUGIN_VM" ], "urls": [ "*" ] }, "name": "Non agent work flows", "restrictions": [ { "class": "CLIPBOARD", "level": "BLOCK" } ], "sources": { "urls": [ "salesforce.com", "gmail.com", "docs.google.com", "company.com" ] } } ]
Back to top

DefaultBrowserSettingEnabled

Set Google Chrome as Default Browser
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultBrowserSettingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DefaultBrowserSettingEnabled
Mac/Linux preference name:
DefaultBrowserSettingEnabled
Supported on:
  • Google Chrome (Windows 7) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Linux) since version 11
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to True has Google Chrome always check whether it's the default browser on startup and, if possible, automatically register itself. Setting the policy to False stops Google Chrome from ever checking if it's the default and turns user controls off for this option.

Leaving the policy unset means Google Chrome lets users control whether it's the default and, if not, whether user notifications should appear.

Note: For Microsoft®Windows® administrators, turning this setting on only works for machines running Windows 7. For later versions, you must deploy a "default application associations" file that makes Google Chrome the handler for the https and http protocols (and, optionally, the ftp protocol and other file formats). See Chrome Help ( https://support.google.com/chrome?p=make_chrome_default_win ).

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DefaultDownloadDirectory

Set default download directory
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\Recommended\DefaultDownloadDirectory
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DefaultDownloadDirectory
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\Recommended\DefaultDownloadDirectory
Mac/Linux preference name:
DefaultDownloadDirectory
Supported on:
  • Google Chrome (Linux) since version 64
  • Google Chrome (Mac) since version 64
  • Google Chrome (Windows) since version 64
  • Google ChromeOS (Google ChromeOS) since version 64
Supported features:
Can Be Mandatory: No, Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy changes the default directory that Chrome downloads files to, but users can change the directory.

Leaving the policy unset means Chrome uses its platform-specific default directory.

This policy has no effect if the policy DownloadDirectory is set.

Note: See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).

Example value:
"/home/${user_name}/Downloads"
Windows (Intune):
<enabled/>
<data id="DefaultDownloadDirectory" value="/home/${user_name}/Downloads"/>
Back to top

DefaultSearchProviderContextMenuAccessAllowed

Allow default search provider context menu search access
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DefaultSearchProviderContextMenuAccessAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DefaultSearchProviderContextMenuAccessAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DefaultSearchProviderContextMenuAccessAllowed
Mac/Linux preference name:
DefaultSearchProviderContextMenuAccessAllowed
Supported on:
  • Google Chrome (Linux) since version 85
  • Google Chrome (Mac) since version 85
  • Google Chrome (Windows) since version 85
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enables the use of a default search provider on the context menu.

If you set this policy to disabled the search context menu item that relies on your default search provider will not be available.

If this policy is set to enabled or not set, the context menu item for your default search provider will be available.

The policy value is only appled when the DefaultSearchProviderEnabled policy is enabled, and is not applicable otherwise.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DesktopSharingHubEnabled

Enable desktop sharing in the omnibox and 3-dot menu
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DesktopSharingHubEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DesktopSharingHubEnabled
Mac/Linux preference name:
DesktopSharingHubEnabled
Supported on:
  • Google Chrome (Windows) since version 93
  • Google Chrome (Linux) since version 93
  • Google Chrome (Mac) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True or leaving it unset lets users share or save the current webpage using actions provided by the desktop sharing hub. The sharing hub is accessed through either an omnibox icon or the 3-dot menu.

Setting the policy to False removes the sharing icon from the omnibox and the entry from the 3-dot menu.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DeveloperToolsAvailability

Control where Developer Tools can be used
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DeveloperToolsAvailability
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DeveloperToolsAvailability
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeveloperToolsAvailability
Mac/Linux preference name:
DeveloperToolsAvailability
Supported on:
  • Google Chrome (Linux) since version 68
  • Google Chrome (Mac) since version 68
  • Google Chrome (Windows) since version 68
  • Google ChromeOS (Google ChromeOS) since version 68
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to 0 (the default) means you can access the developer tools and the JavaScript console, but not in the context of extensions installed by enterprise policy. Setting the policy to 1 means you can access the developer tools and the JavaScript console in all contexts, including that of extensions installed by enterprise policy. Setting the policy to 2 means you can't acess developer tools, and you can't inspect website elements.

This setting also turns off keyboard shortcuts and menu or context menu entries to open developer tools or the JavaScript console.

As of Google Chrome version 99, this setting also controls entry points for the 'View page source' feature. If you set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access source viewing via keyboard shortcut or the context menu. To fully block source viewing, you must also add 'view-source:*' to the URLBlocklist policy.

  • 0 = Disallow usage of the Developer Tools on extensions installed by enterprise policy, allow usage of the Developer Tools in other contexts
  • 1 = Allow usage of the Developer Tools
  • 2 = Disallow usage of the Developer Tools
Note for Google Chrome OS devices supporting Android apps:

This policy also controls access to Android Developer Options. If you set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access Developer Options. If you set this policy to another value or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.

Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="DeveloperToolsAvailability" value="2"/>
Back to top

DeveloperToolsDisabled (Deprecated)

Disable Developer Tools
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DeveloperToolsDisabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DeveloperToolsDisabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeveloperToolsDisabled
Mac/Linux preference name:
DeveloperToolsDisabled
Supported on:
  • Google Chrome (Linux) since version 9
  • Google Chrome (Mac) since version 9
  • Google Chrome (Windows) since version 9
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated in M68, please use DeveloperToolsAvailability instead.

Disables the Developer Tools and the JavaScript console.

If you enable this setting, the Developer Tools can not be accessed and web-site elements can not be inspected anymore. Any keyboard shortcuts and any menu or context menu entries to open the Developer Tools or the JavaScript Console will be disabled.

Setting this option to disabled or leaving it not set allows the user to use the Developer Tools and the JavaScript console.

If the policy DeveloperToolsAvailability is set, the value of the policy DeveloperToolsDisabled is ignored.

Note for Google Chrome OS devices supporting Android apps:

This policy also controls access to Android Developer Options. If you set this policy to true, users cannot access Developer Options. If you set this policy to false or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

DeviceAllowMGSToStoreDisplayProperties

Allow Managed guest session to persist display properties
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAllowMGSToStoreDisplayProperties
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes
Description:

If this policy is disabled or unset, all display settings that were set in Managed guest session will be reset as soon as the session finishes. If this policy is set to True, display properties will persist after exiting the managed guest session.

Example value:
0x00000001 (Windows)
Back to top

DeviceAllowedBluetoothServices

Only allow connection to the Bluetooth services in the list
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Dynamic Policy Refresh: Yes
Description:

This policy allows admins to configure Bluetooth services that Google Chrome OS is allowed to connect to.

When this policy is set, Google Chrome OS only allows users to connect to the specified Bluetooth services with an exception when the list is empty which means any service is allowed to use. UUIDs reserved by the Bluetooth SIG can be represented as '0xABCD' or 'ABCD'. Custom UUIDs can be represented as 'AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'. UUIDs are case insensitive. Leaving this policy unset lets users connect to any Bluetooth service.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices\1 = "0x111E" Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices\2 = "0x110B" Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices\3 = "0x1203" Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices\4 = "0x1108" Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices\5 = "0x110C" Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices\6 = "0x110E" Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices\7 = "0x110F" Software\Policies\Google\ChromeOS\DeviceAllowedBluetoothServices\8 = "0x1200"
Back to top

DeviceAttributesAllowedForOrigins

Allow origins to query for device attributes
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceAttributesAllowedForOrigins
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to allow some origins of force-installed web applications to get device attributes (e.g. serial number, hostname) by using Device Attributes API.

Device Attributes API is a list of web APIs, please see https://wicg.github.io/WebApiDevice/device_attributes. They are only available to origins which correspond to force-installed web applications via WebAppInstallForceList or the one configured in the Kiosk session.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceAttributesAllowedForOrigins\1 = "https://www.google.com" Software\Policies\Google\ChromeOS\DeviceAttributesAllowedForOrigins\2 = "https://www.example.com"
Back to top

DeviceChromeVariations

Determine the availability of variations on Google Chrome OS
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceChromeVariations
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 83
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Configuring this policy allows to specify which variations are allowed to be applied on an enterprise-managed Google Chrome OS device.

Variations provide a means for offering modifications to Google Chrome OS without shipping a new version by selectively enabling or disabling already existing features. See https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework for more information.

Setting the VariationsEnabled (value 0), or leaving the policy not set allows all variations to be applied to Google Chrome OS.

Setting the CriticalFixesOnly (value 1), allows only variations considered critical security or stability fixes to be applied to Google Chrome OS.

Setting the VariationsDisabled (value 2), will prevent all variations from being applied to the browser on the login screen. Please note that this mode can potentially prevent the Google Chrome OS developers from providing critical security fixes in a timely manner and is thus not recommended.

  • 0 = Enable all variations
  • 1 = Enable variations concerning critical fixes only
  • 2 = Disable all variations
Example value:
0x00000001 (Windows)
Back to top

DeviceDebugPacketCaptureAllowed

Allow debug network packet captures
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceDebugPacketCaptureAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 92
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allow network packet captures on device for debugging.

If the policy is set to true or left unset, user will be able to perform network packet captures on device. If set to false, network packet capture won't be available on the device.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Example value:
0x00000000 (Windows)
Back to top

DeviceEncryptedReportingPipelineEnabled

Enable the Encrypted Reporting Pipeline
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes
Description:

Setting the policy to True or leaving it unset allows for events, telemetry and info to be reported to the Encrypted Reporting Pipeline. Setting the policy to False disables the Encrypted Reporting Pipeline.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Back to top

DeviceI18nShortcutsEnabled

Allows enabling/disabling international shortcut keys remaps
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceI18nShortcutsEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy controls whether the improved international keyboard shortcut mapping is enabled. This feature ensures keyboard shortcuts work consistently with international keyboard layouts and deprecate legacy shortcuts.

If this policy is disabled, improved international keyboards shortcuts are disabled. If this policy is enabled, improved international keyboards shortcuts are enabled. If unset, this policy is enabled for managed devices and enabled for consumer-owned devices. Note this is only a temporarily policy to allow managed users to still be able to use deprecated legacy shortcuts. This policy will deprecate after customized keyboard shortcuts are available.

Example value:
0x00000001 (Windows)
Back to top

DeviceLocalAccountManagedSessionEnabled (Deprecated)

Allow managed session on device
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLocalAccountManagedSessionEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Note that this policy is deprecated and will be removed in Google Chrome OS version 88. Public sessions are no longer supported. Please use DeviceLocalAccounts to configure managed-guest sessions instead. If this policy is set to false, managed guest session will behave as documented in https://support.google.com/chrome/a/answer/3017014 - the standard "Public Session".

If this policy is set to true or left unset, managed guest session will take on "Managed Session" behaviour which lifts many of the restrictions that are in place for regular "Public Sessions".

If this policy is set, the user cannot change or override it.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenPrimaryMouseButtonSwitch

Switch the primary mouse button to the right button on the login screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenPrimaryMouseButtonSwitch
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 81
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes
Description:

Switch the primary mouse button to the right button on the login screen.

If this policy is set to enabled, the right button of the mouse will always be the primary key on the login screen.

If this policy is set to disabled, the left button of the mouse will always be the primary key on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the left button of the mouse will be the primary key on the login screen initially, but can be switched by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

DeviceLoginScreenWebUsbAllowDevicesForUrls

Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen.
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceLoginScreenWebUsbAllowDevicesForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs on the login screen. Each item in the list requires both devices and urls fields for the policy to be valid. Each item in the devices field can have a vendor_id and product_id field. Omitting the vendor_id field will create a policy matching any device. Omitting the product_id field will create a policy matching any device with the given vendor ID. A policy which has a product_id field without a vendor_id field is invalid.

The USB permission model will grant the specified URL permission to access the USB device as a top-level origin. If embedded frames need to access USB devices, the 'usb' feature-policy header should be used to grant access. The URL must be valid, otherwise the policy is ignored.

Deprecated: The USB permission model used to support specifying both the requesting and embedding URLs. This is deprecated and only supported for backwards compatiblity in this manner: if both a requesting and embedding URL is specified, then the embedding URL will be granted the permission as top-level origin and the requsting URL will be ignored entirely.

Leaving the policy unset puts the global default value in use for all sites (no automatic access).

Schema:
{ "items": { "properties": { "devices": { "items": { "properties": { "product_id": { "type": "integer" }, "vendor_id": { "type": "integer" } }, "type": "object" }, "type": "array" }, "urls": { "items": { "type": "string" }, "type": "array" } }, "required": [ "devices", "urls" ], "type": "object" }, "type": "array" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceLoginScreenWebUsbAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com" ] } ]
Back to top

DevicePciPeripheralDataAccessEnabled

Enable Thunderbolt/USB4 peripheral data access
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePciPeripheralDataAccessEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

If this policy is disabled user will not be able to fully connect their Thunderbolt/USB4 peripheral device through PCIe tunneling.

If this policy is enabled, user will be able to fully connect their Thunderbolt/USB4 peripheral device through PCIe tunneling.

If policy is left unset, defaults to false and the user will be able to select whichever state (true/false) for this setting.

Example value:
0x00000000 (Windows)
Back to top

DevicePowerwashAllowed

Allow the device to request powerwash
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DevicePowerwashAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 77
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset lets a device trigger powerwash.

Setting the policy to Disabled doesn't let a device trigger powerwash. An exception to still allow a powerwash can occur if TPMFirmwareUpdateSettings is set to a value that lets the TPM firmware update, but it hasn't updated yet.

Example value:
0x00000001 (Windows)
Back to top

DeviceRebootOnUserSignout

Force device reboot when user sign out
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceRebootOnUserSignout
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 76
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

This policy, when set to ArcSession, forces the device to reboot when a user sign out if Android has started. This policy, when set to ArcSessionOrVMStart, forces the device to reboot when a user sign out if Android or a VM has started. When set to Always, it forces the device to reboot on every user sign out. If left unset, it has no effect and no reboot is forced on user sign out. The same applies if set to Never. This policy has effect only for unaffiliated users.

  • 1 = Do not reboot on user sign out.
  • 2 = Reboot on user sign out if Android has started.
  • 3 = Always reboot on user sign out.
  • 4 = Reboot on user sign out if Android or a VM has started.
Example value:
0x00000002 (Windows)
Back to top

DeviceReleaseLtsTag

Allow device to receive LTS updates
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceReleaseLtsTag
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes
Description:

If this policy is set to "lts" it allows the device to receive LTS (long term support) updates.

Example value:
"lts"
Back to top

DeviceRestrictedManagedGuestSessionEnabled

Restricted managed guest sessions
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceRestrictedManagedGuestSessionEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

The policy only applies to managed guest sessions. It has to be enabled for Imprivata's shared workstation mode to allow in-session user switches. Setting the policy to True will forcefully override certain policies for features, which persist sensitive user data and are not handled by the clean-up mechanism used for in-session user switches with Imprivata shared workstation mode. Setting the policy to False or leaving it unset will not override any policies.

Example value:
0x00000001 (Windows)
Back to top

DeviceScheduledReboot

Set custom schedule to reboot kiosk devices
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceScheduledReboot
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allows setting a custom schedule to reboot devices. The policy currently applies only to devices which have enabled auto-launch app in the Kiosk session. Once set to True, the device will reboot to the schedule. The policy must be removed to cancel any more scheduled reboots.

Schema:
{ "properties": { "day_of_month": { "description": "Day of month [1-31] when the reboot should happen, interpreted in the device's local time zone. Only used when 'frequency' is 'MONTHLY'. If this is more than the maximum number of days in a given month then the last day of the month will be chosen.", "maximum": 31, "minimum": 1, "type": "integer" }, "day_of_week": { "$ref": "WeekDay", "description": "Day of week when the reboot should happen, interpreted in the device's local time zone. Only used when 'frequency' is 'WEEKLY'." }, "frequency": { "description": "Frequency at which the reboot should recur.", "enum": [ "DAILY", "WEEKLY", "MONTHLY" ], "type": "string" }, "reboot_time": { "$ref": "Time", "description": "Time when the reboot should happen, interpreted in the device's local time zone." } }, "required": [ "reboot_time", "frequency" ], "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DeviceScheduledReboot = { "day_of_month": 11, "day_of_week": "TUESDAY", "frequency": "WEEKLY", "reboot_time": { "hour": 22, "minute": 30 } }
Back to top

DeviceScheduledUpdateCheck

Set custom schedule to check for updates
Data type:
Dictionary
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allows setting a custom schedule to check for updates. This applies to all users, and to all interfaces on the device. Once set, the device will check for updates according to the schedule. The policy must be removed to cancel any more scheduled update checks.

Schema:
{ "properties": { "day_of_month": { "description": "Day of month [1-31] when the update check should happen, interpreted in the device's local time zone. Only used when 'frequency' is 'MONTHLY'. If this is more than the maximum number of days in a given month then the last day of the month will be chosen.", "maximum": 31, "minimum": 1, "type": "integer" }, "day_of_week": { "$ref": "WeekDay", "description": "Day of week when the update check should happen, interpreted in the device's local time zone. Only used when 'frequency' is 'WEEKLY'." }, "frequency": { "description": "Frequency with which the update check should recur.", "enum": [ "DAILY", "WEEKLY", "MONTHLY" ], "type": "string" }, "update_check_time": { "$ref": "Time", "description": "Time when the update check should happen, interpreted in the device's local time zone." } }, "required": [ "update_check_time", "frequency" ], "type": "object" }
Back to top

DeviceSystemWideTracingEnabled

Allow collection of system-wide performance trace
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DeviceSystemWideTracingEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This setting allows to collect a system-wide performance trace using the system tracing service.

If this policy is disabled, the user cannot collect a system-wide trace using the system tracing service. If this policy is enabled, the user can collect a system-wide trace using system tracing service. If unset, this policy is disabled for managed devices and enabled for consumer-owned devices. Note that setting this policy to disabled only disables system-wide trace collection. Browser trace collection is unaffected by this policy.

Example value:
0x00000001 (Windows)
Back to top

Disable3DAPIs

Disable support for 3D graphics APIs
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\Disable3DAPIs
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\Disable3DAPIs
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\Disable3DAPIs
Mac/Linux preference name:
Disable3DAPIs
Supported on:
  • Google Chrome (Linux) since version 9
  • Google Chrome (Mac) since version 9
  • Google Chrome (Windows) since version 9
  • Google ChromeOS (Google ChromeOS) since version 11
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True (or setting HardwareAccelerationModeEnabled to False) prevents webpages from accessing the WebGL API, and plugins can't use the Pepper 3D API.

Setting the policy to False or leaving it unset lets webpages use the WebGL API and plugins use the Pepper 3D API, but the browser's default settings might still require command line arguments to use these APIs.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

DisableSafeBrowsingProceedAnyway

Disable proceeding from the Safe Browsing warning page
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DisableSafeBrowsingProceedAnyway
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DisableSafeBrowsingProceedAnyway
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DisableSafeBrowsingProceedAnyway
Mac/Linux preference name:
DisableSafeBrowsingProceedAnyway
Android restriction name:
DisableSafeBrowsingProceedAnyway
Supported on:
  • Google Chrome (Linux) since version 22
  • Google Chrome (Mac) since version 22
  • Google Chrome (Windows) since version 22
  • Google ChromeOS (Google ChromeOS) since version 22
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled prevents users from proceeding past the warning page the Safe Browsing service shows to the malicious site. This policy only prevents users from proceeding on Safe Browsing warnings such as malware and phishing, not for SSL certificate-related issues such as invalid or expired certificates.

Setting the policy to Disabled or leaving it unset means users can choose to proceed to the flagged site after the warning appears.

See more about Safe Browsing ( https://developers.google.com/safe-browsing ).

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DisableScreenshots

Disable taking screenshots
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DisableScreenshots
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DisableScreenshots
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DisableScreenshots
Mac/Linux preference name:
DisableScreenshots
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 22
  • Google Chrome (Linux) since version 22
  • Google Chrome (Mac) since version 22
  • Google Chrome (Windows) since version 22
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to True disallows screenshots taken with keyboard shortcuts or extension APIs. Setting the policy to False allows screenshots.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DisabledSchemes (Deprecated)

Disable URL protocol schemes
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DisabledSchemes
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DisabledSchemes
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DisabledSchemes
Mac/Linux preference name:
DisabledSchemes
Supported on:
  • Google Chrome (Linux) since version 12
  • Google Chrome (Mac) since version 12
  • Google Chrome (Windows) since version 12
  • Google ChromeOS (Google ChromeOS) since version 12
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, please use URLBlocklist instead.

Disables the listed protocol schemes in Google Chrome.

URLs using a scheme from this list will not load and can not be navigated to.

If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\DisabledSchemes\1 = "file" Software\Policies\Google\Chrome\DisabledSchemes\2 = "https"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\DisabledSchemes\1 = "file" Software\Policies\Google\ChromeOS\DisabledSchemes\2 = "https"
Android/Linux:
[ "file", "https" ]
Mac:
<array> <string>file</string> <string>https</string> </array>
Windows (Intune):
<enabled/>
<data id="DisabledSchemesDesc" value="1&#xF000;file&#xF000;2&#xF000;https"/>
Back to top

DiskCacheDir

Set disk cache directory
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DiskCacheDir
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DiskCacheDir
Mac/Linux preference name:
DiskCacheDir
Supported on:
  • Google Chrome (Linux) since version 13
  • Google Chrome (Mac) since version 13
  • Google Chrome (Windows) since version 13
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy has Google Chrome use the directory you provide for storing cached files on the disk—whether or not users specify the --disk-cache-dir flag.

If not set, Google Chrome uses the default cache directory, but users can change that setting with the --disk-cache-dir command line flag.

Google Chrome manages the contents of a volume's root directory. So to avoid data loss or other errors, do not set this policy to the root directory or any directory used for other purposes. See the variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).

Example value:
"${user_home}/Chrome_cache"
Windows (Intune):
<enabled/>
<data id="DiskCacheDir" value="${user_home}/Chrome_cache"/>
Back to top

DiskCacheSize

Set disk cache size in bytes
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DiskCacheSize
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DiskCacheSize
Mac/Linux preference name:
DiskCacheSize
Supported on:
  • Google Chrome (Linux) since version 17
  • Google Chrome (Mac) since version 17
  • Google Chrome (Windows) since version 17
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to None has Google Chrome use the default cache size for storing cached files on the disk. Users can't change it.

If you set the policy, Google Chrome uses the cache size you provide—whether or not users specify the --disk-cache-size flag. (Values below a few megabytes are rounded up.)

If not set, Google Chrome uses the default size. Users can change that setting using the --disk-cache-size flag.

Note: The value specified in this policy is used as a hint to various cache subsystems in the browser. Therefore the actual total disk consumption of all caches will be higher but within the same order of magnitude as the value specified.

Example value:
0x06400000 (Windows), 104857600 (Linux), 104857600 (Mac)
Windows (Intune):
<enabled/>
<data id="DiskCacheSize" value="104857600"/>
Back to top

DisplayCapturePermissionsPolicyEnabled

Specifies whether the display-capture permissions-policy is checked or skipped.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DisplayCapturePermissionsPolicyEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DisplayCapturePermissionsPolicyEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DisplayCapturePermissionsPolicyEnabled
Mac/Linux preference name:
DisplayCapturePermissionsPolicyEnabled
Supported on:
  • Google Chrome (Linux) since version 94
  • Google Chrome (Mac) since version 94
  • Google Chrome (Windows) since version 94
  • Google ChromeOS (Google ChromeOS) since version 94
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

The display-capture permissions-policy gates access to getDisplayMedia(), as per this spec: https://www.w3.org/TR/screen-capture/#feature-policy-integration. However, if this policy is Disabled, this requirement is not enforced, and getDisplayMedia() is allowed from contexts that would otherwise be forbidden. This Enterprise policy is temporary; it's intended to be removed after Google Chrome version 100. It is intended to unblock Enterprise users whose application is non-spec compliant, but needs time to be fixed.

When enabled or not set, sites can only call getDisplayMedia() from contexts which are allowlisted by the display-capture permissions-policy.

When disabled, sites can call getDisplayMedia() even from contexts which are not allowlisted by the display-capture permissions policy. Note that other restrictions may still apply.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DnsOverHttpsMode

Controls the mode of DNS-over-HTTPS
Data type:
String [Android:choice, Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DnsOverHttpsMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DnsOverHttpsMode
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DnsOverHttpsMode
Mac/Linux preference name:
DnsOverHttpsMode
Android restriction name:
DnsOverHttpsMode
Supported on:
  • Google Chrome (Android) since version 85
  • Google ChromeOS (Google ChromeOS) since version 78
  • Google Chrome (Linux) since version 78
  • Google Chrome (Mac) since version 78
  • Google Chrome (Windows) since version 78
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls the mode of the DNS-over-HTTPS resolver. Please note that this policy will only set the default mode for each query. The mode may be overridden for special types of queries such as requests to resolve a DNS-over-HTTPS server hostname.

The "off" mode will disable DNS-over-HTTPS.

The "automatic" mode will send DNS-over-HTTPS queries first if a DNS-over-HTTPS server is available and may fallback to sending insecure queries on error.

The "secure" mode will only send DNS-over-HTTPS queries and will fail to resolve on error.

On Android Pie and above, if DNS-over-TLS is active, Google Chrome will not send insecure DNS requests.

If this policy is unset the browser may send DNS-over-HTTPS requests to a resolver associated with the user's configured system resolver.

  • "off" = Disable DNS-over-HTTPS
  • "automatic" = Enable DNS-over-HTTPS with insecure fallback
  • "secure" = Enable DNS-over-HTTPS without insecure fallback
Example value:
"off"
Windows (Intune):
<enabled/>
<data id="DnsOverHttpsMode" value="off"/>
Back to top

DnsOverHttpsTemplates

Specify URI template of desired DNS-over-HTTPS resolver
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DnsOverHttpsTemplates
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DnsOverHttpsTemplates
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DnsOverHttpsTemplates
Mac/Linux preference name:
DnsOverHttpsTemplates
Android restriction name:
DnsOverHttpsTemplates
Supported on:
  • Google Chrome (Android) since version 85
  • Google ChromeOS (Google ChromeOS) since version 80
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

The URI template of the desired DNS-over-HTTPS resolver. To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces.

If the DnsOverHttpsMode is set to "secure" then this policy must be set and not empty.

If the DnsOverHttpsMode is set to "automatic" and this policy is set then the URI templates specified will be used; if this policy is unset then hardcoded mappings will be used to attempt to upgrade the user's current DNS resolver to a DoH resolver operated by the same provider.

If the URI template contains a dns variable, requests to the resolver will use GET; otherwise requests will use POST.

Incorrectly formatted templates will be ignored.

Example value:
"https://dns.example.net/dns-query{?dns}"
Windows (Intune):
<enabled/>
<data id="DnsOverHttpsTemplates" value="https://dns.example.net/dns-query{?dns}"/>
Back to top

DownloadBubbleEnabled

Enable download bubble UI
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DownloadBubbleEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DownloadBubbleEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DownloadBubbleEnabled
Mac/Linux preference name:
DownloadBubbleEnabled
Supported on:
  • Google Chrome (Linux) since version 102
  • Google Chrome (Mac) since version 102
  • Google Chrome (Windows) since version 102
  • Google ChromeOS (Google ChromeOS) since version 102
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset shows the new download bubble UI in Google Chrome.

Setting the policy to Disabled means Google Chrome keeps showing the old download shelf UI.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

DownloadDirectory

Set download directory
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DownloadDirectory
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DownloadDirectory
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DownloadDirectory
Mac/Linux preference name:
DownloadDirectory
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 35
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy sets up the directory Chrome uses for downloading files. It uses the provided directory, whether or not users specify one or turned on the flag to be prompted for download location every time.

