Set Chrome policies for users or browsers

Controls how long user sessions last. The remaining session time is shown on a countdown timer in the user's system tray. After the specified time, users are automatically signed out and the session ends. Enter a value between 1 and 1440 minutes (24 hours). For unlimited sessions, do not enter a value.

Replaces the default avatar with a custom avatar. You can upload images in JPG format (.jpg or .jpeg files) that are no larger than 512 KB. Other file types are not supported.

Replaces the default wallpaper with a custom wallpaper. You can upload images in JPG format (.jpg or .jpeg files) that are no larger than 16 MB. Other file types are not supported.

Specifies the Chrome browser theme color and users can’t change it. Enter the color into the text field in #RRGGBB hexadecimal format.

Left blank, users can change their browser theme color.

Specifies whether users can sign in to Chrome browser and sync browser information to their Google Account.

Choose one of these options:

• Disable browser sign-in—Users can’t sign in to Chrome browser or sync browser information to their Google Account.
• Enable browser sign-in—Users can sign in to Chrome browser and sync browser information to their Google Account. Chrome browser automatically signs in users when they sign in to a Google service, such as Gmail.
• Force users to sign-in to use the browser—Forces users to sign in to Chrome browser before they can use it. Chrome browser does not let secondary users sign in. Sync is turned on by default and users can’t change it.

Specifies a regular expression that determines which Google Accounts can be set as browser primary accounts in Chrome browser. For example, the value .*@example\.com restricts sign in to accounts in the example.com domain.

If users try to set a browser primary account with a username that doesn't match your specified pattern, an error is displayed.

Left blank, users can set any Google Account as a browser primary account in Chrome browser.

By default, Enable signin interception is selected. The signin interception dialog is displayed when a Google Account is added on the web, and the user would benefit from moving this account to another new or existing profile.

Warning: An experimental feature—Inform your users before changing this setting. To provide feedback or report issues, fill out this form.

This setting allows you to select if supported policies should apply to Chrome Browser on mobile devices. Chrome Browser management needs to be turned on before enabling this setting. Once Chrome Browser management and this setting are enabled, users who are signed in to Chrome Browser on Android with your organization's account will begin receiving the settings you set. When a user signs out of a managed account, the policy stops applying and the local profile on the device is deleted.

You must be signed in as a super administrator for this task.

Note: Chrome OS device management with Microsoft Active Directory (AD) is no longer available for new users. For Chrome OS devices in an AD environment, we recommend using cloud-based Chrome management and Kerberos. For more details, see Manage policies for Chrome OS devices.

Enable Active Directory Management

Selecting Enable Active Directory Management lets you manage Chrome OS devices using Microsoft Active Directory or your Admin console. Use the Device management mode setting, described below, to specify whether devices that are enrolled by users in the selected organizational unit are integrated to Active Directory. You can see devices in your Google Admin console and domain controllers. For details, see Manage Chrome OS devices with Active Directory.

Identity Provider Metadata

Only available if you manage Chrome OS devices with Active Directory

To let Active Directory users access the Google Play Store, you need to upload the Active Directory Federation Services (AD FS) file. Then, apps that you approve for the domain will automatically show up for users when they open the managed Google Play store. For details, see Configure your domain to access the managed Google Play Store.

Domain Join Configuration

Only available if you manage Chrome OS devices with Active Directory

Upload a configuration template to minimize the amount of information that users need to enter when they’re joining their devices to the Active Directory domain. Users are prompted to only enter the Chromebook machine name and choose their configuration, such as sales or engineering.

Specifies whether Chrome OS devices are managed using Microsoft Active Directory or your Admin console. If you select Active Directory, devices that are enrolled by users in the selected organizational unit are integrated to Active Directory. You apply policies to them using Group Policy.

Only takes effect if the device is being enrolled into the domain for the first time or if the device was previously deprovisioned

Selecting Keep Chrome device in current location means that when you enroll the Chrome device, it stays in the top-level organizational unit for your domain and pulls device settings from there.

Selecting Place Chrome device in user organization means that when you enroll the Chrome device, the device is placed in the organizational unit that the enrolling user is in. The settings you've applied for that user's organizational unit are applied to the device.

Place Chrome device in user organization is a useful setting if you need to manually enroll many devices. The device settings unique to the user's organizational unit are automatically added to the device, instead of requiring an additional step of manually moving each device into a specific organizational unit after enrollment.

Controls whether users can add an asset ID and location for a device when they enroll it. 

• Do not allow for users in this organization—Users don't have the option to enter the asset ID and location.
• Users in this organization can provide asset ID and location during enrollment—Users can enter the asset ID and location of the device.

If you choose to allow users to enter the asset ID and location, the Device information page is shown with pre-existing data for the fields. If no data exists, the fields are blank. Users can edit or enter the device details before they complete enrollment. The information that users enter populates the asset ID and location fields in the Admin console and at chrome://policy.

By default, users in this organizational unit are allowed to enroll a new or re-enroll a deprovisioned device. Enrolling a new device or re-enrolling a deprovisioned device consumes an upgrade. Users can also re-enroll a device that was wiped or factory reset. Re-enrolling a device that was wiped or factory reset doesn't consume a new upgrade because the device is still managed.

Selecting Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices) allows users to only re-enroll devices that were wiped or factory reset, but not deprovisioned. They can’t enroll new or re-enroll deprovisioned devices (anytime an upgrade would be consumed).

Selecting Do not allow users in this organization to enroll new or re-enroll existing devices prevents users from enrolling or re-enrolling any device, which includes re-enrolling through forced re-enrollment.

By default, Allow users to end processes with the Chrome task manager is selected.

If you select Block users from ending processes with the Chrome task manager, users can still open the task manager, but can’t use it to end a process because the End process button is dimmed.

Turns on site isolation for managed Chrome browser users on Chrome OS devices. Isolate websites and origins that you specify.

• Turn on site isolation for all websites—Every site runs in a dedicated rendering process. All sites are isolated from each other. (Default setting if you don't specify anything)
• Turn off site isolation for all websites, except those set below—Only the sites you specify run in a separate process. Each entry runs in a dedicated rendering process.

You can also enter a list of origins, separated by commas, to isolate them from their respective websites. For example, you could enter https://login.example.com to isolate it from the rest of the https://example.com website.

For details, see Protect your data with site isolation.

Turn on site isolation for managed Chrome browser users on Android devices. Isolate websites and origins that you specify.

Note: Enabling site isolation on Android devices can reduce Chrome browser performance, so it's disabled by default on Android.

• Allow user to choose to enable site isolation—User can choose whether to turn on site isolation.
• Turn on site isolation for all websites—Every site runs in a dedicated rendering process. All sites are isolated from each other.
• Turn off site isolation for all websites, except those set below—Only the sites you specify run in a separate process. Each entry runs in a dedicated rendering process.

You can also enter a list of origins, separated by commas, to isolate them from their respective websites. For example, you could enter https://login.example.com to isolate it from the rest of the https://example.com website.

When you select Always allow use of password manager, users can have Chrome browser remember passwords and provide them automatically the next time they sign in to a site. If you select Never allow use of password manager, users cannot save new passwords but they can still use passwords that were previously saved. Select Allow the user to decide to let users configure password manager.

Turns on or off the lock screen on users devices. If you select Do not allow locking screen, the system signs out the user in cases where the lock screen normally activates. Idle settings that lead to the lock screen, such as Lock screen on sleep, also sign the user out.

Specifies whether users can use quick unlock modes, including PIN and fingerprint, to unlock the lock screen on their Chrome OS device.

If you choose PIN and turn off ephemeral mode, users can use their PIN instead of their Google Account password to sign in to Chrome OS devices with the Google H1 security chip. Users can create a PIN during Out Of Box Experience (OOBE) setup or in Security and Privacy settings on their device. Sometimes, users might still be prompted to enter their password. For example, if users repeatedly enter the wrong PIN or if you force users to change their password.

We recommend that you don’t let users unlock with PIN if they use shared devices.

For details, see Lock or unlock your screen.

Allows you to enable the PIN auto-submit feature on the lock and login screen. The feature changes how PIN numbers are entered in Chrome OS. Similar to the text field that is used for password input, it shows users how many numerals are necessary to enter their PIN. Currently the range is from 6 to 12 digits.

Specifies whether users can play media while devises are locked.

If playback is supported, when a user locks their device, they can control their media from the lock screen while media is playing. The controls display on the lock screen and allow the user to quickly skip to the next track or pause content without unlocking the device.

