Overview of Enterprise Policies

Startup, Home page and New Tab page

Startup

Configures the pages to load on startup, the default home page and the default new tab page in Chromium and prevents users from changing them.

The user's home page settings are only completely locked down if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'.

The policy 'URLs to open on startup' is ignored unless you select 'Open a list of URLs' in 'Action on startup'.


Remote access

RemoteAccess

Configure remote access options in Chrome Remote Desktop host.

Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using the Chrome Remote Desktop application. The native service is packaged and executed separately from the Chromium browser.

These policies are ignored unless the Chrome Remote Desktop host is installed.


Proxy server

Proxy

Allows you to specify the proxy server used by Chromium and prevents users from changing proxy settings.

If you choose to never use a proxy server and always connect directly, all other options are ignored.

If you choose to auto detect the proxy server, all other options are ignored.

For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

If you enable this setting, Chromium and ARC-apps ignore all proxy-related options specified from the command line.

Leaving these policies not set will allow the users to choose the proxy settings on their own.


HTTP authentication

HTTPAuthentication

Policies related to integrated HTTP authentication.


Kerberos

Kerberos

Policies related to Kerberos authentication.


Default search provider

DefaultSearchProvider

Configures the default search provider. You can specify the default search provider that the user will use or choose to disable default search.


Content settings

ContentSettings

Content settings allow you to specify how content of a specific type (for example Cookies, Images or JavaScript) is handled.


Power management

PowerManagement

Configure power management in Chromium OS.

These policies let you configure how Chromium OS behaves when the user remains idle for some amount of time.


Accessibility settings

Accessibility

Configure Chromium OS accessibility features.


Google Cast

GoogleCast

Configure policies for Google Cast, a feature that allows users to send the contents of tabs, sites or the desktop from the browser to remote displays and sound systems.


Quick unlock

QuickUnlock

Configures quick unlock related policies.


Safe Browsing settings

SafeBrowsing

Configure Safe Browsing related policies.


Network File Shares settings

NetworkFileShares

Configure Network File Share related policies.


Cloud Reporting

CloudReporting

Configure cloud reporting policies.

When the policy CloudReportingEnabled is left unset or set to disabled, these policies will be ignored.

These policies are only effective when the machine is enrolled with CloudManagementEnrollmentToken for Chromium. These policies are always effective for Chromium OS.


Sign-in settings

Signin

Controls the behavior of the sign-in screen, where users log into their accounts. Settings include who can log in, what type of accounts are allowed, what authentication methods should be used, as well as general accessibility, input method and locale settings.


User and device reporting

UserAndDeviceReporting

Controls what kind of user and device information is reported.


Network settings

Network

Controls device-wide network configuration.


Device update settings

DeviceUpdate

Controls how and when Chrome OS updates are applied.


Power and shutdown

PowerAndShutdown

Controls settings related to power management and rebooting.


Other

Other

Controls miscellaneous settings including USB, Bluetooth, policy refresh, developer mode and others.


Date and time

DateAndTime

Controls clock and time zone settings.


Display

Display

Controls display settings.


Printing

Printing

Controls printing settings.


Linux container

Crostini

Controls settings for the Linux container (Crostini).


Privacy screen settings

PrivacyScreen

Controls user and device policies for the privacy screen feature.


Startup, Home page and New Tab page

Show Home button on toolbar - ShowHomeButton

Category: Startup

Setting the policy to Enabled shows the Home button on Chromium's toolbar. Setting the policy to Disabled keeps the Home button from appearing.

If you set the policy, users can't change it in Chromium. If not set, users choose whether to show the Home button.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: True
  • Can Be Recommended: True



More about "Startup"

Show Home button on toolbar

Remote access

Configure the required domain name for remote access clients - RemoteAccessHostClientDomain

Category: RemoteAccess

This policy is deprecated. Please use RemoteAccessHostClientDomainList instead.

Data Type:

String

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: False



More about "RemoteAccess"

Configure the required domain name for remote access clients

Proxy server

Choose how to specify proxy server settings - ProxyMode

Category: Proxy

This policy is deprecated, please use ProxySettings instead.

Setting the policy to Enabled lets you specify the proxy server Chrome uses and prevents users from changing proxy settings. Chrome and ARC-apps ignore all proxy-related options specified from the command line. The policy only takes effect if the ProxySettings policy isn't specified.

Other options are ignored if you choose:

  • direct = Never use a proxy server and always connect directly
  • system = Use system proxy settings
  • auto_detect = Auto detect the proxy server

If you choose to use:

  • fixed_servers = Fixed proxy servers. You can specify further options with ProxyServer and ProxyBypassList. Only the HTTP proxy server with the highest priority is available for ARC-apps.
  • pac_script = A .pac proxy script. Use ProxyPacUrl to set the URL to a proxy .pac file.

Leaving the policy unset lets users choose the proxy settings.

Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).

  • direct = Never use a proxy
  • auto_detect = Auto detect proxy settings
  • pac_script = Use a .pac proxy script
  • fixed_servers = Use fixed proxy servers
  • system = Use system proxy settings

Data Type:

String

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: True



More about "Proxy"

Choose how to specify proxy server settings

HTTP authentication

Supported authentication schemes - AuthSchemes

Category: HTTPAuthentication

Setting the policy specifies which HTTP authentication schemes Chromium supports.

Leaving the policy unset employs all 4 schemes.

Valid values:

  • basic

  • digest

  • ntlm

  • negotiate

Note: Separate multiple values with commas.

Data Type:

String

Supported features:

  • Dynamic Policy Refresh: False
  • Per Profile: False



More about "HTTPAuthentication"

Supported authentication schemes

Kerberos

Enable 'Remember password' feature - KerberosRememberPasswordEnabled

Category: Kerberos

Controls whether the 'Remember password' feature is enabled in the Kerberos authentication dialog. Passwords are stored encrypted on disk, only accessible to the Kerberos system daemon and during a user session.

If this policy is enabled or not set, users can decide whether Kerberos passwords are remembered, so that they do not have to be entered again. Kerberos tickets are automatically fetched unless additional authentication is required (two-factor authentication).

If this policy is disabled, passwords are never remembered and all previously stored passwords are removed. Users have to enter their password every time they need to authenticate with the Kerberos system. Depending on server settings, this usually happens anywhere from every 8 hours to every several months.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: False



More about "Kerberos"

Enable 'Remember password' feature

Default search provider

Enable the default search provider - DefaultSearchProviderEnabled

Category: DefaultSearchProvider

Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar.

If you set the policy, users can't change it in Chromium. If not set, the default search provider is on, and users can set the search provider list.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: True



More about "DefaultSearchProvider"

Enable the default search provider

Content settings

Default cookies setting - DefaultCookiesSetting

Category: ContentSettings

Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.

Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.

If Chromium is running in Background mode, the session might stay active until the user exits the browser, not just closes the last window. See BackgroundModeEnabled for details about configuring this behavior.

While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.

  • 1 = Allow all sites to set local data
  • 2 = Do not allow any site to set local data
  • 4 = Keep cookies for the duration of the session

Data Type:

Integer

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: True



More about "ContentSettings"

Default cookies setting

Power management

Screen dim delay when running on AC power - ScreenDimDelayAC

Category: PowerManagement

Note that this policy is deprecated and will be removed in Chromium OS version 85. Please use PowerManagementIdleSettings instead.

Specifies the length of time without user input after which the screen is dimmed when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Chromium OS dims the screen.

When this policy is set to zero, Chromium OS does not dim the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal to the screen off delay (if set) and the idle delay.

Data Type:

Integer

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: False



More about "PowerManagement"

Screen dim delay when running on AC power

Accessibility settings

Show accessibility options in system tray menu - ShowAccessibilityOptionsInSystemTrayMenu

Category: Accessibility

Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.

If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.

If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: True
  • Can Be Recommended: True



More about "Accessibility"

Show accessibility options in system tray menu

Google Cast

Enable Google Cast - EnableMediaRouter

Category: GoogleCast

Setting the policy to Enabled or leaving it unset turns on Google Cast, which users can launch from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.

Setting the policy to Disabled turns off Google Cast.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: False
  • Per Profile: True



More about "GoogleCast"

Enable Google Cast

Quick unlock

Configure allowed quick unlock modes - QuickUnlockModeAllowlist

Category: QuickUnlock

Setting the policy controls which quick unlock modes can unlock the lock screen.

To allow:

  • Every quick unlock mode, use ["all"] (includes modes added in the future).

  • Only PIN unlock, use ["PIN"].

  • PIN and fingerprint, use ["PIN", "FINGERPRINT"].

If the policy is unset or set to an empty list, no quick unlock modes are available for managed devices.

Data Type:

Array

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: True



More about "QuickUnlock"

Configure allowed quick unlock modes

Safe Browsing settings

Enable Safe Browsing - SafeBrowsingEnabled

Category: SafeBrowsing

This policy is deprecated in Chromium 83, please use SafeBrowsingProtectionLevel instead.

Setting the policy to Enabled keeps Chrome's Safe Browsing feature on. Setting the policy to Disabled keeps Safe Browsing off.

If you set this policy, users can't change it or override the "Enable phishing and malware protection" setting in Chrome. If not set, "Enable phishing and malware protection" is set to True, but the user can change it.

See more about Safe Browsing ( https://developers.google.com/safe-browsing ).

If the policy SafeBrowsingProtectionLevel is set, the value of the policy SafeBrowsingEnabled is ignored.

On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: True
  • Can Be Recommended: True



More about "SafeBrowsing"

Enable Safe Browsing

Network File Shares settings

Controls Network File Shares for ChromeOS availability - NetworkFileSharesAllowed

Category: NetworkFileShares

Setting the policy to Enabled lets users use Network File Shares for Chromium OS. Setting the policy to Disabled means users can't use this feature.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: False
  • Per Profile: True



More about "NetworkFileShares"

Controls Network File Shares for ChromeOS availability

Cloud Reporting

Enables Chromium cloud reporting - CloudReportingEnabled

Category: CloudReporting

This policy controls Chromium cloud reporting which uploads information about the browser operation to Google Admin console.

When this policy is left unset or set to False, there is no data collected or uploaded. When this policy is set to True, the data is collected and uploaded to Google Admin console.

For Chromium, this policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken. For Chromium OS, this policy is always effective.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: False



More about "CloudReporting"

Enables Chromium cloud reporting

Sign-in settings

Enable guest mode - DeviceGuestModeEnabled

Category: Signin

If this policy is set to true or not configured, Chromium OS will enable guest logins. Guest logins are anonymous user sessions and do not require a password.

If this policy is set to false, Chromium OS will not allow guest sessions to be started.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True



More about "Signin"

Enable guest mode

User and device reporting

Send system logs to the management server - LogUploadEnabled

Category: UserAndDeviceReporting

Setting the policy to Enabled sends system logs to the management server, to allow admins to monitor system logs.

Setting the policy to Disabled or leaving it unset reports no system logs.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True



More about "UserAndDeviceReporting"

Send system logs to the management server

Network settings

Enable data roaming - DeviceDataRoamingEnabled

Category: Network

Setting the policy to Enabled allows data roaming for the device.

Setting the policy to Disabled or leaving it unset renders data roaming unavailable.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True



More about "Network"

Enable data roaming

Device update settings

Release channel - ChromeOsReleaseChannel

Category: DeviceUpdate

Specifies the release channel that this device should be locked to.

Setting ChromeOsReleaseChannel only has an effect if ChromeOsReleaseChannelDelegated is set to False.

  • stable-channel = Stable channel
  • beta-channel = Beta channel
  • dev-channel = Dev channel (may be unstable)

Data Type:

String

Supported features:

  • Dynamic Policy Refresh: True



More about "DeviceUpdate"

Release channel

Power and shutdown

Power management on the login screen - DeviceLoginScreenPowerManagement

Category: PowerAndShutdown

Setting the policy lets you set how Chromium OS behaves when there is no user activity for some amount of time while the sign-in screen appears. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session.

The deviations from these policies are:

  • The actions to take on idle or lid close cannot be to end the session.

  • The default action taken on idle when running on AC power is to shut down.

Leaving the policy or any of its settings unset results in the use of the default values for the various power settings.

Data Type:

Object

Supported features:

  • Dynamic Policy Refresh: True



More about "PowerAndShutdown"

Power management on the login screen

Other

Allowlist of USB detachable devices - UsbDetachableAllowlist

Category: Other

Setting the policy defines the list of USB devices users can detach from their kernel driver to use through the chrome.usb API directly inside a web app. Entries are pairs of USB Vendor Identifier and Product Identifier to identify specific hardware.

If not set, the list of detachable USB devices is empty.

Data Type:

Array

Supported features:

  • Dynamic Policy Refresh: False



More about "Other"

Allowlist of USB detachable devices

Date and time

Timezone - SystemTimezone

Category: DateAndTime

Setting the policy specifies a device's time zone and turns off location-based automatic time zone adjustment while overriding the SystemTimezoneAutomaticDetection policy. Users can't change the time zone.

New devices start with the time zone set to US Pacific. Value format follows the names in the IANA Time Zone Database ( https://en.wikipedia.org/wiki/Tz_database ). Entering an invalid value activates the policy using GMT.

If not set or if you enter an empty string, the device uses the currently active time zone, but users can change it.

Data Type:

String

Supported features:

  • Dynamic Policy Refresh: True



More about "DateAndTime"

Timezone

Display

Set display resolution and scale factor - DeviceDisplayResolution

Category: Display

Setting the policy sets the resolution and scale factor for each display. External display settings apply to connected displays. (The policy doesn't apply if a display doesn't support the specified resolution or scale.)

Setting external_use_native to True means the policy ignores external_width and external_height and sets external displays to their native resolution. Setting external_use_native to False or leaving it and external_width or external_height unset means the policy doesn't affect external displays.

Setting the recommended flag to True lets users change resolution and scale factor of any display through the settings page, but their settings change back at the next reboot. Setting the recommended flag to False or leaving it unset means users can't change the display settings.

Note: Set external_width and external_height in pixels and external_scale_percentage and internal_scale_percentage in percents.

Data Type:

Object

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: False
  • Can Be Recommended: False



More about "Display"

Set display resolution and scale factor

Printing

Enable printing - PrintingEnabled

Category: Printing

Setting the policy to Enabled or leaving it unset lets users print in Chromium, and users can't change this setting.

Setting the policy to Disabled means users can't print from Chromium. Printing is off in the three dots menu, extensions, and JavaScript applications.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: True



More about "Printing"

Enable printing

Linux container

User is enabled to run Crostini - CrostiniAllowed

Category: Crostini

Setting the policy to Enabled or leaving it unset lets users run Crostini, as long as VirtualMachinesAllowed and CrostiniAllowed are set to Enabled. Setting the policy to Disabled turns Crostini off for the user. Changing it to Disabled applies the policy only to newly started Crostini containers, not to those already running.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: False



More about "Crostini"

User is enabled to run Crostini

Privacy screen settings

Set the state of privacy screen on the login screen - DeviceLoginScreenPrivacyScreenEnabled

Category: PrivacyScreen

Set the state of the privacy screen feature on the login screen.

If this policy is set to True, privacy screen will be enabled when the login screen is shown.

If this policy is set to False, privacy screen will be disabled when the login screen is shown.

When this policy is set, the user cannot override the value when the login screen is shown.

If this policy is left unset, the privacy screen is disabled initially, but remains controllable by the user when the login screen is shown.

Data Type:

Boolean

Supported features:

  • Dynamic Policy Refresh: True
  • Per Profile: False
  • Can Be Recommended: False



More about "PrivacyScreen"

Set the state of privacy screen on the login screen

Overview of Enterprise Policies

Startup, Home page and New Tab page

Startup

Configures the pages to load on startup, the default home page and the default new tab page in Chromium and prevents users from changing them.

The user's home page settings are only completely locked down if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'.

The policy 'URLs to open on startup' is ignored unless you select 'Open a list of URLs' in 'Action on startup'.

  • Show Home button on toolbar

    Setting the policy to Enabled shows the Home button on Chromium's toolbar. Setting the policy to Disabled keeps the Home button from appearing.

    If you set the policy, users can't change it in Chromium. If not set, users choose whether to show the Home button.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: True
    • Can Be Recommended: True

Remote access

RemoteAccess

Configure remote access options in Chrome Remote Desktop host.

Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using the Chrome Remote Desktop application. The native service is packaged and executed separately from the Chromium browser.

These policies are ignored unless the Chrome Remote Desktop host is installed.


Proxy server

Proxy

Allows you to specify the proxy server used by Chromium and prevents users from changing proxy settings.

If you choose to never use a proxy server and always connect directly, all other options are ignored.

If you choose to auto detect the proxy server, all other options are ignored.

For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

If you enable this setting, Chromium and ARC-apps ignore all proxy-related options specified from the command line.

Leaving these policies not set will allow the users to choose the proxy settings on their own.

  • Choose how to specify proxy server settings

    This policy is deprecated, please use ProxySettings instead.

    Setting the policy to Enabled lets you specify the proxy server Chrome uses and prevents users from changing proxy settings. Chrome and ARC-apps ignore all proxy-related options specified from the command line. The policy only takes effect if the ProxySettings policy isn't specified.

    Other options are ignored if you choose:

    • direct = Never use a proxy server and always connect directly
    • system = Use system proxy settings
    • auto_detect = Auto detect the proxy server

    If you choose to use:

    • fixed_servers = Fixed proxy servers. You can specify further options with ProxyServer and ProxyBypassList. Only the HTTP proxy server with the highest priority is available for ARC-apps.
    • pac_script = A .pac proxy script. Use ProxyPacUrl to set the URL to a proxy .pac file.

    Leaving the policy unset lets users choose the proxy settings.

    Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).

    • direct = Never use a proxy
    • auto_detect = Auto detect proxy settings
    • pac_script = Use a .pac proxy script
    • fixed_servers = Use fixed proxy servers
    • system = Use system proxy settings

    Data Type:

    String

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: True

HTTP authentication

HTTPAuthentication

Policies related to integrated HTTP authentication.

  • Supported authentication schemes

    Setting the policy specifies which HTTP authentication schemes Chromium supports.

    Leaving the policy unset employs all 4 schemes.

    Valid values:

    • basic

    • digest

    • ntlm

    • negotiate

    Note: Separate multiple values with commas.

    Data Type:

    String

    Supported features:

    • Dynamic Policy Refresh: False
    • Per Profile: False

Kerberos

Kerberos

Policies related to Kerberos authentication.

  • Enable 'Remember password' feature

    Controls whether the 'Remember password' feature is enabled in the Kerberos authentication dialog. Passwords are stored encrypted on disk, only accessible to the Kerberos system daemon and during a user session.

    If this policy is enabled or not set, users can decide whether Kerberos passwords are remembered, so that they do not have to be entered again. Kerberos tickets are automatically fetched unless additional authentication is required (two-factor authentication).

    If this policy is disabled, passwords are never remembered and all previously stored passwords are removed. Users have to enter their password every time they need to authenticate with the Kerberos system. Depending on server settings, this usually happens anywhere from every 8 hours to every several months.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: False

Default search provider

DefaultSearchProvider

Configures the default search provider. You can specify the default search provider that the user will use or choose to disable default search.

  • Enable the default search provider

    Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar.

    If you set the policy, users can't change it in Chromium. If not set, the default search provider is on, and users can set the search provider list.

    On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: True

Content settings

ContentSettings

Content settings allow you to specify how content of a specific type (for example Cookies, Images or JavaScript) is handled.

  • Default cookies setting

    Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.

    Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.

    If Chromium is running in Background mode, the session might stay active until the user exits the browser, not just closes the last window. See BackgroundModeEnabled for details about configuring this behavior.

    While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.

    • 1 = Allow all sites to set local data
    • 2 = Do not allow any site to set local data
    • 4 = Keep cookies for the duration of the session

    Data Type:

    Integer

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: True

Power management

PowerManagement

Configure power management in Chromium OS.

These policies let you configure how Chromium OS behaves when the user remains idle for some amount of time.

  • Screen dim delay when running on AC power

    Note that this policy is deprecated and will be removed in Chromium OS version 85. Please use PowerManagementIdleSettings instead.

    Specifies the length of time without user input after which the screen is dimmed when running on AC power.

    When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Chromium OS dims the screen.

    When this policy is set to zero, Chromium OS does not dim the screen when the user becomes idle.

    When this policy is unset, a default length of time is used.

    The policy value should be specified in milliseconds. Values are clamped to be less than or equal to the screen off delay (if set) and the idle delay.

    Data Type:

    Integer

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: False

Accessibility settings

Accessibility

Configure Chromium OS accessibility features.

  • Show accessibility options in system tray menu

    Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.

    If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.

    If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: True
    • Can Be Recommended: True

Google Cast

GoogleCast

Configure policies for Google Cast, a feature that allows users to send the contents of tabs, sites or the desktop from the browser to remote displays and sound systems.

  • Enable Google Cast

    Setting the policy to Enabled or leaving it unset turns on Google Cast, which users can launch from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.

    Setting the policy to Disabled turns off Google Cast.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: False
    • Per Profile: True

Quick unlock

QuickUnlock

Configures quick unlock related policies.

  • Configure allowed quick unlock modes

    Setting the policy controls which quick unlock modes can unlock the lock screen.

    To allow:

    • Every quick unlock mode, use ["all"] (includes modes added in the future).

    • Only PIN unlock, use ["PIN"].

    • PIN and fingerprint, use ["PIN", "FINGERPRINT"].

    If the policy is unset or set to an empty list, no quick unlock modes are available for managed devices.

    Data Type:

    Array

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: True

Safe Browsing settings

SafeBrowsing

Configure Safe Browsing related policies.

  • Enable Safe Browsing

    This policy is deprecated in Chromium 83; please use SafeBrowsingProtectionLevel instead.

    Setting the policy to Enabled keeps Chrome's Safe Browsing feature on. Setting the policy to Disabled keeps Safe Browsing off.

    If you set this policy, users can't change it or override the "Enable phishing and malware protection" setting in Chrome. If not set, "Enable phishing and malware protection" is set to True, but the user can change it.

    See more about Safe Browsing ( https://developers.google.com/safe-browsing ).

    If the policy SafeBrowsingProtectionLevel is set, the value of the policy SafeBrowsingEnabled is ignored.

    On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: True
    • Can Be Recommended: True

Network File Shares settings

NetworkFileShares

Configure Network File Share related policies.

  • Controls Network File Shares for ChromeOS availability

    Setting the policy to Enabled lets users use Network File Shares for Chromium OS. Setting the policy to Disabled means users can't use this feature.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: False
    • Per Profile: True

Cloud Reporting

CloudReporting

Configure cloud reporting policies.

When the policy CloudReportingEnabled is left unset or set to disabled, these policies will be ignored.

These policies are only effective when the machine is enrolled with CloudManagementEnrollmentToken for Chromium. These policies are always effective for Chromium OS.

  • Enables Chromium cloud reporting

    This policy controls Chromium cloud reporting which uploads information about the browser operation to Google Admin console.

    When this policy is left unset or set to False, there is no data collected or uploaded. When this policy is set to True, the data is collected and uploaded to Google Admin console.

    For Chromium, this policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken. For Chromium OS, this policy is always effective.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: False

Sign-in settings

Signin

Controls the behavior of the sign-in screen, where users log into their accounts. Settings include who can log in, what type of accounts are allowed, what authentication methods should be used, as well as general accessibility, input method and locale settings.

  • Enable guest mode

    If this policy is set to true or not configured, Chromium OS will enable guest logins. Guest logins are anonymous user sessions and do not require a password.

    If this policy is set to false, Chromium OS will not allow guest sessions to be started.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True

User and device reporting

UserAndDeviceReporting

Controls what kind of user and device information is reported.

  • Send system logs to the management server

    Setting the policy to Enabled sends system logs to the management server, to allow admins to monitor system logs.

    Setting the policy to Disabled or leaving it unset reports no system logs.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True

Network settings

Network

Controls device-wide network configuration.

  • Enable data roaming

    Setting the policy to Enabled allows data roaming for the device.

    Setting the policy to Disabled or leaving it unset renders data roaming unavailable.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True

Device update settings

DeviceUpdate

Controls how and when Chrome OS updates are applied.

  • Release channel

    Specifies the release channel that this device should be locked to.

    Setting ChromeOsReleaseChannel only has an effect if ChromeOsReleaseChannelDelegated is set to False.

    • stable-channel = Stable channel
    • beta-channel = Beta channel
    • dev-channel = Dev channel (may be unstable)

    Data Type:

    String

    Supported features:

    • Dynamic Policy Refresh: True
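
Two entries on this page describe settings that are silently ignored: SafeBrowsingEnabled when SafeBrowsingProtectionLevel is set, and ChromeOsReleaseChannel unless ChromeOsReleaseChannelDelegated is set to False. The following added example (not part of the Chromium documentation) lints a policy dictionary for both cases; the sample policy sets and the SafeBrowsingProtectionLevel value 1 are constructed.

```python
RELEASE_CHANNELS = ("stable-channel", "beta-channel", "dev-channel")


def lint_ignored_settings(policies):
    """Return findings for settings this page says are ignored or deprecated."""
    findings = []
    if "SafeBrowsingEnabled" in policies:
        if "SafeBrowsingProtectionLevel" in policies:
            findings.append("SafeBrowsingEnabled: ignored because "
                            "SafeBrowsingProtectionLevel is set")
        else:
            findings.append("SafeBrowsingEnabled: deprecated in Chromium 83, "
                            "use SafeBrowsingProtectionLevel")
    channel = policies.get("ChromeOsReleaseChannel")
    if channel is not None:
        if channel not in RELEASE_CHANNELS:
            findings.append(f"ChromeOsReleaseChannel: unknown value {channel!r}")
        elif channel == "dev-channel":
            findings.append("ChromeOsReleaseChannel: dev-channel may be unstable")
        # The channel lock only applies when delegation is explicitly False.
        if policies.get("ChromeOsReleaseChannelDelegated") is not False:
            findings.append("ChromeOsReleaseChannel: no effect unless "
                            "ChromeOsReleaseChannelDelegated is set to False")
    return findings


# Constructed policy sets: one with ignored settings, one clean.
LEGACY_POLICIES = {"SafeBrowsingEnabled": True, "SafeBrowsingProtectionLevel": 1,
                   "ChromeOsReleaseChannel": "dev-channel",
                   "ChromeOsReleaseChannelDelegated": True}
CLEAN_POLICIES = {"SafeBrowsingProtectionLevel": 1,
                  "ChromeOsReleaseChannel": "stable-channel",
                  "ChromeOsReleaseChannelDelegated": False}

if __name__ == "__main__":
    for name, policy_set in (("legacy", LEGACY_POLICIES), ("clean", CLEAN_POLICIES)):
        print(name, lint_ignored_settings(policy_set))
```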

Power and shutdown

PowerAndShutdown

Controls settings related to power management and rebooting.

  • Power management on the login screen

    Setting the policy lets you set how Chromium OS behaves when there is no user activity for some amount of time while the sign-in screen appears. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session.

    The deviations from these policies are:

    • The actions to take on idle or lid close cannot be to end the session.

    • The default action taken on idle when running on AC power is to shut down.

    Leaving the policy or any of its settings unset results in the use of the default values for the various power settings.

    Data Type:

    Object

    Supported features:

    • Dynamic Policy Refresh: True

Other

Other

Controls miscellaneous settings including USB, bluetooth, policy refresh, developer mode and others.

  • Allowlist of USB detachable devices

    Setting the policy defines the list of USB devices users can detach from their kernel driver to use through the chrome.usb API directly inside a web app. Entries are pairs of USB Vendor Identifier and Product Identifier to identify specific hardware.

    If not set, the list of detachable USB devices is empty.

    Data Type:

    Array

    Supported features:

    • Dynamic Policy Refresh: False

Date and time

DateAndTime

Controls clock and time zone settings.

  • Timezone

    Setting the policy specifies a device's time zone and turns off location-based automatic time zone adjustment while overriding the SystemTimezoneAutomaticDetection policy. Users can't change the time zone.

    New devices start with the time zone set to US Pacific. Value format follows the names in the IANA Time Zone Database ( https://en.wikipedia.org/wiki/Tz_database ). Entering an invalid value activates the policy using GMT.

    If not set or if you enter an empty string, the device uses the currently active time zone, but users can change it.

    Data Type:

    String

    Supported features:

    • Dynamic Policy Refresh: True

Display

Display

Controls display settings.

  • Set display resolution and scale factor

    Setting the policy sets the resolution and scale factor for each display. External display settings apply to connected displays. (The policy doesn't apply if a display doesn't support the specified resolution or scale.)

    Setting external_use_native to True means the policy ignores external_width and external_height and sets external displays to their native resolution. Setting external_use_native to False or leaving it and external_width or external_height unset means the policy doesn't affect external displays.

    Setting the recommended flag to True lets users change resolution and scale factor of any display through the settings page, but their settings change back at the next reboot. Setting the recommended flag to False or leaving it unset means users can't change the display settings.

    Note: Set external_width and external_height in pixels and external_scale_percentage and internal_scale_percentage in percent.

    Data Type:

    Object

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: False
    • Can Be Recommended: False

Printing

Printing

Controls printing settings.

  • Enable printing

    Setting the policy to Enabled or leaving it unset lets users print in Chromium, and users can't change this setting.

    Setting the policy to Disabled means users can't print from Chromium. Printing is off in the three dots menu, extensions, and JavaScript applications.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: True

Linux container

Crostini

Controls settings for the Linux container (Crostini).

  • User is enabled to run Crostini

    Setting the policy to Enabled or leaving it unset lets users run Crostini, as long as VirtualMachinesAllowed and CrostiniAllowed are set to Enabled. Setting the policy to Disabled turns Crostini off for the user. Changing it to Disabled applies the policy to new Crostini containers being started, not to those already running.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: False

Privacy screen settings

PrivacyScreen

Controls user and device policies for the privacy screen feature.

  • Set the state of privacy screen on the login screen

    Set the state of the privacy screen feature on the login screen.

    If this policy is set to True, privacy screen will be enabled when the login screen is shown.

    If this policy is set to False, privacy screen will be disabled when the login screen is shown.

    When this policy is set, the user cannot override the value when the login screen is shown.

    If this policy is left unset, the privacy screen is disabled initially, but remains controllable by the user when the login screen is shown.

    Data Type:

    Boolean

    Supported features:

    • Dynamic Policy Refresh: True
    • Per Profile: False
    • Can Be Recommended: False