This policy overrides the DefaultDownloadDirectory policy.

Leaving the policy unset means Chrome uses the default download directory, and users can change it.

Note: See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on Android apps. Android apps always use the default downloads directory and cannot access any files downloaded by Google Chrome OS into a non-default downloads directory.

Example value:
"/home/${user_name}/Downloads"
Windows (Intune):
<enabled/>
<data id="DownloadDirectory" value="/home/${user_name}/Downloads"/>
Back to top

DownloadRestrictions

Allow download restrictions
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\DownloadRestrictions
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\DownloadRestrictions
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\DownloadRestrictions
Mac/Linux preference name:
DownloadRestrictions
Supported on:
  • Google Chrome (Linux) since version 61
  • Google Chrome (Mac) since version 61
  • Google Chrome (Windows) since version 61
  • Google ChromeOS (Google ChromeOS) since version 61
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy means users can't bypass download security decisions.

There are many types of download warnings within Chrome, which roughly break down into these categories (learn more about Safe Browsing verdicts https://support.google.com/chrome/?p=ib_download_blocked):

* Malicious, as flagged by the Safe Browsing server * Uncommon or unwanted, as flagged by the Safe Browsing server * A dangerous file type (e.g. all SWF downloads and many EXE downloads)

Setting the policy blocks different subsets of these, depending on it's value:

0: No special restrictions. Default.

1: Blocks malicious files flagged by the Safe Browsing server AND Blocks all dangerous file types. Only recommended for OUs/browsers/users that have a high tolerance for False Positives.

2: Blocks malicious files flagged by the Safe Browsing server AND Blocks uncommon or unwanted files flagged by the Safe Browsing server AND Blocks all dangerous file types. Only recommended for OUs/browsers/users that have a high tolerance for False Positives.

3: Blocks all downloads. Not recommended, except for special use cases.

4: Blocks malicious files flagged by the Safe Browsing server, does not block dangerous file types. Recommended.

Note: These restrictions apply to downloads triggered from webpage content, as well as the Download link... menu option. They don't apply to the download of the currently displayed page or to saving as PDF from the printing options. Read more about Safe Browsing ( https://developers.google.com/safe-browsing ).

  • 0 = No special restrictions. Default.
  • 1 = Block malicious downloads and dangerous file types.
  • 2 = Block malicious downloads, uncommon or unwanted downloads and dangerous file types.
  • 3 = Block all downloads.
  • 4 = Block malicious downloads. Recommended.
Example value:
0x00000004 (Windows), 4 (Linux), 4 (Mac)
Windows (Intune):
<enabled/>
<data id="DownloadRestrictions" value="4"/>
Back to top

EasyUnlockAllowed

Allow Smart Lock to be used
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EasyUnlockAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 38
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If you enable this setting, users will be allowed to use Smart Lock if the requirements for the feature are satisfied.

If you disable this setting, users will not be allowed to use Smart Lock.

If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.

Example value:
0x00000001 (Windows)
Back to top

EcheAllowed

Allow Eche to be enabled.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EcheAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 99
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this setting is enabled, users will be able to launch the Eche application, for example by clicking on a Phone Hub notification.

If this setting is disabled, users will not be able to launch the Eche application.

If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.

Example value:
0x00000000 (Windows)
Back to top

EditBookmarksEnabled

Enable or disable bookmark editing
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\EditBookmarksEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\EditBookmarksEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EditBookmarksEnabled
Mac/Linux preference name:
EditBookmarksEnabled
Android restriction name:
EditBookmarksEnabled
Supported on:
  • Google Chrome (Linux) since version 12
  • Google Chrome (Mac) since version 12
  • Google Chrome (Windows) since version 12
  • Google ChromeOS (Google ChromeOS) since version 12
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True or leaving it unset lets users add, remove, or modify bookmarks.

Setting the policy to False means users can't add, remove, or modify bookmarks. They can still use existing bookmarks.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

EmojiSuggestionEnabled

Enable Emoji Suggestion
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EmojiSuggestionEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy enables Google Chrome OS to suggest emojis when users type text with their virtual or physical keyboards. If this policy is set to true, the feature will be enabled, and users will be able to change it. This policy is defaulted to false, no emoji will be suggested and users cannot override it.

Example value:
0x00000000 (Windows)
Back to top

EnableExperimentalPolicies

Enables experimental policies
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\EnableExperimentalPolicies
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\EnableExperimentalPolicies
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EnableExperimentalPolicies
Mac/Linux preference name:
EnableExperimentalPolicies
Android restriction name:
EnableExperimentalPolicies
Android WebView restriction name:
com.android.browser:EnableExperimentalPolicies
Supported on:
  • Google Chrome (Linux) since version 85
  • Google Chrome (Mac) since version 85
  • Google Chrome (Windows) since version 85
  • Google ChromeOS (Google ChromeOS) since version 85
  • Google Chrome (Android) since version 85
  • Android System WebView (Android) since version 85
  • Google Chrome (iOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows Google Chrome to load experimental policies.

WARNING: Experimental policies are unsupported and subject to change or be removed without notice in future version of the browser!

An experimental policy may not be finished or still have known or unknown defects. It may be changed or even removed without any notification. By enabling experimental policies, you could lose browser data or compromise your security or privacy.

If a policy is not in the list and it's not officially released, its value will be ignored on Beta and Stable channel.

If a policy is in the list and it's not officially released, its value will be applied.

This policy has no effect on already released policies.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\EnableExperimentalPolicies\1 = "ExtensionInstallAllowlist" Software\Policies\Google\Chrome\EnableExperimentalPolicies\2 = "ExtensionInstallBlocklist"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\EnableExperimentalPolicies\1 = "ExtensionInstallAllowlist" Software\Policies\Google\ChromeOS\EnableExperimentalPolicies\2 = "ExtensionInstallBlocklist"
Android/Linux:
[ "ExtensionInstallAllowlist", "ExtensionInstallBlocklist" ]
Mac:
<array> <string>ExtensionInstallAllowlist</string> <string>ExtensionInstallBlocklist</string> </array>
Windows (Intune):
<enabled/>
<data id="EnableExperimentalPoliciesDesc" value="1&#xF000;ExtensionInstallAllowlist&#xF000;2&#xF000;ExtensionInstallBlocklist"/>
Back to top

EnableOnlineRevocationChecks

Enable online OCSP/CRL checks
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\EnableOnlineRevocationChecks
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\EnableOnlineRevocationChecks
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EnableOnlineRevocationChecks
Mac/Linux preference name:
EnableOnlineRevocationChecks
Supported on:
  • Google Chrome (Linux) since version 19
  • Google Chrome (Mac) since version 19
  • Google Chrome (Windows) since version 19
  • Google ChromeOS (Google ChromeOS) since version 19
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to True means online OCSP/CRL checks are performed.

Setting the policy to False or leaving it unset means Google Chrome won't perform online revocation checks in Google Chrome 19 and later.

Note: OCSP/CRL checks provide no effective security benefit.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

EnableSyncConsent

Enable displaying Sync Consent during sign-in
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EnableSyncConsent
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 66
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls if Sync Consent can be shown to the user during first sign-in. It should be set to false if Sync Consent is never needed for the user. If set to false, Sync Consent will not be displayed. If set to true or unset, Sync Consent can be displayed.

Example value:
0x00000000 (Windows)
Back to top

EnterpriseHardwarePlatformAPIEnabled

Enables managed extensions to use the Enterprise Hardware Platform API
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\EnterpriseHardwarePlatformAPIEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\EnterpriseHardwarePlatformAPIEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\EnterpriseHardwarePlatformAPIEnabled
Mac/Linux preference name:
EnterpriseHardwarePlatformAPIEnabled
Android restriction name:
EnterpriseHardwarePlatformAPIEnabled
Supported on:
  • Google Chrome (Linux) since version 71
  • Google Chrome (Mac) since version 71
  • Google Chrome (Windows) since version 71
  • Google ChromeOS (Google ChromeOS) since version 71
  • Google Chrome (Android) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True lets extensions installed by enterprise policy use the Enterprise Hardware Platform API.

Setting the policy to False or leaving it unset prevents extensions from using this API.

Note: This policy also applies to component extensions, such as the Hangout Services extension.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ExemptDomainFileTypePairsFromFileTypeDownloadWarnings

Disable download file type extension-based warnings for specified file types on domains
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
Mac/Linux preference name:
ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
Supported on:
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

You can enable this policy to create a dictionary of file type extensions with a corresponding list of domains that will be exempted from file type extension-based download warnings. This lets enterprise administrators block file type extension-based download warnings for files that are associated with a listed domain. For example, if the "jnlp" extension is associated with "website1.com", users would not see a warning when downloading "jnlp" files from "website1.com", but see a download warning when downloading "jnlp" files from "website2.com".

Files with file type extensions specified for domains identified by this policy will still be subject to non-file type extension-based security warnings such as mixed-content download warnings and Safe Browsing warnings.

If you disable this policy or don't configure it, file types that trigger extension-based download warnings will show warnings to the user.

If you enable this policy:

* The URL pattern should be formatted according to https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * The file type extension entered must be in lower-cased ASCII. The leading separator should not be included when listing the file type extension, so list "jnlp" should be used instead of ".jnlp".

Example:

The following example value would prevent file type extension-based download warnings on swf, exe, and jnlp extensions for *.example.com domains. It will show the user a file type extension-based download warning on any other domain for exe and jnlp files, but not for swf files.

[ { "file_extension": "jnlp", "domains": ["example.com"] }, { "file_extension": "exe", "domains": ["example.com"] }, { "file_extension": "swf", "domains": ["*"] } ]

Note that while the preceding example shows the suppression of file type extension-based download warnings for "swf" files for all domains, applying suppression of such warnings for all domains for any dangerous file type extension is not recommended due to security concerns. It is shown in the example merely to demonstrate the ability to do so.

If this policy is enabled alongside DownloadRestrictions and DownloadRestrictions is set to block dangerous file types, download blocks determined by DownloadRestrictions take precedence. For example, if this policy is set to enable "exe" extension downloads from "website1.com", and DownloadRestrictions is set to block malicious downloads and dangerous file types, then "exe" extension downloads will still be blocked in all domains. If DownloadRestrictions is not set to block dangerous file types, then file types specified in this policy will be exempted from file-type extension-based download warnings in the specified domains. Read more about DownloadRestrictions (https://chromeenterprise.google/policies/?policy=DownloadRestrictions).

Schema:
{ "items": { "id": "DomainFiletypePair", "properties": { "domains": { "items": { "type": "string" }, "type": "array" }, "file_extension": { "type": "string" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ExemptDomainFileTypePairsFromFileTypeDownloadWarnings = [ { "domains": [ "https://example.com", "example2.com" ], "file_extension": "jnlp" }, { "domains": [ "*" ], "file_extension": "swf" } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExemptDomainFileTypePairsFromFileTypeDownloadWarnings = [ { "domains": [ "https://example.com", "example2.com" ], "file_extension": "jnlp" }, { "domains": [ "*" ], "file_extension": "swf" } ]
Android/Linux:
ExemptDomainFileTypePairsFromFileTypeDownloadWarnings: [ { "domains": [ "https://example.com", "example2.com" ], "file_extension": "jnlp" }, { "domains": [ "*" ], "file_extension": "swf" } ]
Mac:
<key>ExemptDomainFileTypePairsFromFileTypeDownloadWarnings</key> <array> <dict> <key>domains</key> <array> <string>https://example.com</string> <string>example2.com</string> </array> <key>file_extension</key> <string>jnlp</string> </dict> <dict> <key>domains</key> <array> <string>*</string> </array> <key>file_extension</key> <string>swf</string> </dict> </array>
Windows (Intune):
<enabled/>
<data id="ExemptDomainFileTypePairsFromFileTypeDownloadWarnings" value="{"file_extension": "jnlp", "domains": ["https://example.com", "example2.com"]}, {"file_extension": "swf", "domains": ["*"]}"/>
Back to top

ExplicitlyAllowedNetworkPorts

Explicitly allowed network ports
Data type:
List of strings [Android:multi-select]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExplicitlyAllowedNetworkPorts
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ExplicitlyAllowedNetworkPorts
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExplicitlyAllowedNetworkPorts
Mac/Linux preference name:
ExplicitlyAllowedNetworkPorts
Android restriction name:
ExplicitlyAllowedNetworkPorts
Android WebView restriction name:
com.android.browser:ExplicitlyAllowedNetworkPorts
Supported on:
  • Google Chrome (Linux) since version 91
  • Google Chrome (Mac) since version 91
  • Google Chrome (Windows) since version 91
  • Google Chrome (Android) since version 91
  • Google ChromeOS (Google ChromeOS) since version 91
  • Android System WebView (Android) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

There is a list of restricted ports built into Google Chrome. Connections to these ports will fail. This setting permits bypassing that list. The value is a comma-separated list of zero or more ports that outgoing connections will be permitted on.

Ports are restricted to prevent Google Chrome being used as a vector to exploit various network vulnerabilities. Setting this policy may expose your network to attacks. This policy is intended as a temporary workaround for errors with code "ERR_UNSAFE_PORT" while migrating a service running on a blocked port to a standard port (ie. port 80 or 443).

Malicious websites can easily detect that this policy is set, and for what ports, and use that information to target attacks.

Each port here is labelled with a date that it can be unblocked until. After that date the port will be restricted regardless of this setting.

Leaving the value empty or unset means that all restricted ports will be blocked. If there is a mixture of valid and invalid values, the valid ones will be applied.

This policy overrides the "--explicitly-allowed-ports" command-line option.

  • "554" = port 554 (can be unblocked until 2021/10/15)
  • "10080" = port 10080 (can be unblocked until 2022/04/01)
  • "6566" = port 6566 (can be unblocked until 2021/10/15)
  • "989" = port 989 (can be unblocked until 2022/02/01)
  • "990" = port 990 (can be unblocked until 2022/02/01)
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ExplicitlyAllowedNetworkPorts\1 = "10080"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExplicitlyAllowedNetworkPorts\1 = "10080"
Android/Linux:
[ "10080" ]
Mac:
<array> <string>10080</string> </array>
Windows (Intune):
<enabled/>
<data id="ExplicitlyAllowedNetworkPorts" value=""10080""/>
Back to top

ExtensionInstallEventLoggingEnabled

Log events for policy based extension installs
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True sends reports of key, policy-triggered extension installation events to Google. Setting the policy to False means no events are captured. If the policy is unset, default value is set to True.

Back to top

ExternalProtocolDialogShowAlwaysOpenCheckbox

Show an "Always open" checkbox in external protocol dialog.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ExternalProtocolDialogShowAlwaysOpenCheckbox
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ExternalProtocolDialogShowAlwaysOpenCheckbox
Mac/Linux preference name:
ExternalProtocolDialogShowAlwaysOpenCheckbox
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

This policy controls whether or not the "Always open" checkbox is shown on external protocol launch confirmation prompts.

If this policy is set to True or not set, when an external protocol confirmation is shown, the user can select "Always allow" to skip all future confirmation prompts for the protocol on this site.

If this policy is set to False, the "Always allow" checkbox is not displayed and the user will be prompted each time an external protocol is invoked.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ExternalStorageDisabled

Disable mounting of external storage
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExternalStorageDisabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 22
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True makes all types of external storage media (USB flash drives, external hard drives, SD and other memory cards, optical storage) unavailable in the file browser. Setting the policy to False or leaving it unset means users can use external storage on their device.

Note: The policy doesn't affect Google Drive and internal storage. Users can still access files saved in the Downloads folder.

Example value:
0x00000001 (Windows)
Back to top

ExternalStorageReadOnly

Treat external storage devices as read-only
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ExternalStorageReadOnly
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 54
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True prevents users from writing to external storage devices.

Unless external storage is blocked, if you set ExternalStorageReadOnly to False or leave it unset, users can create and modify files of physically writable, external storage devices. (You can block external storage by setting ExternalStorageDisable to True.)

Example value:
0x00000001 (Windows)
Back to top

FastPairEnabled

Enable Fast Pair (fast Bluetooth pairing)
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FastPairEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting this policy will force Fast Pair to be enabled or disabled. Fast Pair is a new Bluetooth pairing flow that links paired peripherals with a GAIA account. This allows other ChromeOS (and Android) devices signed in with the same GAIA account to pair automatically. If unset, the default value is disabled for enterprise users and enabled for non managed accounts.

Example value:
0x00000001 (Windows)
Back to top

FetchKeepaliveDurationSecondsOnShutdown

Fetch keepalive duration on Shutdown
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\FetchKeepaliveDurationSecondsOnShutdown
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\FetchKeepaliveDurationSecondsOnShutdown
Mac/Linux preference name:
FetchKeepaliveDurationSecondsOnShutdown
Supported on:
  • Google Chrome (Linux) since version 90
  • Google Chrome (Mac) since version 90
  • Google Chrome (Windows) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls the duration (in seconds) allowed for keepalive requests on browser shutdown.

When specified, browser shutdown can be blocked up to the specified seconds, to process keepalive (https://fetch.spec.whatwg.org/#request-keepalive-flag) requests.

The default value (0) means this feature is disabled.

Restrictions:
  • Minimum:0
  • Maximum:5
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="FetchKeepaliveDurationSecondsOnShutdown" value="1"/>
Back to top

FloatingWorkspaceEnabled

Enable Floating Workspace Service
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FloatingWorkspaceEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled will launch browser windows from current user's last used device automatically upon login. Setting the policy to Disabled or leaving it unset will let full restore settings determine what to be launched upon login.

Example value:
0x00000001 (Windows)
Back to top

ForceBrowserSignin (Deprecated)

Enable force sign in for Google Chrome
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ForceBrowserSignin
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ForceBrowserSignin
Mac/Linux preference name:
ForceBrowserSignin
Android restriction name:
ForceBrowserSignin
Supported on:
  • Google Chrome (Windows) since version 64
  • Google Chrome (Mac) since version 66
  • Google Chrome (Android) since version 65
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

This policy is deprecated, consider using BrowserSignin instead.

If this policy is set to true, user has to sign in to Google Chrome with their profile before using the browser. And the default value of BrowserGuestModeEnabled will be set to false. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article.

If this policy is set to false or not configured, user can use the browser without sign in to Google Chrome.

Example value:
0x00000000 (Windows), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

ForceEphemeralProfiles

Ephemeral profile
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ForceEphemeralProfiles
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ForceEphemeralProfiles
Mac/Linux preference name:
ForceEphemeralProfiles
Supported on:
  • Google Chrome (Linux) since version 32
  • Google Chrome (Mac) since version 32
  • Google Chrome (Windows) since version 32
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

If set to enabled this policy forces the profile to be switched to ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it will apply to every profile on the system; if the policy is set as a Cloud policy it will apply only to a profile signed in with a managed account.

In this mode the profile data is persisted on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies and web databases are not preserved after the browser is closed. However this does not prevent the user from downloading any data to disk manually, save pages or print them.

If the user has enabled sync all this data is preserved in their sync profile just like with regular profiles. Incognito mode is also available if not explicitly disabled by policy.

If the policy is set to disabled or left not set signing in leads to regular profiles.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ForceGoogleSafeSearch

Force Google SafeSearch
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ForceGoogleSafeSearch
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ForceGoogleSafeSearch
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ForceGoogleSafeSearch
Mac/Linux preference name:
ForceGoogleSafeSearch
Android restriction name:
ForceGoogleSafeSearch
Supported on:
  • Google Chrome (Linux) since version 41
  • Google Chrome (Mac) since version 41
  • Google Chrome (Windows) since version 41
  • Google ChromeOS (Google ChromeOS) since version 41
  • Google Chrome (Android) since version 41
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means SafeSearch in Google Search is always active, and users can't change this setting.

Setting the policy to Disabled or leaving it unset means SafeSearch in Google Search is not enforced.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

ForceLogoutUnauthenticatedUserEnabled

Force logout the user when their account becomes unauthenticated
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 81
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Force logout the user when their primary account's authentication token becomes invalid. This policy can protect the user from access to restricted content on Google web properties. If this policy is set to True, the user will be logged out as soon as their authentication token becomes invalid and attempts to restore this token fail. If this policy is set to False or unset, the user can continue working in an unauthenticated state.

Back to top

ForceMajorVersionToMinorPositionInUserAgent

Freeze User-Agent string major version at 99
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ForceMajorVersionToMinorPositionInUserAgent
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ForceMajorVersionToMinorPositionInUserAgent
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ForceMajorVersionToMinorPositionInUserAgent
Mac/Linux preference name:
ForceMajorVersionToMinorPositionInUserAgent
Android restriction name:
ForceMajorVersionToMinorPositionInUserAgent
Android WebView restriction name:
com.android.browser:ForceMajorVersionToMinorPositionInUserAgent
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 99
  • Google Chrome (Linux) since version 99
  • Google Chrome (Mac) since version 99
  • Google Chrome (Windows) since version 99
  • Google Chrome (Android) since version 99
  • Android System WebView (Android) since version 99
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls whether the User-Agent string major version should be frozen at 99.

The User-Agent request header lets websites identify the application, operating system, vendor, and/or version of the requesting user agent. Some websites make assumptions about how this header is formatted and may encounter issues with version strings that include three digits in the major position (e.g. 100.0.0.0).

Setting the policy to 'Default' or leaving it unset will default to browser settings for the User-Agent string major version. If set to 'ForceDisabled', the User-Agent string will not freeze the major version. If set to 'ForceEnabled', the User-Agent string will always report the major version as 99 and include the browser's major version in the minor position. For example, browser version 101.0.0.0 would send a User-Agent request header that reports version 99.101.0.0.

This policy is temporary and will be deprecated in the future. Note that if this policy and User-Agent Reduction are both enabled, the User-Agent version string will always be 99.0.0.0.

  • 0 = Default to browser settings for User-Agent string version.
  • 1 = The User-Agent string will not freeze the major version.
  • 2 = The User-Agent string will freeze the major version as 99 and include the browser's major version in the minor position.
Example value:
0x00000000 (Windows), 0 (Linux), 0 (Android), 0 (Mac)
Windows (Intune):
<enabled/>
<data id="ForceMajorVersionToMinorPositionInUserAgent" value="0"/>
Back to top

ForceMaximizeOnFirstRun

Maximize the first browser window on first run
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ForceMaximizeOnFirstRun
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 43
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to True means Chrome maximizes the first window shown on first run.

Setting the policy to False or leaving it unset means that Chrome might maximize the first window, depending on the screen size.

Example value:
0x00000001 (Windows)
Back to top

ForceSafeSearch (Deprecated)

Force SafeSearch
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ForceSafeSearch
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ForceSafeSearch
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ForceSafeSearch
Mac/Linux preference name:
ForceSafeSearch
Android restriction name:
ForceSafeSearch
Supported on:
  • Google Chrome (Linux) since version 25
  • Google Chrome (Mac) since version 25
  • Google Chrome (Windows) since version 25
  • Google ChromeOS (Google ChromeOS) since version 25
  • Google Chrome (Android) since version 30
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, please use ForceGoogleSafeSearch and ForceYouTubeRestrict instead. This policy is ignored if either the ForceGoogleSafeSearch, the ForceYouTubeRestrict or the (deprecated) ForceYouTubeSafetyMode policies are set.

Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting. This setting also forces Moderate Restricted Mode on YouTube.

If you enable this setting, SafeSearch in Google Search and Moderate Restricted Mode YouTube is always active.

If you disable this setting or do not set a value, SafeSearch in Google Search and Restricted Mode in YouTube is not enforced.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

ForceYouTubeRestrict

Force minimum YouTube Restricted Mode
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ForceYouTubeRestrict
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ForceYouTubeRestrict
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ForceYouTubeRestrict
Mac/Linux preference name:
ForceYouTubeRestrict
Android restriction name:
ForceYouTubeRestrict
Supported on:
  • Google Chrome (Linux) since version 55
  • Google Chrome (Mac) since version 55
  • Google Chrome (Windows) since version 55
  • Google ChromeOS (Google ChromeOS) since version 55
  • Google Chrome (Android) since version 55
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy enforces a minimum Restricted mode on YouTube and prevents users from picking a less restricted mode. If you set it to:

* Strict, Strict Restricted mode on YouTube is always active.

* Moderate, the user may only pick Moderate Restricted mode and Strict Restricted mode on YouTube, but can't turn off Restricted mode.

* Off or if no value is set, Restricted mode on YouTube isn't enforced by Chrome. External policies such as YouTube policies might still enforce Restricted mode.

  • 0 = Do not enforce Restricted Mode on YouTube
  • 1 = Enforce at least Moderate Restricted Mode on YouTube
  • 2 = Enforce Strict Restricted Mode for YouTube
Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.

Example value:
0x00000000 (Windows), 0 (Linux), 0 (Android), 0 (Mac)
Windows (Intune):
<enabled/>
<data id="ForceYouTubeRestrict" value="0"/>
Back to top

ForceYouTubeSafetyMode (Deprecated)

Force YouTube Safety Mode
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ForceYouTubeSafetyMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ForceYouTubeSafetyMode
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ForceYouTubeSafetyMode
Mac/Linux preference name:
ForceYouTubeSafetyMode
Android restriction name:
ForceYouTubeSafetyMode
Supported on:
  • Google Chrome (Linux) since version 41
  • Google Chrome (Mac) since version 41
  • Google Chrome (Windows) since version 41
  • Google ChromeOS (Google ChromeOS) since version 41
  • Google Chrome (Android) since version 41
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated. Consider using ForceYouTubeRestrict, which overrides this policy and allows more fine-grained tuning.

Forces YouTube Moderate Restricted Mode and prevents users from changing this setting.

If this setting is enabled, Restricted Mode on YouTube is always enforced to be at least Moderate.

If this setting is disabled or no value is set, Restricted Mode on YouTube is not enforced by Google Chrome. External policies such as YouTube policies might still enforce Restricted Mode, though.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

ForcedLanguages

Configure the content and order of preferred languages
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ForcedLanguages
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ForcedLanguages
Mac/Linux preference name:
ForcedLanguages
Supported on:
  • Google Chrome (Linux) since version 91
  • Google Chrome (Mac) since version 91
  • Google Chrome (Windows) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy allows admins to configure the order of the preferred languages in Google Chrome's settings.

The order of the list will appear in the same order under the "Order languages based on your preference" section in chrome://settings/languages. Users won't be able to remove or reorder languages set by the policy, but will be able to add languages underneath those set by the policy. Users will also have full control over the browser's UI language and translation/spell check settings, unless enforced by other policies.

Leaving the policy unset lets users manipulate the entire list of preferred languages.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ForcedLanguages\1 = "en-US"
Android/Linux:
[ "en-US" ]
Mac:
<array> <string>en-US</string> </array>
Windows (Intune):
<enabled/>
<data id="ForcedLanguagesDesc" value="1&#xF000;en-US"/>
Back to top

FullRestoreEnabled

Enable the full restore feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FullRestoreEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to enable the full restore feature. If this policy is true, apps and app windows will be restored or not restored after a crash or reboot based on the restore app setting. If this policy is false, only browser windows are automatcially launched.

Example value:
0x00000001 (Windows)
Back to top

FullscreenAlertEnabled

Enable fullscreen alert
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FullscreenAlertEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Specifies whether the fullscreen alert should be shown when the device returns from sleep or dark screen.

When the policy is unset or set to True, an alert will be shown to remind the users to exit fullscreen before entering password. When the policy is set to False, no alert would be shown.