Idle time in minutes

To specify the amount of idle time before a user’s device goes to sleep or signs them out, enter a value in minutes. To use the system default, which varies by device, leave the box empty.

Action on idle

Select what you want the device to do after the idle time expires:

• Sleep—If you want the device to go into Sleep mode
• Logout—If you want to sign out the current user
• Lock Screen—If you want to lock the screen on the user's device without signing them out

Action on lid close

Select if you want a user's device to go to sleep or sign them out when they close the device lid.

Lock screen on sleep

Select to lock a user’s screen when the device goes to sleep or let the user decide. If you select Allow user to configure, users configure the option in their device settings.

Specifies whether users can browse in Incognito mode.

Choose Disallow incognito mode to prevent users from opening new Incognito windows. Chrome browser does not close Incognito windows that are already open or prevent users from opening new tabs in those windows.

For K-12 EDU domains, the default is Disallow incognito mode. 

For all other domains, the default is Allow incognito mode.

Controls whether Chrome browser saves the user's browsing history.

Specifies whether users can clear browser data, including their browsing and download history.

Note: Preventing users from clearing browser data doesn't guarantee that browser and download history is kept. For example, if a user deletes their profile, their browsing history is cleared.

Specifies whether users browse in Ephemeral mode or not.

Ephemeral mode lets your employees to work from their personal laptop or a shared device that they trust, while reducing the chances of any browsing information being left behind on their device.

Note: If you use this setting, we recommend that you do not disable Chrome sync in the Admin console.

If you select Perform online OCSP/CRL checks, Chrome OS devices performs online revocation checks of HTTPS certificates.

Sets whether websites are allowed to track the user's physical location.

In the case of Chrome browser, this policy corresponds to the user options in their Chrome settings. Tracking the physical location can be allowed by default, denied by default, or the user can be asked each time a website requests the physical location.

In the case of Android apps running on Chrome, if you select Do not allow sites to detect users' geolocation, Android apps cannot access location information. Otherwise, users are asked to consent when an Android app wants to access location information.

For Chrome OS devices with version 92 or later

Sets the frequency of forced online sign-ins on the login screen for users signing into their Chrome OS device without SAML single sign-on (SSO). 

Each time users sign out after the set frequency period, they must go through the online sign-in flow.

When users are signing in online, they use the Google identity service. By forcing users to regularly sign in, you provide additional security for organizations that require 2-Factor Authentication or Multi Factor Authentication.

Enter a value, in days:

• 0—Users are always required to use online sign-in.
• 1-365—After the set frequency period, users are required to use online sign-in the next time they start a session.

Left empty, users are not required to regularly use online sign-in.

For users with SAML SSO, configure the SAML single sign-on login frequency setting.

Important: This setting does not provide additional at-rest protection of user data stored on the Chrome OS devices, including authentication tokens for online services. At-rest user data encryption is based on offline authentication factors, such as password or smart card.

Allows you to enable or disable SAML-based single sign-on for Chrome OS devices.

Important: Before using this policy, review the requirements in Configure SAML single sign-on for Chrome OS devices.

Sets the frequency of forced online sign-in flows for SAML-based single sign-on (SSO) accounts on the login screen. 

Each time users sign out after the set frequency period, they must go through the online sign-in flow for SAML-based SSO accounts.

When users are signing in online, they use your configured SAML SSO service. By forcing users to regularly sign, you provide additional security for organizations that require 2-Factor Authentication or Multi Factor Authentication and confirm that the user account is still valid.

Sign-on frequency options:

• Every day
• Every 3 days
• Every week
• Every 2 weeks
• Every 3 weeks
• Every 4 weeks
• Every time
• Never

Important: Before using this policy, review the requirements in Configure SAML single sign-on for Chrome OS devices. This setting does not provide additional at-rest protection of user data stored on the Chrome OS devices, including authentication tokens for online services. At-rest user data encryption is based on offline authentication factors, such as password or smart card.

For users without SAML SSO, configure the Google online login frequency setting.

For Chrome OS devices with version 92 or later

Sets the frequency of forced online sign-in for users with SAML on their lock screen. 

Each time users lock their session after the set frequency period, they must go through the online sign-in flow.

When users are signing in online, they use your configured SAML SSO service. By forcing users to regularly sign, you provide additional security for organizations that require 2-Factor Authentication or Multi Factor Authentication and confirm that the user account is still valid.

Enter a value, in days:

• 0—Users are always required to use online sign-in on their lock screen.
• 1-365—After the set frequency period, users are required to use online sign-in the next time they unlock their lock screen.

Left empty, users are not required to regularly use online sign-in to unlock their lock screen.

For users with SAML SSO, configure the Google online unlock frequency setting.

Allows you to temporarily enable or disable Rivest Cipher 4 (RC4) cipher suite in TLS if certain legacy servers need it.

Note: RC4 is not secure. We recommend that you reconfigure servers to support AES encryption.

Local anchors common name fallback

Controls whether to allow or block certificates issued by local trust anchors that are missing the subjectAlternativeName extension. If Allow is selected, Chrome browser will use the commonName of a server certificate to match a host name if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificate.

Note: Selecting Allow is not recommended—It might allow bypassing the nameConstraints extension that restricts the host names for a given authorized certificate.

Symantec Corporation's legacy PKI infrastructure

Allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate. For non-Chrome OS systems, this policy depends on the operating system still recognizing certificates from Symantec's legacy infrastructure. If an OS update changes the OS handling of certificates, this policy no longer has an effect. This policy is intended as a temporary workaround to give enterprises more time to transition away from legacy Symantec certificates.

Specifies URLs where certificate-transparency requirements are not enforced on certificates. In turn, Chrome browser can use certificates that were issued by the Certificate Authority (CA) and not publicly disclosed. If the CA issues illegitimate certificates for a specified URL, they might not be detected.

Only the host name portion of the URL is matched. Wildcard host names are not supported. For URL syntax, see Allow or block websites—URL filter format.

If a certificate chain contains certificates with a specified subjectPublicKeyInfo hash, certificate transparency requirements are not enforced on certificates. Therefore, Chrome browser can use certificates that were issued by the Certificate Authority (CA) to an organization but were not publicly disclosed.

For details on specifying a subjectPublicKeyInfo hash, see the CertificateTransparencyEnforcementDisabledForCas policy.

If a certificate chain contains certificates issued by a legacy Certificate Authority (CA) with a specified subjectPublicKeyInfo hash, certificate transparency requirements are not enforced on certificates. Legacy CAs are trusted by some operating systems that run Chrome browser, but not Chrome OS or Android. Chrome browser can use certificates that were issued to an organization but were not publicly disclosed.

For details on specifying subjectPublicKeyInfo hashes, see the CertificateTransparencyEnforcementDisabledForLegacyCas policy.

Controls whether users can import, edit, and remove Certificate Authority (CA) certificates using Certificate Manager. Choose an option:

• Allow users to manage all certificates—This is the default. Users can edit trust settings for all CA certificates, remove user-imported certificates, and import certificates.
• Allow users to manage user certificates—Users can manage only user-imported certificates, but they can’t change trust settings for built-in certificates.
• Disallow users from managing certificates—Users can view CA certificates, but they can’t manage them.

Controls whether users can manage client certificates. Choose an option:

• Allow users to manage all certificates—This is the default. Users can manage all certificates.
• Allow users to manage user certificates—Users can manage only user certificates, not device-wide certificates.
• Disallow users from managing certificates—Users can view certificates, but they can’t manage them.

Specifies whether Intel Hyper-Threading Technology is optimized for stability or performance. Hyper-Threading Technology uses processor resources more efficiently and increases processor throughput.

By default, Renderer code integrity enabled is selected. Chrome browser prevents unknown and potentially hostile code from loading inside Chrome browser renderer processes.

Unless you have compatibility issues with third-party software that must run inside Chrome browser renderer processes, we do not recommend turning off this setting. If you select Renderer code integrity disabled, Chrome Browser security and stability might be impacted.

Controls whether Chrome checks for leaked usernames and passwords.

This setting has no effect if Safe Browsing is not turned on. To make sure that Safe Browsing is turned on and users can’t change it, set the Safe Browsing setting to Always enable Safe Browsing. For details, see Safe Browsing.

This policy is supported on Chrome 80+. In Chrome 80 and earlier versions, when no policy is set, ambient authentication is enabled in all sessions (regular, incognito and guest). In Chrome 81 and newer versions, when no policy is set, ambient authentication is enabled in regular sessions only.