Example value:
0x00000000 (Windows)
Back to top

FullscreenAllowed

Allow fullscreen mode
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\FullscreenAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\FullscreenAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\FullscreenAllowed
Mac/Linux preference name:
FullscreenAllowed
Supported on:
  • Google Chrome (Windows) since version 31
  • Google Chrome (Linux) since version 31
  • Google ChromeOS (Google ChromeOS) since version 31
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True or leaving it unset means that, with appropriate permissions, users, apps, and extensions can enter Fullscreen mode (in which only web content appears).

Setting the policy to False means users, apps, and extensions can't enter Fullscreen mode.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the Android apps. They will be able to enter fullscreen mode even if this policy is set to False.

Example value:
0x00000001 (Windows), true (Linux)
Windows (Intune):
<enabled/>
Back to top

GaiaLockScreenOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via GAIA without SAML can log in offline at the lock screen
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\GaiaLockScreenOfflineSigninTimeLimitDays
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 92
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

While logging in through the lock screen, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).

When this policy is set to -2, it will match the value of the login screen offline signin time limit which comes from GaiaOfflineSigninTimeLimitDays.

When the policy is unset, or set to a value of -1, it will not enforce online authentication on the lock screen and will allow the user to use offline authentication unless a different reason than this policy enforces an online authentication.

If the policy is set to a value of 0, online authentication will always be required.

When this policy is set to any other value, it specifies the number of days since the last online authentication after which the user must use online authentication again in the next login through the lock screen.

This policy affects users who authenticated using GAIA without SAML.

The policy value should be specified in days.

Restrictions:
  • Minimum:-2
  • Maximum:365
Example value:
0x00000020 (Windows)
Back to top

GetDisplayMediaSetSelectAllScreensAllowedForUrls

Enables auto-select for multi screen captures
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\GetDisplayMediaSetSelectAllScreensAllowedForUrls
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 102
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

The getDisplayMediaSet API allows web applications to capture multiple surfaces at once. This policy unlocks the autoSelectAllScreens property for web applications at defined origins. If the autoSelectAllScreens property is defined in a getDisplayMediaSet request, all screen surfaces are automatically captured without requiring explicit user permission. If the policy is not set, autoSelectAllScreens is not available for any web application.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\GetDisplayMediaSetSelectAllScreensAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\GetDisplayMediaSetSelectAllScreensAllowedForUrls\2 = "[*.]example.edu"
Back to top

GhostWindowEnabled

Enable the ghost window feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\GhostWindowEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to enable the ghost window feature. If this policy is true, ARC ghost windows will be created before ARC boots after a crash or reboot based on the restore app setting. If this policy is false, there is no ghost window created before ARC boots. Arc apps are restored after ARC boots

Example value:
0x00000001 (Windows)
Back to top

GloballyScopeHTTPAuthCacheEnabled

Enable globally scoped HTTP auth cache
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\GloballyScopeHTTPAuthCacheEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\GloballyScopeHTTPAuthCacheEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\GloballyScopeHTTPAuthCacheEnabled
Mac/Linux preference name:
GloballyScopeHTTPAuthCacheEnabled
Supported on:
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy configures a single global per profile cache with HTTP server authentication credentials.

If this policy is unset or disabled, the browser will use the default behavior of cross-site auth, which as of version 80, will be to scope HTTP server authentication credentials by top-level site, so if two sites use resources from the same authenticating domain, credentials will need to be provided independently in the context of both sites. Cached proxy credentials will be reused across sites.

If the policy is enabled, HTTP auth credentials entered in the context of one site will automatically be used in the context of another.

Enabling this policy leaves sites open to some types of cross-site attacks, and allows users to be tracked across sites even without cookies by adding entries to the HTTP auth cache using credentials embedded in URLs.

This policy is intended to give enterprises depending on the legacy behavior a chance to update their login procedures, and will be removed in the future.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

HSTSPolicyBypassList

List of names that will bypass the HSTS policy check
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\HSTSPolicyBypassList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\HSTSPolicyBypassList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\HSTSPolicyBypassList
Mac/Linux preference name:
HSTSPolicyBypassList
Android restriction name:
HSTSPolicyBypassList
Supported on:
  • Google Chrome (Linux) since version 78
  • Google Chrome (Mac) since version 78
  • Google Chrome (Windows) since version 78
  • Google Chrome (Android) since version 78
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy specifies a list of hostnames that bypass preloaded HSTS upgrades from http to https.

Only single-label hostnames are allowed in this policy, and this policy only applies to "static" HSTS-preloaded entries (for instance, "app", "new", "search", "play"). This policy does not prevent HSTS upgrades for servers that have "dynamically" requested HSTS upgrades using a Strict-Transport-Security response header.

Supplied hostnames must be canonicalized: Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the specific single-label hostnames specified, not to subdomains of those names.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\HSTSPolicyBypassList\1 = "meet"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\HSTSPolicyBypassList\1 = "meet"
Android/Linux:
[ "meet" ]
Mac:
<array> <string>meet</string> </array>
Windows (Intune):
<enabled/>
<data id="HSTSPolicyBypassListDesc" value="1&#xF000;meet"/>
Back to top

HardwareAccelerationModeEnabled

Use hardware acceleration when available
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\HardwareAccelerationModeEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\HardwareAccelerationModeEnabled
Mac/Linux preference name:
HardwareAccelerationModeEnabled
Supported on:
  • Google Chrome (Linux) since version 46
  • Google Chrome (Mac) since version 46
  • Google Chrome (Windows) since version 46
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset turns on hardware acceleration, if available.

Setting the policy to Disabled turns off hardware acceleration.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

HeadlessMode

Control use of the Headless Mode
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\HeadlessMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\HeadlessMode
Mac/Linux preference name:
HeadlessMode
Supported on:
  • Google Chrome (Linux) since version 91
  • Google Chrome (Mac) since version 91
  • Google Chrome (Windows) since version 91
Supported features:
Dynamic Policy Refresh: No, Per Profile: No, Platform Only: Yes
Description:

Setting this policy to Enabled or leaving the policy unset allows use of the headless mode. Setting this policy to Disabled denies use of the headless mode.

  • 1 = Allow use of the Headless Mode
  • 2 = Do not allow use of the Headless Mode
Example value:
0x00000002 (Windows), 2 (Linux), 2 (Mac)
Windows (Intune):
<enabled/>
<data id="HeadlessMode" value="2"/>
Back to top

HideWebStoreIcon

Hide the web store from the New Tab Page and app launcher
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\HideWebStoreIcon
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\HideWebStoreIcon
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\HideWebStoreIcon
Mac/Linux preference name:
HideWebStoreIcon
Supported on:
  • Google Chrome (Linux) since version 26
  • Google Chrome (Mac) since version 26
  • Google Chrome (Windows) since version 26
  • Google ChromeOS (Google ChromeOS) since version 68
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Hide the Chrome Web Store app and footer link from the New Tab Page and Google Chrome OS app launcher.

When this policy is set to true, the icons are hidden.

When this policy is set to false or is not configured, the icons are visible.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

HistoryClustersVisible

Show Journeys on the Chrome history page
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\HistoryClustersVisible
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\HistoryClustersVisible
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\HistoryClustersVisible
Mac/Linux preference name:
HistoryClustersVisible
Supported on:
  • Google Chrome (Linux) since version 97
  • Google Chrome (Mac) since version 97
  • Google Chrome (Windows) since version 97
  • Google ChromeOS (Google ChromeOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls the visibility of Journeys on the Chrome history page.

If the policy is set to Enabled, Journeys will be visible at chrome://history/journeys.

If the policy is set to Disabled, Journeys will not be visible at chrome://history/journeys.

If the policy is left unset, Journeys will be visible at chrome://history/journeys by default and users can change the visibility of Journeys.

Please note, if ComponentUpdatesEnabled policy is set to Disabled, but HistoryClustersVisible is set to Enabled or unset, Journeys will still be available at chrome://history/journeys, but may be absent from the omnibox, and less relevant to the user.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

HttpsOnlyMode

Allow HTTPS-Only Mode to be enabled
Data type:
String [Android:choice, Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\HttpsOnlyMode
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\HttpsOnlyMode
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\HttpsOnlyMode
Mac/Linux preference name:
HttpsOnlyMode
Android restriction name:
HttpsOnlyMode
Supported on:
  • Google Chrome (Linux) since version 94
  • Google Chrome (Mac) since version 94
  • Google Chrome (Windows) since version 94
  • Google ChromeOS (Google ChromeOS) since version 94
  • Google Chrome (Android) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls whether users can enable HTTPS-Only Mode in Settings. HTTPS-Only Mode upgrades all navigations to HTTPS. If this setting is not set or set to allowed, users will be allowed to enable HTTPS-Only Mode. If this setting is set to disallowed, users will not be allowed to enable HTTPS-Only Mode. Force enabling HTTPS-Only Mode is not currently supported.

  • "allowed" = Allow users to enable HTTPS-Only Mode
  • "disallowed" = Do not allow users to enable HTTPS-Only Mode
  • "force_enabled" = Force enable HTTPS-Only Mode (not supported yet)
Example value:
"disallowed"
Windows (Intune):
<enabled/>
<data id="HttpsOnlyMode" value="disallowed"/>
Back to top

ImportAutofillFormData

Import autofill form data from default browser on first run
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ImportAutofillFormData
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ImportAutofillFormData
Mac/Linux preference name:
ImportAutofillFormData
Supported on:
  • Google Chrome (Linux) since version 39
  • Google Chrome (Mac) since version 39
  • Google Chrome (Windows) since version 39
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled imports autofill form data from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no autofill form data is imported on first run.

Users can trigger an import dialog and the autofill form data checkbox will be checked or unchecked to match this policy's value.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ImportBookmarks

Import bookmarks from default browser on first run
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ImportBookmarks
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ImportBookmarks
Mac/Linux preference name:
ImportBookmarks
Supported on:
  • Google Chrome (Linux) since version 15
  • Google Chrome (Mac) since version 15
  • Google Chrome (Windows) since version 15
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled imports bookmarks from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no bookmarks are imported on first run.

Users can trigger an import dialog and the bookmarks checkbox will be checked or unchecked to match this policy's value.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ImportHistory

Import browsing history from default browser on first run
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ImportHistory
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ImportHistory
Mac/Linux preference name:
ImportHistory
Supported on:
  • Google Chrome (Linux) since version 15
  • Google Chrome (Mac) since version 15
  • Google Chrome (Windows) since version 15
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled imports browsing history from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no browsing history is imported on first run.

Users can trigger an import dialog and the browsing history checkbox will be checked or unchecked to match this policy's value.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ImportHomepage

Import of homepage from default browser on first run
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ImportHomepage
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ImportHomepage
Mac/Linux preference name:
ImportHomepage
Supported on:
  • Google Chrome (Linux) since version 15
  • Google Chrome (Mac) since version 15
  • Google Chrome (Windows) since version 15
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled imports the homepage from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the homepage isn't imported on first run.

Users can trigger an import dialog and the homepage checkbox will be checked or unchecked to match this policy's value.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ImportSavedPasswords

Import saved passwords from default browser on first run
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ImportSavedPasswords
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ImportSavedPasswords
Mac/Linux preference name:
ImportSavedPasswords
Supported on:
  • Google Chrome (Linux) since version 15
  • Google Chrome (Mac) since version 15
  • Google Chrome (Windows) since version 15
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled imports saved passwords from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no saved passwords are imported on first run.

Users can trigger an import dialog and the saved passwords checkbox will be checked or unchecked to match this policy's value.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ImportSearchEngine

Import search engines from default browser on first run
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ImportSearchEngine
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ImportSearchEngine
Mac/Linux preference name:
ImportSearchEngine
Supported on:
  • Google Chrome (Linux) since version 15
  • Google Chrome (Mac) since version 15
  • Google Chrome (Windows) since version 15
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled imports the default search engine from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the default search engine isn't imported on first run.

Users can trigger an import dialog and the default search engine checkbox will be checked or unchecked to match this policy's value.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

IncognitoEnabled (Deprecated)

Enable Incognito mode
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\IncognitoEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\IncognitoEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IncognitoEnabled
Mac/Linux preference name:
IncognitoEnabled
Android restriction name:
IncognitoEnabled
Supported on:
  • Google Chrome (Linux) since version 11
  • Google Chrome (Mac) since version 11
  • Google Chrome (Windows) since version 11
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated. Please, use IncognitoModeAvailability instead. Enables Incognito mode in Google Chrome.

If this setting is enabled or not configured, users can open web pages in incognito mode.

If this setting is disabled, users cannot open web pages in incognito mode.

If this policy is left not set, this will be enabled and the user will be able to use incognito mode.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

IncognitoModeAvailability

Incognito mode availability
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\IncognitoModeAvailability
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\IncognitoModeAvailability
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IncognitoModeAvailability
Mac/Linux preference name:
IncognitoModeAvailability
Android restriction name:
IncognitoModeAvailability
Supported on:
  • Google Chrome (Linux) since version 14
  • Google Chrome (Mac) since version 14
  • Google Chrome (Windows) since version 14
  • Google ChromeOS (Google ChromeOS) since version 14
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Specifies whether the user may open pages in Incognito mode in Google Chrome.

If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.

If 'Disabled' is selected, pages may not be opened in Incognito mode.

If 'Forced' is selected, pages may be opened ONLY in Incognito mode. Note that 'Forced' does not work for Android-on-Chrome

Note: On iOS, if the policy is changed during a session, it will only take effect on relaunch.

  • 0 = Incognito mode available
  • 1 = Incognito mode disabled
  • 2 = Incognito mode forced
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="IncognitoModeAvailability" value="1"/>
Back to top

InsecureFormsWarningsEnabled

Enable warnings for insecure forms
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\InsecureFormsWarningsEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\InsecureFormsWarningsEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\InsecureFormsWarningsEnabled
Mac/Linux preference name:
InsecureFormsWarningsEnabled
Android restriction name:
InsecureFormsWarningsEnabled
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Android) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls the treatment for insecure forms (forms that submit over HTTP) embedded in secure (HTTPS) sites in the browser. If the policy is enabled or unset, a full page warning will be shown when an insecure form is submitted. Additionally, a warning bubble will be shown next to the form fields when they are focused, and autofill will be disabled for those forms. If the policy is disabled, warnings will not be shown for insecure forms, and autofill will work normally.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

InsecurePrivateNetworkRequestsAllowed

Specifies whether to allow websites to make requests to more-private network endpoints in an insecure manner
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\InsecurePrivateNetworkRequestsAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\InsecurePrivateNetworkRequestsAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\InsecurePrivateNetworkRequestsAllowed
Mac/Linux preference name:
InsecurePrivateNetworkRequestsAllowed
Android restriction name:
InsecurePrivateNetworkRequestsAllowed
Android WebView restriction name:
com.android.browser:InsecurePrivateNetworkRequestsAllowed
Supported on:
  • Google Chrome (Linux) since version 92
  • Google Chrome (Mac) since version 92
  • Google Chrome (Windows) since version 92
  • Google ChromeOS (Google ChromeOS) since version 92
  • Google Chrome (Android) since version 92
  • Android System WebView (Android) since version 92
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls whether websites are allowed to make requests to more-private network endpoints in an insecure manner.

When this policy is set to true, all Private Network Access checks are disabled for all origins. This may allow attackers to perform CSRF attacks on private network servers.

When this policy is either not set or set to false, the default behavior for requests to more-private network endpoints will depend on the user's personal configuration for the BlockInsecurePrivateNetworkRequests, PrivateNetworkAccessSendPreflights, and PrivateNetworkAccessRespectPreflightResults feature flags, which may be set by field trials or on the command line.

This policy relates to the Private Network Access specification. See https://wicg.github.io/private-network-access/ for more details.

A network endpoint is more private than another if: 1) Its IP address is localhost and the other is not. 2) Its IP address is private and the other is public. In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.

When this policy is set to true, websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Policy atomic group:
This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PrivateNetworkRequestSettings
Back to top

InsecurePrivateNetworkRequestsAllowedForUrls

Allow the listed sites to make requests to more-private network endpoints in an insecure manner.
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\InsecurePrivateNetworkRequestsAllowedForUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\InsecurePrivateNetworkRequestsAllowedForUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\InsecurePrivateNetworkRequestsAllowedForUrls
Mac/Linux preference name:
InsecurePrivateNetworkRequestsAllowedForUrls
Android restriction name:
InsecurePrivateNetworkRequestsAllowedForUrls
Android WebView restriction name:
com.android.browser:InsecurePrivateNetworkRequestsAllowedForUrls
Supported on:
  • Google Chrome (Linux) since version 92
  • Google Chrome (Mac) since version 92
  • Google Chrome (Windows) since version 92
  • Google ChromeOS (Google ChromeOS) since version 92
  • Google Chrome (Android) since version 92
  • Android System WebView (Android) since version 92
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

List of URL patterns. Requests initiated from websites served by matching origins are not subject to Private Network Access checks.

If unset, this policy behaves as if set to the empty list.

For origins not covered by the patterns specified here, the global default value will be used either from the InsecurePrivateNetworkRequestsAllowed policy, if it is set, or the user's personal configuration otherwise.

For detailed information on valid URL patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\InsecurePrivateNetworkRequestsAllowedForUrls\1 = "http://www.example.com:8080" Software\Policies\Google\Chrome\InsecurePrivateNetworkRequestsAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\InsecurePrivateNetworkRequestsAllowedForUrls\1 = "http://www.example.com:8080" Software\Policies\Google\ChromeOS\InsecurePrivateNetworkRequestsAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:
[ "http://www.example.com:8080", "[*.]example.edu" ]
Mac:
<array> <string>http://www.example.com:8080</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="InsecurePrivateNetworkRequestsAllowedForUrlsDesc" value="1&#xF000;http://www.example.com:8080&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

InsightsExtensionEnabled

Enable insights extension for reporting usage metrics
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\InsightsExtensionEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

The insights extension reports user internet download and upload speed, user idle time, and application insights.

If the policy is set to enabled, the insights extension will be installed and report metrics.

If the policy is not set or set to disabled, then the insights extension will not be installed and will not report metrics.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the reporting done by Android.

Example value:
0x00000000 (Windows)
Back to top

InstantTetheringAllowed

Allow Instant Tethering to be used.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\InstantTetheringAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 60
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this setting is enabled, users will be allowed to use Instant Tethering, which allows their Google phone to share its mobile data with their device.

If this setting is disabled, users will not be allowed to use Instant Tethering.

If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.

Example value:
0x00000001 (Windows)
Back to top

IntensiveWakeUpThrottlingEnabled

Control the IntensiveWakeUpThrottling feature.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\IntensiveWakeUpThrottlingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\IntensiveWakeUpThrottlingEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IntensiveWakeUpThrottlingEnabled
Mac/Linux preference name:
IntensiveWakeUpThrottlingEnabled
Android restriction name:
IntensiveWakeUpThrottlingEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 85
  • Google Chrome (Linux) since version 85
  • Google Chrome (Mac) since version 85
  • Google Chrome (Windows) since version 85
  • Google Chrome (Android) since version 85
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

When enabled the IntensiveWakeUpThrottling feature causes Javascript timers in background tabs to be aggressively throttled and coalesced, running no more than once per minute after a page has been backgrounded for 5 minutes or more.

This is a web standards compliant feature, but it may break functionality on some websites by causing certain actions to be delayed by up to a minute. However, it results in significant CPU and battery savings when enabled. See https://bit.ly/30b1XR4 for more details.

If this policy is set to enabled then the feature will be force enabled, and users will not be able to override this.

If this policy is set to disabled then the feature will be force disabled, and users will not be able to override this.

If this policy is left unset then the feature will be controlled by its own internal logic, which can be manually configured by users.

Note that the policy is applied per renderer process, with the most recent value of the policy setting in force when a renderer process starts. A full restart is required to ensure that all loaded tabs receive a consistent policy setting. It is harmless for processes to be running with different values of this policy.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

IntranetRedirectBehavior

Intranet Redirection Behavior
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\IntranetRedirectBehavior
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\IntranetRedirectBehavior
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IntranetRedirectBehavior
Mac/Linux preference name:
IntranetRedirectBehavior
Supported on:
  • Google Chrome (Linux) since version 88
  • Google Chrome (Mac) since version 88
  • Google Chrome (Windows) since version 88
  • Google ChromeOS (Google ChromeOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy configures behavior for intranet redirection via DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.

If this policy is not set, the browser will use the default behavior of DNS interception checks and intranet redirect suggestions. In M88, they are enabled by default but will be disabled by default in the future release.

DNSInterceptionChecksEnabled is a related policy that may also disable DNS interception checks; this policy is a more flexible version which may separately control intranet redirection infobars and may be expanded in the future. If either DNSInterceptionChecksEnabled or this policy requests to disable interception checks, the checks will be disabled.

  • 0 = Use default browser behavior.
  • 1 = Disable DNS interception checks and did-you-mean "http://intranetsite/" infobars.
  • 2 = Disable DNS interception checks; allow did-you-mean "http://intranetsite/" infobars.
  • 3 = Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="IntranetRedirectBehavior" value="1"/>
Back to top

IsolateOrigins

Enable Site Isolation for specified origins
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\IsolateOrigins
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\IsolateOrigins
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\IsolateOrigins
Mac/Linux preference name:
IsolateOrigins
Supported on:
  • Google Chrome (Linux) since version 63
  • Google Chrome (Mac) since version 63
  • Google Chrome (Windows) since version 63
  • Google ChromeOS (Google ChromeOS) since version 63
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy means each of the named origins in a comma-separated list runs in a dedicated process. Each named origin's process will only be allowed to contain documents from that origin and its subdomains. For example, specifying https://a1.example.com/ allows https://a2.a1.example.com/ in the same process, but not https://example.com or https://b.example.com.

Since Google Chrome 77, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]corp.example.com will give every origin underneath https://corp.example.com its own dedicated process, including https://corp.example.com itself, https://a1.corp.example.com, and https://a2.a1.corp.example.com.

Note that all sites (i.e., scheme plus eTLD+1, such as https://example.com) are already isolated by default on Desktop platforms, as noted in the SitePerProcess policy. This IsolateOrigins policy is useful to isolate specific origins at a finer granularity (e.g., https://a.example.com).

Also note that origins isolated by this policy will be unable to script other origins in the same site, which is otherwise possible if two same-site documents modify their document.domain values to match. Administrators should confirm this uncommon behavior is not used on an origin before isolating it.

Setting the policy to off or leaving it unset lets users change this setting.

Note: For Android, use the IsolateOriginsAndroid policy instead.

Example value:
"https://a.example.com/,https://othersite.org/,https://[*.]corp.example.com"
Windows (Intune):
<enabled/>
<data id="IsolateOrigins" value="https://a.example.com/,https://othersite.org/,https://[*.]corp.example.com"/>
Back to top

IsolateOriginsAndroid

Enable Site Isolation for specified origins on Android devices
Data type:
String
Android restriction name:
IsolateOriginsAndroid
Supported on:
  • Google Chrome (Android) since version 68
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy means each of the named origins in a comma-separated list runs in a dedicated process on Android. Each named origin's process will only be allowed to contain documents from that origin and its subdomains. For example, specifying https://a1.example.com/ allows https://a2.a1.example.com/ in the same process, but not https://example.com or https://b.example.com. Note that Android isolates certain sensitive sites by default starting in Google Chrome version 77, and this policy extends that mode to isolate specific additional origins.

Since Google Chrome 77, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]corp.example.com will give every origin underneath https://corp.example.com its own dedicated process, including https://corp.example.com itself, https://a1.corp.example.com, and https://a2.a1.corp.example.com.

Note that origins isolated by this policy will be unable to script other origins in the same site, which is otherwise possible if two same-site documents modify their document.domain values to match. Administrators should confirm this uncommon behavior is not used on an origin before isolating it.

Setting the policy to Disabled turns off any form of site isolation, including isolation of sensitive sites and field trials of IsolateOriginsAndroid, SitePerProcessAndroid, and other site isolation modes. Users can still turn on IsolateOrigins manually, through the command line flag.

Leaving the policy unset lets users change this setting.

Note: Isolating too many sites on Android may cause performance problems, especially on low-memory devices. This policy applies only to Chrome on Android running on devices with strictly more than 1 GB of RAM. To apply the policy on non-Android platforms, use IsolateOrigins.

Example value:
"https://a.example.com/,https://othersite.org/,https://[*.]corp.example.com"
Back to top

JavascriptEnabled (Deprecated)

Enable JavaScript
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\JavascriptEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\JavascriptEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\JavascriptEnabled
Mac/Linux preference name:
JavascriptEnabled
Android restriction name:
JavascriptEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, please use DefaultJavaScriptSetting instead.

Can be used to disabled JavaScript in Google Chrome.

If this setting is disabled, web pages cannot use JavaScript and the user cannot change that setting.

If this setting is enabled or not set, web pages can use JavaScript but the user can change that setting.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

KeepFullscreenWithoutNotificationUrlAllowList

List of URLs which are allowed to remain in full screen mode without showing a notification
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\KeepFullscreenWithoutNotificationUrlAllowList
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 99
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Configure a list of URLs that are allowed to stay in full screen mode without showing a notification when the device returns from the lock screen.

Normally, full screen mode is turned off when returning from the lock screen in order to reduce the risk of phishing attacks. This policy allows to specify URLs that will be considered trusted sources which are permitted to continue full screen mode on unlock. It is set by specifying a list of URL patterns formatted according to this format ( https://www.chromium.org/administrators/url-blocklist-filter-format ). E.g., it is possible to always keep full screen mode on unlock and disable the notifications altogether by specifying the wildcard character * matching all URLs.

Setting this policy to an empty list or leaving it unset means no URLs are allowed to continue full screen mode without a notification.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\KeepFullscreenWithoutNotificationUrlAllowList\1 = "*"
Back to top

KeyPermissions

Key Permissions
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\KeyPermissions
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 45
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy grants access to corporate keys to extensions or Android applications. Keys are designated for corporate usage only if they're generated using the chrome.enterprise.platformKeys API on a managed account. Users can't grant or withdraw access to corporate keys to or from extensions or Android applications.

By default, an extension or an Android applications can't use a key designated for corporate usage, which is equivalent to setting allowCorporateKeyUsage to False for it. Only if allowCorporateKeyUsage is set to True for an extension or an Android application can it use any platform key marked for corporate usage to sign arbitrary data. Only grant this permission if the extension or the Android application is trusted to secure access to the key against attackers.

Note for Google Chrome OS devices supporting Android apps:

Corporate keys can be used by Android applications that are installed and listed in this policy.

Schema:
{ "additionalProperties": { "properties": { "allowCorporateKeyUsage": { "description": "If set to true, this extension can use all keys that are designated for corporate usage to sign arbitrary data. If set to false, it cannot access any such keys and the user cannot grant such permission either. As an exception, an extension can access such a key exactly once if the same extension generated that key.", "type": "boolean" } }, "type": "object" }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\KeyPermissions = { "com.example.app": { "allowCorporateKeyUsage": true }, "com.example.app2": { "allowCorporateKeyUsage": false }, "extension1": { "allowCorporateKeyUsage": true }, "extension2": { "allowCorporateKeyUsage": false } }
Back to top

LacrosAvailability

Make the Lacros browser available
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LacrosAvailability
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 92
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

This setting provides several availability options for the Lacros browser.

If the policy is set to user_choice, the user can enable Lacros and make it primary.

If the policy is set to lacros_disallowed, the user cannot use Lacros.

If the policy is set to side_by_side, Lacros is enabled but is not the primary browser.

If the policy is set to lacros_primary, Lacros is enabled and is the primary browser.

If the policy is unset, the default is lacros_disallowed for enterprise-managed users and user_choice for non-managed users.

In the future it will be possible to make Lacros the only available browser in Google Chrome OS with lacros_only value.

  • "user_choice" = Allow users to enable Lacros and make it the primary browser
  • "lacros_disallowed" = Prevent users from using Lacros
  • "side_by_side" = Enable Lacros
  • "lacros_primary" = Enable Lacros and make it the primary browser
  • "lacros_only" = Make Lacros the only available browser (not implemented yet)
Example value:
"lacros_primary"
Back to top

LacrosSecondaryProfilesAllowed

Allow users to create and use secondary profiles, and use guest mode in the Lacros browser
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LacrosSecondaryProfilesAllowed
Supported on:
  • Google Chrome (Linux) since version 91 until version 92
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This setting allows users to create and use secondary profiles, and use guest mode in the Lacros browser.

Similar to both BrowserAddPersonEnabled and BrowserGuestModeEnabled, if this policy is set to false or unset, the user cannot create or use secondary profiles, and use guest mode. Previously created secondary profiles, if any, will be unavailable.

If this policy is set to true, the user can create and use secondary profiles, and use guest mode.

Note: If this policy is set to true but BrowserAddPersonEnabled is set to false, the user cannot create secondary profiles. The same for BrowserGuestModeEnabled and guest mode.

Example value:
0x00000001 (Windows)
Back to top

LensCameraAssistedSearchEnabled

Allow Google Lens camera assisted search
Data type:
Boolean
Android restriction name:
LensCameraAssistedSearchEnabled
Supported on:
  • Google Chrome (Android) since version 91
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Leaving the policy unset or setting it to Enabled allows users to search with their cameras using Google Lens. Setting the policy to Disabled means users can't see the Google Lens button in the search box when Google Lens camera assisted search is supported.

Example value:
true (Android)
Back to top

LensRegionSearchEnabled

Allow Google Lens region search menu item to be shown in context menu if supported.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\LensRegionSearchEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\LensRegionSearchEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LensRegionSearchEnabled
Mac/Linux preference name:
LensRegionSearchEnabled
Supported on:
  • Google Chrome (Linux) since version 94
  • Google Chrome (Mac) since version 94
  • Google Chrome (Windows) since version 94
  • Google ChromeOS (Google ChromeOS) since version 94
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Leaving the policy unset or setting it to Enabled allows users to view and use the Google Lens region search menu item in the context menu. Setting the policy to Disabled means users will not see the Google Lens region search menu item in the context menu when Google Lens region search is supported.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

LockScreenMediaPlaybackEnabled

Allows users to play media when the device is locked
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LockScreenMediaPlaybackEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset displays media controls on the lock screen if users lock the device when media is playing.

Setting the policy to Disabled turns media controls on the lock screen off.

Example value:
0x00000001 (Windows)
Back to top

LoginDisplayPasswordButtonEnabled

Show the display password button on the login and lock screen
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LoginDisplayPasswordButtonEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

When enabled, this feature shows a button on the login and lock screen that allows the password to be displayed. It is represented as an eye icon on the password textfield. The button is absent when the feature is disabled.

Example value:
0x00000000 (Windows)
Back to top

LookalikeWarningAllowlistDomains

Suppress lookalike domain warnings on domains
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\LookalikeWarningAllowlistDomains
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\LookalikeWarningAllowlistDomains
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\LookalikeWarningAllowlistDomains
Mac/Linux preference name:
LookalikeWarningAllowlistDomains
Android restriction name:
LookalikeWarningAllowlistDomains
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Android) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy prevents the display of lookalike URL warnings on the sites listed. These warnings are typically shown on sites that Google Chrome believes might be trying to spoof another site the user is familiar with.

If the policy is enabled and set to one or more domains, no lookalike warnings pages will be shown when the user visits pages on that domain.

If the policy is not set, or set to an empty list, warnings may appear on any site the user visits.

A hostname can be allowed with a complete host match, or any domain match. For example, a URL like "https://foo.example.com/bar" may have warnings suppressed if this list includes either "foo.example.com" or "example.com".

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\LookalikeWarningAllowlistDomains\1 = "foo.example.com" Software\Policies\Google\Chrome\LookalikeWarningAllowlistDomains\2 = "example.org"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\LookalikeWarningAllowlistDomains\1 = "foo.example.com" Software\Policies\Google\ChromeOS\LookalikeWarningAllowlistDomains\2 = "example.org"
Android/Linux:
[ "foo.example.com", "example.org" ]
Mac:
<array> <string>foo.example.com</string> <string>example.org</string> </array>
Windows (Intune):
<enabled/>
<data id="LookalikeWarningAllowlistDomainsDesc" value="1&#xF000;foo.example.com&#xF000;2&#xF000;example.org"/>
Back to top

ManagedAccountsSigninRestriction

Add restrictions on managed accounts
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ManagedAccountsSigninRestriction
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ManagedAccountsSigninRestriction
Mac/Linux preference name:
ManagedAccountsSigninRestriction
Supported on:
  • Google Chrome (Linux) since version 94
  • Google Chrome (Mac) since version 94
  • Google Chrome (Windows) since version 94
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

If this policy is set to 'primary_account', after a signin into an a managed account subjected to this policy, the user be asked to create a new profile for the account. If this policy is set to 'primary_account_keep_existing_data', after a signin into an a managed account subjected to this policy, the user be asked to create a new profile for the account with an option to keep any existing browsing data. This option is supported on Chrome 102 and higher version.

If this policy is set to 'primary_account_strict', after a signin into an a managed account subjected to this policy, the user be asked to create a new profile for the account. This profile will not allow any secondary accounts. If this policy is set to 'primary_account_strict_keep_existing_data' after a signin into an a managed account subjected to this policy, the user be asked to create a new profile for the account with an option to keep any existing browsing data. This profile will not allow any secondary accounts. This option is supported on Chrome 102 and higher version.

If this policy is set to 'none' or not set, managed accounts have no restrictions. This may result in a managed account being a secondary account, which disables its ability to receive policies set on the account by the admin.

If this policy is set at the device level, all accounts in the browser are subjected to the policy. If this policy is set at an account level, only that account is affected in the browser.

  • "primary_account" = A Managed account must be a primary account and importing existing browsing data is allowed at the time of profile creation
  • "primary_account_strict" = A Managed account must be a primary account and have no secondary accounts and importing existing browsing data is allowed at the time of profile creation
  • "none" = No restrictions on managed accounts
  • "primary_account_keep_existing_data" = A Managed account must be a primary account and the user can import existing data at the time of its creation
  • "primary_account_strict_keep_existing_data" = A Managed account must be a primary account and have no secondary accounts and the user can import existing data at the time of its creation
Example value:
"primary_account"
Windows (Intune):
<enabled/>
<data id="ManagedAccountsSigninRestriction" value="primary_account"/>
Back to top

ManagedBookmarks

Managed Bookmarks
Data type:
Dictionary [Android:string, Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ManagedBookmarks
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ManagedBookmarks
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ManagedBookmarks
Mac/Linux preference name:
ManagedBookmarks
Android restriction name:
ManagedBookmarks
Supported on:
  • Google Chrome (Android) since version 30
  • Google Chrome (Linux) since version 37
  • Google Chrome (Mac) since version 37
  • Google Chrome (Windows) since version 37
  • Google ChromeOS (Google ChromeOS) since version 37
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy sets up a list of bookmarks where each one is a dictionary with the keys "name" and "url". These keys hold the bookmark's name and target. Admins can set up a subfolder by defining a bookmark without a "url" key, but with an additional "children" key. This key also has a list of bookmarks, some of which can also be folders. Chrome amends incomplete URLs as if they were submitted through the address bar. For example, "google.com" becomes "https://google.com/".

Users can't change the folders the bookmarks are placed in (though they can hide it from the bookmark bar). The default folder name for managed bookmarks is "Managed bookmarks" but it can be changed by adding a new sub-dictionary to the policy with a single key named "toplevel_name" with the desired folder name as its value. Managed bookmarks are not synced to the user account and extensions can't modify them.

Schema:
{ "items": { "id": "BookmarkType", "properties": { "children": { "items": { "$ref": "BookmarkType" }, "type": "array" }, "name": { "type": "string" }, "toplevel_name": { "type": "string" }, "url": { "type": "string" } }, "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ManagedBookmarks = [ { "toplevel_name": "My managed bookmarks folder" }, { "name": "Google", "url": "google.com" }, { "name": "Youtube", "url": "youtube.com" }, { "children": [ { "name": "Chromium", "url": "chromium.org" }, { "name": "Chromium Developers", "url": "dev.chromium.org" } ], "name": "Chrome links" } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ManagedBookmarks = [ { "toplevel_name": "My managed bookmarks folder" }, { "name": "Google", "url": "google.com" }, { "name": "Youtube", "url": "youtube.com" }, { "children": [ { "name": "Chromium", "url": "chromium.org" }, { "name": "Chromium Developers", "url": "dev.chromium.org" } ], "name": "Chrome links" } ]
Android/Linux:
ManagedBookmarks: [ { "toplevel_name": "My managed bookmarks folder" }, { "name": "Google", "url": "google.com" }, { "name": "Youtube", "url": "youtube.com" }, { "children": [ { "name": "Chromium", "url": "chromium.org" }, { "name": "Chromium Developers", "url": "dev.chromium.org" } ], "name": "Chrome links" } ]
Mac:
<key>ManagedBookmarks</key> <array> <dict> <key>toplevel_name</key> <string>My managed bookmarks folder</string> </dict> <dict> <key>name</key> <string>Google</string> <key>url</key> <string>google.com</string> </dict> <dict> <key>name</key> <string>Youtube</string> <key>url</key> <string>youtube.com</string> </dict> <dict> <key>children</key> <array> <dict> <key>name</key> <string>Chromium</string> <key>url</key> <string>chromium.org</string> </dict> <dict> <key>name</key> <string>Chromium Developers</string> <key>url</key> <string>dev.chromium.org</string> </dict> </array> <key>name</key> <string>Chrome links</string> </dict> </array>
Windows (Intune):
<enabled/>
<data id="ManagedBookmarks" value="{"toplevel_name": "My managed bookmarks folder"}, {"name": "Google", "url": "google.com"}, {"name": "Youtube", "url": "youtube.com"}, {"name": "Chrome links", "children": [{"name": "Chromium", "url": "chromium.org"}, {"name": "Chromium Developers", "url": "dev.chromium.org"}]}"/>
Back to top

ManagedConfigurationPerOrigin

Sets managed configuration values to websites to specific origins
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ManagedConfigurationPerOrigin
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ManagedConfigurationPerOrigin
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ManagedConfigurationPerOrigin
Mac/Linux preference name:
ManagedConfigurationPerOrigin
Supported on:
  • Google Chrome (Linux) since version 89
  • Google Chrome (Mac) since version 89
  • Google Chrome (Windows) since version 89
  • Google ChromeOS (Google ChromeOS) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy defines the return value of Managed Configuration API for given origin.

Managed configuration API is a key-value configuration that can be accessed via navigator.managed.getManagedConfiguration() javascript call. This API is only available to origins which correspond to force-installed web applications via WebAppInstallForceList.

Schema:
{ "items": { "properties": { "managed_configuration_hash": { "type": "string" }, "managed_configuration_url": { "type": "string" }, "origin": { "type": "string" } }, "required": [ "origin", "managed_configuration_url", "managed_configuration_hash" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ManagedConfigurationPerOrigin = [ { "managed_configuration_hash": "asd891jedasd12ue9h", "managed_configuration_url": "https://gstatic.google.com/configuration.json", "origin": "https://www.google.com" }, { "managed_configuration_hash": "djio12easd89u12aws", "managed_configuration_url": "https://gstatic.google.com/configuration2.json", "origin": "https://www.example.com" } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ManagedConfigurationPerOrigin = [ { "managed_configuration_hash": "asd891jedasd12ue9h", "managed_configuration_url": "https://gstatic.google.com/configuration.json", "origin": "https://www.google.com" }, { "managed_configuration_hash": "djio12easd89u12aws", "managed_configuration_url": "https://gstatic.google.com/configuration2.json", "origin": "https://www.example.com" } ]
Android/Linux:
ManagedConfigurationPerOrigin: [ { "managed_configuration_hash": "asd891jedasd12ue9h", "managed_configuration_url": "https://gstatic.google.com/configuration.json", "origin": "https://www.google.com" }, { "managed_configuration_hash": "djio12easd89u12aws", "managed_configuration_url": "https://gstatic.google.com/configuration2.json", "origin": "https://www.example.com" } ]
Mac:
<key>ManagedConfigurationPerOrigin</key> <array> <dict> <key>managed_configuration_hash</key> <string>asd891jedasd12ue9h</string> <key>managed_configuration_url</key> <string>https://gstatic.google.com/configuration.json</string> <key>origin</key> <string>https://www.google.com</string> </dict> <dict> <key>managed_configuration_hash</key> <string>djio12easd89u12aws</string> <key>managed_configuration_url</key> <string>https://gstatic.google.com/configuration2.json</string> <key>origin</key> <string>https://www.example.com</string> </dict> </array>
Windows (Intune):
<enabled/>
<data id="ManagedConfigurationPerOrigin" value="{"origin": "https://www.google.com", "managed_configuration_url": "https://gstatic.google.com/configuration.json", "managed_configuration_hash": "asd891jedasd12ue9h"}, {"origin": "https://www.example.com", "managed_configuration_url": "https://gstatic.google.com/configuration2.json", "managed_configuration_hash": "djio12easd89u12aws"}"/>
Back to top

ManagedGuestSessionPrivacyWarningsEnabled

Reduce Managed-guest session auto-launch notifications
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ManagedGuestSessionPrivacyWarningsEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls the privacy warning of the managed-guest session on Google Chrome OS.

If this policy is set to False, the privacy warnings on the login screen and the auto-launch notification inside the managed-guest session will get deactivated.

This policy should not be used for devices used by the general public.

If the policy is set to True or not set, the privacy warning notification in the auto-launched managed-guest session will be pinned until the user dismisses it.

Example value:
0x00000000 (Windows)
Back to top

MaxConnectionsPerProxy

Maximal number of concurrent connections to the proxy server
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\MaxConnectionsPerProxy
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\MaxConnectionsPerProxy
Mac/Linux preference name:
MaxConnectionsPerProxy
Supported on:
  • Google Chrome (Linux) since version 14
  • Google Chrome (Mac) since version 14
  • Google Chrome (Windows) since version 14
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy specifies the maximal number of simultaneous connections to the proxy server. Some proxy servers can't handle a high number of concurrent connections per client, which is solved by setting this policy to a lower value. The value should be lower than 100 and higher than 6. Some web apps are known to consume many connections with hanging GETs, so setting a value below 32 may lead to browser networking hangs if there are too many web apps with hanging connections open. Lower below the default at your own risk.

Leaving the policy unset means a default of 32 is used.

Example value:
0x00000020 (Windows), 32 (Linux), 32 (Mac)
Windows (Intune):
<enabled/>
<data id="MaxConnectionsPerProxy" value="32"/>
Back to top

MaxInvalidationFetchDelay

Maximum fetch delay after a policy invalidation
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\MaxInvalidationFetchDelay
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\MaxInvalidationFetchDelay
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\MaxInvalidationFetchDelay
Mac/Linux preference name:
MaxInvalidationFetchDelay
Supported on:
  • Google Chrome (Linux) since version 30
  • Google Chrome (Mac) since version 30
  • Google Chrome (Windows) since version 30
  • Google ChromeOS (Google ChromeOS) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service. Valid values range from 1,000 (1 second) to 300,000 (5 minutes). Values outside this range will be clamped to the respective boundary.

Leaving the policy unset means Google Chrome uses the default value of 10 seconds.

Restrictions:
  • Minimum:1000
  • Maximum:300000
Example value:
0x00002710 (Windows), 10000 (Linux), 10000 (Mac)
Windows (Intune):
<enabled/>
<data id="MaxInvalidationFetchDelay" value="10000"/>
Back to top

MediaRecommendationsEnabled

Enable Media Recommendations
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\MediaRecommendationsEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\MediaRecommendationsEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\MediaRecommendationsEnabled
Mac/Linux preference name:
MediaRecommendationsEnabled
Supported on:
  • Google Chrome (Linux) since version 87
  • Google Chrome (Mac) since version 87
  • Google Chrome (Windows) since version 87
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

By default the browser will show media recommendations that are personalized to the user. Setting this policy to Disabled will result in these recommendations being hidden from the user. Setting this policy to Enabled or leaving it unset will result in the media recommendations being shown to the user.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

MediaRouterCastAllowAllIPs

Allow Google Cast to connect to Cast devices on all IP addresses.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\MediaRouterCastAllowAllIPs
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\MediaRouterCastAllowAllIPs
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\MediaRouterCastAllowAllIPs
Mac/Linux preference name:
MediaRouterCastAllowAllIPs
Supported on:
  • Google Chrome (Linux) since version 67
  • Google Chrome (Mac) since version 67
  • Google Chrome (Windows) since version 67
  • Google ChromeOS (Google ChromeOS) since version 67
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Unless EnableMediaRouter is set to Disabled, setting MediaRouterCastAllowAllIPs to Enabled connects Google Cast to Cast devices on all IP addresses, not just RFC1918/RFC4193 private addresses.

Setting the policy to Disabled connects Google Cast to Cast devices only on RFC1918/RFC4193.

Leaving the policy unset connects Google Cast to Cast devices only on RFC1918/RFC4193, unless the CastAllowAllIPs feature is turned on.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

MetricsReportingEnabled

Enable reporting of usage and crash-related data
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\MetricsReportingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\MetricsReportingEnabled
Mac/Linux preference name:
MetricsReportingEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: No, Per Profile: No
Description:

When this policy is enabled, anonymous reporting of usage and crash-related data about Chrome to Google is enabled by default. Users will still be able to change this setting in the Chrome settings.

When this policy is disabled, anonymous reporting is disabled and no usage or crash data is sent to Google. Users won't be able to change this setting.

When this policy isn't set, users can choose the anonymous reporting behavior at installation or first run, and can later change the setting in the Chrome settings.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain or Windows 10 Pro or Enterprise instances that are enrolled for device management, and macOS instances that are managed via MDM or joined to a domain via MCX.

(For Google Chrome OS, see DeviceMetricsReportingEnabled.)

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

NTPCardsVisible

Show cards on the New Tab Page
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NTPCardsVisible
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\NTPCardsVisible
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NTPCardsVisible
Mac/Linux preference name:
NTPCardsVisible
Supported on:
  • Google Chrome (Linux) since version 88
  • Google Chrome (Mac) since version 88
  • Google Chrome (Windows) since version 88
  • Google ChromeOS (Google ChromeOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls the visibility of cards on the New Tab Page. Cards surface entry points to launch common user journeys based on the user's browsing behavior.

If the policy is set to Enabled, the New Tab Page will show cards if content is available.

If the policy is set to Disabled, the New Tab Page won't show cards.

If the policy is not set, the user can control the card visibility. The default is visible.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

NTPContentSuggestionsEnabled

Show content suggestions on the New Tab page
Data type:
Boolean
Android restriction name:
NTPContentSuggestionsEnabled
Supported on:
  • Google Chrome (Android) since version 54
  • Google Chrome (iOS) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True or leaving it unset displays autogenerated content suggestions on the New Tab page, based on the user's browsing history, interests, or location.

Setting the policy to False prevents autogenerated content suggestions from appearing on the New Tab page.

Example value:
true (Android)
Back to top

NTPCustomBackgroundEnabled

Allow users to customize the background on the New Tab page
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NTPCustomBackgroundEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\NTPCustomBackgroundEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NTPCustomBackgroundEnabled
Mac/Linux preference name:
NTPCustomBackgroundEnabled
Supported on:
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If the policy is set to false, the New Tab page won't allow users to customize the background. Any existing custom background will be permanently removed even if the policy is set to true later.

If the policy is set to true or unset, users can customize the background on the New Tab page.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

NTPMiddleSlotAnnouncementVisible

Show the middle slot announcement on the New Tab Page
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NTPMiddleSlotAnnouncementVisible
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\NTPMiddleSlotAnnouncementVisible
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NTPMiddleSlotAnnouncementVisible
Mac/Linux preference name:
NTPMiddleSlotAnnouncementVisible
Supported on:
  • Google Chrome (Linux) since version 99
  • Google Chrome (Mac) since version 99
  • Google Chrome (Windows) since version 99
  • Google ChromeOS (Google ChromeOS) since version 99
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls the visibility of the middle slot announcement on the New Tab Page.

If the policy is set to Enabled, the New Tab Page will show the middle slot announcement if it is available.

If the policy is set to Disabled, the New Tab Page will not show the middle slot announcement even if it is available.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

NearbyShareAllowed

Allow Nearby Share to be enabled.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NearbyShareAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this setting is enabled, users will be allowed to opt in to Nearby Share, which allows them to send and receive files from people closeby.

If this setting is disabled, users will not be allowed to opt in to Nearby Share.

If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.

Example value:
0x00000001 (Windows)
Back to top

NetworkPredictionOptions

Enable network prediction
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NetworkPredictionOptions
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\NetworkPredictionOptions
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NetworkPredictionOptions
Mac/Linux preference name:
NetworkPredictionOptions
Android restriction name:
NetworkPredictionOptions
Supported on:
  • Google Chrome (Linux) since version 38
  • Google Chrome (Mac) since version 38
  • Google Chrome (Windows) since version 38
  • Google ChromeOS (Google ChromeOS) since version 38
  • Google Chrome (Android) since version 38
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy controls network prediction in Google Chrome. It controls DNS prefetching, TCP, and SSL preconnection and prerendering of webpages.

If you set the policy, users can't change it. Leaving it unset turns on network prediction, but the user can change it.

  • 0 = Predict network actions on any network connection
  • 1 = Predict network actions on any network that is not cellular. (Deprecated in 50, removed in 52. After 52, if value 1 is set, it will be treated as 0 - predict network actions on any network connection.)
  • 2 = Do not predict network actions on any network connection
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="NetworkPredictionOptions" value="1"/>
Back to top

NetworkServiceSandboxEnabled

Enable the network service sandbox
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\NetworkServiceSandboxEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\NetworkServiceSandboxEnabled
Supported on:
  • Google Chrome (Windows) since version 96
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

This policy controls whether or not the network service process runs sandboxed. If this policy is enabled, the network service process will run sandboxed. If this policy is disabled, the network service process will run unsandboxed. This leaves users open to additional security risks related to running the network service unsandboxed. If this policy is not set, the default configuration for the network sandbox will be used. This may vary depending on Google Chrome release, currently running field trials, and platform. This policy is intended to give enterprises flexibility to disable the network sandbox if they use third party software that interferes with the network service sandbox.

Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
Back to top

NoteTakingAppsLockScreenAllowlist

The list of note-taking apps allowed on the Google Chrome OS lock screen
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\NoteTakingAppsLockScreenAllowlist
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies the apps that users can turn on as a note-taking app on the Google Chrome OS lock screen.

If the preferred app is on the lock screen, a UI element for launching the preferred note-taking app appears on the screen. When launched, the app can create a window on top of the lock screen and create notes in this context. The app can import created notes to the primary user session, when the session is unlocked. Only Google Chrome note-taking apps are supported on the lock screen.

Setting the policy means users can turn on an app on the lock screen if the app's extension ID is in the policy list value. So, setting it to an empty list will turn off note-taking on the lock screen. The policy with an app ID doesn't necessarily mean that users can turn the app on as a note-taking app on the lock screen. For example, on Google Chrome 61, the set of available apps is also restricted by the platform.

Leaving the policy unset amounts to no restrictions on the set of apps users can enable on the lock screen imposed by the policy.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\NoteTakingAppsLockScreenAllowlist\1 = "abcdefghabcdefghabcdefghabcdefgh"
Back to top

OpenNetworkConfiguration

User-level network configuration
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\OpenNetworkConfiguration
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 16
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy allows pushing network configuration per-user for each Google Chrome device. The network configuration is a JSON-formatted string, as defined by the Open Network Configuration format.

Note for Google Chrome OS devices supporting Android apps:

Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.

Expanded schema description:
https://chromium.googlesource.com/chromium/src/+/HEAD/components/onc/docs/onc_spec.md
Example value:
"{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}", "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false, "Security": "None", "AutoConnect": true } } ] }"
Back to top

OptimizationGuideFetchingEnabled (Deprecated)

Enable Optimization Guide Fetching
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\OptimizationGuideFetchingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\OptimizationGuideFetchingEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\OptimizationGuideFetchingEnabled
Mac/Linux preference name:
OptimizationGuideFetchingEnabled
Android restriction name:
OptimizationGuideFetchingEnabled
Supported on:
  • Google Chrome (Android) since version 101 until version 103
  • Google Chrome (Linux) since version 101 until version 103
  • Google Chrome (Mac) since version 101 until version 103
  • Google Chrome (Windows) since version 101 until version 103
  • Google ChromeOS (Google ChromeOS) since version 101 until version 103
  • Google Chrome (iOS) since version 101 until version 103
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset will enable the fetching of page load metadata and machine learning models that enhance the browsing experience. Setting the policy to Disabled may cause some features to not work appropriately.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

OriginAgentClusterDefaultEnabled

Allows origin-keyed agent clustering by default.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\OriginAgentClusterDefaultEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\OriginAgentClusterDefaultEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\OriginAgentClusterDefaultEnabled
Mac/Linux preference name:
OriginAgentClusterDefaultEnabled
Supported on:
  • Google Chrome (Linux) since version 100
  • Google Chrome (Mac) since version 100
  • Google Chrome (Windows) since version 100
  • Google ChromeOS (Google ChromeOS) since version 100
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy allows origin-keyed agent clustering by default.

The Origin-Agent-Cluster: HTTP header controls whether a document is isolated in an origin-keyed agent cluster, or in a site-keyed agent cluster. This has security implications since an origin-keyed agent cluster allows isolating documents by origin. The developer-visible consequence of this is that the document.domain accessor can no longer be set.

The default behaviour - when no Origin-Agent-Cluster: header has been set - changes in M106 from site-keyed to origin-keyed. If this policy is enabled or not set, the browser will follow this new default from that version on. If this policy is disabled this change is reversed and documents without Origin-Agent-Cluster: headers will be assigned to site-keyed agent clusters. As a consequence, the document.domain accessor remains settable by default. This matches the legacy behaviour.

See https://developer.chrome.com/blog/immutable-document-domain/ for additional details.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

OverrideSecurityRestrictionsOnInsecureOrigin

Origins or hostname patterns for which restrictions on insecure origins should not apply
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\OverrideSecurityRestrictionsOnInsecureOrigin
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\OverrideSecurityRestrictionsOnInsecureOrigin
Mac/Linux preference name:
OverrideSecurityRestrictionsOnInsecureOrigin
Android restriction name:
OverrideSecurityRestrictionsOnInsecureOrigin
Supported on:
  • Google Chrome (Linux) since version 69
  • Google Chrome (Mac) since version 69
  • Google Chrome (Windows) since version 69
  • Google ChromeOS (Google ChromeOS) since version 69
  • Google Chrome (Android) since version 69
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy specifies a list of origins (URLs) or hostname patterns (such as *.example.com) for which security restrictions on insecure origins won't apply. Organizations can specify origins for legacy applications that can't deploy TLS or set up a staging server for internal web development, so developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy also prevents the origin from being labeled "Not Secure" in the address bar.

Setting a list of URLs in this policy amounts to setting the command-line flag --unsafely-treat-insecure-origin-as-secure to a comma-separated list of the same URLs. The policy overrides the command-line flag and UnsafelyTreatInsecureOriginAsSecure, if present.

For more information on secure contexts, see Secure Contexts ( https://www.w3.org/TR/secure-contexts ).