Ambient authentication (NTLM/Kerberos) is disabled by default in Incognito mode and guest sessions in Chrome 81.

Specifies whether the Chrome Cleanup tool can periodically scan the system for unwanted software.

The Chrome Cleanup tool removes harmful malware and reverts any hijacked settings. If something suspicious is discovered, the user is given the option to remove it.

If Allow Chrome Cleanup to periodically scan the system and allow manual scans is selected, you can specify whether to share the results from Chrome Cleanup with Google. Choose an option:

• User may choose to share results from a Chrome Cleanup cleanup run with Google
• Results from a Chrome Cleanup cleanup are never shared with Google
• Results from a Chrome Cleanup cleanup are always shared with Google

Users can also manually trigger Chrome Cleanup from chrome://settings if they experience issues such as:

• Excessive pop-up ads and unexpected web pages
• Search engine or homepage redirecting to unrecognized services or sites

If you select Prevent Chrome Cleanup from periodical scans and disallow manual scans, Chrome Cleanup does not periodically scan and users cannot manually trigger a cleanup.

On Microsoft Windows, Chrome Cleanup is only available if Chrome browser is:

• Joined to a Microsoft Active Directory domain
• Running on Windows 10 Pro
• Enrolled in Chrome Browser Cloud Management

Specifies whether third-party software can inject executable code into Chrome's processes.

If you select Prevent third party code from being injected into Chrome, third-party software cannot inject executable code into Chrome's processes.

For devices joined to a Microsoft Active Directory domain, Chrome browser does not block third-party software from injecting executable code into its processes regardless of the policy setting.

Specifies whether the audio process is sandboxed by isolating it from critical system resources and other programs. Sandboxing this process can increase system security.

A sandbox restricts the resources available to the audio process to what it needs.

The default is Use the default configuration for the audio sandbox and that might differ per platform. If you use security software setups that interfere with the sandbox, select Never sandbox the audio process.

Allows or blocks the warning that appears to users who are running Chrome on an unsupported computer or operating system.

By default, Users enrolled in the Advanced Protection program will receive extra precaution is selected.

You can control whether users enrolled in the Advanced Protection program will be protected from online attacks like unauthorized access to your account or harmful downloads. Some of these features might involve sharing data with Google. For example, Advanced Protection users can send their downloads to Google for a more stringent malware scan before downloading.

Select Users enrolled in the Advanced Protection program will only receive standard consumer protections to prevent extra protections for users enrolled in the Advanced Protection program.

Specifies origins (URLs) or hostname patterns for which restrictions on insecure origins do not apply. It also prevents the URL from being labeled Not Secure in the address bar.

You can specify URLs for legacy applications that can't deploy Transport Layer Security (TLS) or set up a staging server for internal web development. Developers can then test features requiring secure contexts without having to deploy TLS on the staging server.

Specifying a list of URLs in this setting is the same as setting the command-line unsafely-treat-insecure-origin-as-secure to a comma-separated list of the same URLs.

For more details on secure contexts, see Secure Contexts.

Controls whether users see security warnings when Chrome launches with potentially dangerous command-line flags.

For Microsoft Windows, machines need to be joined to a Microsoft Active Directory domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.

For macOS, machines need to be managed using MDM or joined to a domain with MCX.

Specifies whether popups opened with a target of _blank are allowed to interact with the page that opened the popup.

• Block popups opened with a target of _blank from interacting with the page that opened the popup—Only popups opened with a target of _blank are allowed to interact with the page that opened the popup if the opener page explicitly opts-in to the interaction.
• Allow popups opened with a target of _blank to interact with the page that opened the popup—All popups opened with a target of _blank are allowed to interact with the page that requested to open the popup unless the opener page explicitly opts-out of the interaction.

Specifies what action is taken if a user removes their security token. Currently, this setting only impacts user sessions when you configure sign in using smart cards. For details, see Set up sign in using smart cards on managed Chrome OS devices.

The options are:

• Nothing—No action is taken.
• Log the user out—The user is signed out of their session and must sign back in again.
• Lock the current session—The user's session is locked until they re-authenticate using their security token.

If you select Log the user out or Lock the current session, the Removal notification duration (seconds) field is displayed. You can enter the number of seconds that the notification, informing the user of the impending action, is displayed. The action is then carried out after this notification expires if the user does not re-insert their security token. If you enter 0, no notification is displayed and the action is carried out immediately.

Linux only

By default, Allow system notifications to be used is selected. So, Chrome browser on Linux is allowed to use system notifications.

Select Do not allow system notifications to be used to prevent Chrome browser from using system notifications. Instead, the browser uses Chrome’s message center.

Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the 3DES (Triple Data Encryption Standard) algorithm. Cipher suites are sets of instructions on how to secure a network through TLS and they provide essential information on how to communicate secure data when using HTTPS, FTPS, SMTP, and other network protocols.

3DES only provides an effective security of 112 bits. You can use this policy to temporarily retain compatibility with an outdated server by enabling 3DES cipher suites in TLS. This is a stopgap measure only and the server must be reconfigured.

The default is Use the default setting for 3DES cipher suites in TLS.

Configures the required domain name for remote access clients and prevents users from changing the setting. Only clients from the specified domain can connect to the host device. Left blank, the host allows connections from authorized users from any domain.

You can enable the use of Session Traversal Utilities for NAT (STUN) and Relay (TURN) servers when remote clients are trying to establish a connection to the user’s device.

If you select Enable firewall traversal, remote clients can discover and connect to the user’s device even if they are separated by a firewall. The use of relay servers is enabled by default but you can choose to disable them. Relay servers allow a connection to other peers and transfer data without the need for a direct connection when a firewall is in place. To restrict the UDP port range used by the remote access host in the user’s device, in the UDP port range field, enter the range from minimum to maximum. Left blank, any port can be used.

If you select Disable firewall traversal and outgoing UDP connections are filtered by the firewall, the user’s device only allows connections with client machines within the local network.

Select Show logout button in tray to show the sign out button explicitly in the shelf. This setting is useful for users who might need to quickly sign out of a Chrome OS device.

Select Enable Kerberos to use Kerberos tickets on Chrome OS devices to enable single sign-on (SSO) for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on. For details, go to Configure Kerberos single sign-on for Chrome OS devices.

Specifies whether users can allow Chrome to remember Kerberos passwords, so that they don’t have to enter them again. By default, Allow users to remember Kerberos passwords is selected. Chrome automatically fetches Kerberos tickets unless additional authentication, such as 2-Factor Authentication is required.

Choose Do not allow users to remember Kerberos passwords to never let Chrome remember passwords and remove all previously stored passwords. Users have to enter their password every time they need to authenticate with the Kerberos system.

Determines whether users can add Kerberos accounts. By default, Allow users to add Kerberos accounts is selected. Users have full control over the accounts that they add. So, they can modify or remove them.

Selecting Do not allow users to add Kerberos accounts allows you to add accounts only using policy.

Specifies how Chrome OS connects to the internet.

If you leave the setting at its default Allow user to configure, a direct connection is the default configuration for Chrome OS devices and users can change the proxy configuration in their Chrome settings. If you choose any of the other Proxy mode options, users can't change the configuration.

• Never use a proxy—Chrome OS devices always establish a direct connection to the internet without passing through a proxy server.
• Always auto detect the proxy—Instructs Chrome OS devices to determine which proxy server to connect to using the Web Proxy Autodiscovery Protocol (WPAD).
• Always use the proxy specified below—Sets a specific proxy server for handling requests from users. You'll need to enter the URL of the proxy server in the Proxy server URL field that appears. Format the Proxy Server URL as IP address:port, such as 192.168.1.1:3128.
  If there are any URLs that should bypass the proxy server that handles other user requests, enter them in the URLs which bypass the proxy, one per line ;field. If you include multiple URLs, separate them by putting one URL per line.
• Always use the proxy auto-config specified below—Inserts the URL of the .pac file that should be used for network connections for the Proxy Server Auto Configuration File URL.

How Chrome OS handles bad proxies

PROXY (foo) is how one names a proxy server in Proxy autoconfiguration scripts. If your first proxy doesn’t work, Chrome will try the second, marking the first as a bad proxy.

Currently, when applying a proxy list resolved through PAC, Chrome can rearrange the proxy choices based on the past availability of the proxy. For instance, when applying "PROXY foo1; PROXY foo2;" Chrome might start by trying foo2 if foo1 timed out the last time it was tried (within the past 5 minutes).