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin\1 = "http://testserver.example.com/" Software\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin\2 = "*.example.org"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\OverrideSecurityRestrictionsOnInsecureOrigin\1 = "http://testserver.example.com/" Software\Policies\Google\ChromeOS\OverrideSecurityRestrictionsOnInsecureOrigin\2 = "*.example.org"
Android/Linux:
[ "http://testserver.example.com/", "*.example.org" ]
Mac:
<array> <string>http://testserver.example.com/</string> <string>*.example.org</string> </array>
Windows (Intune):
<enabled/>
<data id="OverrideSecurityRestrictionsOnInsecureOriginDesc" value="1&#xF000;http://testserver.example.com/&#xF000;2&#xF000;*.example.org"/>
Back to top

PaymentMethodQueryEnabled

Allow websites to query for available payment methods.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PaymentMethodQueryEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\PaymentMethodQueryEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PaymentMethodQueryEnabled
Mac/Linux preference name:
PaymentMethodQueryEnabled
Android restriction name:
PaymentMethodQueryEnabled
Supported on:
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
  • Google ChromeOS (Google ChromeOS) since version 80
  • Google Chrome (Android) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Allows you to set whether websites are allowed to check if the user has payment methods saved.

If this policy is set to disabled, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.

If the setting is enabled or not set then websites are allowed to check if the user has payment methods saved.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

PdfAnnotationsEnabled

Enable PDF Annotations
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PdfAnnotationsEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls if the PDF viewer in Google Chrome can annotate PDFs.

When this policy is not set, or is set to true, then the PDF viewer will be able to annotate PDFs.

When this policy is set to false, then the PDF viewer will not be able to annotate PDFs.

Example value:
0x00000000 (Windows)
Back to top

PhoneHubAllowed

Allow Phone Hub to be enabled.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PhoneHubAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this setting is enabled, users will be allowed to opt in to Phone Hub, which allows them to interact with their phone on a ChromeOS device.

If this setting is disabled, users will not be allowed to opt in to Phone Hub.

If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.

Example value:
0x00000001 (Windows)
Back to top

PhoneHubNotificationsAllowed

Allow Phone Hub notifications to be enabled.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PhoneHubNotificationsAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this setting is enabled, users who have already opted in to Phone Hub, will be able to send/receive their phone's notifications on ChromeOS.

If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.

If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.

Example value:
0x00000001 (Windows)
Back to top

PhoneHubTaskContinuationAllowed

Allow Phone Hub task continuation to be enabled.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PhoneHubTaskContinuationAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this setting is enabled, users who have already opted in to Phone Hub, will be able to continue tasks such as viewing their phone's webpages on ChromeOS.

If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.

If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.

Example value:
0x00000001 (Windows)
Back to top

PinnedLauncherApps

List of pinned apps to show in the launcher
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PinnedLauncherApps
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 20
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy fixes which application identifiers Google Chrome OS shows as pinned apps in the launcher bar, and users can't change them.

Specify Chrome apps by their ID, such as pjkljhegncpnkpknbcohdijeoejaedia; Android apps by their package name, such as com.google.android.gm; and web apps by the URL used in WebAppInstallForceList, such as https://google.com/maps.

Leaving it unset lets users change the list of pinned apps in the launcher.

Note for Google Chrome OS devices supporting Android apps:

This policy can also be used to pin Android apps.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PinnedLauncherApps\1 = "pjkljhegncpnkpknbcohdijeoejaedia" Software\Policies\Google\ChromeOS\PinnedLauncherApps\2 = "com.google.android.gm" Software\Policies\Google\ChromeOS\PinnedLauncherApps\3 = "https://google.com/maps"
Back to top

PolicyAtomicGroupsEnabled

Enables the concept of policy atomic groups
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PolicyAtomicGroupsEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\PolicyAtomicGroupsEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PolicyAtomicGroupsEnabled
Mac/Linux preference name:
PolicyAtomicGroupsEnabled
Supported on:
  • Google Chrome (Linux) since version 78
  • Google Chrome (Mac) since version 78
  • Google Chrome (Windows) since version 78
  • Google ChromeOS (Google ChromeOS) since version 78
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means policies coming from an atomic group that don't share the source with the highest priority from that group get ignored.

Setting the policy to Disabled means no policy is ignored because of its source. Policies are ignored only if there's a conflict, and the policy doesn't have the highest priority.

If this policy is set from a cloud source, it can't target a specific user.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

PolicyDictionaryMultipleSourceMergeList

Allow merging dictionary policies from different sources
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PolicyDictionaryMultipleSourceMergeList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\PolicyDictionaryMultipleSourceMergeList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PolicyDictionaryMultipleSourceMergeList
Mac/Linux preference name:
PolicyDictionaryMultipleSourceMergeList
Supported on:
  • Google Chrome (Linux) since version 76
  • Google Chrome (Mac) since version 76
  • Google Chrome (Windows) since version 76
  • Google ChromeOS (Google ChromeOS) since version 76
Supported features:
Dynamic Policy Refresh: Yes, Metapolicy Type: Yes, Per Profile: Yes
Description:

Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level. This merging is in the first level keys of the dictionary from each source. The key coming from the highest priority source takes precedence.

Use the wildcard character '*' to allow merging of all supported dictionary policies.

If a policy is in the list and there's conflict between sources with:

* The same scopes and level: The values merge into a new policy dictionary.

* Different scopes or level: The policy with the highest priority applies.

If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.

  • "ContentPackManualBehaviorURLs" = Managed user manual exception URLs
  • "DeviceLoginScreenPowerManagement" = Power management on the login screen
  • "ExtensionSettings" = Extension management settings
  • "KeyPermissions" = Key Permissions
  • "PowerManagementIdleSettings" = Power management settings when the user becomes idle
  • "ScreenBrightnessPercent" = Screen brightness percent
  • "ScreenLockDelays" = Screen lock delays
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\PolicyDictionaryMultipleSourceMergeList\1 = "ExtensionSettings"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PolicyDictionaryMultipleSourceMergeList\1 = "ExtensionSettings"
Android/Linux:
[ "ExtensionSettings" ]
Mac:
<array> <string>ExtensionSettings</string> </array>
Windows (Intune):
<enabled/>
<data id="PolicyDictionaryMultipleSourceMergeList" value=""ExtensionSettings""/>
Back to top

PolicyListMultipleSourceMergeList

Allow merging list policies from different sources
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PolicyListMultipleSourceMergeList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\PolicyListMultipleSourceMergeList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PolicyListMultipleSourceMergeList
Mac/Linux preference name:
PolicyListMultipleSourceMergeList
Android restriction name:
PolicyListMultipleSourceMergeList
Supported on:
  • Google Chrome (Linux) since version 75
  • Google Chrome (Mac) since version 75
  • Google Chrome (Windows) since version 75
  • Google ChromeOS (Google ChromeOS) since version 75
  • Google Chrome (Android) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Metapolicy Type: Yes, Per Profile: Yes
Description:

Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level.

Use the wildcard character '*' to allow merging of all list policies.

If a policy is in the list and there's conflict between sources with:

* The same scopes and level: The values merge into a new policy list.

* Different scopes or level: The policy with the highest priority applies.

If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\PolicyListMultipleSourceMergeList\1 = "ExtensionInstallAllowlist" Software\Policies\Google\Chrome\PolicyListMultipleSourceMergeList\2 = "ExtensionInstallBlocklist"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\PolicyListMultipleSourceMergeList\1 = "ExtensionInstallAllowlist" Software\Policies\Google\ChromeOS\PolicyListMultipleSourceMergeList\2 = "ExtensionInstallBlocklist"
Android/Linux:
[ "ExtensionInstallAllowlist", "ExtensionInstallBlocklist" ]
Mac:
<array> <string>ExtensionInstallAllowlist</string> <string>ExtensionInstallBlocklist</string> </array>
Windows (Intune):
<enabled/>
<data id="PolicyListMultipleSourceMergeListDesc" value="1&#xF000;ExtensionInstallAllowlist&#xF000;2&#xF000;ExtensionInstallBlocklist"/>
Back to top

PolicyRefreshRate

Refresh rate for user policy
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PolicyRefreshRate
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\PolicyRefreshRate
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PolicyRefreshRate
Mac/Linux preference name:
PolicyRefreshRate
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google Chrome (iOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies the period in milliseconds at which the device management service is queried for user policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.

Leaving the policy unset uses the default value of 3 hours.

Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).

Restrictions:
  • Minimum:1800000
  • Maximum:86400000
Example value:
0x0036ee80 (Windows), 3600000 (Linux), 3600000 (Mac)
Windows (Intune):
<enabled/>
<data id="PolicyRefreshRate" value="3600000"/>
Back to top

PrimaryMouseButtonSwitch

Switch the primary mouse button to the right button
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PrimaryMouseButtonSwitch
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 81
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Switch the primary mouse button to the right button.

If this policy is set to enabled, the right button of the mouse will always be the primary key.

If this policy is set to disabled, the left button of the mouse will always be the primary key.

If you set this policy, users cannot change or override it.

If this policy is left unset, the left button of the mouse will be the primary key initially, but can be switched by the user anytime.

Example value:
0x00000001 (Windows)
Back to top

ProfilePickerOnStartupAvailability

Profile picker availability on startup
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ProfilePickerOnStartupAvailability
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ProfilePickerOnStartupAvailability
Mac/Linux preference name:
ProfilePickerOnStartupAvailability
Supported on:
  • Google Chrome (Linux) since version 89
  • Google Chrome (Mac) since version 89
  • Google Chrome (Windows) since version 89
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Specifies whether the profile picker is enabled, disabled or forced at the browser startup.

By default the profile picker is not shown if the browser starts in guest or incognito mode, a profile directory and/or urls are specified by command line, an app is explicitly requested to open, the browser was launched by a native notification, there is only one profile available or the policy ForceBrowserSignin is set to true.

If 'Enabled' (0) is selected or the policy is left unset, the profile picker will be shown at startup by default, but users will be able to enable/disable it.

If 'Disabled' (1) is selected, the profile picker will never be shown, and users will not be able to change the setting.

If 'Forced' (2) is selected, the profile picker cannot be suppressed by the user. The profile picker will be shown even if there is only one profile available.

  • 0 = Profile picker available at startup
  • 1 = Profile picker disabled at startup
  • 2 = Profile picker forced at startup
Example value:
0x00000000 (Windows), 0 (Linux), 0 (Mac)
Windows (Intune):
<enabled/>
<data id="ProfilePickerOnStartupAvailability" value="0"/>
Back to top

PromotionalTabsEnabled

Enable showing full-tab promotional content
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PromotionalTabsEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\PromotionalTabsEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PromotionalTabsEnabled
Mac/Linux preference name:
PromotionalTabsEnabled
Supported on:
  • Google Chrome (Linux) since version 69
  • Google Chrome (Mac) since version 69
  • Google Chrome (Windows) since version 69
  • Google ChromeOS (Google ChromeOS) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to True or leaving it unset lets Google Chrome show users product information as full-tab content.

Setting the policy to False prevents Google Chrome from showing product information as full-tab content.

Setting the policy controls the presentation of the welcome pages that help users sign in to Google Chrome, set Google Chrome as users' default browser, or otherwise inform them of product features.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

PromptForDownloadLocation

Ask where to save each file before downloading
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\PromptForDownloadLocation
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\PromptForDownloadLocation
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\PromptForDownloadLocation
Mac/Linux preference name:
PromptForDownloadLocation
Android restriction name:
PromptForDownloadLocation
Supported on:
  • Google Chrome (Linux) since version 64
  • Google Chrome (Mac) since version 64
  • Google Chrome (Windows) since version 64
  • Google ChromeOS (Google ChromeOS) since version 64
  • Google Chrome (Android) since version 92
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means users are asked where to save each file before downloading. Setting the policy to Disabled has downloads start immediately, and users aren't asked where to save the file.

Leaving the policy unset lets users change this setting.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

ProxySettings

Proxy settings
Data type:
Dictionary [Android:string, Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ProxySettings
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ProxySettings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ProxySettings
Mac/Linux preference name:
ProxySettings
Android restriction name:
ProxySettings
Supported on:
  • Google Chrome (Linux) since version 18
  • Google Chrome (Mac) since version 18
  • Google Chrome (Windows) since version 18
  • Google ChromeOS (Google ChromeOS) since version 18
  • Google Chrome (Android) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy configures the proxy settings for Chrome and ARC-apps, which ignore all proxy-related options specified from the command line.

Leaving the policy unset lets users choose their proxy settings.

Setting the ProxySettings policy accepts the following fields: * ProxyMode, which lets you specify the proxy server Chrome uses and prevents users from changing proxy settings * ProxyPacUrl, a URL to a proxy .pac file * ProxyPacMandatory, which prevents the network stack from falling back to direct connections with invalid or unavailable PAC script * ProxyServer, a URL of the proxy server * ProxyBypassList, a list of hosts for which the proxy will be bypassed

The ProxyServerMode field is deprecated in favor of the ProxyMode field.

For ProxyMode, if you choose the value: * direct, a proxy is never used and all other fields are ignored. * system, the systems's proxy is used and all other fields are ignored. * auto_detect, all other fields are ignored. * fixed_servers, the ProxyServer and ProxyBypassList fields are used. * pac_script, the ProxyPacUrl, ProxyPacMandatory and ProxyBypassList fields are used.

Note: For more detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).

Note for Google Chrome OS devices supporting Android apps:

Only a subset of proxy configuration options are made available to Android apps. Android apps may voluntarily choose to use the proxy. You cannot force them to use a proxy.

Schema:
{ "properties": { "ProxyBypassList": { "type": "string" }, "ProxyMode": { "enum": [ "direct", "auto_detect", "pac_script", "fixed_servers", "system" ], "type": "string" }, "ProxyPacMandatory": { "type": "boolean" }, "ProxyPacUrl": { "type": "string" }, "ProxyServer": { "type": "string" }, "ProxyServerMode": { "$ref": "ProxyServerMode" } }, "type": "object" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\ProxySettings = { "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/", "ProxyMode": "fixed_servers", "ProxyServer": "123.123.123.123:8080" }
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ProxySettings = { "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/", "ProxyMode": "fixed_servers", "ProxyServer": "123.123.123.123:8080" }
Android/Linux:
ProxySettings: { "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/", "ProxyMode": "fixed_servers", "ProxyServer": "123.123.123.123:8080" }
Mac:
<key>ProxySettings</key> <dict> <key>ProxyBypassList</key> <string>https://www.example1.com,https://www.example2.com,https://internalsite/</string> <key>ProxyMode</key> <string>fixed_servers</string> <key>ProxyServer</key> <string>123.123.123.123:8080</string> </dict>
Windows (Intune):
<enabled/>
<data id="ProxySettings" value=""ProxyMode": "fixed_servers", "ProxyServer": "123.123.123.123:8080", "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/""/>
Back to top

QuicAllowed

Allow QUIC protocol
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\QuicAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\QuicAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\QuicAllowed
Mac/Linux preference name:
QuicAllowed
Supported on:
  • Google Chrome (Linux) since version 43
  • Google Chrome (Mac) since version 43
  • Google Chrome (Windows) since version 43
  • Google ChromeOS (Google ChromeOS) since version 43
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset allows the use of QUIC protocol in Google Chrome.

Setting the policy to Disabled disallows the use of QUIC protocol.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

RelaunchHeadsUpPeriod

Set the time of the first user relaunch notification
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RelaunchHeadsUpPeriod
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 76
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allows you to set the time period, in milliseconds, between the first notification that a Google Chrome OS device must be restarted to apply a pending update and the end of the time period specified by the RelaunchNotificationPeriod policy.

If not set, the default period of 259200000 milliseconds (three days) is used for Google Chrome OS devices.

Restrictions:
  • Minimum:3600000
Example value:
0x05265c00 (Windows)
Back to top

RelaunchNotification

Notify a user that a browser relaunch or device restart is recommended or required
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RelaunchNotification
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RelaunchNotification
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RelaunchNotification
Mac/Linux preference name:
RelaunchNotification
Supported on:
  • Google Chrome (Linux) since version 66
  • Google Chrome (Mac) since version 66
  • Google Chrome (Windows) since version 66
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Notify users that Google Chrome must be relaunched or Google Chrome OS must be restarted to apply a pending update.

This policy setting enables notifications to inform the user that a browser relaunch or device restart is recommended or required. If not set, Google Chrome indicates to the user that a relaunch is needed via subtle changes to its menu, while Google Chrome OS indicates such via a notification in the system tray. If set to 'Recommended', a recurring warning will be shown to the user that a relaunch is recommended. The user can dismiss this warning to defer the relaunch. If set to 'Required', a recurring warning will be shown to the user indicating that a browser relaunch will be forced once the notification period passes. The default period is seven days for Google Chrome and four days for Google Chrome OS, and may be configured via the RelaunchNotificationPeriod policy setting.

The user's session is restored following the relaunch/restart.

  • 1 = Show a recurring prompt to the user indicating that a relaunch is recommended
  • 2 = Show a recurring prompt to the user indicating that a relaunch is required
Example value:
0x00000001 (Windows), 1 (Linux), 1 (Mac)
Windows (Intune):
<enabled/>
<data id="RelaunchNotification" value="1"/>
Back to top

RelaunchNotificationPeriod

Set the time period for update notifications
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RelaunchNotificationPeriod
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RelaunchNotificationPeriod
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RelaunchNotificationPeriod
Mac/Linux preference name:
RelaunchNotificationPeriod
Supported on:
  • Google Chrome (Linux) since version 67
  • Google Chrome (Mac) since version 67
  • Google Chrome (Windows) since version 67
  • Google ChromeOS (Google ChromeOS) since version 67
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allows you to set the time period, in milliseconds, over which users are notified that Google Chrome must be relaunched or that a Google Chrome OS device must be restarted to apply a pending update.

Over this time period, the user will be repeatedly informed of the need for an update. For Google Chrome OS devices, a restart notification appears in the system tray according to the RelaunchHeadsUpPeriod policy. For Google Chrome browsers, the app menu changes to indicate that a relaunch is needed once one third of the notification period passes. This notification changes color once two thirds of the notification period passes, and again once the full notification period has passed. The additional notifications enabled by the RelaunchNotification policy follow this same schedule.

If not set, the default period of 604800000 milliseconds (one week) is used.

Restrictions:
  • Minimum:3600000
Example value:
0x240c8400 (Windows), 604800000 (Linux), 604800000 (Mac)
Windows (Intune):
<enabled/>
<data id="RelaunchNotificationPeriod" value="604800000"/>
Back to top

RelaunchWindow

Set the time interval for relaunch
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RelaunchWindow
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RelaunchWindow
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RelaunchWindow
Mac/Linux preference name:
RelaunchWindow
Supported on:
  • Google Chrome (Linux) since version 93
  • Google Chrome (Mac) since version 93
  • Google Chrome (Windows) since version 93
  • Google ChromeOS (Google ChromeOS) since version 93
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Specify a target time window for the end of the relaunch notification period.

Users are notified of the need for a browser relaunch or device restart based on the RelaunchNotification and RelaunchNotificationPeriod policy settings. Browsers and devices are forcibly restarted at the end of the notification period when the RelaunchNotification policy is set to 'Required'. This RelaunchWindow policy can be used to defer the end of the notification period so that it falls within a specific time window.

If this policy is not set, the default target time window for Google Chrome OS is between 2 AM and 4 AM. The default target time window for Google Chrome is the whole day (i.e., the end of the notification period is never deferred).

Note: Though the policy can accept multiple items in entries, all but the first item are ignored. Warning: Setting this policy may delay application of software updates.

Schema:
{ "properties": { "entries": { "items": { "properties": { "duration_mins": { "description": "Time period (minutes) that specifies the length of the relaunch window.", "maximum": 1440, "minimum": 1, "type": "integer" }, "start": { "description": "Time interpreted in local wall-clock 24h format.", "id": "Time", "properties": { "hour": { "maximum": 23, "minimum": 0, "type": "integer" }, "minute": { "maximum": 59, "minimum": 0, "type": "integer" } }, "required": [ "hour", "minute" ], "type": "object" } }, "required": [ "start", "duration_mins" ], "type": "object" }, "type": "array" } }, "type": "object" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\RelaunchWindow = { "entries": [ { "duration_mins": 240, "start": { "hour": 2, "minute": 15 } } ] }
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\RelaunchWindow = { "entries": [ { "duration_mins": 240, "start": { "hour": 2, "minute": 15 } } ] }
Android/Linux:
RelaunchWindow: { "entries": [ { "duration_mins": 240, "start": { "hour": 2, "minute": 15 } } ] }
Mac:
<key>RelaunchWindow</key> <dict> <key>entries</key> <array> <dict> <key>duration_mins</key> <integer>240</integer> <key>start</key> <dict> <key>hour</key> <integer>2</integer> <key>minute</key> <integer>15</integer> </dict> </dict> </array> </dict>
Windows (Intune):
<enabled/>
<data id="RelaunchWindow" value=""entries": [{"start": {"hour": 2, "minute": 15}, "duration_mins": 240}]"/>
Back to top

RemoteDebuggingAllowed

Allow remote debugging
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RemoteDebuggingAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RemoteDebuggingAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RemoteDebuggingAllowed
Mac/Linux preference name:
RemoteDebuggingAllowed
Supported on:
  • Google Chrome (Linux) since version 93
  • Google Chrome (Mac) since version 93
  • Google Chrome (Windows) since version 93
  • Google ChromeOS (Google ChromeOS) since version 93
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Controls whether users may use remote debugging.

If this policy is set to Enabled or not set, users may use remote debugging by specifying --remote-debugging-port and --remote-debugging-pipe command line switches.

If this policy is set to Disabled, users are not allowed to use remote debugging.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

RendererCodeIntegrityEnabled

Enable Renderer Code Integrity
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RendererCodeIntegrityEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RendererCodeIntegrityEnabled
Supported on:
  • Google Chrome (Windows) since version 78
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset turns Renderer Code Integrity on.

Setting the policy to Disabled has a detrimental effect on Google Chrome's security and stability as unknown and potentially hostile code can load inside Google Chrome's renderer processes. Only turn off the policy if there are compatibility issues with third-party software that must run inside Google Chrome's renderer processes.

Note: Read more about Process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Process-mitigation-policies ).

Example value:
0x00000000 (Windows)
Windows (Intune):
<disabled/>
Back to top

ReportCrostiniUsageEnabled

Report information about usage of Linux apps
Data type:
Boolean
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If Linux app support is on, setting the policy to Enabled sends information about Linux apps usage back to the server.

Setting the policy to Disabled or leaving it unset means no usage information is reported.

Back to top

RequireOnlineRevocationChecksForLocalAnchors

Require online OCSP/CRL checks for local trust anchors
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RequireOnlineRevocationChecksForLocalAnchors
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RequireOnlineRevocationChecksForLocalAnchors
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RequireOnlineRevocationChecksForLocalAnchors
Mac/Linux preference name:
RequireOnlineRevocationChecksForLocalAnchors
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 30
  • Google Chrome (Linux) since version 30
  • Google Chrome (Windows) since version 30
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to True means Google Chrome always performs revocation checking for successfully validated server certificates signed by locally installed CA certificates. If Google Chrome can't get revocation status information, Google Chrome treats these certificates as revoked (hard-fail).

Setting the policy to False or leaving it unset means Google Chrome uses existing online revocation-checking settings.

Example value:
0x00000000 (Windows), false (Linux)
Windows (Intune):
<disabled/>
Back to top

RestrictAccountsToPatterns

Restrict accounts that are visible in Google Chrome
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Android restriction name:
RestrictAccountsToPatterns
Supported on:
  • Google Chrome (Android) since version 65
  • Google Chrome (iOS) since version 97
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Contains a list of patterns which are used to control the visibility of accounts in Google Chrome.

Each Google account on the device will be compared to patterns stored in this policy to determine the account visibility in Google Chrome. The account will be visible if its name matches any pattern on the list. Otherwise, the account will be hidden.

Use the wildcard character '*' to match zero or more arbitrary characters. The escape character is '\', so to match actual '*' or '\' characters, put a '\' in front of them.

If this policy is not set, all Google accounts on the device will be visible in Google Chrome.

Example value:
Android/Linux:
[ "*@example.com", "user@managedchrome.com" ]
Back to top

RestrictSigninToPattern

Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RestrictSigninToPattern
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RestrictSigninToPattern
Mac/Linux preference name:
RestrictSigninToPattern
Supported on:
  • Google Chrome (Linux) since version 21
  • Google Chrome (Mac) since version 21
  • Google Chrome (Windows) since version 21
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Contains a regular expression which is used to determine which Google accounts can be set as browser primary accounts in Google Chrome (i.e. the account that is chosen during the Sync opt-in flow).

An appropriate error is displayed if a user tries to set a browser primary account with a username that does not match this pattern.

If this policy is left not set or blank, then the user can set any Google account as a browser primary account in Google Chrome.

Example value:
".*@example\.com"
Windows (Intune):
<enabled/>
<data id="RestrictSigninToPattern" value=".*@example\\.com"/>
Back to top

RestrictedManagedGuestSessionExtensionCleanupExemptList

Configure the list of extension IDs exempt from the restricted managed guest session clean-up procedure
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\RestrictedManagedGuestSessionExtensionCleanupExemptList
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

The policy only applies to managed guest sessions. Setting the policy specifies a list of extension IDs that are exempt from the restricted managed guest session clean-up procedure (see DeviceRestrictedManagedGuestSessionEnabled). Leaving the policy unset means no extensions are exempt from the reset procedure.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\RestrictedManagedGuestSessionExtensionCleanupExemptList\1 = "abcdefghijklmnopabcdefghijklmnop" Software\Policies\Google\ChromeOS\RestrictedManagedGuestSessionExtensionCleanupExemptList\2 = "bcdefghijklmnopabcdefghijklmnopa"
Back to top

RoamingProfileLocation

Set the roaming profile directory
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RoamingProfileLocation
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RoamingProfileLocation
Mac/Linux preference name:
RoamingProfileLocation
Supported on:
  • Google Chrome (Windows) since version 57
  • Google Chrome (Mac) since version 88
  • Google Chrome (Linux) since version 88
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Configures the directory that Google Chrome will use for storing the roaming copy of the profiles.

If you set this policy, Google Chrome will use the provided directory to store the roaming copy of the profiles if the RoamingProfileSupportEnabled policy has been enabled. If the RoamingProfileSupportEnabled policy is disabled or left unset the value stored in this policy is not used.

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

On non-Windows platforms, this policy must be set for roaming profiles to work.

On Windows, if this policy is left unset, the default roaming profile path will be used.

Example value:
"${roaming_app_data}\chrome-profile"
Windows (Intune):
<enabled/>
<data id="RoamingProfileLocation" value="${roaming_app_data}\\chrome-profile"/>
Back to top

RoamingProfileSupportEnabled

Enable the creation of roaming copies for Google Chrome profile data
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\RoamingProfileSupportEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\RoamingProfileSupportEnabled
Mac/Linux preference name:
RoamingProfileSupportEnabled
Supported on:
  • Google Chrome (Windows) since version 57
  • Google Chrome (Mac) since version 88
  • Google Chrome (Linux) since version 88
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

If you enable this setting, the settings stored in Google Chrome profiles like bookmarks, autofill data, passwords, etc. will also be written to a file stored in the Roaming user profile folder or a location specified by the Administrator through the RoamingProfileLocation policy. Enabling this policy disables cloud sync.

If this policy is disabled or left not set only the regular local profiles will be used.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SSLErrorOverrideAllowed

Allow proceeding from the SSL warning page
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SSLErrorOverrideAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SSLErrorOverrideAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SSLErrorOverrideAllowed
Mac/Linux preference name:
SSLErrorOverrideAllowed
Android restriction name:
SSLErrorOverrideAllowed
Supported on:
  • Google Chrome (Linux) since version 44
  • Google Chrome (Mac) since version 44
  • Google Chrome (Windows) since version 44
  • Google ChromeOS (Google ChromeOS) since version 44
  • Google Chrome (Android) since version 44
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset lets users click through warning pages Google Chrome shows when users navigate to sites that have SSL errors.