If foo2 succeeds, then Chrome will mark foo1 as a bad proxy and redo the priority of the proxy list by putting foo2 first for every other subsequent request.

For Chrome OS devices, the management URLs require a direct path to the internet. Filtering through proxy can cause unexpected functionality.

Android apps running on Chrome OS

If you have enabled Android Apps on supported Chrome OS devices, a subset of proxy settings is made available to Android apps, which they might voluntarily choose to honor. Typically, apps using Android System WebView or the in-built network stack will do so). If you choose:

• Never use a proxy server—Android apps are informed that no proxy is configured.
• Use system proxy settings or fixed server proxy—Android apps are provided with the http proxy server address and port.
• Auto detect proxy server—The script URL "http://wpad/wpad.dat" is provided to Android apps. No other part of the proxy autodetection protocol is used.
• .pac proxy script—The script URL is provided to Android apps.

Specifies whether Chrome OS can bypass a configured proxy server for captive portal authentication. For example, captive portal pages such as landing or sign-in pages where users are prompted to accept terms or sign in before Chrome detects a successful internet connection.

A configured proxy server can be set:

• In the Admin console using the Proxy mode setting
• By users on their Chrome OS device in chrome://settings
• By apps or extensions that are allowed to set or modify a proxy

When you set this policy to Ignore policies for captive portal pages, Chrome opens captive portal pages in a new window and ignores all settings and restrictions that are configured for the current user. When you set it to Keep policies for captive portal pages, Chrome opens captive portal pages in a new browser tab and applies the current user’s policies and restrictions.

Specifies which HTTP authentication schemes are supported. When a server or proxy accepts multiple authentication schemes, the supported authentication scheme with the highest security is selected. You can override the default behavior by disabling specific authentication schemes.

• Basic—Most insecure method with authentication handled without any encryption.
• Digest—A challenge-response scheme that is more secure than basic authentication.
• NTLM—(NT LAN Manager) A more advanced challenge-response scheme that is more secure than digest.
• Negotiate—The most secure option. We recommend this option if available. Otherwise, we recommend NTLM.

By default, Chrome browser allows Basic authentication challenges over non-secure HTTP connections. If you select HTTPS is required to use Basic authentication scheme, Chrome browser allows Basic authentication challenges over HTTPS only.

Note: If Basic is not specified under Supported authentication schemes, this setting is ignored.

By default, NTLMv2 authentication is turned on. Unless you have backward compatibility issues, we do not recommend turning off this setting. Selecting Disable NTLMv2 authentication reduces the security of authentication.

Only supported on Chrome OS devices

Selecting Enable SSL record splitting allows SSL record splitting in Chrome. Record splitting is a workaround for a weakness in SSL 3.0 and TLS 1.0 but can cause compatibility issues with some HTTPS servers and proxies.

Specifies the minimum version of Transport Layer Security (TLS) allowed for your users.

Specifies whether users can bypass SSL warnings and proceed to the page.

Allows you to enter the list of domain names where a user can bypass SSL warnings. Users can bypass SSL warnings only on origin domains that are on this list.

Enter a list of URL values, one per line. For example:

For details, see Enterprise policy URL pattern format.

Note: If SSL error override is enabled, this policy is ignored.

Reduces cellular data usage and speeds up mobile web browsing by using proxy servers hosted at Google to optimize website content.

You can choose to Always enable data compression proxy or Always disable data compression proxy. The default setting is Allow the user to decide.

Allows you to specify a UDP port range to use for WebRTC connections from the user. The port range is 1024–65535 and the maximum should be greater than or equal to the minimum.

Allows you to add URLs for Web Real-Time Communication Interactive Connectivity Establishment (WebRTC ICE) candidates for local IPs.

Google services call the Chrome API to collect the WebRTC events for customers who have opted in. WebRTC transports data over User Datagram Protocol (UDP).

You must put each URL in a new line. The wildcard character * is allowed.

Patterns you add to this list are matched against the security origin of the requesting URL. If a match is found, the local IP addresses are shown in WebRTC ICE candidates. Otherwise, local IP addresses are concealed with mDNS hostnames.

Allows the Quick UDP Internet Connections (QUIC) protocol to be used in Chrome. QUIC is a transport protocol that reduces latency compared to Transmission Control Protocol (TCP). For details, see Chromium.

Determines which IP addresses and interfaces WebRTC uses when attempting to find the best available connection. See details about specific modes of WebRTC behavior.

Choose one of the options:

• WebRTC will use all available interfaces when searching for the best path—This is the default.
• WebRTC will only use the interface connecting to the public Internet, but may connect using private IP addresses
• WebRTC will only use the interface connecting to the public Internet, and will not connect using private IP addresses
• WebRTC will use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy

Controls the default mode of the remote Domain Name System (DNS) resolution via the HTTPS protocol for each query. DNS-over-HTTPS (DoH) helps to improve safety and privacy while users are browsing the web. For example, attackers are prevented from observing what sites you visit or sending you to phishing websites.

Choose an option:

• Disable DNS-over-HTTPS—Chrome never sends DoH queries to DNS servers.
• Enable DNS-over-HTTPS with insecure fallback—If a DNS server that supports DoH is available, Chrome first sends a DNS-over-HTTPS query. If an error is received or a server that supports DoH isn’t available, Chrome just sends a DNS query to the server instead.
• Enable DNS-over-HTTPS without insecure fallback—Chrome sends DoH queries only to DNS servers.

If you enable DoH, you can add a list of the URI templates of DoH resolvers that you want to make available to your users.

The default setting is Enable DNS-over-HTTPS with insecure fallback. However, sometimes it reverts to Disable DNS-over-HTTPS and users can’t change it. This happens if Chrome detects parental controls or enterprise policies. Chrome detects enterprise policies if:

• You manage Chrome browser on domain-joined computers.
• You have set at least one active policy for Chrome browser.

Specifies whether the built-in DNS client is used in Chrome browser.

The built-in DNS client is enabled by default on macOS, Android and ChromeOS and users can change the setting.

This policy has no effect on DNS-over-HTTPS. To change the DNS-over-HTTPS behavior, see the DNS-over-HTTPS setting.

Cross-Origin Resource Sharing (CORS) lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.

For Chrome browser and devices running Chrome OS version 79 and later, the new CORS implementation, Out-Of-Renderer CORS, carries out CORS inspections on network requests, including Chrome extensions. Out-Of-Renderer CORS is more strict and secure than previous CORS implementations. For example, modified request HTTP headers that were previously ignored by the CORS protocol are inspected by the Out-Of-Renderer CORS protocol.

Specifies whether Chrome browser can use the legacy CORS protocol, which is less secure and strict than Out-Of-Renderer CORS.

Cross-Origin Resource Sharing (CORS) lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.

For Chrome browser and devices running Chrome OS version 79 and later, the new CORS implementation, Out-Of-Renderer CORS, carries out CORS inspections on network requests, including Chrome extensions. Out-Of-Renderer CORS is more strict and secure than previous CORS implementations. For example, modified request HTTP headers that were previously ignored by the CORS protocol are inspected by the Out-Of-Renderer CORS protocol.

To make Chrome extensions and specific HTTP headers exempt from CORS inspection, select Enable mitigations.

Specifies the Android VPN app that handles Android and Chrome OS user traffic as soon as users start their devices. For security reasons, virtual private networks (VPNs) don’t apply to system traffic, such as OS and policy updates. If the VPN connection fails, all user traffic is blocked until the VPN connection is re-established. Choose from the list of Android VPN apps that are automatically installed on users’ devices.

Select Do not allow user to disconnect from a VPN manually to prevent users from manually disconnecting from the VPN.

For details, read Set up virtual private networks (Android VPN app).

Specifies which servers are allowed for Integrated Windows Authentication (IWA). When Chrome gets an authentication challenge from a proxy or from a server that is part of this allowed list, integrated authentication is then turned on.

You must separate multiple server names with commas. Wildcards * and , are allowed.

Left blank, Chrome tries to detect if a server is on the intranet. If it is, Chrome will respond to IWA requests. If Chrome detects that a server is on the internet, IWA requests from it are ignored.

Specifies which servers Chrome can delegate to for Integrated Windows Authentication (IWA).

You must separate multiple server names with commas. Wildcards * and , are allowed.

Left blank, Chrome doesn't delegate user credentials, even if a server is detected as on the intranet.

Specifies whether to respect Key Distribution Center (KDC) policy to delegate Kerberos tickets.

Specifies the source of the name used to generate the Kerberos service principal name (SPN).

Specifies whether the generated Kerberos service principal name (SPN) includes a non-standard port.

Specifies whether third-party sub-content on a page is allowed to pop up an HTTP basic authentication dialog box.

Specifies whether websites that are not cross-origin isolated can use SharedArrayBuffers. Chrome version 91 and later requires cross-origin isolation when using SharedArrayBuffers for Web Compatibility reasons.

For details, see SharedArrayBuffer updates.

Specifies the Chrome default referrer policy. A referrer policy controls how much referrer information is included with network requests.

If you select Use Chrome’s default referrer policy, the strict-origin-when-cross-origin policy is used. This policy:

• sends the origin, path, and querystring when performing a same-origin request
• only sends the origin when the protocol security level stays the same while performing a cross-origin request, HTTPS to HTTPS
• sends no header to less secure destinations, HTTPS to HTTP

If you select Set Chrome’s default referrer policy to the legacy referrer policy, the legacy no-referrer-when-downgrade policy is used for network requests. This policy:

• sends the origin, path, and querystring of the URL as a referrer when the protocol security level stays the same, HTTP to HTTP or HTTPS to HTTPS, or improves HTTP to HTTPS
• sends no header to less secure destinations, HTTPS to HTTP

Specifies whether the Chrome browser can actively make requests that include information about the user's browser and environment. Servers can then enable analytics and customize the response. By default, Allow User-Agent client hints is selected.

These granular request headers might break some websites that restrict the characters included in some requests.

By default, Accept web contents served as Signed HTTP Exchanges is selected to safely make content portable or available for redistribution by other parties, while keeping the content’s integrity and attribution.

Configures a single global per profile cache with HTTP server authentication credentials.

• (Default) HTTP authentication credentials are scoped to top-level sites—For version 80 and later, Chrome scopes HTTP server authentication credentials by top-level site. If two sites use resources from the same authenticating domain, credentials need to be provided independently in the context of both sites and cached proxy credentials are reused across sites.
• HTTP authentication credentials entered in the context of one site will automatically be used in the context of another—This can leave sites open to some types of cross-site attacks. It also allows users to be tracked across sites, even without cookies, by adding entries to the HTTP authentication cache using credentials embedded in URLs.

This policy is intended to give organizations depending on the legacy behavior a chance to update their sign-in procedures, and will be removed in the future.

Specifies whether Chrome always performs revocation checks for successfully validated server certificates signed by locally installed CA certificates. If Chrome can't get any revocation status information, it treats these certificates as revoked.

The default is Use existing online revocation-checking settings.

Some proxy servers can't handle a high number of concurrent connections per client. Specify the maximum number of concurrent connections to the proxy server. The value should be lower than 100 but higher than 6. Some web apps are known to consume many connections with hanging GETs. The default value is 32. Setting a value below 32 might cause the browser network to freeze if there are too many web apps already open with hanging connections.

Specifies which GSSAPI (Generic Security Service Application Program Interface) library Chrome should use for HTTP authentication. Set the policy to either a library name or a full path such as GSSAPILibraryName or libgssapi_krb5.so.2. Left blank, Chrome uses a default library name.

Specifies a list of hostnames that bypass the HTTP Strict Transport Security (HSTS) policy check. The HSTS policy forces web browsers to interact with websites only via secure HTTPS connections and never HTTP connections.

Only enter single-label hostnames; one per line. Hostnames must be canonicalized, any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the hostnames specified, and not to subdomains of those hostnames.

Specifies the type of accounts that are provided by the Android authentication app which supports HTTP Negotiate authentication. Authentication apps generate security codes for signing into sites that require a high level of security. For example, Kerberos authentication. This information should be provided by the supplier of the authentication app. For details, see The Chromium Projects.

By default, Perform DNS interception checks is selected. DNS interception checks perform a check on the browser to see if it is behind a proxy that redirects unknown host names.

When users enter a single word in the Chrome address bar and press Enter, Chrome sends a search to the default search provider. If the single word matches the name of an intranet host, users might have intended to navigate to it instead.

When intranet redirection is allowed, Chrome issues a DNS request for single-word hostnames and then shows users an infobar asking them if they want to go to the site if it is resolvable. For example, calendar matches intranet host http://calendar/. Users who enter calendar in the search bar are asked Did you mean to go to http://calendar/?.

Using intranet redirection, Chrome ensures that DNS interception is not occurring. DNS interception means every single DNS request for any single-word host is resolvable even if no actual host exists.

If your network environment resolves every DNS request for a single-word host, you should allow DNS interception checks. That way, the infobar isn’t shown after each single-word search.

Choose one of the options:

• Use default browser behavior—(Default) For Chrome version 88 or later, DNS interception checks and intranet redirect suggestions are enabled by default. However, they will be disabled by default in a future release.
• Disable DNS interception checks and did-you-mean “http://intranetsite/” infobars
• Disable DNS interception checks; allow did-you-mean “http://intranetsite/” infobars
• Allow DNS interception checks and did-you-mean “http://intranetsite/” infobars

You can also use the DNS interception checks enabled setting to disable DNS interception checks. However, the Intranet Redirection Behavior is more flexible because it lets you separately control intranet redirection infobars.

This policy is temporary and will be removed in a future version of Chrome. It is supported on Chrome browser (Linux, Mac, Windows) and Chrome OS since version 87.

Allows legacy TLS (Transport Layer Security) and Datagram Transport Layer Security (DTLS) downgrades in Web Real-Time Communications (WebRTC).

By default, Disable WebRTC peer connections downgrading to obsolete versions of the TLS/DTLS (DTLS 1.0, TLS 1.0 and TLS 1.1) protocols is selected. So, these TLS/DTLS versions are disabled.

Turn on or off WPAD (Web Proxy Auto-Discovery) optimization in Chrome.

WPAD allows a client, such as Chrome browser, to automatically locate and interface with cache services in a network. Information can then be delivered more quickly to the user.

The default is Enable Web Proxy Auto-Discovery (WPAD) optimization. If you select Disable Web Proxy Auto-Discovery (WPAD) optimization, Chrome must wait longer for DNS-based WPAD servers.

Users cannot change the WPAD optimization setting.

For devices running Chrome OS version 89 or later.

Specifies whether usernames and passwords are used to authenticate to a managed proxy secured with NTLM authentication.

If you choose Use login credentials for network authentication to a managed proxy case, and authentication fails, users are prompted to enter their username and password.

Permits bypassing the list of restricted ports built into Google Chrome by selecting one or more ports that outgoing connections are permitted on.

Ports are restricted to prevent Google Chrome being used as a vector to exploit network vulnerabilities. Setting this policy can expose your network to attacks. This policy is intended as a temporary workaround for errors with code ERR_UNSAFE_PORT when migrating a service running on a blocked port to a standard port such as port 80 or 443.

If you do not not set this policy, all restricted ports are blocked. If there are both valid and invalid values selected, the valid ones values are applied.

This policy overrides the --explicitly-allowed-ports command-line option.

Specifies if Chrome follows the default rollout process for Combined Elliptic-Curve and Post-Quantum 2 (CECPQ2), a post-quantum key-agreement algorithm in Transport Layer Security (TLS).

CECPQ2 helps evaluate the performance of post quantum key-exchange algorithms on users' devices.

CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware. You can disable CECPQ2 while networking issues are being resolved.

Allows users to back up content, data, and settings from Android apps to their Google Account. When users sign in to another Chrome OS device, they can restore their Android app data.

Sets whether Android apps are allowed to track the user's physical location.

You can set to:

• Disable location services for Android apps in Chrome OS—Android apps cannot access location information.
• Allow the user to decide whether an Android app in Chrome OS can use location services—User is asked to consent when an Android app wants to access location information.

Deprecated. Chrome version 75 and earlier.

By default, users can add a secondary account (for example, their personal Gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. To stop users from adding a second Google Account, check the Google account box.

By default, Chrome OS Certificate Authority (CA) certificates are not synchronized to Android apps. To make them available to Android apps, select Enable usage of Chrome OS CA certificates in Android apps.

Lets users import autofill form data from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of autofill data—Automatically imports autofill form data. Users can reimport later.
• Disable imports of autofill data—Autofill form data isn't imported on first run, and users can't manually import it.
• Allow the user to decide—Users can choose whether to manually import autofill form data.

Lets users import bookmarks from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of bookmarks—Automatically imports bookmarks. Users can reimport later.
• Disable imports of bookmarks—Bookmarks aren't imported on first run, and users can't manually import them.
• Allow the user to decide—Users can choose whether to manually import bookmarks.