Setting the policy to Disabled prevent users from clicking through any warning pages.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SSLErrorOverrideAllowedForOrigins

Allow proceeding from the SSL warning page on specific origins
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SSLErrorOverrideAllowedForOrigins
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SSLErrorOverrideAllowedForOrigins
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SSLErrorOverrideAllowedForOrigins
Mac/Linux preference name:
SSLErrorOverrideAllowedForOrigins
Android restriction name:
SSLErrorOverrideAllowedForOrigins
Supported on:
  • Google Chrome (Linux) since version 90
  • Google Chrome (Mac) since version 90
  • Google Chrome (Windows) since version 90
  • Google ChromeOS (Google ChromeOS) since version 90
  • Google Chrome (Android) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If SSLErrorOverrideAllowed is Disabled, setting the policy lets you set a list of origin patterns that specify the sites where a user can click through warning pages Google Chrome shows when users navigate to sites that have SSL errors. Users will not be able to click through SSL warning pages on origins that are not on this list.

If SSLErrorOverrideAllowed is Enabled or unset, this policy does nothing.

Leaving the policy unset means SSLErrorOverrideAllowed applies for all sites.

For detailed information on valid input patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy. This policy only matches based on origin, so any path in the URL pattern is ignored.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SSLErrorOverrideAllowedForOrigins\1 = "https://www.example.com" Software\Policies\Google\Chrome\SSLErrorOverrideAllowedForOrigins\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SSLErrorOverrideAllowedForOrigins\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\SSLErrorOverrideAllowedForOrigins\2 = "[*.]example.edu"
Android/Linux:
[ "https://www.example.com", "[*.]example.edu" ]
Mac:
<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>
Windows (Intune):
<enabled/>
<data id="SSLErrorOverrideAllowedForOriginsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;[*.]example.edu"/>
Back to top

SSLVersionMin

Minimum SSL version enabled
Data type:
String [Android:choice, Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SSLVersionMin
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SSLVersionMin
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SSLVersionMin
Mac/Linux preference name:
SSLVersionMin
Android restriction name:
SSLVersionMin
Supported on:
  • Google Chrome (Linux) since version 66
  • Google Chrome (Mac) since version 66
  • Google Chrome (Windows) since version 66
  • Google ChromeOS (Google ChromeOS) since version 66
  • Google Chrome (Android) since version 66
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to a valid value means Google Chrome won't use SSL/TLS versions less than the specified version. Unrecognized values are ignored.

If this policy is not set, then Google Chrome will show an error for TLS 1.0 and TLS 1.1, but the user will be able to bypass it.

If this policy is set to "tls1.2", the user will not be able to bypass this error.

Support for setting this policy to "tls1" or "tls1.1" was removed in version 91. Suppressing the TLS 1.0/1.1 warning is no longer supported.

  • "tls1" = TLS 1.0
  • "tls1.1" = TLS 1.1
  • "tls1.2" = TLS 1.2
Example value:
"tls1.2"
Windows (Intune):
<enabled/>
<data id="SSLVersionMin" value="tls1.2"/>
Back to top

SafeBrowsingForTrustedSourcesEnabled

Enable Safe Browsing for trusted sources
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SafeBrowsingForTrustedSourcesEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SafeBrowsingForTrustedSourcesEnabled
Supported on:
  • Google Chrome (Windows) since version 61
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset means downloaded files are sent to be analyzed by Safe Browsing, even when it's from a trusted source.

Setting the policy to Disabled means downloaded files won't be sent to be analyzed by Safe Browsing when it's from a trusted source.

These restrictions apply to downloads triggered from webpage content, as well as the Download link menu option. These restrictions don't apply to the save or download of the currently displayed page or to saving as PDF from the printing options.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Example value:
0x00000000 (Windows)
Windows (Intune):
<disabled/>
Back to top

SafeSitesFilterBehavior

Control SafeSites adult content filtering.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SafeSitesFilterBehavior
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SafeSitesFilterBehavior
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SafeSitesFilterBehavior
Mac/Linux preference name:
SafeSitesFilterBehavior
Supported on:
  • Google Chrome (Linux) since version 69
  • Google Chrome (Mac) since version 69
  • Google Chrome (Windows) since version 69
  • Google ChromeOS (Google ChromeOS) since version 69
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy controls the SafeSites URL filter, which uses the Google Safe Search API to classify URLs as pornographic or not.

When this policy is set to:

* Do not filter sites for adult content, or not set, sites aren't filtered

* Filter top level sites for adult content, pornographic sites are filtered

  • 0 = Do not filter sites for adult content
  • 1 = Filter top level sites (but not embedded iframes) for adult content
Example value:
0x00000000 (Windows), 0 (Linux), 0 (Mac)
Windows (Intune):
<enabled/>
<data id="SafeSitesFilterBehavior" value="0"/>
Back to top

SamlLockScreenOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via SAML can log in offline at the lock screen
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SamlLockScreenOfflineSigninTimeLimitDays
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 92
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

While logging in through the lock screen, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).

When this policy is set to -2, it will match the value of the login screen offline signin time limit which comes from SAMLOfflineSigninTimeLimit.

When the policy is unset or set to a value of -1, it will not enforce online authentication on the lock screen and will allow the user to use offline authentication unless a different reason than this policy enforces an online authentication.

If the policy is set to a value of 0, online authentication will always be required.

When this policy is set to any other value, it specifies the number of days since the last online authentication after which the user must use online authentication again in the next login through the lock screen.

This policy affects users who authenticated using SAML.

The policy value should be specified in days.

Restrictions:
  • Minimum:-2
  • Maximum:365
Example value:
0x00000020 (Windows)
Back to top

SandboxExternalProtocolBlocked

Allow Chrome to block navigations toward external protocols in sandboxed iframes
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SandboxExternalProtocolBlocked
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SandboxExternalProtocolBlocked
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SandboxExternalProtocolBlocked
Mac/Linux preference name:
SandboxExternalProtocolBlocked
Supported on:
  • Google Chrome (Linux) since version 96
  • Google Chrome (Mac) since version 96
  • Google Chrome (Windows) since version 96
  • Google ChromeOS (Google ChromeOS) since version 96
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Chrome will block navigations toward external protocols inside sandboxed iframe. See https://chromestatus.com/features/5680742077038592.

When True, this lets Chrome blocks those navigations.

When False, this prevents Chrome from blocking those navigations.

This defaults to True: security feature enabled.

This can be used by administrators who need more time to update their internal website affected by this new restriction. This Enterprise policy is temporary; it's intended to be removed after Google Chrome version 117.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SavingBrowserHistoryDisabled

Disable saving browser history
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SavingBrowserHistoryDisabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SavingBrowserHistoryDisabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SavingBrowserHistoryDisabled
Mac/Linux preference name:
SavingBrowserHistoryDisabled
Android restriction name:
SavingBrowserHistoryDisabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means browsing history is not saved, tab syncing is off and users can't change this setting.

Setting the policy to Disabled or leaving it unset saves browsing history.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SchedulerConfiguration

Select task scheduler configuration
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SchedulerConfiguration
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 74
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy instructs Google Chrome OS to use the task scheduler configuration identified by the specified name. This policy can be set to Conservative or Performance, which tune the task scheduler for stability or maximum performance, respectively.

If unset, users make their own choice.

  • "conservative" = Optimize for stability.
  • "performance" = Optimize for performance.
Example value:
"performance"
Back to top

ScrollToTextFragmentEnabled

Enable scrolling to text specified in URL fragments
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ScrollToTextFragmentEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ScrollToTextFragmentEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ScrollToTextFragmentEnabled
Mac/Linux preference name:
ScrollToTextFragmentEnabled
Android restriction name:
ScrollToTextFragmentEnabled
Supported on:
  • Google Chrome (Linux) since version 83
  • Google Chrome (Mac) since version 83
  • Google Chrome (Windows) since version 83
  • Google ChromeOS (Google ChromeOS) since version 83
  • Google Chrome (Android) since version 83
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

This feature allows for hyperlinks and address bar URL navigations to target specific text within a web page, which will be scrolled to once the loading of the web page is complete.

If you enable or don't configure this policy, web page scrolling to specific text fragments via URL will be enabled.

If you disable this policy, web page scrolling to specific text fragments via URL will be disabled.

Example value:
0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

SearchSuggestEnabled

Enable search suggestions
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SearchSuggestEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SearchSuggestEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SearchSuggestEnabled
Mac/Linux preference name:
SearchSuggestEnabled
Android restriction name:
SearchSuggestEnabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True turns on search suggestions in Google Chrome's address bar. Setting the policy to False turns off these search suggestions.

Suggestions based on bookmarks or history are unaffected by the policy.

If you set the policy, users can't change it. If not set, search suggestions are on at first, but users can turn them off any time.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SecondaryGoogleAccountSigninAllowed

Allow Sign-in To Additional Google Accounts
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SecondaryGoogleAccountSigninAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 65
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

This setting allows users to switch between Google Accounts within the content area of their browser window and in Android applications, after they sign into their Google Chrome OS device.

If this policy is set to false, signing in to a different Google Account from a non-Incognito browser content area and Android applications will not be allowed.

If this policy is unset or set to true, the default behavior will be used: signing in to a different Google Account from the browser content area and Android applications will be allowed, except for child accounts where it will be blocked for non-Incognito content area.

In case signing in to a different account shouldn't be allowed via the Incognito mode, consider blocking that mode using the IncognitoModeAvailability policy.

Note that users will be able to access Google services in an unauthenticated state by blocking their cookies.

Example value:
0x00000000 (Windows)
Back to top

SecurityKeyPermitAttestation

URLs/domains automatically permitted direct Security Key attestation
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SecurityKeyPermitAttestation
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SecurityKeyPermitAttestation
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SecurityKeyPermitAttestation
Mac/Linux preference name:
SecurityKeyPermitAttestation
Supported on:
  • Google Chrome (Linux) since version 65
  • Google Chrome (Mac) since version 65
  • Google Chrome (Windows) since version 65
  • Google ChromeOS (Google ChromeOS) since version 65
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies URLs and domains for which no prompt appears when attestation certificates from Security Keys are requested. A signal is also sent to the Security Key indicating that individual attestation may be used. Without this, when sites request attestation of Security Keys, users are prompted in Google Chrome version 65 and later.

URLs will only match as U2F appIDs. Domains only match as webauthn RP IDs. So to cover both U2F and webauthn APIs, list the appID URL and domain for a given site.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SecurityKeyPermitAttestation\1 = "https://example.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SecurityKeyPermitAttestation\1 = "https://example.com"
Android/Linux:
[ "https://example.com" ]
Mac:
<array> <string>https://example.com</string> </array>
Windows (Intune):
<enabled/>
<data id="SecurityKeyPermitAttestationDesc" value="1&#xF000;https://example.com"/>
Back to top

SecurityTokenSessionBehavior

Action on security token removal (e.g., smart card) for Google Chrome OS.
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SecurityTokenSessionBehavior
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Specifies what happens when a user who is authenticating via a security token (e.g., with a smart card) removes that token while in a session. IGNORE: Nothing happens. LOCK: The screen is locked until the user authenticates again. LOGOUT: The session is ended and the user is logged out. If this policy is not set, it defaults to IGNORE.

  • "IGNORE" = No action happens.
  • "LOGOUT" = Log the user out.
  • "LOCK" = Lock the current session.
Example value:
"LOGOUT"
Back to top

SecurityTokenSessionNotificationSeconds

Duration of the notification on smart card removal for Google Chrome OS.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SecurityTokenSessionNotificationSeconds
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

This policy only takes effect when the policy SecurityTokenSessionBehavior is set to LOCK or LOGOUT, and a user who authenticates via a smart card removes that smart card. Then, this policy specifies for how many seconds a notification which informs the user of the impending action is displayed. This notification is blocking the screen. The action will only happen after this notification expires. The user can prevent the action from happening by re-inserting the smart card before the notification expires. If this policy is set to zero, no notification will be displayed and the action happens immediately.

Restrictions:
  • Minimum:0
  • Maximum:9999
Example value:
0x0000000a (Windows)
Back to top

SessionLengthLimit

Limit the length of a user session
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SessionLengthLimit
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 25
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

When this policy is set, it specifies the length of time after which a user is automatically logged out, terminating the session. The user is informed about the remaining time by a countdown timer shown in the system tray.

When this policy is not set, the session length is not limited.

If you set this policy, users cannot change or override it.

The policy value should be specified in milliseconds. Values are clamped to a range of 30 seconds to 24 hours.

Example value:
0x0036ee80 (Windows)
Back to top

SessionLocales

Set the recommended locales for a managed session
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SessionLocales
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 38
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy (as recommended only) moves recommended locales for a managed session to the top of the list, in the order in which they appear in the policy. The first recommended locale is preselected.

If not set, the current UI locale is preselected.

For more than one recommended locale, the assumption is that users want to choose among these locales. Locale and keyboard layout selection is prominent when starting a managed session. Otherwise, the assumption is that most users want the preselected locale. Locale and keyboard layout selection is less prominent when starting a managed session.

If you set the policy and turn automatic sign-in on (see the DeviceLocalAccountAutoLoginId and DeviceLocalAccountAutoLoginDelay policies), the managed session uses the first recommended locale and the most popular matching keyboard layout.

The preselected keyboard layout is always the most popular layout matching the preselected locale. Users can always choose any locale supported by Google Chrome OS for their session.

Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SessionLocales\1 = "de" Software\Policies\Google\ChromeOS\SessionLocales\2 = "fr"
Back to top

SetTimeoutWithout1MsClampEnabled

Control Javascript setTimeout() function minimum timeout.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SetTimeoutWithout1MsClampEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SetTimeoutWithout1MsClampEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SetTimeoutWithout1MsClampEnabled
Mac/Linux preference name:
SetTimeoutWithout1MsClampEnabled
Android restriction name:
SetTimeoutWithout1MsClampEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 101 until version 104
  • Google Chrome (Linux) since version 101 until version 104
  • Google Chrome (Mac) since version 101 until version 104
  • Google Chrome (Windows) since version 101 until version 104
  • Google Chrome (Android) since version 101 until version 104
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

When the policy is set to Enabled, the Javascript setTimeout() with a timeout of 0ms will not clamp to 1ms. When the policy is set to Disabled, the Javascript setTimeout() with a timeout of 0ms will clamp to 1ms. When the policy is unset, use the browser's default behavior for setTimeout() function clamp.

This is a web standards compliant feature, but it may change task ordering on a web page, leading to unexpected behavior on sites that are dependent on a certain ordering in some way. It also may affect sites with a lot of setTimeout() with a timeout of 0ms usage, e.g. increasing CPU load.

For users where this policy is unset, Chrome will roll out the change gradually on the stable channel.

This is a temporary policy that is planned be removed in Chrome 105. This deadline may be extended if there is a need for it among enterprises.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SharedArrayBufferUnrestrictedAccessAllowed

Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SharedArrayBufferUnrestrictedAccessAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SharedArrayBufferUnrestrictedAccessAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SharedArrayBufferUnrestrictedAccessAllowed
Mac/Linux preference name:
SharedArrayBufferUnrestrictedAccessAllowed
Supported on:
  • Google Chrome (Linux) since version 91
  • Google Chrome (Mac) since version 91
  • Google Chrome (Windows) since version 91
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context. Google Chrome will require cross-origin isolation when using SharedArrayBuffers from Google Chrome 91 onward (2021-05-25) for Web Compatibility reasons. Additional details can be found on: https://developer.chrome.com/blog/enabling-shared-array-buffer/.

When set to Enabled, sites can use SharedArrayBuffer with no restrictions.

When set to Disabled or not set, sites can only use SharedArrayBuffers when cross-origin isolated.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

SharedClipboardEnabled

Enable the Shared Clipboard Feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SharedClipboardEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SharedClipboardEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SharedClipboardEnabled
Mac/Linux preference name:
SharedClipboardEnabled
Android restriction name:
SharedClipboardEnabled
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
  • Google Chrome (Android) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Enable the Shared Clipboard feature which allows users to send text between Chrome Desktops and an Android device when Sync is enabled and the user is Signed-in.

If this policy is set to true, the capability of sending text, cross device, for chrome user is enabled.

If this policy is set to false, the capability of sending text, cross device, for chrome user is disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the shared clipboard feature is enabled by default.

It is up to the admins to set policies in all platforms they care about. It's recommended to set this policy to one value in all platforms.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

ShelfAlignment

Control the shelf position
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ShelfAlignment
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Control the position of the Google Chrome OS shelf.

If this policy is set to 'Bottom', the shelf will be placed at the bottom of the screen.

If this policy is set to 'Left', the shelf will be placed on the left side of the screen.

If this policy is set to 'Right', the shelf will be placed on the right side of the screen.

If you set this policy as mandatory, users cannot change or override it.

If the policy is left not set, the shelf will be be positioned at the bottom of the screen by default and the user can change the shelf's position.

  • "Left" = Position the shelf on the left side of the screen
  • "Bottom" = Position the shelf at the bottom of the screen
  • "Right" = Position the shelf on the right side of the screen
Example value:
"Bottom"
Back to top

ShelfAutoHideBehavior

Control shelf auto-hiding
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ShelfAutoHideBehavior
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 25
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Always will autohide the Google Chrome OS shelf. Setting the policy to Never ensures the shelf never autohides.

If you set the policy, users can't change it. If not set, users decide whether the shelf autohides.

  • "Always" = Always auto-hide the shelf
  • "Never" = Never auto-hide the shelf
Example value:
"Always"
Back to top

ShowAppsShortcutInBookmarkBar

Show the apps shortcut in the bookmark bar
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ShowAppsShortcutInBookmarkBar
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ShowAppsShortcutInBookmarkBar
Mac/Linux preference name:
ShowAppsShortcutInBookmarkBar
Supported on:
  • Google Chrome (Linux) since version 37
  • Google Chrome (Mac) since version 37
  • Google Chrome (Windows) since version 37
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True displays the apps shortcut. Setting the policy to False means this shortcut never appears.

If you set the policy, users can't change it. If not set, users decide to show or hide the apps shortcut from the bookmark bar context menu.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

ShowFullUrlsInAddressBar

Show Full URLs
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ShowFullUrlsInAddressBar
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ShowFullUrlsInAddressBar
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ShowFullUrlsInAddressBar
Mac/Linux preference name:
ShowFullUrlsInAddressBar
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This feature enables display of the full URL in the address bar. If this policy is set to True, then the full URL will be shown in the address bar, including schemes and subdomains. If this policy is set to False, then the default URL display will apply. If this policy is left unset, then the default URL display will apply and the user will be able to toggle between default and full URL display with a context menu option.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

ShowLogoutButtonInTray

Add a logout button to the system tray
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\ShowLogoutButtonInTray
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 25
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True displays a big, red sign-out button in the system tray during active sessions while the screen isn't locked.

Setting the policy to False or leaving it unset means no button appears.

Example value:
0x00000001 (Windows)
Back to top

SideSearchEnabled

Allow showing the most recent default search engine results page in a Browser side panel
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SideSearchEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SideSearchEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SideSearchEnabled
Mac/Linux preference name:
SideSearchEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 96
  • Google Chrome (Linux) since version 101
  • Google Chrome (Mac) since version 101
  • Google Chrome (Windows) since version 101
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving the policy unset means that users can bring up their most recent default search engine results page in a side panel via toggling an icon in the toolbar.

Setting the policy to Disabled removes the icon from the toolbar that opens the side panel with the default search engine results page.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

SignedHTTPExchangeEnabled

Enable Signed HTTP Exchange (SXG) support
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SignedHTTPExchangeEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SignedHTTPExchangeEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SignedHTTPExchangeEnabled
Mac/Linux preference name:
SignedHTTPExchangeEnabled
Supported on:
  • Google Chrome (Linux) since version 75
  • Google Chrome (Mac) since version 75
  • Google Chrome (Windows) since version 75
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True or leaving it unset means Google Chrome will accept web contents served as Signed HTTP Exchanges.

Setting the policy to False prevents Signed HTTP Exchanges from loading.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SigninAllowed (Deprecated)

Allow sign in to Google Chrome
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SigninAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SigninAllowed
Mac/Linux preference name:
SigninAllowed
Android restriction name:
SigninAllowed
Supported on:
  • Google Chrome (Linux) since version 27
  • Google Chrome (Mac) since version 27
  • Google Chrome (Windows) since version 27
  • Google Chrome (Android) since version 38
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy is deprecated, consider using BrowserSignin instead.

Allows the user to sign in to Google Chrome.

If you set this policy, you can configure whether a user is allowed to sign in to Google Chrome. Setting this policy to 'False' will prevent apps and extensions that use the chrome.identity API from functioning, so you may want to use SyncDisabled instead.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SigninInterceptionEnabled

Enable signin interception
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SigninInterceptionEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SigninInterceptionEnabled
Mac/Linux preference name:
SigninInterceptionEnabled
Supported on:
  • Google Chrome (Linux) since version 89
  • Google Chrome (Mac) since version 89
  • Google Chrome (Windows) since version 89
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

This settings enables or disables signin interception.

When this policy not set or is enabled, the signin interception dialog triggers when a Google account is added on the web, and the user may benefit from moving this account to another (new or existing) profile.

When this is disabled, the signin interception dialog does not trigger. When this is disabled, a dialog will still be shown if managed account profile separation is enforced by ManagedAccountsSigninRestriction.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SitePerProcess

Require Site Isolation for every site
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SitePerProcess
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SitePerProcess
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SitePerProcess
Mac/Linux preference name:
SitePerProcess
Supported on:
  • Google Chrome (Linux) since version 63
  • Google Chrome (Mac) since version 63
  • Google Chrome (Windows) since version 63
  • Google ChromeOS (Google ChromeOS) since version 63
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Since Google Chrome 67, site isolation has been enabled by default on all Desktop platforms, causing every site to run in its own process. A site is a scheme plus eTLD+1 (e.g., https://example.com). Setting this policy to Enabled does not change that behavior; it only prevents users from opting out (for example, using Disable site isolation in chrome://flags). Since Google Chrome 76, setting the policy to Disabled or leaving it unset doesn't turn off site isolation, but instead allows users to opt out.

IsolateOrigins might also be useful for isolating specific origins at a finer granularity than site (e.g., https://a.example.com).

On Google Chrome OS version 76 and earlier, set the DeviceLoginScreenSitePerProcess device policy to the same value. (If the values don't match, a delay can occur when entering a user session.)

Note: For Android, use the SitePerProcessAndroid policy instead.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SitePerProcessAndroid

Enable Site Isolation for every site
Data type:
Boolean
Android restriction name:
SitePerProcessAndroid
Supported on:
  • Google Chrome (Android) since version 68
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled isolates all sites on Android, such that each site runs in its own process, and it prevents users from opting out. A site is a scheme plus eTLD+1 (e.g., https://example.com). Note that Android isolates certain sensitive sites by default starting in Google Chrome version 77, and this policy extends that default site isolation mode to apply to all sites.

Setting the policy to Disabled turns off any form of site isolation, including isolation of sensitive sites and field trials of IsolateOriginsAndroid, SitePerProcessAndroid, and other site isolation modes. Users can still turn the policy on manually.

Leaving the policy unset means users can change this setting.

IsolateOriginsAndroid might also be useful for isolating specific origins at a finer granularity than site (e.g., https://a.example.com).

Note: Support for isolating every site on Android will improve, but currently it may cause performance problems, especially on low-end devices. This policy applies only to Chrome on Android running on devices with strictly more than 1 GB of RAM. To isolate specific sites while limiting performance impact for users, use IsolateOriginsAndroid with a list of the sites you want to isolate. To apply the policy on non-Android platforms, use SitePerProcess.

Example value:
true (Android)
Back to top

SmartLockSigninAllowed

Allow Smart Lock Signin to be used.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SmartLockSigninAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this setting is enabled, users will be allowed to sign into their account with Smart Lock. This is more permissive than usual Smart Lock behavior which only allows users to unlock their screen.

If this setting is disabled, users will not be allowed to use Smart Lock Signin.

If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.

Example value:
0x00000001 (Windows)
Back to top

SmsMessagesAllowed

Allow SMS Messages to be synced from phone to Chromebook.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SmsMessagesAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled lets users set up their devices to sync their text messages to Chromebooks. Users must explicitly opt in to this feature by completing a setup flow. On completion, users can send and receive texts on their Chromebooks.

Setting the policy to Disabled means users can't set up text syncing.

Leaving the policy unset means that by default, the feature isn't allowed for managed users but is allowed for other users.

Example value:
0x00000001 (Windows)
Back to top

SpellCheckServiceEnabled

Enable or disable spell checking web service
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SpellCheckServiceEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SpellCheckServiceEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SpellCheckServiceEnabled
Mac/Linux preference name:
SpellCheckServiceEnabled
Supported on:
  • Google Chrome (Linux) since version 22
  • Google Chrome (Mac) since version 22
  • Google Chrome (Windows) since version 22
  • Google ChromeOS (Google ChromeOS) since version 22
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled puts a Google web service in use to help resolve spelling errors. This policy only controls the use of the online service. Setting the policy to Disabled means this service is never used.

Leaving the policy unset lets users choose whether to use the spellcheck service.

The spell check can always use a downloaded dictionary locally unless the feature is disabled by SpellcheckEnabled in which case this policy will have no effect.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

SpellcheckEnabled

Enable spellcheck
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SpellcheckEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SpellcheckEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SpellcheckEnabled
Mac/Linux preference name:
SpellcheckEnabled
Supported on:
  • Google Chrome (Linux) since version 65
  • Google Chrome (Mac) since version 65
  • Google Chrome (Windows) since version 65
  • Google ChromeOS (Google ChromeOS) since version 65
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled turns spellcheck on, and users can't turn it off. On Microsoft® Windows®, Google Chrome OS and Linux®, spellcheck languages can be switched on or off individually, so users can still turn spellcheck off by switching off every spellcheck language. To avoid that, use the SpellcheckLanguage to force-enable specific spellcheck languages.

Setting the policy to Disabled turns off spellcheck from all sources, and users can't turn it on. The SpellCheckServiceEnabled, SpellcheckLanguage and SpellcheckLanguageBlocklist policies have no effect when this policy is set to False.

Leaving the policy unset lets users turn spellcheck on or off in the language settings.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

SpellcheckLanguage

Force enable spellcheck languages
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SpellcheckLanguage
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SpellcheckLanguage
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SpellcheckLanguage
Mac/Linux preference name:
SpellcheckLanguage
Supported on:
  • Google Chrome (Windows) since version 65
  • Google Chrome (Linux) since version 65
  • Google ChromeOS (Google ChromeOS) since version 65
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Force-enables spellcheck languages. Unrecognized languages in the list will be ignored.

If you enable this policy, spellcheck will be enabled for the languages specified, in addition to the languages for which the user has enabled spellcheck.

If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.

If the SpellcheckEnabled policy is set to false, this policy will have no effect.

If a language is included in both this policy and the SpellcheckLanguageBlocklist policy, this policy is prioritized and the spellcheck language is enabled.