Lets users import browsing history from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of browsing history—Automatically imports browsing history. Users can reimport later.
• Disable imports of browsing history—Browsing history isn't imported on first run, and users can't manually import it.
• Allow the user to decide—Users can choose whether to manually import browsing history.

Lets users import homepage settings from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of homepage—Automatically imports homepage settings. Users can reimport later.
• Disable imports of homepage—Homepage settings aren't imported on first run, and users can't import manually them.
• Allow the user to decide—Users can choose whether to manually import homepage settings.

Lets users import saved passwords from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of saved passwords—Automatically imports saved passwords. Users can reimport later.
• Disable imports of saved passwords—Saved passwords aren't imported on first run, and users can't manually import them.
• Allow the user to decide—Users can choose whether to manually import saved passwords.

Lets users import search engine settings from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of search engines—Automatically imports search engine settings. Users can reimport later.
• Disable imports of search engines—Search engines settings aren't imported on first run, and users can't manually import them.
• Allow the user to decide—Users can choose whether to manually import search engine settings.

SafeSearch for Google Search queries

Allows you to turn on or off SafeSearch, which filters explicit content, like pornography, in user search results. You can select:

• Do not enforce SafeSearch for Google Web Search queries
• Always use SafeSearch for Google Web Search queries—Users must use SafeSearch.

For K-12 EDU domains, the default is Always use Safe Search for Google Web Search queries. 

For all other domains, the default is Do not enforce Safe Search for Google Web Search queries.

For more details, see Lock SafeSearch for devices & networks you manage.

Restricted Mode for YouTube

Before you set restrictions on YouTube, we recommend updating to the latest stable version of Chrome.

• Do not enforce Restricted Mode on YouTube (default).

• Enforce at least Moderate Restricted Mode on YouTube—Forces users to use Restricted mode. The mode algorithmically limits which videos are viewable based on their content.

• Enforce Strict Restricted Mode for YouTube—Forces users to use Strict Restricted mode to further limit available videos.

For details on restriction levels, see Manage your organization's YouTube settings.

Controls whether users in your organization can take screenshots on Chrome OS devices. The policy applies to screenshots taken by any means, including the keyboard shortcut and apps and extensions that use the Chrome API to capture screenshots.

If you enable Android apps on supported Chrome OS devices in your organization, screenshot policies also apply to those devices.

Controls whether webpages are allowed to prompt users to live stream a tab, window, or their entire screen.

Allows you to specify a list of URL patterns (as a JSON string) for which sites Chrome automatically selects for client certificates. If set, Chrome skips the client certificate selection prompt for matching sites if a valid client certificate is installed. If this policy is not set, auto-selection won’t be done for websites that request certificates.

The ISSUER/CN parameter specifies the common name of the certification authority that client certificates must have as their issuer to be autoselected.

How to format the JSON string:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

Example JSON string:

{"pattern": "https://[*.]ext.example.com", "filter": {}},
{"pattern": "https://[*.]corp.example.com", "filter": {}},
{"pattern": "https://[*.]intranet.usercontent.com", "filter": {}}

Specifies URLs and domains for which no prompt is shown when the device requests attestation certificates from security keys.

Controls whether Chrome browser allows webpages to use the Web-based Graphics Library (WebGL) API and plugins. WebGL is a software library that enables JavaScript to allow it to generate interactive 3D graphics.

Default cookie setting

Sets whether websites are allowed to store browsing information, such as your site preferences or profile information.

This setting corresponds to a user’s cookie options in Chrome Settings. You can allow the user to configure the option. Or, you can specify that cookies are always allowed, never allowed, or kept only for the duration of a user's session.

Allow cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are allowed to set cookies. For example, you can put URLs in the following formats on separate lines:

• "http://www.example.com"
• "[*.]example.edu"

If this policy is not set, what you specify under Default cookie setting is the global default or a user can set their own configuration.

Block cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are not allowed to set cookies. For example, you can put URLs in the following formats on separate lines:

• "http://www.example.com"
• "[*.]example.edu"

If this policy is not set, what you specify under Default cookie setting is the global default or a user can set their own configuration.

Allow session-only Cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are allowed to set session-only cookies. You can put URLs in the following formats on separate lines:

• "http://www.example.com"
•  "[*.]example.edu"

The cookies after these sessions are deleted. If this policy is not set, what you specify under Default cookie setting is the global default, or a user can set their own configuration.

Allows or blocks third-party cookies. By default, users are allowed to decide.

Developers use the SameSite setting to prevent browsers from sending cookies with cross-site requests.

For Chrome browser version 80 and later, the SameSite setting is more strict than previous implementations. Cookies are protected from external access unless developers use the SameSite=None; Secure setting to allow cross-site access over HTTPS connections only.

You can temporarily revert Chrome browser to the legacy behavior, which is less secure. That way, users can continue to use services that developers have not yet updated, such as single sign-on and internal applications.

Choose an option:

• Revert to legacy SameSite behavior for cookies on all sites—Cookies with the setting configured as SameSite=None do not require the Secure attribute. Cookies that don't specify a SameSite attribute are treated as if they are set to SameSite=None. So, third-party cookies can continue to track users across sites.
• Use SameSite-by-default behavior for cookies on all sites—For cookies that don't specify a SameSite attribute, how Chrome browser treats cookies depends on the default behavior specified in Chrome browser.

To see how Chrome browser treats cookies that don't specify a SameSite attribute:

1. On a managed computer, open Chrome browser.
2. In the address bar at the top, type chrome://flags.
3. Press Enter.
4. For #same-site-by-default-cookies, read the description and check to see if the flag is turned on or off.

Developers use the SameSite setting to prevent browsers from sending cookies with cross-site requests.

For Chrome browser version 80 and later, the SameSite setting is more strict than previous implementations. Cookies are protected from external access unless developers use the SameSite=None; Secure setting to allow cross-site access over HTTPS connections only.

You can specify the domains that you want Chrome browser to temporarily revert to the legacy behavior, which is less secure. Don’t specify schemes or ports. Cookies with the setting configured as SameSite=None no longer require the Secure attribute. Cookies that don't specify a SameSite attribute are treated as if they are set to SameSite=None. As a result, third-party cookies can continue to track users across specific sites.

If no domains are listed, the Default legacy SameSite cookie behavior setting specifies how cookies are treated. Otherwise, how Chrome browser treats cookies might vary, depending on the default behavior specified in Chrome browser.

Specifies whether websites are allowed to display images. For Show images on these sites and Block images on these sites, put one URL pattern on each line.

Specifies whether websites are allowed to run JavaScript. If you select Do not allow any site to run JavaScript, some sites might not work properly.

Suspends JavaScript timers for tabs opened in the background and not used for 5 minutes or more. For these tabs, timers only execute their code once a minute. This can decrease CPU load and battery power consumption.

The default is Allow throttling of background javascript timers to be controlled by Chrome’s logic and configurable by users. The policy is controlled by its own internal logic and can be manually configured by users.

If you select Force throttling of background javascript timers or Force no throttling of background javascript timers, the policy is force enabled or force disabled and users cannot override the option.

The policy is applied per webpage, with the most recently set option applied when a webpage is loaded. The user must perform a full restart for the policy setting to be applied to all loaded tabs. It is harmless for webpages to run with different values of this policy.

You can specify whether Google Chrome allows sites to run the v8 JavaScript engine with the Just In Time (JIT) compiler enabled. JIT compilation is a way of executing computer code using compilation during, not before, the execution of a program.

Choose an option:

• Allow sites to run JavaScript JIT (default)—Web content might render more slowly and parts of JavaScript, including WebAssembly, might be disabled. 
• Do not allow sites to run JavaScript JIT—Web content might be rendered in a more secure way.

You can also add specific URLs that you want to allow or block from running JavaScript JIT.  For information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies whether websites are allowed to display desktop notifications.

You can allow or block notifications or ask the user each time a website wants to show desktop notifications.

Note: With Chrome version 64 and later, JavaScript alerts are no longer allowed to interrupt users. Apps that previously used alerts, such as Google Calendar, can send notifications instead. To allow this, in the Allow these sites to show notifications box, add calendar.google.com.

Specifies a list of URL patterns of pages that are allowed to automatically play video content with sound, without user consent. If you change this setting while users are running Chrome, it only applies to newly opened tabs.

For information about valid url patterns, see Enterprise policy URL pattern format.

Sets whether websites are allowed to run outdated plugins such as Adobe Flash Player on their Chrome browser or Chrome OS device. Plugins are used by websites to enable certain types of web content that Chrome browser can't process.

Specifies how PDF files are opened in Google Chrome.

Chrome downloads PDF files and lets users open them with the system default application—The internal PDF viewer is turned off in Google Chrome, and PDF files are downloaded for users to open with the default application.

Chrome opens PDF files, unless the PDF plugin is turned off—Chrome opens all PDF files unless users have turned off the PDF plugin.

Auto open file types

Specifies a list of file types that automatically open after download. If Safe Browsing is turned on, files are still checked and only open after they pass. Left blank, only file types that users allow can automatically open.

Don’t include the leading separator. For example, just type txt for .txt files.

For Microsoft Windows, machines need to be joined to a Microsoft Active Directory domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.

For macOS, machines need to be managed using MDM or joined to a domain with MCX.

Auto open URLs

Specifies a list of URL patterns of pages that are allowed to automatically open the file types that you specify in Auto open file types.

This setting has no effect on file types that users choose to automatically open.

If you specify one or more URL patterns, Chrome automatically opens files that match both the URL pattern and file type. Chrome also continues to automatically open file types that users allow.

Left blank, Chrome automatically opens file types that you specify in Auto Open file types, no matter what URL they downloaded from.

For URL syntax, see Allow or block websites—URL filter format.

Sets whether websites are allowed to show pop-ups. If the browser blocks pop-ups for a site, users see and can click Blocked on the address bar to see the pop-ups that have been blocked.

This policy will be removed in Chrome version 95.

In Chrome browser version 91 or later, Chrome prevents iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. So, embedded content can’t spoof users into believing that a message is coming from the website they're visiting, or from Chrome browser.

Select Allow JavaScript dialogs triggered from a different origin subframe to revert to the previous behavior.

Specifies whether websites are allowed to show pop-ups while the website is unloading.

A web page unloads when:

• The user clicks a link to leave the page
• The user types a new URL in the address bar
• The user clicks the forward or back buttons
• The browser window is closed
• The page is reloaded

If the browser blocks pop-ups for a site, users see and can click Blocked on the address bar to see the pop-ups that have been blocked.

Blocked URLs

Prevents Chrome browser users from accessing specific URLs.

To configure this setting, enter up to 1,000 URLs on separate lines.

Blocked URL exceptions

Specifies exceptions to the list of blocked URL.

To configure the setting, enter up to 1,000 URLs on separate lines.

Examples

Using blocked URL lists with Android apps

If you enable Android apps on supported Chrome OS devices in your organization, the blocked URLs list and blocked URL exceptions are not honored by apps that use Android System WebView. To enforce a blocklist on these apps, define the blocked URLs in a text file (see below). Then, apply the blocklist to the Android apps. For details, see Apply managed configurations to an Android app.

The following example shows how to define a blocked URL:

{ "com.android.browser:URLBlocklist": "[\"www.solamora.com\"]" }

For apps that don’t use Android System WebView, consult the app documentation for information on how to restrict access in a similar way.

Lets you configure whether users can sync with Google Drive on their Chrome OS device. You can enable or disable Drive syncing or let users choose.

This setting has no effect on the Google Drive Android app on Chrome OS. To completely disable any syncing to Google Drive, configure this policy and do not allow the Google Drive Android app to be installed on supported Chrome OS devices. For details, see Use Android apps on Chrome OS devices.

Lets you configure whether or not users can sync with Google Drive over a cellular connection on their Chrome OS device. This policy has no effect on the Google Drive Android app on Chrome OS.

Allow users to cast from Chrome

Decide if users can use a Chromecast device to cast from a Chrome tab.

Show Cast icon in the toolbar

Specify whether Cast appears on the browser toolbar in Chrome. If you select Always show the Cast icon in the toolbar, it always appears on the toolbar or overflow menu and users can't remove it.

If you don't let users cast, you can't configure this policy. The Cast icon doesn't appear on the toolbar.

Supported on Chrome version 80 to 83 inclusive

Specifies how Chrome browser and Chrome OS devices treat insecure HTTP audio, video, and image mixed content.

By default, Chrome uses strict treatment for mixed content. On HTTPS sites:

• Audio and video are automatically upgraded from HTTP to HTTPS.
• There is no fallback if audio or video is not available over HTTPS.
• Chrome shows a warning in the URL bar for pages that contain images.

Select Do not use strict treatment for mixed content to prevent Chrome from automatically upgrading audio and video to HTTPS and show no warning for images.

For Chrome browser and Chrome OS devices, Google has started to automatically block mixed content. So, in future https:// pages will only load secure https:// resources, not http:// resources. For details about the roll-out plan, see this Chromium blog.

Selecting Allow users to add exceptions to allow blockable mixed content lets users specify certain pages that can run active mixed content. Otherwise, users can’t load active mixed content, such as scripts and iframes. Chrome does not automatically upgrade optionally-blockable mixed content from HTTP to HTTPS on sites users add as exceptions.

To run pages with active mixed content, tell users to:

1. On your computer, open Chrome.
2. At the top right, click More Settings.
3. Under Privacy and security, click Site settings.
4. Scroll to Insecure content.
5. For Allow, click Add.
6. Add URLs of the pages that you want to allow.

Note: URLs that you specify in the Allow insecure content on these sites and Block insecure content on these sites settings take precedence over this setting.

Specifies a list of pages that can display active mixed content, such as scripts and iframes. Also, Chrome does not automatically upgrade optionally-blockable, or passive, mixed content from HTTP to HTTPS. Passive mixed content includes images, audio, and video.

For information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies a list of pages that cannot display active mixed content, such as scripts and iframes. Also, Chrome automatically upgrades optionally-blockable, or passive, mixed content from HTTP to HTTPS. Chrome does not load passive mixed content that fails to load over https://. Passive mixed content includes images, audio, and video

For information on valid URL patterns, see Enterprise policy URL pattern format.

This policy will be removed after Chrome 84.

Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were deprecated in 2018. They are disabled by default in Chrome version 80 and later. For Chrome browser and devices running Chrome OS version 80 to 84 inclusive, select Re-enable Web Components v0 API to temporarily re-enable the APIs for all sites.

This policy will be removed in Chrome 88.

For Chrome browser and devices running Chrome OS version 78 to 88 inclusive. Allows you to specify whether pages can send synchronous XMLHttpRequest (XHR) requests during page dismissal. For example, when users close tabs, quit the browser, type a new entry in the address bar, and so on.

Chrome browser detects window occlusion when a browser window is covered by another window. If that happens, Chrome browser does not paint pixels on the covered page. Showing blank white pages helps to reduce CPU and power consumption.

Select Disable detection of window occlusion to prevent Chrome browser on Microsoft Windows devices from showing blank pages when they’re covered.

This policy will be removed after Chrome 84

Starting in Chrome version 83, we are refreshing standard form control elements, such as <select>, <button>, and <input type=date>. This will help to improve accessibility and platform uniformity.

For Chrome browser and devices running Chrome OS version 83 and 84, select Use legacy (pre-M81) form control element for all sites to temporarily revert to legacy form control elements. Otherwise, updated form control elements are used as they are launched in Chrome versions 83 and 84.

Specifies whether users can follow links that scroll to a text fragment on a webpage.

If you enable this setting, hyperlinks and address bar URL navigations can target specific text within a webpage. When the webpage is fully loaded it then scrolls to that text.

For Chrome browser and Chrome OS devices, URL-keyed anonymized data collection sends Google the URL of each site the user visits to make searching and browsing better. If this policy is not set it will be active by default, but the user will be able to change it.

Specifies whether websites can request access to bluetooth devices via the Web Bluetooth API.

The default is Allow the user to decide, where websites request access to nearby Bluetooth devices and the user can decide to allow or block this access.

Controls whether or not the Always open box is shown on external protocol launch confirmation prompts. If the user clicks a link with a protocol, a dialog is displayed asking if they want to use an app instead. When the policy is enabled, a box is displayed in the dialog.

If the user checks the box, future prompts asking to use the app for similar requests are skipped. If the policy is disabled, the box does not appear and users can't skip the confirmation prompts.

When enabled the Back-Forward cache feature stores the exact state of a webpage. When navigating away from a page, its current state might be preserved in the back-forward cache. When a browser’s back button is clicked, the page might load from cache and restore the page, allowing for quick navigation back and forth.