The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SpellcheckLanguage\1 = "fr" Software\Policies\Google\Chrome\SpellcheckLanguage\2 = "es"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SpellcheckLanguage\1 = "fr" Software\Policies\Google\ChromeOS\SpellcheckLanguage\2 = "es"
Android/Linux:
[ "fr", "es" ]
Windows (Intune):
<enabled/>
<data id="SpellcheckLanguageDesc" value="1&#xF000;fr&#xF000;2&#xF000;es"/>
Back to top

SpellcheckLanguageBlocklist

Force disable spellcheck languages
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SpellcheckLanguageBlocklist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SpellcheckLanguageBlocklist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SpellcheckLanguageBlocklist
Mac/Linux preference name:
SpellcheckLanguageBlocklist
Supported on:
  • Google Chrome (Windows) since version 86
  • Google Chrome (Linux) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Force-disables spellcheck languages. Unrecognized languages in that list will be ignored.

If you enable this policy, spellcheck will be disabled for the languages specified. The user can still enable or disable spellcheck for languages not in the list.

If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.

If the SpellcheckEnabled policy is set to false, this policy will have no effect.

If a language is included in both this policy and the SpellcheckLanguage policy, the latter is prioritized and the spellcheck language will be enabled.

The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SpellcheckLanguageBlocklist\1 = "fr" Software\Policies\Google\Chrome\SpellcheckLanguageBlocklist\2 = "es"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SpellcheckLanguageBlocklist\1 = "fr" Software\Policies\Google\ChromeOS\SpellcheckLanguageBlocklist\2 = "es"
Android/Linux:
[ "fr", "es" ]
Windows (Intune):
<enabled/>
<data id="SpellcheckLanguageBlocklistDesc" value="1&#xF000;fr&#xF000;2&#xF000;es"/>
Back to top

StartupBrowserWindowLaunchSuppressed

Suppress launching of browser window
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\StartupBrowserWindowLaunchSuppressed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 76
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Setting the policy to True prevents the browser window from launching at the start of the session.

Setting the policy to False or leaving it unset allows the window to launch.

Note: The browser window might not launch due to other policies or command-line flags.

Example value:
0x00000001 (Windows)
Back to top

StricterMixedContentTreatmentEnabled (Deprecated)

Enable stricter treatment for mixed content
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\StricterMixedContentTreatmentEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\StricterMixedContentTreatmentEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\StricterMixedContentTreatmentEnabled
Mac/Linux preference name:
StricterMixedContentTreatmentEnabled
Supported on:
  • Google Chrome (Linux) since version 80
  • Google Chrome (Mac) since version 80
  • Google Chrome (Windows) since version 80
  • Google ChromeOS (Google ChromeOS) since version 80
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy has been removed as of M85, please use InsecureContentAllowedForUrls to allow insecure content on a per-site basis instead. This policy controls the treatment for mixed content (HTTP content in HTTPS sites) in the browser. If the policy is set to true or unset, audio and video mixed content will be autoupgraded to HTTPS (i.e. the URL will be rewritten as HTTPS, without a fallback if the resource is not available over HTTPS) and a 'Not Secure' warning will be shown in the URL bar for image mixed content. If the policy is set to false, autoupgrades will be disabled for audio and video, and no warning will be shown for images. This policy does not affect other types of mixed content other than audio, video, and images. This policy will no longer take effect starting in Google Chrome 84.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SuggestLogoutAfterClosingLastWindow

Display the logout confirmation dialog
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SuggestLogoutAfterClosingLastWindow
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 92
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

The policy only applies to managed guest sessions. Setting the policy to True or leaving it unset will show a dialog asking the user to confirm or deny logout when the last window is closed. Setting the policy to False will prevent the dialog from being displayed and therefore also disables auto-logout after closing the last window.

Example value:
0x00000001 (Windows)
Back to top

SuppressDifferentOriginSubframeDialogs

Suppress JavaScript Dialogs triggered from different origin subframes
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SuppressDifferentOriginSubframeDialogs
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SuppressDifferentOriginSubframeDialogs
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SuppressDifferentOriginSubframeDialogs
Mac/Linux preference name:
SuppressDifferentOriginSubframeDialogs
Android restriction name:
SuppressDifferentOriginSubframeDialogs
Supported on:
  • Google Chrome (Linux) since version 91
  • Google Chrome (Mac) since version 91
  • Google Chrome (Windows) since version 91
  • Google ChromeOS (Google ChromeOS) since version 91
  • Google Chrome (Android) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

As described in https://www.chromestatus.com/feature/5148698084376576 , JavaScript modal dialogs, triggered by window.alert, window.confirm, and window.prompt, will be blocked in Google Chrome if triggered from a subframe whose origin is different from the main frame origin. This policy allows overriding that change. If the policy is set to enabled or unset, JavaScript dialogs triggered from a different origin subframe will be blocked. If the policy is set to disabled, JavaScript dialogs triggered from a different origin subframe will not be blocked.

This policy will be removed in Google Chrome version 95.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SuppressUnsupportedOSWarning

Suppress the unsupported OS warning
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SuppressUnsupportedOSWarning
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SuppressUnsupportedOSWarning
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SuppressUnsupportedOSWarning
Mac/Linux preference name:
SuppressUnsupportedOSWarning
Supported on:
  • Google Chrome (Linux) since version 49
  • Google Chrome (Mac) since version 49
  • Google Chrome (Windows) since version 49
  • Google ChromeOS (Google ChromeOS) since version 49
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled suppresses the warning that appears when Google Chrome is running on an unsupported computer or operating system.

Setting the policy to Disabled or leaving it unset means the warnings appear on unsupported systems.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SyncDisabled

Disable synchronization of data with Google
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SyncDisabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SyncDisabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SyncDisabled
Mac/Linux preference name:
SyncDisabled
Supported on:
  • Google Chrome (Linux) since version 8
  • Google Chrome (Mac) since version 8
  • Google Chrome (Windows) since version 8
  • Google ChromeOS (Google ChromeOS) since version 11
  • Google Chrome (iOS) since version 96
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled turns off data synchronization in Google Chrome using Google-hosted synchronization services. To fully turn off Chrome Sync services, we recommend that you turn off the service in the Google Admin console.

If the policy is set to Disabled or not set, users are allowed to choose whether to use Chrome Sync.

Note: Do not turn on this policy when RoamingProfileSupportEnabled is Enabled, because that feature shares the same client-side functionality. The Google-hosted synchronization is off completely in this case.

Note for Google Chrome OS devices supporting Android apps:

Disabling Chrome Sync will cause Android Backup and Restore to not function properly.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

SyncTypesListDisabled

List of types that should be excluded from synchronization
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\SyncTypesListDisabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\SyncTypesListDisabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SyncTypesListDisabled
Mac/Linux preference name:
SyncTypesListDisabled
Android restriction name:
SyncTypesListDisabled
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google Chrome (Android) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
  • Google Chrome (iOS) since version 97
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

If this policy is set all specified data types will be excluded from synchronization both for Chrome Sync as well as for roaming profile synchronization. This can be beneficial to reduce the size of the roaming profile or limit the type of data uploaded to the Chrome Sync Servers.

The current data types for this policy are: "bookmarks", "readingList", "preferences", "passwords", "autofill", "themes", "typedUrls", "extensions", "apps", "tabs", "wifiConfigurations". Those names are case sensitive!

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\SyncTypesListDisabled\1 = "bookmarks"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SyncTypesListDisabled\1 = "bookmarks"
Android/Linux:
[ "bookmarks" ]
Mac:
<array> <string>bookmarks</string> </array>
Windows (Intune):
<enabled/>
<data id="SyncTypesListDisabledDesc" value="1&#xF000;bookmarks"/>
Back to top

SystemFeaturesDisableList

Configure the camera, browser settings, os settings, scanning, web store, canvas, explore and crosh features to be disabled
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SystemFeaturesDisableList
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 84
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Allows you to set a list of Google Chrome OS features to be disabled.

Disabling any of these features means that the user can't access it from the UI and will see it as "disabled by admin". The user experience of disabled features is decided by SystemFeaturesDisableMode

If the policy is left not set, all Google Chrome OS features will be enabled by default and the user can use any of them.

Note: The scanning feature is currently disabled by default via a feature flag. If the user enables the feature via the feature flag, the feature can still be disabled by this policy.

  • "browser_settings" = Browser Settings
  • "os_settings" = OS Settings
  • "camera" = Camera
  • "scanning" = Scanning (supported since version 87)
  • "web_store" = Web Store (supported since version 89)
  • "canvas" = Canvas (supported since version 90)
  • "google_news" = Unsupported
  • "explore" = Explore (supported since version 91)
  • "crosh" = Crosh (supported since version 99)
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SystemFeaturesDisableList\1 = "camera" Software\Policies\Google\ChromeOS\SystemFeaturesDisableList\2 = "browser_settings" Software\Policies\Google\ChromeOS\SystemFeaturesDisableList\3 = "os_settings" Software\Policies\Google\ChromeOS\SystemFeaturesDisableList\4 = "scanning" Software\Policies\Google\ChromeOS\SystemFeaturesDisableList\5 = "web_store" Software\Policies\Google\ChromeOS\SystemFeaturesDisableList\6 = "canvas"
Back to top

SystemFeaturesDisableMode

Set the user experience of disabled features
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SystemFeaturesDisableMode
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls the user experience of disabled features listed in SystemFeaturesDisableList.

If this policy is set to "blocked", the disabled features will become unusable but still visible to users.

If this policy is set to "hidden", the disabled features will become unusable and invisible to users.

If this policy is left unset or has an invalid value, the disable mode of system features will be "blocked".

  • "blocked" = Block the disabled features
  • "hidden" = Hide and block the disabled features
Example value:
"blocked"
Back to top

SystemProxySettings

Configures System-proxy service for Google Chrome OS.
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\SystemProxySettings
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Configures the availability of System-proxy service and the proxy credentials for system services. If the policy is not set, System-proxy service will not be available.

Schema:
{ "properties": { "policy_credentials_auth_schemes": { "description": "The authentication schemes for which the policy credentials can be applied. Can be one of:\n * basic\n * digest\n * ntlm\n Leaving this option empty will allow all three schemes to be used.", "items": { "enum": [ "basic", "digest", "ntlm" ], "type": "string" }, "type": "array" }, "system_proxy_enabled": { "type": "boolean" }, "system_services_password": { "description": "The password for authenticating system services to the remote web proxy.", "sensitiveValue": true, "type": "string" }, "system_services_username": { "description": "The username for authenticating system services to the remote web proxy.", "sensitiveValue": true, "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\SystemProxySettings = { "policy_credentials_auth_schemes": [ "basic", "ntlm" ], "system_proxy_enabled": true, "system_services_password": "0000", "system_services_username": "test_user" }
Back to top

TaskManagerEndProcessEnabled

Enable ending processes in Task Manager
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\TaskManagerEndProcessEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\TaskManagerEndProcessEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\TaskManagerEndProcessEnabled
Mac/Linux preference name:
TaskManagerEndProcessEnabled
Supported on:
  • Google Chrome (Linux) since version 52
  • Google Chrome (Mac) since version 52
  • Google Chrome (Windows) since version 52
  • Google ChromeOS (Google ChromeOS) since version 52
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Disabled prevents users from ending processes in the Task Manager.

Setting the policy to Enabled or leaving it unset lets users end processes in the Task Manager.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

TermsOfServiceURL

Set the Terms of Service for a device-local account
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\TermsOfServiceURL
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 26
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy means Google Chrome OS downloads the Terms of Service and presents them to users whenever a device-local account session starts. Users can only sign in to the session after accepting the Terms of Service.

Leaving the policy unset means no Terms of Service appear.

The policy should be set to a URL from which Google Chrome OS can download the Terms of Service. The Terms of Service must be plain text, served as MIME type text/plain. No markup is allowed.

Example value:
"https://www.example.com/terms_of_service.txt"
Back to top

ThirdPartyBlockingEnabled

Enable third party software injection blocking
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\ThirdPartyBlockingEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\ThirdPartyBlockingEnabled
Supported on:
  • Google Chrome (Windows) since version 65
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset prevents third-party software from injecting executable code into Google Chrome's processes.

Setting the policy to Disabled allows this software to inject such code into Google Chrome's processes.

Example value:
0x00000000 (Windows)
Windows (Intune):
<disabled/>
Back to top

TosDialogBehavior

Configuring the ToS behavior during first-run for CCT
Data type:
Integer [Android:choice]
Android restriction name:
TosDialogBehavior
Supported on:
  • Google Chrome (Android) since version 87
Supported features:
Dynamic Policy Refresh: No, Per Profile: No, Platform Only: Yes
Description:

By default the Terms of Service are shown when CCT is first-run. Setting this policy to SkipTosDialog will cause the Terms of Service dialog to not appear during the first-run-experience or subsequent runs. Setting this policy to StandardTosDialog or leaving it unset will cause the Terms of Service dialog to appear during the first-run-experience. The other caveats are:

- This policy only works on fully managed Android devices that can be configured by Unified Endpoint Management vendors.

- If this policy is SkipTosDialog the BrowserSignin policy will have no effect.

- If this policy is SkipTosDialog metrics​ will not be sent to the server.

- If this policy is SkipTosDialog the browser will have limited functionality.

- If this policy is SkipTosDialog admins must communicate this to end users of the device.

  • 1 = Use default browser behavior, shows the ToS and waits for the user to accept.
  • 2 = Automatically skips ToS and loads the browser.
Example value:
2 (Android)
Back to top

TotalMemoryLimitMb

Set limit on megabytes of memory a single Chrome instance can use.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\TotalMemoryLimitMb
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\TotalMemoryLimitMb
Mac/Linux preference name:
TotalMemoryLimitMb
Supported on:
  • Google Chrome (Windows) since version 79
  • Google Chrome (Mac) since version 79
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Configures the amount of memory that a single Google Chrome instance can use before tabs start being discarded (I.E. the memory used by the tab will be freed and the tab will have to be reloaded when switched to) to save memory.

If the policy is set, browser will begin to discard tabs to save memory once the limitation is exceeded. However, there is no guarantee that the browser is always running under the limit. Any value under 1024 will be rounded up to 1024.

If this policy is not set, the browser will only begin attempts to save memory once it has detected that the amount of physical memory on its machine is low.

Restrictions:
  • Minimum:1024
Example value:
0x00000800 (Windows), 2048 (Mac)
Windows (Intune):
<enabled/>
<data id="TotalMemoryLimitMb" value="2048"/>
Back to top

TouchVirtualKeyboardEnabled

Enable virtual keyboard
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\TouchVirtualKeyboardEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 37
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Controls the on-screen keyboard, acting as a supplementary policy to the VirtualKeyboardEnabled policy.

If the VirtualKeyboardEnabled policy is True or if the Enable on-screen keyboard ChromeOS setting is on, this policy has no effect.

If the VirtualKeyboardEnabled policy is False or not set and the Enable on-screen keyboard ChromeOS setting is off, this policy has the following effect: If this policy is not set, the on-screen keyboard is displayed when the device is in tablet mode. If this policy is set to True, the on-screen keyboard is always displayed. If this policy is set to False, the on-screen keyboard is never displayed.

The on-screen keyboard may change to a compact layout depending on the input method.

If you set the policy, users can't change it.

Example value:
0x00000000 (Windows)
Back to top

TranslateEnabled

Enable Translate
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\TranslateEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\TranslateEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\TranslateEnabled
Mac/Linux preference name:
TranslateEnabled
Android restriction name:
TranslateEnabled
Supported on:
  • Google Chrome (Linux) since version 12
  • Google Chrome (Mac) since version 12
  • Google Chrome (Windows) since version 12
  • Google ChromeOS (Google ChromeOS) since version 12
  • Google Chrome (Android) since version 30
  • Google Chrome (iOS) since version 88
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to True provides translation functionality when it's appropriate for users by showing an integrated translate toolbar in Google Chrome and a translate option on the right-click context menu. Setting the policy to False shuts off all built-in translate features.

If you set the policy, users can't change this function. Leaving it unset lets them change the setting.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

U2fSecurityKeyApiEnabled (Deprecated)

Allow using the deprecated U2F Security Key API
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\U2fSecurityKeyApiEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\U2fSecurityKeyApiEnabled
Mac/Linux preference name:
U2fSecurityKeyApiEnabled
Supported on:
  • Google Chrome (Linux) since version 96 until version 103
  • Google Chrome (Mac) since version 96 until version 103
  • Google Chrome (Windows) since version 96 until version 103
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If set to Enabled, the deprecated U2F Security Key API can be used and the deprecation reminder prompt shown for U2F API requests is suppressed.

If the policy is set to Disabled or left unset, the default behavior will apply.

The U2F Security Key API is deprecated and it will be disabled by default in Chrome 98.

This is a temporary opt-out mechanism. The U2F API will be removed from Chrome in Chrome 104, at which point this policy will cease to be supported.

For more information about the deprecation of the U2F Security Key API, please refer to https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

URLAllowlist

Allow access to a list of URLs
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\URLAllowlist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\URLAllowlist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\URLAllowlist
Mac/Linux preference name:
URLAllowlist
Android restriction name:
URLAllowlist
Android WebView restriction name:
com.android.browser:URLAllowlist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Android) since version 86
  • Android System WebView (Android) since version 86
  • Google Chrome (iOS) since version 98
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy provides access to the listed URLs, as exceptions to URLBlocklist. See that policy's description for the format of entries of this list. For example, setting URLBlocklist to * will block all requests, and you can use this policy to allow access to a limited list of URLs. Use it to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at ( https://www.chromium.org/administrators/url-blocklist-filter-format ). The most specific filter determines if a URL is blocked or allowed. The URLAllowlist policy takes precedence over URLBlocklist. This policy is limited to 1,000 entries.

This policy also allows enabling the automatic invocation by the browser of external application registered as protocol handlers for the listed protocols like "tel:" or "ssh:".

Leaving the policy unset allows no exceptions to URLBlocklist.

From Google Chrome version 92, this policy is also supported in the headless mode.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Note for Google Chrome OS devices supporting Android apps:

Android apps may voluntarily choose to honor this list. You cannot force them to honor it.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\URLAllowlist\1 = "example.com" Software\Policies\Google\Chrome\URLAllowlist\2 = "https://ssl.server.com" Software\Policies\Google\Chrome\URLAllowlist\3 = "hosting.com/good_path" Software\Policies\Google\Chrome\URLAllowlist\4 = "https://server:8080/path" Software\Policies\Google\Chrome\URLAllowlist\5 = ".exact.hostname.com"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\URLAllowlist\1 = "example.com" Software\Policies\Google\ChromeOS\URLAllowlist\2 = "https://ssl.server.com" Software\Policies\Google\ChromeOS\URLAllowlist\3 = "hosting.com/good_path" Software\Policies\Google\ChromeOS\URLAllowlist\4 = "https://server:8080/path" Software\Policies\Google\ChromeOS\URLAllowlist\5 = ".exact.hostname.com"
Android/Linux:
[ "example.com", "https://ssl.server.com", "hosting.com/good_path", "https://server:8080/path", ".exact.hostname.com" ]
Mac:
<array> <string>example.com</string> <string>https://ssl.server.com</string> <string>hosting.com/good_path</string> <string>https://server:8080/path</string> <string>.exact.hostname.com</string> </array>
Windows (Intune):
<enabled/>
<data id="URLAllowlistDesc" value="1&#xF000;example.com&#xF000;2&#xF000;https://ssl.server.com&#xF000;3&#xF000;hosting.com/good_path&#xF000;4&#xF000;https://server:8080/path&#xF000;5&#xF000;.exact.hostname.com"/>
Back to top

URLBlocklist

Block access to a list of URLs
Data type:
List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\URLBlocklist
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\URLBlocklist
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\URLBlocklist
Mac/Linux preference name:
URLBlocklist
Android restriction name:
URLBlocklist
Android WebView restriction name:
com.android.browser:URLBlocklist
Supported on:
  • Google Chrome (Linux) since version 86
  • Google Chrome (Mac) since version 86
  • Google Chrome (Windows) since version 86
  • Google ChromeOS (Google ChromeOS) since version 86
  • Google Chrome (Android) since version 86
  • Android System WebView (Android) since version 86
  • Google Chrome (iOS) since version 98
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy prevents webpages with prohibited URLs from loading. It provides a list of URL patterns that specify forbidden URLs. Leaving the policy unset means no URLs are prohibited in the browser. Format the URL pattern according to this format ( https://www.chromium.org/administrators/url-blocklist-filter-format ). Up to 1,000 exceptions can be defined in URLAllowlist.

From Google Chrome version 73, you can block javascript://* URLs. However, it affects only JavaScript entered in the address bar (or, for example, bookmarklets). In-page JavaScript URLs with dynamically loaded data aren't subject to this policy. For example, if you block example.com/abc, then example.com can still load example.com/abc using XMLHTTPRequest.

From Google Chrome version 92, this policy is also supported in the headless mode.

Note: Blocking internal chrome://* URLs can lead to unexpected errors.

Note for Google Chrome OS devices supporting Android apps:

Android apps may voluntarily choose to honor this list. You cannot force them to honor it.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\URLBlocklist\1 = "example.com" Software\Policies\Google\Chrome\URLBlocklist\2 = "https://ssl.server.com" Software\Policies\Google\Chrome\URLBlocklist\3 = "hosting.com/bad_path" Software\Policies\Google\Chrome\URLBlocklist\4 = "https://server:8080/path" Software\Policies\Google\Chrome\URLBlocklist\5 = ".exact.hostname.com" Software\Policies\Google\Chrome\URLBlocklist\6 = "file://*" Software\Policies\Google\Chrome\URLBlocklist\7 = "custom_scheme:*" Software\Policies\Google\Chrome\URLBlocklist\8 = "*"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\URLBlocklist\1 = "example.com" Software\Policies\Google\ChromeOS\URLBlocklist\2 = "https://ssl.server.com" Software\Policies\Google\ChromeOS\URLBlocklist\3 = "hosting.com/bad_path" Software\Policies\Google\ChromeOS\URLBlocklist\4 = "https://server:8080/path" Software\Policies\Google\ChromeOS\URLBlocklist\5 = ".exact.hostname.com" Software\Policies\Google\ChromeOS\URLBlocklist\6 = "file://*" Software\Policies\Google\ChromeOS\URLBlocklist\7 = "custom_scheme:*" Software\Policies\Google\ChromeOS\URLBlocklist\8 = "*"
Android/Linux:
[ "example.com", "https://ssl.server.com", "hosting.com/bad_path", "https://server:8080/path", ".exact.hostname.com", "file://*", "custom_scheme:*", "*" ]
Mac:
<array> <string>example.com</string> <string>https://ssl.server.com</string> <string>hosting.com/bad_path</string> <string>https://server:8080/path</string> <string>.exact.hostname.com</string> <string>file://*</string> <string>custom_scheme:*</string> <string>*</string> </array>
Windows (Intune):
<enabled/>
<data id="URLBlocklistDesc" value="1&#xF000;example.com&#xF000;2&#xF000;https://ssl.server.com&#xF000;3&#xF000;hosting.com/bad_path&#xF000;4&#xF000;https://server:8080/path&#xF000;5&#xF000;.exact.hostname.com&#xF000;6&#xF000;file://*&#xF000;7&#xF000;custom_scheme:*&#xF000;8&#xF000;*"/>
Back to top

UnifiedDesktopEnabledByDefault

Make Unified Desktop available and turn on by default
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UnifiedDesktopEnabledByDefault
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 47
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to True turns on Unified Desktop, which allows applications to span multiple displays. Users can turn off Unified Desktop for individual displays.

Setting the policy to False or leaving it unset turns off Unified Desktop, and users can't turn it on.

Example value:
0x00000001 (Windows)
Back to top

UnsafelyTreatInsecureOriginAsSecure (Deprecated)

Origins or hostname patterns for which restrictions on insecure origins should not apply
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\UnsafelyTreatInsecureOriginAsSecure
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\UnsafelyTreatInsecureOriginAsSecure
Mac/Linux preference name:
UnsafelyTreatInsecureOriginAsSecure
Supported on:
  • Google Chrome (Linux) since version 65
  • Google Chrome (Mac) since version 65
  • Google Chrome (Windows) since version 65
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Deprecated in M69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.

The policy specifies a list of origins (URLs) or hostname patterns (such as "*.example.com") for which security restrictions on insecure origins will not apply.

The intent is to allow organizations to allow origins for legacy applications that cannot deploy TLS, or to set up a staging server for internal web development so that their developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy will also prevent the origin from being labeled "Not Secure" in the omnibox.

Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If the policy is set, it will override the command-line flag.

This policy is deprecated in M69 in favor of OverrideSecurityRestrictionsOnInsecureOrigin. If both policies are present, OverrideSecurityRestrictionsOnInsecureOrigin will override this policy.

For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\UnsafelyTreatInsecureOriginAsSecure\1 = "http://testserver.example.com/" Software\Policies\Google\Chrome\UnsafelyTreatInsecureOriginAsSecure\2 = "*.example.org"
Android/Linux:
[ "http://testserver.example.com/", "*.example.org" ]
Mac:
<array> <string>http://testserver.example.com/</string> <string>*.example.org</string> </array>
Windows (Intune):
<enabled/>
<data id="UnsafelyTreatInsecureOriginAsSecureDesc" value="1&#xF000;http://testserver.example.com/&#xF000;2&#xF000;*.example.org"/>
Back to top

UrlKeyedAnonymizedDataCollectionEnabled

Enable URL-keyed anonymized data collection
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\UrlKeyedAnonymizedDataCollectionEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\UrlKeyedAnonymizedDataCollectionEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UrlKeyedAnonymizedDataCollectionEnabled
Mac/Linux preference name:
UrlKeyedAnonymizedDataCollectionEnabled
Android restriction name:
UrlKeyedAnonymizedDataCollectionEnabled
Supported on:
  • Google Chrome (Linux) since version 69
  • Google Chrome (Mac) since version 69
  • Google Chrome (Windows) since version 69
  • Google ChromeOS (Google ChromeOS) since version 69
  • Google Chrome (Android) since version 70
  • Google Chrome (iOS) since version 90
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means URL-keyed anonymized data collection, which sends URLs of pages the user visits to Google to make searches and browsing better, is always active.

Setting the policy to Disabled results in no URL-keyed anonymized data collection.

If you set the policy, users can't change. If not set, then URL-keyed anonymized data collection at first, but users can change it.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

UrlParamFilterEnabled

Control the URL parameter filter feature
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\UrlParamFilterEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\UrlParamFilterEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UrlParamFilterEnabled
Mac/Linux preference name:
UrlParamFilterEnabled
Android restriction name:
UrlParamFilterEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 102
  • Google Chrome (Linux) since version 102
  • Google Chrome (Mac) since version 102
  • Google Chrome (Windows) since version 102
  • Google Chrome (Android) since version 102
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

When enabled or not set, the URL parameter filter may remove some parameters when a user selects "Open Link in Incognito Window" from the context menu. When disabled, no filtering is performed. This policy is temporary and may be removed in a future release.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

UserAgentClientHintsGREASEUpdateEnabled

Control the User-Agent Client Hints GREASE Update feature.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\UserAgentClientHintsGREASEUpdateEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\UserAgentClientHintsGREASEUpdateEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserAgentClientHintsGREASEUpdateEnabled
Mac/Linux preference name:
UserAgentClientHintsGREASEUpdateEnabled
Android restriction name:
UserAgentClientHintsGREASEUpdateEnabled
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 98
  • Google Chrome (Linux) since version 98
  • Google Chrome (Mac) since version 98
  • Google Chrome (Windows) since version 98
  • Google Chrome (Android) since version 98
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

When enabled the User-Agent Client Hints GREASE Update feature aligns the User-Agent GREASE algorithm with the latest spec. The updated spec may break some websites that restrict the characters that requests may contain. See the spec for more information: https://wicg.github.io/ua-client-hints/#grease If this policy is enabled or not set, the browser will decide which User-Agent GREASE algorithm to use. If the policy is disabled the prior User-Agent GREASE algorithm is used. This policy is a temporary measure and will be removed in a future release.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

UserAgentReduction

Enable or disable the User-Agent Reduction.
Data type:
Integer [Android:choice, Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\UserAgentReduction
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\UserAgentReduction
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserAgentReduction
Mac/Linux preference name:
UserAgentReduction
Android restriction name:
UserAgentReduction
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 98
  • Google Chrome (Linux) since version 98
  • Google Chrome (Mac) since version 98
  • Google Chrome (Windows) since version 98
  • Google Chrome (Android) since version 98
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

The User-Agent HTTP request header is scheduled to be reduced. In order to facilitate testing and compatibility, this policy can enable the reduction feature for all websites, or disable the ability for origin trials or field trials to enable the feature.

To learn more about the User-Agent Reduction and its timeline, read here:

https://blog.chromium.org/2021/09/user-agent-reduction-origin-trial-and-dates.html

  • 0 = User Agent reduction will be controllable via Field-Trials and Origin-Trials.
  • 1 = User Agent reduction disabled, and not enabled by Field-Trials or Origin-Trials.
  • 2 = User Agent reduction will be enabled for all origins.
Example value:
0x00000000 (Windows), 0 (Linux), 0 (Android), 0 (Mac)
Windows (Intune):
<enabled/>
<data id="UserAgentReduction" value="0"/>
Back to top

UserAvatarImage

User avatar image
Data type:
External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserAvatarImage
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 34
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy allows you to configure the avatar image representing the user on the login screen. The policy is set by specifying the URL from which Google Chrome OS can download the avatar image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its size must not exceed 512kB. The URL must be accessible without any authentication.

The avatar image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If this policy is set, Google Chrome OS will download and use the avatar image.

If you set this policy, users cannot change or override it.

If the policy is left not set, the user can choose the avatar image representing them on the login screen.

Schema:
{ "properties": { "hash": { "description": "The SHA-256 hash of the avatar image.", "type": "string" }, "url": { "description": "The URL from which the avatar image can be downloaded.", "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\UserAvatarImage = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", "url": "https://example.com/avatar.jpg" }
Back to top

UserDataDir

Set user data directory
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\UserDataDir
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\UserDataDir
Mac/Linux preference name:
UserDataDir
Supported on:
  • Google Chrome (Windows) since version 11
  • Google Chrome (Mac) since version 11
Supported features:
Dynamic Policy Refresh: No, Per Profile: No, Platform Only: Yes
Description:

Configures the directory that Google Chrome will use for storing user data.

If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a directory used for other purposes, because Google Chrome manages its contents.

See https://support.google.com/chrome/a?p=Supported_directory_variables for a list of variables that can be used.

If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.

Example value:
"${users}/${user_name}/Chrome"
Windows (Intune):
<enabled/>
<data id="UserDataDir" value="${users}/${user_name}/Chrome"/>
Back to top

UserDataSnapshotRetentionLimit

Limits the number of user data snapshots retained for use in case of emergency rollback.
Data type:
Integer [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\UserDataSnapshotRetentionLimit
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\UserDataSnapshotRetentionLimit
Mac/Linux preference name:
UserDataSnapshotRetentionLimit
Supported on:
  • Google Chrome (Linux) since version 83
  • Google Chrome (Mac) since version 83
  • Google Chrome (Windows) since version 83
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Following each major version update, Chrome will create a snapshot of certain portions of the user's browsing data for use in case of a later emergency version rollback. If an emergency rollback is performed to a version for which a user has a corresponding snapshot, the data in the snapshot is restored. This allows users to retain such settings as bookmarks and autofill data.

If this policy is not set, the default value of 3 is used

If the policy is set, old snapshots are deleted as needed to respect the limit. If the policy is set to 0, no snapshots will be taken

Example value:
0x00000003 (Windows), 3 (Linux), 3 (Mac)
Windows (Intune):
<enabled/>
<data id="UserDataSnapshotRetentionLimit" value="3"/>
Back to top

UserDisplayName

Set the display name for device-local accounts
Data type:
String [Windows:REG_SZ]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserDisplayName
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 25
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls the account name Google Chrome OS shows on the login screen for the corresponding device-local account.

If this policy is set, the login screen will use the specified string in the picture-based login chooser for the corresponding device-local account.

If the policy is left not set, Google Chrome OS will use the device-local account's email account ID as the display name on the login screen.

This policy is ignored for regular user accounts.

Example value:
"Policy User"
Back to top

UserFeedbackAllowed

Allow user feedback
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\UserFeedbackAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\UserFeedbackAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\UserFeedbackAllowed
Mac/Linux preference name:
UserFeedbackAllowed
Supported on:
  • Google Chrome (Linux) since version 77
  • Google Chrome (Mac) since version 77
  • Google Chrome (Windows) since version 77
  • Google ChromeOS (Google ChromeOS) since version 77
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset lets users send feedback to Google through Menu > Help > Report an Issue or key combination.

Setting the policy to Disabled means users can't send feedback to Google.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

VideoCaptureAllowed

Allow or deny video capture
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\VideoCaptureAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\VideoCaptureAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VideoCaptureAllowed
Mac/Linux preference name:
VideoCaptureAllowed
Supported on:
  • Google Chrome (Linux) since version 25
  • Google Chrome (Mac) since version 25
  • Google Chrome (Windows) since version 25
  • Google ChromeOS (Google ChromeOS) since version 25
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the VideoCaptureAllowedUrls list, users get prompted for video capture access.

Setting the policy to Disabled turns off prompts, and video capture is only available to URLs set in the VideoCaptureAllowedUrls list.

Note: The policy affects all video input (not just the built-in camera).

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

VideoCaptureAllowedUrls

URLs that will be granted access to video capture devices without prompt
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\VideoCaptureAllowedUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\VideoCaptureAllowedUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VideoCaptureAllowedUrls
Mac/Linux preference name:
VideoCaptureAllowedUrls
Supported on:
  • Google Chrome (Linux) since version 29
  • Google Chrome (Mac) since version 29
  • Google Chrome (Windows) since version 29
  • Google ChromeOS (Google ChromeOS) since version 29
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to video capture devices without prompt

For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\VideoCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\Chrome\VideoCaptureAllowedUrls\2 = "https://[*.]example.edu/"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\VideoCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\ChromeOS\VideoCaptureAllowedUrls\2 = "https://[*.]example.edu/"
Android/Linux:
[ "https://www.example.com/", "https://[*.]example.edu/" ]
Mac:
<array> <string>https://www.example.com/</string> <string>https://[*.]example.edu/</string> </array>
Windows (Intune):
<enabled/>
<data id="VideoCaptureAllowedUrlsDesc" value="1&#xF000;https://www.example.com/&#xF000;2&#xF000;https://[*.]example.edu/"/>
Back to top

VmManagementCliAllowed

Specify VM CLI permission
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VmManagementCliAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 77
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Instructs Google Chrome OS to enable or disable virtual machine management console tools.

If the policy is set to true or left unset, the user will be able to use VM management CLI. Otherwise, all of VM management CLI is disabled and hidden.

Example value:
0x00000000 (Windows)
Back to top

VpnConfigAllowed

Allow the user to manage VPN connections
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\VpnConfigAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 71
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset lets users manage (disconnect or modify) VPN connections. If the VPN connection is created using a VPN app, the UI inside the app isn't affected. So, users might still be able to use the app to modify the VPN connection. Use this policy with the Always on VPN feature, which lets the admin decide to establish a VPN connection when starting a device.

Setting the policy to Disabled turns off the Google Chrome OS user interfaces that would let the user disconnect or modify VPN connections.

Example value:
0x00000000 (Windows)
Back to top

WPADQuickCheckEnabled

Enable WPAD optimization
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WPADQuickCheckEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WPADQuickCheckEnabled
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WPADQuickCheckEnabled
Mac/Linux preference name:
WPADQuickCheckEnabled
Supported on:
  • Google Chrome (Linux) since version 35
  • Google Chrome (Mac) since version 35
  • Google Chrome (Windows) since version 35
  • Google ChromeOS (Google ChromeOS) since version 35
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

Setting the policy to Enabled or leaving it unset turns on WPAD (Web Proxy Auto-Discovery) optimization in Google Chrome.

Setting the policy to Disabled turns off WPAD optimization, causing Google Chrome to wait longer for DNS-based WPAD servers.

Whether or not this policy is set, users can't change the WPAD optimization setting.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

WallpaperImage

Wallpaper image
Data type:
External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WallpaperImage
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 35
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If you set the policy, Google Chrome OS

downloads and uses the wallpaper image you set for the user's desktop and sign-in screen background, and users can't change it. Specify the URL (that's accessible without authentication) which Google Chrome OS

can download the wallpaper image from, as well as a cryptographic hash (in JPEG format with a file size up to 16 MB) to verify its integrity.

If not set, users choose the image for the desktop and sign-in screen background.

Schema:
{ "properties": { "hash": { "description": "The SHA-256 hash of the wallpaper image.", "type": "string" }, "url": { "description": "The URL from which the wallpaper image can be downloaded.", "type": "string" } }, "type": "object" }
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WallpaperImage = { "hash": "baddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecaf", "url": "https://example.com/wallpaper.jpg" }
Back to top

WarnBeforeQuittingEnabled

Show a warning dialog when the user is attempting to quit
Data type:
Boolean
Mac/Linux preference name:
WarnBeforeQuittingEnabled
Supported on:
  • Google Chrome (Mac) since version 102
Supported features:
Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Controls "Warn Before Quitting (⌘Q)" dialog when the user is attempting to quit browser.

If this policy is set to Enabled or not set, a warning dialog is shown when the user is attempting to quit.

If this policy is set to Disabled, a warning dialog is not shown when the user is attempting to quit.

Example value:
<true /> (Mac)
Back to top

WebAppInstallForceList

Configure list of force-installed Web Apps
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebAppInstallForceList
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WebAppInstallForceList
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebAppInstallForceList
Mac/Linux preference name:
WebAppInstallForceList
Supported on:
  • Google Chrome (Linux) since version 75
  • Google Chrome (Mac) since version 75
  • Google Chrome (Windows) since version 75
  • Google ChromeOS (Google ChromeOS) since version 75
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy specifies a list of web apps that install silently, without user interaction, and which users can't uninstall or turn off.

Each list item of the policy is an object with a mandatory member: url (the URL of the web app to install)

and 5 optional members: - default_launch_container (for how the web app opens—a new tab is the default)

- create_desktop_shortcut (True if you want to create Linux and Microsoft® Windows® desktop shortcuts).

- fallback_app_name (Starting with Google Chrome version 90, allows you to override the app name if it is not a Progressive Web App (PWA), or the app name that is temporarily installed if it is a PWA but authentication is required before the installation can be completed. If both custom_name and fallback_app_name are provided, the latter will be ignored.)

- custom_name (Starting with Google Chrome version 99, allows you to permanently override the app name for all web apps and PWAs. Currently only supported on Google Chrome OS.)

- custom_icon (Starting with Google Chrome version 99, allows you to override the app icon of installed apps. The icons have to be square, maximal 1 MB in size, and in one of the following formats: jpeg, png, gif, webp, ico. The hash value has to be the SHA256 hash of the icon file. Currently only supported on Google Chrome OS.)

See PinnedLauncherApps for pinning apps to the Google Chrome OS shelf.

Schema:
{ "items": { "properties": { "create_desktop_shortcut": { "type": "boolean" }, "custom_icon": { "properties": { "hash": { "type": "string" }, "url": { "type": "string" } }, "required": [ "url", "hash" ], "type": "object" }, "custom_name": { "type": "string" }, "default_launch_container": { "enum": [ "tab", "window" ], "type": "string" }, "fallback_app_name": { "type": "string" }, "url": { "type": "string" } }, "required": [ "url" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebAppInstallForceList = [ { "create_desktop_shortcut": true, "default_launch_container": "window", "url": "https://www.google.com/maps" }, { "default_launch_container": "tab", "url": "https://docs.google.com" }, { "default_launch_container": "window", "fallback_app_name": "Editor", "url": "https://docs.google.com/editor" }, { "custom_name": "Spreadsheets", "default_launch_container": "window", "url": "https://docs.google.com/sheets" }, { "custom_icon": { "hash": "c28f469c450e9ab2b86ea47038d2b324c6ad3b1e9a4bd8960da13214afd0ca38", "url": "https://mydomain.example.com/sunny_icon.png" }, "url": "https://weather.example.com" } ]
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebAppInstallForceList = [ { "create_desktop_shortcut": true, "default_launch_container": "window", "url": "https://www.google.com/maps" }, { "default_launch_container": "tab", "url": "https://docs.google.com" }, { "default_launch_container": "window", "fallback_app_name": "Editor", "url": "https://docs.google.com/editor" }, { "custom_name": "Spreadsheets", "default_launch_container": "window", "url": "https://docs.google.com/sheets" }, { "custom_icon": { "hash": "c28f469c450e9ab2b86ea47038d2b324c6ad3b1e9a4bd8960da13214afd0ca38", "url": "https://mydomain.example.com/sunny_icon.png" }, "url": "https://weather.example.com" } ]
Android/Linux:
WebAppInstallForceList: [ { "create_desktop_shortcut": true, "default_launch_container": "window", "url": "https://www.google.com/maps" }, { "default_launch_container": "tab", "url": "https://docs.google.com" }, { "default_launch_container": "window", "fallback_app_name": "Editor", "url": "https://docs.google.com/editor" }, { "custom_name": "Spreadsheets", "default_launch_container": "window", "url": "https://docs.google.com/sheets" }, { "custom_icon": { "hash": "c28f469c450e9ab2b86ea47038d2b324c6ad3b1e9a4bd8960da13214afd0ca38", "url": "https://mydomain.example.com/sunny_icon.png" }, "url": "https://weather.example.com" } ]
Mac:
<key>WebAppInstallForceList</key> <array> <dict> <key>create_desktop_shortcut</key> <true/> <key>default_launch_container</key> <string>window</string> <key>url</key> <string>https://www.google.com/maps</string> </dict> <dict> <key>default_launch_container</key> <string>tab</string> <key>url</key> <string>https://docs.google.com</string> </dict> <dict> <key>default_launch_container</key> <string>window</string> <key>fallback_app_name</key> <string>Editor</string> <key>url</key> <string>https://docs.google.com/editor</string> </dict> <dict> <key>custom_name</key> <string>Spreadsheets</string> <key>default_launch_container</key> <string>window</string> <key>url</key> <string>https://docs.google.com/sheets</string> </dict> <dict> <key>custom_icon</key> <dict> <key>hash</key> <string>c28f469c450e9ab2b86ea47038d2b324c6ad3b1e9a4bd8960da13214afd0ca38</string> <key>url</key> <string>https://mydomain.example.com/sunny_icon.png</string> </dict> <key>url</key> <string>https://weather.example.com</string> </dict> </array>
Windows (Intune):
<enabled/>
<data id="WebAppInstallForceList" value="{"url": "https://www.google.com/maps", "default_launch_container": "window", "create_desktop_shortcut": true}, {"url": "https://docs.google.com", "default_launch_container": "tab"}, {"url": "https://docs.google.com/editor", "default_launch_container": "window", "fallback_app_name": "Editor"}, {"url": "https://docs.google.com/sheets", "default_launch_container": "window", "custom_name": "Spreadsheets"}, {"url": "https://weather.example.com", "custom_icon": {"url": "https://mydomain.example.com/sunny_icon.png", "hash": "c28f469c450e9ab2b86ea47038d2b324c6ad3b1e9a4bd8960da13214afd0ca38"}}"/>
Back to top

WebAppSettings

Web App management settings
Data type:
Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebAppSettings
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WebAppSettings
Mac/Linux preference name:
WebAppSettings
Supported on:
  • Google Chrome (Linux) since version 102
  • Google Chrome (Mac) since version 102
  • Google Chrome (Windows) since version 102
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy allows an admin to specify settings for installed web apps.

This policy maps a Web App ID to its specific setting. A default configuration can be set using the special ID "*", which applies to all web apps without a custom configuration in this policy.

The "manifest_id" field is the Manifest ID for the Web App. See https://developer.chrome.com/blog/pwa-manifest-id/ for instructions on how to determine the Manifest ID for an installed web app. The "run_on_os_login" field specifies if a web app can be run during OS login. If this field is set to "blocked", the web app will not run during OS login and the user will not be able to enable this later. If this field is set to "run_windowed", the web app will run during OS login and the user will not be able to disable this later. If this field is set to "allowed", the user will be able to configure the web app to run at OS login. The default configuration only allows the "allowed" and "blocked" values.

Schema:
{ "items": { "properties": { "manifest_id": { "type": "string" }, "run_on_os_login": { "enum": [ "allowed", "blocked", "run_windowed" ], "type": "string" } }, "required": [ "manifest_id" ], "type": "object" }, "type": "array" }
Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebAppSettings = [ { "manifest_id": "https://foo.example/index.html", "run_on_os_login": "allowed" }, { "manifest_id": "https://bar.example/index.html", "run_on_os_login": "allowed" }, { "manifest_id": "https://foobar.example/index.html", "run_on_os_login": "run_windowed" }, { "manifest_id": "*", "run_on_os_login": "blocked" } ]
Android/Linux:
WebAppSettings: [ { "manifest_id": "https://foo.example/index.html", "run_on_os_login": "allowed" }, { "manifest_id": "https://bar.example/index.html", "run_on_os_login": "allowed" }, { "manifest_id": "https://foobar.example/index.html", "run_on_os_login": "run_windowed" }, { "manifest_id": "*", "run_on_os_login": "blocked" } ]
Mac:
<key>WebAppSettings</key> <array> <dict> <key>manifest_id</key> <string>https://foo.example/index.html</string> <key>run_on_os_login</key> <string>allowed</string> </dict> <dict> <key>manifest_id</key> <string>https://bar.example/index.html</string> <key>run_on_os_login</key> <string>allowed</string> </dict> <dict> <key>manifest_id</key> <string>https://foobar.example/index.html</string> <key>run_on_os_login</key> <string>run_windowed</string> </dict> <dict> <key>manifest_id</key> <string>*</string> <key>run_on_os_login</key> <string>blocked</string> </dict> </array>
Windows (Intune):
<enabled/>
<data id="WebAppSettings" value="{"manifest_id": "https://foo.example/index.html", "run_on_os_login": "allowed"}, {"manifest_id": "https://bar.example/index.html", "run_on_os_login": "allowed"}, {"manifest_id": "https://foobar.example/index.html", "run_on_os_login": "run_windowed"}, {"manifest_id": "*", "run_on_os_login": "blocked"}"/>
Back to top

WebAuthnFactors

Configure allowed WebAuthn factors
Data type:
List of strings
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebAuthnFactors
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 101
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Setting the policy controls which WebAuthn factors can be used.

To allow:

* Every WebAuthn factor, use ["all"] (includes factors added in the future).

* Only PIN, use ["PIN"].

* PIN and fingerprint, use ["PIN", "FINGERPRINT"].

If the policy is unset or set to an empty list, no WebAuthn factors are available for managed devices.

  • "all" = All
  • "PIN" = PIN
  • "FINGERPRINT" = Fingerprint
Example value:
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebAuthnFactors\1 = "PIN"
Back to top

WebRtcAllowLegacyTLSProtocols

Allow legacy TLS/DTLS downgrade in WebRTC
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebRtcAllowLegacyTLSProtocols
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WebRtcAllowLegacyTLSProtocols
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebRtcAllowLegacyTLSProtocols
Mac/Linux preference name:
WebRtcAllowLegacyTLSProtocols
Supported on:
  • Google Chrome (Linux) since version 87
  • Google Chrome (Mac) since version 87
  • Google Chrome (Windows) since version 87
  • Google ChromeOS (Google ChromeOS) since version 87
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

If enabled, WebRTC peer connections can downgrade to obsolete versions of the TLS/DTLS (DTLS 1.0, TLS 1.0 and TLS 1.1) protocols. When this policy is disabled or not set, these TLS/DTLS versions are disabled.

This policy is temporary and will be removed in a future version of Google Chrome.

Example value:
0x00000000 (Windows), false (Linux), <false /> (Mac)
Windows (Intune):
<disabled/>
Back to top

WebRtcEventLogCollectionAllowed

Allow collection of WebRTC event logs from Google services
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebRtcEventLogCollectionAllowed
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WebRtcEventLogCollectionAllowed
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebRtcEventLogCollectionAllowed
Mac/Linux preference name:
WebRtcEventLogCollectionAllowed
Supported on:
  • Google Chrome (Linux) since version 70
  • Google Chrome (Mac) since version 70
  • Google Chrome (Windows) since version 70
  • Google ChromeOS (Google ChromeOS) since version 70
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

Setting the policy to Enabled means Google Chrome can collect WebRTC event logs from Google services such as Hangouts Meet and upload them to Google. These logs have diagnostic information for debugging issues with audio or video meetings in Google Chrome, such as the time and size of RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs have no audio or video content from the meeting. To make debugging easier, Google might associate these logs, by means of a session ID, with other logs collected by the Google service itself.

Setting the policy to Disabled results in no collection or uploading of such logs.

Leaving the policy unset on versions up to and including M76 means Google Chrome defaults to not being able to collect and upload these logs. Starting at M77, Google Chrome defaults to being able to collect and upload these logs from most profiles affected by cloud-based, user-level enterprise policies. From M77 up to and including M80, Google Chrome can also collect and upload these logs by default from profiles affected by Google Chrome on-premise management.

Example value:
0x00000001 (Windows), true (Linux), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

WebRtcIPHandling

The IP handling policy of WebRTC
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebRtcIPHandling
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WebRtcIPHandling
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebRtcIPHandling
Mac/Linux preference name:
WebRtcIPHandling
Supported on:
  • Google Chrome (Linux) since version 91
  • Google Chrome (Mac) since version 91
  • Google Chrome (Windows) since version 91
  • Google ChromeOS (Google ChromeOS) since version 91
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

This policy allows restricting which IP addresses and interfaces WebRTC uses when attempting to find the best available connection. See RFC 8828 section 5.2 (https://tools.ietf.org/html/rfc8828.html#section-5.2). When unset, defaults to using all available interfaces.

  • "default" = WebRTC will use all available interfaces when searching for the best path.
  • "default_public_and_private_interfaces" = WebRTC will only use the interface connecting to the public Internet, but may connect using private IP addresses.
  • "default_public_interface_only" = WebRTC will only use the interface connecting to the public Internet, and will not connect using private IP addresses.
  • "disable_non_proxied_udp" = WebRTC will use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy.
Example value:
"default"
Windows (Intune):
<enabled/>
<data id="WebRtcIPHandling" value="default"/>
Back to top

WebRtcLocalIpsAllowedUrls

URLs for which local IPs are exposed in WebRTC ICE candidates
Data type:
List of strings
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebRtcLocalIpsAllowedUrls
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WebRtcLocalIpsAllowedUrls
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebRtcLocalIpsAllowedUrls
Mac/Linux preference name:
WebRtcLocalIpsAllowedUrls
Supported on:
  • Google Chrome (Linux) since version 79
  • Google Chrome (Mac) since version 79
  • Google Chrome (Windows) since version 79
  • Google ChromeOS (Google ChromeOS) since version 79
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found or chrome://flags/#enable-webrtc-hide-local-ips-with-mdns is Disabled, the local IP addresses are shown in WebRTC ICE candidates. Otherwise, local IP addresses are concealed with mDNS hostnames. Please note that this policy weakens the protection of local IPs if needed by administrators.

Example value:
Windows (Windows clients):
Software\Policies\Google\Chrome\WebRtcLocalIpsAllowedUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\WebRtcLocalIpsAllowedUrls\2 = "*example.com*"
Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\WebRtcLocalIpsAllowedUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\WebRtcLocalIpsAllowedUrls\2 = "*example.com*"
Android/Linux:
[ "https://www.example.com", "*example.com*" ]
Mac:
<array> <string>https://www.example.com</string> <string>*example.com*</string> </array>
Windows (Intune):
<enabled/>
<data id="WebRtcLocalIpsAllowedUrlsDesc" value="1&#xF000;https://www.example.com&#xF000;2&#xF000;*example.com*"/>
Back to top

WebRtcUdpPortRange

Restrict the range of local UDP ports used by WebRTC
Data type:
String [Windows:REG_SZ]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebRtcUdpPortRange
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WebRtcUdpPortRange
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebRtcUdpPortRange
Mac/Linux preference name:
WebRtcUdpPortRange
Android restriction name:
WebRtcUdpPortRange
Supported on:
  • Google Chrome (Linux) since version 54
  • Google Chrome (Mac) since version 54
  • Google Chrome (Windows) since version 54
  • Google ChromeOS (Google ChromeOS) since version 54
  • Google Chrome (Android) since version 54
Supported features:
Dynamic Policy Refresh: No, Per Profile: Yes
Description:

If the policy is set, the UDP port range used by WebRTC is restricted to the specified port interval (endpoints included).

If the policy is not set, or if it is set to the empty string or an invalid port range, WebRTC is allowed to use any available local UDP port.

Example value:
"10000-11999"
Windows (Intune):
<enabled/>
<data id="WebRtcUdpPortRange" value="10000-11999"/>
Back to top

WebSQLAccess

Force WebSQL to be enabled.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WebSQLAccess
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WebSQLAccess
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WebSQLAccess
Mac/Linux preference name:
WebSQLAccess
Android restriction name:
WebSQLAccess
Supported on:
  • Google Chrome (Android) since version 101
  • Google Chrome (Linux) since version 101
  • Google Chrome (Mac) since version 101
  • Google Chrome (Windows) since version 101
  • Google ChromeOS (Google ChromeOS) since version 101
Supported features:
Dynamic Policy Refresh: No, Per Profile: No
Description:

WebSQL is on by default as of M101, but can be disabled via Chrome flag. If this policy is set to false or unset, WebSQL can be disabled. If this policy is set to true, WebSQL cannot be disabled.

Example value:
0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)
Windows (Intune):
<enabled/>
Back to top

WifiSyncAndroidAllowed

Allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone.
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Google Chrome OS clients:
Software\Policies\Google\ChromeOS\WifiSyncAndroidAllowed
Supported on:
  • Google ChromeOS (Google ChromeOS) since version 89
Supported features:
Dynamic Policy Refresh: Yes, Per Profile: Yes
Description:

If this setting is enabled, users will be allowed to sync Wi-Fi network configurations between their Google Chrome OS device(s) and a connected Android phone. Before Wi-Fi network configurations can sync, users must explicitly opt in to this feature by completing a setup flow.

If this setting is disabled, users will not be allowed to sync Wi-Fi network configurations.

This feature depends on the wifiConfigurations datatype in Chrome Sync being enabled. If wifiConfigurations is disabled in the SyncTypesListDisabled policy, or Chrome Sync is disabled in the SyncDisabled policy this feature will not be enabled.

If this policy is left not set, the default is not allowed for managed users.

Example value:
0x00000001 (Windows)
Back to top

WindowOcclusionEnabled

Enable Window Occlusion
Data type:
Boolean [Windows:REG_DWORD]
Windows registry location for Windows clients:
Software\Policies\Google\Chrome\WindowOcclusionEnabled
OMA-URI:
.\Device\Vendor\MSFT\Policy\Config\Chrome~Policy~googlechrome\WindowOcclusionEnabled
Supported on:
  • Google Chrome (Windows) since version 90
Supported features:
Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No
Description:

Enables window occlusion in Google Chrome.

If you enable this setting, to reduce CPU and power consumption Google Chrome will detect when a window is covered by other windows, and will suspend work painting pixels.

If you disable this setting Google Chrome will not detect when a window is covered by other windows.

If this policy is left not set, occlusion detection will be enabled.

Example value:
0x00000001 (Windows)
Windows (Intune):
<enabled/>
Back to top