This feature might cause issues for some websites that do not expect this caching. Specifically, some websites depend on the "unload" event being dispatched when the browser navigates away from the page. The "unload" event will not be dispatched if the page enters the back-forward cache.

If this policy is set to enabled or is not set, the feature will be enabled.

By default, the PDF viewer can annotate PDFs on Chrome OS devices.

You can disable certain printer types or destinations from being available for printing.

Available with Android 5.0 Lollipop and later devices and Chrome OS devices with Chrome version 40 and later.

Allows your users to unlock their Chrome device without a password using an Android phone. If the user and the devices are nearby, the user no longer needs to enter a password to unlock their Chrome device.

Users can set up their SMS Messages to be synced between their phones and Chrome OS devices.

Note: If this policy is allowed, users must explicitly opt into this feature by completing a setup flow. Once the setup flow is complete, users will be able to send and receive SMS messages on their devices.

Specifies whether users can send phone numbers from Chrome OS devices to an Android device when the user is signed in.

The default is Allow users to send phone numbers from Chrome to their phone.

Specifies whether users can interact with their Android phone on a Chrome OS device.

The default is Do not allow Phone Hub to be enabled and users are not allowed to opt into Phone Hub.

If you select Allow Phone Hub to be enabled, users are allowed to opt into Phone Hub and the following two options are displayed:

• Allow Phone Hub notifications to be enabled—If you enable this, users who have already opted in to Phone Hub, can send or receive their phone's notifications on Chrome OS.
• Allow Phone Hub task continuation to be enabled—If you enable this, users who have already opted in to Phone Hub, can continue tasks such as viewing their phone's webpages on Chrome OS.

Specifies whether sites can or cannot ask users to grant them write access to files or directories in the host operating system's file system using the File System API. You can add a list of URLs that can or cannot request write access from the user.

Select one of the following:

• Allow the user to decide (default)—Lets websites ask for access, but users can change this setting. This access applies for sites that don't match a URL defined in the Allow write access to files and directories on these sites or the Block write access to files and directories on these sites fields.
• Allow sites to ask the user to grant write access to files and directories—Lets websites ask the user for write access to files and directories. 
• Do not allow sites to request write access to files and directories—Denies write access to files and directories.

In the Allow file system write access on these sites field, enter all URLs that are allowed to request write access to files and directories from the user. Put each URL on it’s own line. 

In the Block write access on these sites field, enter all URLs that are not allowed access to files and directories. Put each URL on it’s own line. 

If a URL isn't explicitly allowed or blocked, the option you selected from the File system write access drop-down or the users' personal settings take precedence, in that order.

Do not enter the same URL in both the Allow file system write access on these sites and Block write access on these sites. If a URL matches with both, neither policy takes precedence.

For details on valid URL patterns, see Enterprise policy URL pattern format.

You can specify whether websites can access and use sensors such as motion and light sensors.

In the Default access section, select one of the following:

• Allow the user to decide if a site may access sensors (default)—Lets websites ask for access, but users can change this setting. This access applies for sites that don't match a URL defined in the Allow access to sensors on these sites or the Block access to sensors on these sites fields.
• Allow sites to access sensors—Allows access to sensors for all sites.
• Do not allow any site to access sensors—Denies access to sensors for all sites.

In the Allow access to sensors on these sites field, enter URLs that are always allowed access to sensors. Put each URL on it’s own line. 

In the Block access to sensors on these sites field, enter URLs that are never allowed access to sensors. Put each URL on it’s own line. 

If the URL isn't explicitly allowed or blocked, the option set in the Default access section or the users' personal settings take precedence, in that order.

Do not enter the same URL in both the Allow access to sensors on these sites and Block access to sensors on these sites. If a URL matches with both, the Block access to sensors on these sites applies and access to motion or light sensors is blocked.
 

For details on valid URL patterns, see Enterprise policy URL pattern format.

Not currently available for Google Workspace for Education domains

Gives EMM partners programmatic access to manage user policies for Chrome and Chrome devices. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.

When partner access is turned on, your EMM partner can manage individual user policies that determine your users' experience on Chrome and Chrome devices. Therefore EMM partners no longer have to manage user policies by Admin console organizational unit structure. Instead, they can use the structure configured in their EMM console. You can’t simultaneously set the same policy for the same user using partner access and the Admin console. User-level policies configured using partner access controls take precedence over organizational unit policies set in the Admin console. To enforce policies on users by organizational unit, you must select Disable Chrome management—partner access.

You can also use your EMM console to set device policies. 

Specifies whether users can open some URLs in an alternative browser, such as Microsoft Internet Explorer.

Specifies the length of time, in seconds, that it takes to open the alternative browser. During this time, users see an interstitial page that lets them know they're switching to another browser. By default, URLs immediately open in the alternative browser, without showing the interstitial page.

Allows you to use your Internet Explorer site list to control whether URLs open in Chrome browser or Internet Explorer.

Specifies the URL of the XML file that contains the list of website URLs that open in an alternative browser. You can review this sample XML file.

Specifies the URL of the XML file that contains the list of website URLs that do not trigger a browser switch.

Specifies a list of website URLs that open in an alternative browser.

Specifies a list of website URLs that do not trigger a browser switch.

By default, only the URL is passed as a parameter to the alternative browser. You can specify parameters to be passed to the alternative browser’s executable. Parameters that you specify are used when the alternative browser is invoked. You can use the special placeholder ${url} to specify where the URL should appear in the command line.

You don't have to specify the placeholder if it's the only argument or if it should be appended to the end of the command line.

Lets you specify the program that's used as an alternative browser. For example, for Windows computers, the default alternative browser is Internet Explorer.

You can specify a file location or use one of these variables:

• ${chrome}—Chrome browser
• ${firefox}— Mozilla Firefox
• ${ie}—Internet Explorer
• ${opera}—Opera
• ${safari}—Apple Safari

Windows only

Specifies the parameters to be passed to Chrome browser's executable when returning from the alternative browser. By default, only the URL is passed as a parameter to Chrome browser. Parameters that you specify are used when Chrome browser is invoked. You can use the special placeholder ${url} to specify where the URL should appear in the command line.

You don't have to specify the placeholder if it's the only argument or if it should be appended to the end of the command line.

Windows only

Specifies the executable of Chrome browser to be launched when returning from the alternative browser.

You can specify a file location or use the variable ${chrome}, which is the default installation location for Chrome browser.

Specifies whether to close Chrome browser after the last tab in the window switches to the alternative browser.

Chrome browser tabs automatically close after switching to the alternative browser. If you specify Close Chrome completely and the last tab is open in the window before switching, Chrome browser closes completely.

Controls whether users can use Parallels Desktop for Chromebook to access the Microsoft Windows applications and files, including Microsoft Office, on their Chromebook Enterprise device.

When you select Allow users to use Parallels desktop, you must accept the end-user license agreement.

Specifies the URL for the Microsoft Windows image and the SHA-256 hash of the Windows image file that users download to their Chromebooks before using Parallels Desktop.

Specifies the required disk space in gigabytes for running Parallels Desktop. The default value is 20GB.

If you set a required free disk space value and the user device detects that the remaining space is smaller than that value, it cannot run Parallels. Therefore, we recommend you check the size of your uncompressed virtual machine (VM) image as well as how much additional data or applications you expect to install before deciding on a required disk space value.

To allow Parallels to generate and collect event logs from your users, select Enable sharing diagnostics data to Parallels. For details on the information collected in the logs, see Parallels Customer Experience Program.

Specifies whether user-level Chrome policies that you set in your Admin console are enforced when users sign in to Chrome with their Google Account on any device. The default for this setting is Apply all user policies when users sign into Chrome, and provide a managed Chrome experience.

For backward compatibility, you can let users sign into Chrome as unmanaged users. Select Do not apply any policies when users sign into Chrome. Allow users to access Chrome as an unmanaged user. Then, when users sign in to Chrome, they no longer receive user-level policies that you set in the Admin console, including apps and extensions.

Turning Chrome management off and on again might cause some users to experience changes to their account. Before you turn it on again, inform your users. While Chrome management was turned off, users might have signed in as unmanaged users. When the setting is turned back on again, Android apps might be removed or users might no longer be able to sign in multiple people at the same time on Chrome devices.

You don't need to turn on Chrome management to apply policies if you manage Chrome devices using your Admin console. User-level policies apply to those Chrome devices, even if you turn off this setting.

For information about how to set up Chrome browser user-level management, see Manage user profiles on Chrome browser.