For administrators who manage Chrome policies from the Google Admin console.
As a Chrome Enterprise admin, you can control settings that apply when people use a managed ChromeOS device, such as a Chromebook. Device-level settings apply for anyone who uses the device, even if they sign in as a guest or with a personal Gmail account.
Specify device settings
Before you begin: To make settings for a specific group of devices, put the devices in an organizational unit.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Click the setting you want to configure. Learn about each setting.
Tip: Quickly find a setting by entering text in Search settings at the top.
You see Inherited if a setting is inherited from a parent. Or, you see Locally applied if the setting is overridden for the child.
- Click Save.
Settings typically take effect in minutes, but they might take up to 24 hours to apply for everyone.
Learn about each setting
For managed ChromeOS devices.
If you see Device-specific setting, the setting is only available with specific device types. Some settings aren’t available with single-app kiosks.
Most policies apply to both affiliated and unaffiliated users on ChromeOS. A user is affiliated if they are managed by the same domain that manages the ChromeOS device they are signed into. A user is unaffiliated if they are signed into their device as a managed user from a different domain, for example if a user from domainA.com signs into a device managed by domainB.com or signs into an unmanaged device. The policies that apply only to either affiliated or unaffiliated users are clearly marked in the Admin console.
Enrollment and Access
Forced re-enrollment
Specifies whether ChromeOS or ChromeOS Flex devices are forced to re-enroll into your account after they’ve been wiped.
By default, wiped ChromeOS devices automatically re-enroll into your account without users having to enter their username and password.
Starting in ChromeOS version 131, ChromeOS Flex devices support forced re-enrollment. These devices are always re-enrolled with user credentials after wiping, regardless of the forced re-enrollment option you select.
Choose an option:
- Force device to automatically re-enroll after wiping—(Default) ChromeOS devices are automatically re-enrolled into your account. This option does not apply to ChromeOS Flex devices.
- Force device to re-enroll with user credentials after wiping—Users are prompted to re-enroll the ChromeOS or ChromeOS Flex device into your account.
- Do not force device to re-enroll after wiping—Users can use the device without re-enrolling it into your account.
If forced re-enrollment is turned on and you don't want a specific device to re-enroll in your account, you need to deprovision the device or change the setting.
For ChromeOS devices, if forced re-enrollment is turned on, developer mode is disabled for the device. ChromeOS Flex devices do not have access to developer mode.
For details on forced re-enrollment, see Force wiped ChromeOS devices to re-enroll.
Allows users to restore their Chromebook to its factory state if needed.
The default is Allow powerwash to be triggered.
If you select Do not allow powerwash to be triggered, there is one exception where the user can still trigger a powerwash: when you have allowed users to install a Trusted Platform Module (TPM) firmware update on devices but it has not been installed yet. When the update is performed, it might erase the device and reset it to factory settings. For details, see TPM firmware update.
This setting enables a web service to request proof that its client is running an unmodified ChromeOS device that’s policy-compliant (running in secure mode if required by the administrator). The setting includes the following controls:
- Enable for content protection–Ensures that ChromeOS devices in your organization will verify their identity to content providers using a unique key (Trusted Platform Module). Also ensures that Chromebooks can attest to content providers that they’re running in Verified Boot mode.
- Disable for content protection–If this control is disabled, some premium content may be unavailable to your users.
- Require verified mode boot for verified access–Devices must be running in verified boot mode for device verification to succeed. Devices in Dev mode will always fail the verified access check.
- Skip boot mode check for verified access–Allows devices in Dev mode to pass the verified access check.
- Services with full access–Lists email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in Google Cloud Platform Console.
- Services with limited access–Lists email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in Google Cloud Platform Console.
For more details for admins, go to Enable Verified Access with ChromeOS devices. For developers, go to the Google Verified Access API Developer Guide.
Controls the screen's custom text on devices that are disabled because they're lost or stolen. We recommend that you include a return address and contact phone number in your message. Then, anyone who sees the screen can return the device to your organization.
Sign-in Settings
Guest mode
Controls whether to allow guest browsing on managed ChromeOS devices. If you select Allow guest mode, the main sign-in screen offers the option for a user to sign in as a guest. If you select Disable guest mode, a user must sign in using a Google Account or Google Workspace account. When a user signs in using guest mode, your organization's policies are not applied.
For K-12 EDU domains, the default is Disable guest mode.
For all other domains, the default is Allow guest mode.
Allows you to manage which users can sign in to ChromeOS devices.
Note: If you allow guest browsing or managed guest sessions, users can use devices no matter which setting you choose.
Choose an option:
- Restrict sign-in to a list of users—Only users that you designate can sign in to devices. Other users get an error message. Enter one pattern for each line for the users that you want to specify:
- To let all your users sign in—Enter *@example.com. The Add person button is always available on devices.
- To only allow specific users to sign in—Enter user-id@example.com. When all the specified users have signed in to a device, the Add person button is no longer available.
- Allow any user to sign in—Any user with a Google Account can sign in to devices. The Add person button is available on the sign-in screen.
- Do not allow any user to sign in—Users cannot sign in to devices with their Google Account. The Add person button is unavailable.
Lets you choose a domain name to present to users on their sign-in page so that they don't need to enter the @domain.com part of their username during sign-in.
To turn the setting on, from the list, select Use the domain name, set below, for autocomplete at sign-in and enter your domain name.
Specifies whether the ChromeOS device's sign-in screen displays the names and pictures of users who have signed in to the device.
Displaying the names and pictures of users on the sign-in screen allows users to quickly start their sessions and works best for most deployments. We recommend you change this setting rarely and selectively to ensure the best user experience.
- Always show user names and photos—Lets users choose their user account on the sign-in screen (default).
- Never show user names and photos—Prevents user accounts from being displayed on the sign-in screen. Users must enter their Google Account username and password each time they sign in to their device. If you have SAML single sign-on (SSO) for devices and send users directly to the SAML identity provider (IdP) page, Google redirects them to the SSO sign-in page without entering their email address.
Note: If users are enrolled in 2-Step Verification, they’re prompted to perform their second verification step each time they sign in to their device.
Sets a weekly schedule of when guest browsing and sign-in restriction settings don’t apply to managed ChromeOS devices.
For example, school admins can block guest browsing or only allow users with a username ending in @schooldomain.edu to sign in during school hours. Outside of school hours, users can browse in guest mode or sign in to their device using an account other than their @schooldomain.edu account.
Replaces the default wallpaper with your own custom wallpaper on the sign-in screen. You can upload images in JPG format (.jpg or .jpeg files) that are up to a maximum size of 16 megabytes. Other file types are not supported.
Specifies whether enrolled ChromeOS devices delete all locally-stored settings and user data every time a user signs out. Data the device synchronizes persists in the cloud but not on the device itself. If you set it to Erase all local user data, the storage available to the users is limited to half the RAM capacity of the device. If the policy is set together with a managed guest session, it won't cache the session name or avatar.
Note: By default, ChromeOS devices encrypt all user data and automatically clean up disk space when shared by multiple users. This default behavior works best for most deployments and ensures data security and an optimal user experience. We recommend you enable Erase all local user data rarely and selectively.
Devices need to have SAML SSO. See Configure SAML single sign-on for ChromeOS devices.
Specifies whether single sign-on (SSO) users can navigate directly to your SAML identity provider (IdP) page instead of first having to enter their email address. By default, Take users to the default Google login page is selected.
Devices need to have SAML SSO. See Configure SAML single sign-on for ChromeOS devices.
Specifies whether single sign-on (SSO) users can sign in to internal websites and cloud services that rely on the same identity provider (IdP) on subsequent device sign-ins. SAML SSO cookies are always transferred on first sign-in.
To transfer cookies in subsequent sign-ins, select Enable transfer of SAML SSO Cookies into user session during sign-in. If you've also enabled Android apps on supported devices in your organization, cookies are not transferred to Android apps.
Devices need to have SAML SSO. See Configure SAML single sign-on for ChromeOS devices.
Important: If you enable this policy, you grant third parties access to their users' cameras on their users' behalf. Ensure that you have proper consent forms in place for users—the system does not show end users any consent forms if permission is granted using this policy.
Specifies third-party apps or services that are allowed to have direct access to users' cameras during the SAML single sign-on (SSO) flow. Configuring this setting lets third-party identity providers (IdPs) bring new forms of authentication flows to ChromeOS devices.
To add IdPs to the allowlist, enter the URL for each service on a separate line.
For information about setting up Clever Badges for your organization, go to the Clever support site.
You can automatically pass usernames from Google Identity to third-party identity providers (3P IdPs) to avoid users having to type their username twice.
You do this by specifying the query parameter key that is used by ChromeOS to autofill the username field during online authentication with SAML on the sign-in and lock screens. Some identity providers support these special query parameters on their sign-in pages.
The value for the query parameter is the user's email associated with their ChromeOS profile. If users are expected to use different emails with SAML IdP, leave the field empty.
If you do not specify any query parameter key, users must manually enter their username on the SAML IdP sign-in page.
Examples
Identity provider | Policy value |
---|---|
Microsoft Entra ID | login_hint |
Okta | Note: Other Okta endpoints might not support autofilling usernames. |
ADFS | login_hint |
Devices need to have SAML SSO. See Configure SAML single sign-on for ChromeOS devices.
Allows you to control client certificates for single sign-on (SSO) sites.
You enter a list of URL patterns as a JSON string. Then, if an SSO site matching a pattern requests a client certificate and a valid device-wide client certificate is installed, Chrome automatically selects a certificate for the site.
If the site requesting the certificate doesn’t match any of the patterns, Chrome doesn’t provide a certificate.
How to format the JSON string:
{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}
The ISSUER/CN parameter (certificate issuer name above) specifies the common name of the Certificate Authority (CA) that client certificates must have as their issuer to be autoselected. If you want Chrome to select a certificate issued by any CA, leave this parameter blank by entering "filter":{}.
Examples:
{"pattern":"https://[*.]ext.example.com","filter":{}}, {"pattern":"https://[*.]corp.example.com","filter":{}}, {"pattern":"https://[*.]intranet.usercontent.com","filter":{}}
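The following is an added example, not code from the Admin console or from Chrome: a Python model of how entries in this setting are evaluated against a requesting site and the installed device-wide certificates. It assumes a pattern matcher limited to the pattern features shown above (scheme, an optional [*.] subdomain prefix, host, port and path prefix), a filter that understands only ISSUER/CN, certificates represented as dicts with an issuer_cn field, and that the first installed certificate matching a filter is the one selected; the policy value, hosts, issuer names and certificate labels are constructed for the example.

```python
from __future__ import annotations

import json
import re
from urllib.parse import urlsplit

# Constructed policy value, in the comma-separated object form shown above.
# Hosts, issuer names and certificate labels are invented for this example.
POLICY_VALUE = (
    '{"pattern":"https://[*.]corp.example.com",'
    '"filter":{"ISSUER":{"CN":"Example Corp Issuing CA"}}}, '
    '{"pattern":"https://sso.example.com:8443","filter":{}}'
)

# Constructed stand-ins for device-wide client certificates: only the issuer
# CN is modelled, because that is the only field this filter inspects.
INSTALLED_CERTS = [
    {"label": "vpn-cert", "issuer_cn": "Example VPN CA"},
    {"label": "sso-cert", "issuer_cn": "Example Corp Issuing CA"},
]

# Pattern grammar handled here (assumed subset of the enterprise URL pattern
# format): [scheme://][[*.]]host[:port][/path]
PATTERN_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<wild>\[\*\.\])?(?P<host>[^/:\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/.*)?$",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def load_policy(policy_value: str) -> list[dict]:
    """Accept one object, several comma-separated objects, or a JSON array,
    and reject entries that lack the required pattern/filter keys."""
    text = policy_value.strip()
    if not text.startswith("["):
        text = "[" + text + "]"
    entries = json.loads(text)
    for entry in entries:
        if not isinstance(entry.get("pattern"), str) or not isinstance(entry.get("filter"), dict):
            raise ValueError(f"malformed entry: {entry!r}")
    return entries


def pattern_matches(pattern: str, url: str) -> bool:
    """True when url falls under pattern; [*.]host also covers its subdomains."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    want_host = m["host"].lower()
    if m["scheme"] and m["scheme"].lower() != scheme:
        return False
    if m["wild"]:
        if host != want_host and not host.endswith("." + want_host):
            return False
    elif host != want_host:
        return False
    if m["port"] and int(m["port"]) != (u.port or DEFAULT_PORTS.get(scheme)):
        return False
    return not m["path"] or (u.path or "/").startswith(m["path"])


def cert_matches_filter(cert: dict, flt: dict) -> bool:
    """{} matches any certificate; {"ISSUER":{"CN":x}} requires issuer CN x.
    Other filter keys Chrome may support are not modelled here (assumption)."""
    wanted_cn = flt.get("ISSUER", {}).get("CN")
    return wanted_cn is None or cert["issuer_cn"] == wanted_cn


def select_certificate(policy_value: str, site_url: str, certs: list[dict]) -> str | None:
    """Label of the certificate that would be presented, or None when no entry
    applies. Entries are tried in policy order; within an entry the first
    matching installed certificate wins (an assumption of this model)."""
    for entry in load_policy(policy_value):
        if not pattern_matches(entry["pattern"], site_url):
            continue
        for cert in certs:
            if cert_matches_filter(cert, entry["filter"]):
                return cert["label"]
    return None


if __name__ == "__main__":
    for url in ("https://sso.corp.example.com/login", "https://notcorp.example.com/",
                "https://sso.example.com:8443/saml", "https://sso.example.com/saml"):
        print(url, "->", select_certificate(POLICY_VALUE, url, INSTALLED_CERTS))
```

Two checks worth running against your own policy value before saving it: a pattern with an explicit port never matches the default port (sso.example.com on 443 gets no certificate here), and a [*.] prefix matches the bare host and dotted subdomains only, so notcorp.example.com does not fall under [*.]corp.example.com.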
Allows you to control accessibility settings on the sign-in screen. Accessibility settings include large cursor, spoken feedback, and high-contrast mode.
- Turn off accessibility settings on the sign-in screen upon sign-out—Restores accessibility settings to the defaults when the sign-in screen is shown or the user remains idle on the sign-in screen for one minute.
- Allow user to control accessibility settings on the sign-in screen—Restores the accessibility settings that users turned on or off on the sign-in screen, even if the device is restarted.
Specifies what language the ChromeOS device’s sign-in screen displays. You can also allow users to choose the language.
Specifies which keyboard layouts are allowed on the ChromeOS device’s sign-in screen.
Specifies which URLs are granted access to perform verified access checks on devices during SAML authentication on the sign-in screen.
Specifically, if a URL matches one of the patterns entered here, it is allowed to receive an HTTP header containing a response to a remote attestation challenge, attesting device identity and device state.
If you do not add any URLs in the Allowed IdP redirect URLs field, no URL is allowed to use remote attestation on the sign-in screen.
URLs must use the HTTPS scheme, for example, https://example.com.
For information about valid url patterns, see Enterprise policy URL pattern format.
Specifies whether users can choose to display the device system information, for example ChromeOS version or device serial number, on the sign-in screen or if the system information is always displayed by default.
The default is Allow users to display system information on the sign-in screen by pressing Alt+V.
Only for ChromeOS devices with an integrated electronic privacy screen.
Specifies whether the privacy screen is always turned on or off on the sign-in screen. You can turn on or off the privacy screen on the sign-in screen, or let users choose.
Manifest v2 extensions support will be deprecated in the future. All extensions need to be migrated to Manifest v3 according to the Manifest V2 support timeline.
Specifies if users can access Manifest v2 extensions on the sign-in screen of their device.
Every extension for Chrome has a JSON-formatted manifest file, called manifest.json. The manifest file is the blueprint of your extension, and must be located in the extension's root directory.
The information in the manifest file includes the following:
- Extension title
- Extension version number
- Permissions needed for the extension to run
For more details, see Manifest file format.
Choose one of these options:
- Default device behavior (default)—Users can access Manifest v2 extensions based on their default device settings and the Manifest V2 support timeline.
- Disable manifest v2 extensions on the sign-in screen—Users can’t install Manifest v2 extensions, and their existing extensions are disabled.
- Enable manifest v2 extensions on the sign-in screen—Users can install Manifest v2 extensions.
- Enable force-installed manifest v2 extensions on the sign-in screen—Users can access force-installed Manifest v2 extensions only. This includes extensions that are force-installed using the Apps & Extensions page in the Google Admin console. All other Manifest v2 extensions are disabled. This option is always available, regardless of the migration stage.
Note: Extensions availability is controlled by other policies as well. For example, a v2 extension allowed by the Manifest policy changes to blocked if it’s listed as blocked by the Permissions and URLs setting on the Apps & Extensions page in your Admin console.
Specifies whether the sign-in screen on managed ChromeOS devices can detect the user's physical location.
By default, Allow access to geolocation on the login screen is selected.
Selecting Do not allow access to geolocation on the login screen might affect other geolocation settings. For example, accuracy of automatic timezone detection might be reduced because it only uses approximate IP-based location data, instead of accurate real-time coordinates.
Note: After sign-in, users can change their location settings.
You can control the available content on users' sign-in and lock screens when SAML or OpenID Connect single sign-on is used for user authentication, or when configuring network connections with Captive Portals.
Blocked URLs
Prevents the user from trying to access specific URLs on the sign-in and lock screens.
To configure this setting, enter up to 1,000 URLs on separate lines.
URL syntax
Each URL must have a valid hostname (such as google.com), an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.
URLs can also include:
- The URL scheme, which is http or https followed by ://
- A valid port value from 1 to 65,535
- The path to the resource
- Query parameters
Notes:
- To disable subdomain matching, put an extra period before the host.
- You cannot use user:pass fields, such as http://user:pass@example.com/pub/bigfile.iso. Instead, enter http://example.com/pub/bigfile.iso.
- When both Blocked URLs and Blocked URLs exception filters apply (with the same path length), the exception filter takes precedence.
- If an extra period precedes the host, the policy filters exact host matches only.
- You cannot use a wildcard at the end of a URL, such as https://www.google.com/* and https://google.com/*.
- The policy searches wildcards (*) last.
- The optional query is a set of key-value and key-only tokens delimited by '&'.
- The key-value tokens are separated by '='.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
Examples
Blocked URLs entry | Result |
---|---|
example.com | Blocks all requests to example.com, www.example.com, and sub.www.example.com |
http://example.com | Blocks all HTTP requests to example.com and any of its subdomains, but allows HTTPS requests |
https://* | Blocks all HTTPS requests to any domain |
mail.example.com | Blocks requests to mail.example.com but not to www.example.com or example.com |
.example.com | Blocks example.com (including any path, such as example.com/docs) but not its subdomains, such as www.example.com |
.www.example.com | Blocks www.example.com but not its subdomains |
* | Blocks all requests to URLs except for those listed as a blocked URL exception. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy. |
*:8080 | Blocks all requests to port 8080 |
*/html/crosh.html | Blocks Chrome Secure Shell (Also known as Crosh Shell) |
chrome://settings, chrome://os-settings | Blocks all requests to chrome://os-settings |
example.com/stuff | Blocks all requests to example.com/stuff, its subpaths, and the same path on subdomains of example.com |
192.168.1.2 | Blocks requests to 192.168.1.2 |
youtube.com/watch?v=V1 | Blocks youtube video with id V1 |
You can control the available content on users' sign-in and lock screens when SAML or OpenID Connect single sign-on is used for user authentication, or when configuring network connections with Captive Portals.
Blocked URLs exceptions
Specifies exceptions to the URL blocklist specified in the Blocked URLs on the sign-in / lock screens setting.
To configure the setting, enter up to 1,000 URLs on separate lines.
URL syntax
Each URL must have a valid hostname (such as google.com), an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.
URLs can also include:
- The URL scheme, which is http or https followed by ://
- A valid port value from 1 to 65,535
- The path to the resource
- Query parameters
Notes:
- To disable subdomain matching, put an extra period before the host.
- You cannot use user:pass fields, such as http://user:pass@example.com/pub/bigfile.iso. Instead, enter http://example.com/pub/bigfile.iso.
- When both Blocked URLs and Blocked URLs exception filters apply (with the same path length), the exception filter takes precedence.
- If an extra period precedes the host, the policy filters exact host matches only.
- You cannot use a wildcard at the end of a URL, such as https://www.google.com/* and https://google.com/*.
- The policy searches wildcards (*) last.
- The optional query is a set of key-value and key-only tokens delimited by '&'.
- The key-value tokens are separated by '='.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
Examples
Allowed URLs entry | Result |
---|---|
example.com | Allows all requests to example.com, www.example.com, and sub.www.example.com |
https://* | Allows all HTTPS requests to any domain |
*:8080 | Allows all requests to port 8080 |
*/html/crosh.html | Allows Chrome Secure Shell (Also known as Crosh Shell) |
chrome://settings, chrome://os-settings | Allows all requests to chrome://os-settings |
example.com/stuff | Allows all requests to example.com/stuff, its subpaths, and the same path on subdomains of example.com |
192.168.1.2 | Allows requests to 192.168.1.2 |
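As an added example (not Chrome's or Google's own code), the following Python model implements the entry syntax and precedence rules that both the Blocked URLs and the Blocked URLs exceptions settings above describe: scheme, leading-dot exact host, "*" wildcard host, port, path prefix, unordered query tokens with a trailing "*" prefix match, rejection of user:pass entries, and exception-over-block precedence at equal specificity. The full ordering between entries of unequal specificity (exact host over subdomain-matching host over wildcard, then longer host, longer path, more query tokens) is an assumption that goes slightly beyond what the page states; the block and exception lists and the URLs are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Entry grammar from the page: [scheme://][.]host[:port][/path][?query]
# where host may be "*" (any host) and a leading "." means exact host only.
ENTRY_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<dot>\.)?(?P<host>\*|[^/:?]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^?]*)?"
    r"(?:\?(?P<query>.*))?$",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Entry:
    allow: bool               # True for an exception, False for a block
    scheme: str | None
    host: str                 # "" for the "*" wildcard
    exact_host: bool          # entry started with "."
    port: int | None
    path: str                 # prefix match; "" means any path
    query: tuple[str, ...]    # tokens such as "v=V1" or "key*"; order ignored


def parse_entry(text: str, allow: bool) -> Entry:
    m = ENTRY_RE.match(text.strip())
    if not m or "@" in m["host"]:          # user:pass@ fields are not allowed
        raise ValueError(f"invalid entry: {text!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text!r}")
    return Entry(
        allow=allow,
        scheme=m["scheme"].lower() if m["scheme"] else None,
        host="" if m["host"] == "*" else m["host"].lower(),
        exact_host=bool(m["dot"]),
        port=port,
        path=m["path"] or "",
        query=tuple(t for t in (m["query"] or "").split("&") if t),
    )


def _token_matches(filter_tok: str, url_tok: str) -> bool:
    """Key-only tokens require the key; key=value tokens require both.
    A trailing "*" turns the comparison into a prefix match."""
    fk, has_value, fv = filter_tok.partition("=")
    uk, _, uv = url_tok.partition("=")
    if not has_value:
        return uk.startswith(fk[:-1]) if fk.endswith("*") else uk == fk
    if uk != fk:
        return False
    return uv.startswith(fv[:-1]) if fv.endswith("*") else uv == fv


def matches(e: Entry, url: str) -> bool:
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    if e.scheme and e.scheme != scheme:
        return False
    if e.host:
        same = host == e.host
        if e.exact_host and not same:
            return False
        if not e.exact_host and not same and not host.endswith("." + e.host):
            return False
    if e.port is not None and e.port != (u.port or DEFAULT_PORTS.get(scheme)):
        return False
    if e.path and not (u.path or "/").startswith(e.path):
        return False
    url_tokens = [t for t in u.query.split("&") if t]
    return all(any(_token_matches(ft, ut) for ut in url_tokens) for ft in e.query)


def specificity(e: Entry) -> tuple:
    """Higher wins. Exact host beats subdomain-matching host beats "*" (which is
    searched last); then longer host, longer path, more query tokens; on a full
    tie the exception wins, as the page states."""
    return (e.exact_host, len(e.host), len(e.path), len(e.query), e.allow)


def decide(blocked: list[str], allowed: list[str], url: str) -> str:
    entries = [parse_entry(t, False) for t in blocked] + [parse_entry(t, True) for t in allowed]
    hits = [e for e in entries if matches(e, url)]
    if not hits:
        return "allow"                     # nothing on either list applies
    return "allow" if max(hits, key=specificity).allow else "block"


# Constructed lists for the demo below.
BLOCKED = ["example.com", "*:8080", ".mail.example.net", "youtube.com/watch?v=V1", "*/html/crosh.html"]
ALLOWED = ["example.com/public", "https://docs.example.com"]

if __name__ == "__main__":
    for url in ("http://www.example.com/", "https://example.com/public/faq",
                "https://docs.example.com/x", "http://docs.example.com/x",
                "https://youtube.com/watch?feature=related&v=V1", "https://sub.mail.example.net/"):
        print(decide(BLOCKED, ALLOWED, url), url)
```

The case to watch when you write exceptions is scheme: the exception https://docs.example.com above does nothing for http://docs.example.com/x, which stays blocked by the broader example.com entry.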
Lists the website URLs that can automatically connect to USB devices with specific vendor and product IDs on the sign-in screen.
The URLs that you list are matched against the origin of the requesting URL. Paths in the URL pattern are ignored. For details on valid URL patterns, go to Enterprise policy URL pattern format.
For each URL, enter the vendor identifier (VID) and product identifier (PID) of the devices you want to allow access to as a colon separated hexadecimal pair (VID:PID). Put each device on a separate line.
Considerations
- For each item that you add to the list, the URL and device IDs must be valid. Otherwise, the item is ignored.
- For each device, you can enter a vendor ID and product ID.
- If you do not add a vendor ID, the policy matches any device.
- If you do not add a product ID, the policy matches any device with the given vendor ID.
- Any policy with a product ID but no vendor ID is invalid.
- If you don’t add any item to the list, no website can automatically connect to any USB device on the sign-in screen.
Lists the website URLs that can automatically connect to HID devices with specific vendor and product IDs on the sign-in screen.
The URLs that you list are matched against the origin of the requesting URL. Paths in the URL pattern are ignored. For details on valid URL patterns, go to Enterprise policy URL pattern format.
For each URL, enter the vendor identifier (VID) and product identifier (PID) of the devices you want to allow access to as a colon separated hexadecimal pair (VID:PID). Put each device on a separate line.
Considerations
- For each item that you add to the list, the URL and device IDs must be valid. Otherwise, the item is ignored.
- For each device, you can enter a vendor ID and product ID.
- If you do not add a vendor ID, the policy matches any device.
- If you do not add a product ID, the policy matches any device with the given vendor ID.
- Any policy with a product ID but no vendor ID is invalid.
- If you don’t add any item to the list, no website can automatically connect to any HID device on the sign-in screen.
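Added example, not code from the Admin console: a Python validator that applies the considerations listed above (shared by the USB and HID settings) to constructed entries and answers whether a given page may auto-connect to a given device. It assumes device lines are written as VID:PID, as VID alone for any product of that vendor, or as an empty line for any device; that origins are compared as scheme://host:port with no wildcard patterns; and that an item with any invalid part is dropped, as the page says. Hosts and IDs are invented.

```python
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str | None:
    """scheme://host:port of a URL, lower-cased; the path is ignored as the page
    says. Returns None when there is no scheme or host to build an origin from."""
    u = urlsplit(url)
    if not u.scheme or not u.hostname:
        return None
    port = u.port or DEFAULT_PORTS.get(u.scheme.lower())
    return f"{u.scheme.lower()}://{u.hostname.lower()}:{port}"


def parse_device(line: str) -> tuple[int | None, int | None]:
    """'VID:PID' (hex) -> (vid, pid). Assumed encoding of the page's rules:
    'VID' alone = any product of that vendor, an empty line = any device,
    and a PID without a VID is invalid."""
    line = line.strip()
    if not line:
        return (None, None)
    vid_text, _, pid_text = line.partition(":")
    vid = int(vid_text, 16) if vid_text else None
    pid = int(pid_text, 16) if pid_text else None
    if pid is not None and vid is None:
        raise ValueError(f"product ID without vendor ID: {line!r}")
    for value in (vid, pid):
        if value is not None and not 0 <= value <= 0xFFFF:
            raise ValueError(f"ID is not a 16-bit value: {line!r}")
    return (vid, pid)


def compile_allowlist(items: list[tuple[str, list[str]]]):
    """items are (url, device lines) pairs as entered in the console. Items with
    an invalid URL or an invalid device line are dropped and reported, since
    the page says such items are ignored."""
    rules, rejected = [], []
    for url, lines in items:
        origin = origin_of(url)
        if origin is None:
            rejected.append((url, "invalid URL"))
            continue
        try:
            devices = [parse_device(line) for line in lines]
        except ValueError as exc:
            rejected.append((url, str(exc)))
            continue
        rules.append((origin, devices))
    return rules, rejected


def can_auto_connect(rules, requesting_url: str, vid: int, pid: int) -> bool:
    """True when a page at requesting_url may connect to device vid:pid
    without a chooser prompt. An empty rule set allows nothing."""
    origin = origin_of(requesting_url)
    for rule_origin, devices in rules:
        if rule_origin != origin:
            continue
        for want_vid, want_pid in devices:
            if want_vid is None or (want_vid == vid and want_pid in (None, pid)):
                return True
    return False


# Constructed console entries; vendor/product IDs and hosts are invented.
POLICY_ITEMS = [
    ("https://badge.example.com", ["1A2B:0100", "1A2B:0101"]),  # two specific readers
    ("https://kiosk.example.com/login", ["04D8"]),               # any product of vendor 04D8
    ("https://broken.example.com", [":0100"]),                   # PID without VID: ignored
    ("not a url", ["1A2B:0100"]),                                # invalid URL: ignored
]

if __name__ == "__main__":
    rules, rejected = compile_allowlist(POLICY_ITEMS)
    print("rejected:", rejected)
    print(can_auto_connect(rules, "https://badge.example.com/saml/acs", 0x1A2B, 0x0100))
```

Note what the vendor-only line buys and costs: any device from that vendor connects silently to the listed origin, so keep vendor-only entries for kiosk or badge-reader cases where you control the hardware, and list full VID:PID pairs otherwise.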
Specifies the length of time that passes before the online sign-in screen automatically refreshes.
This setting is useful if you want to prevent the online sign-in screen from timing out when it is left idle. This setting is recommended if you permanently show a SAML SSO sign-in screen. Read Configure SAML single sign-on for ChromeOS devices.
Enter a value between 5 and 10080 minutes. Leave empty to deactivate online sign-in screen refresh.
Note: This setting does not apply to online authentication flows on the lock screen.
Sign-in screen accessibility
By default, accessibility settings are turned off on devices' sign-in screens. If you use the Admin console to turn an accessibility feature on or off, users can’t change or override it. If you select Allow the user to decide, users can turn accessibility features on or off as needed. For details, see Turn on Chromebook accessibility settings and Chromebook keyboard shortcuts.
Note: Turning off accessibility features can make devices less inclusive.
Spoken feedback
Lets ChromeOS devices read aloud text that is on the sign-in screen. If needed, users can also connect and set up braille devices. For details, see Use the built-in screen reader and Use a braille device with your Chromebook.
Lets users select items on the sign-in screen to hear specific text read aloud. While ChromeOS reads the selected words aloud, each word is highlighted visually. For details, see Hear text read aloud.
Changes the font and background color scheme to make the sign-in screen easier to read.
Lets users magnify all (full-screen magnifier) or part (docked magnifier) of the sign-in screen. For details, see Zoom in or magnify your Chromebook screen.
Lets users type shortcut key combinations one key at a time in sequence, instead of having to hold down multiple keys at once. For example, to paste an item, instead of pressing the Ctrl and V keys at the same time, sticky keys lets users first press Ctrl and then press V. For details, see Use keyboard shortcuts one key at a time.
Lets users input characters without using physical keys. On-screen keyboards are typically used on devices with a touchscreen interface, but users can also use a touchpad, mouse, or connected joystick. For details, see Use the on-screen keyboard.
Lets users enter text on the sign-in screen using their voice instead of a keyboard. For details, see Type text with your voice.
Highlights objects on the sign-in screen as users navigate through them using the keyboard. It helps users identify where they are on the screen.
While editing text, the area around the text caret, or cursor, on the sign-in screen is highlighted.
The mouse cursor automatically clicks where it stops on the sign-in screen, without users physically pressing mouse or touchpad buttons. For details, see Automatically click objects on your Chromebook.
Increases the size of the mouse cursor so that it's more visible on the sign-in screen.
Creates a colored focus ring around the mouse cursor so that it's more visible on the sign-in screen.
Allows you to reverse the function of the right and left mouse buttons on the sign-in screen. By default, the left mouse button is the primary button.
Plays the same sound through all speakers so that users don’t miss content in stereo sound.
Device update settings
Important: Before changing any of the auto-update settings below, review Manage updates on ChromeOS devices.
Auto-update settings
Allow devices to automatically update OS version
Software support is available only for the latest version of ChromeOS.
You can allow ChromeOS devices to automatically update to new versions of ChromeOS as they're released and let users check for updates themselves. Allow updates is strongly recommended.
To stop updates before a device is enrolled and restarted:
- On the End User License Agreement screen, press Ctrl+Alt+E. If you don’t, downloaded updates that should have been blocked by a policy might be applied when the user restarts the device.
Target version
Software support is available only for the latest version of ChromeOS.
Specifies the most recent ChromeOS version that devices can update to. Devices do not update to versions of ChromeOS beyond the number that you select. The last few versions of ChromeOS are listed. You should only prevent ChromeOS from updating beyond a specific version if you need to resolve compatibility issues before updating the ChromeOS version. Or, if you need to pin ChromeOS updates to a specific version before switching devices to the Long-term support (LTS) channel. For details about switching to long-term support, see Long-term support on ChromeOS.
Select Use latest available version to let ChromeOS update to the newest version when it becomes available.
Roll back to target version
Specifies whether devices should roll back to the version that you specify in Target version, if they're already running a later version.
For details, see Roll back ChromeOS to a previous version.
Release channel
Cannot be set for the top-level organizational unit. You must set it on a child organizational unit.
By default, ChromeOS follows updates on the Stable channel. Alternatively, you can choose the Long-term support (LTS), LTS candidate (LTC), Beta, or Dev channels.
You can configure one or more of your devices to use the Dev or Beta channel to help identify compatibility issues in upcoming versions of Chrome. For more information, including help deciding which channel to put your users on, see ChromeOS release best practices.
Starting in Chrome version 96, you can switch to the LTC channel to help increase stability. It has a slower release cadence than the Stable channel. Devices still continue to receive frequent security fixes, but they only get feature updates every 6 months. For details, see Long-term support (LTS) on ChromeOS.
To allow users to select a channel themselves, select Allow user to configure. This lets users test the latest Chrome features by letting them switch the release channel. For details on how users do this on their ChromeOS device, see Switch between stable, beta & dev software.
For users to select the Dev channel, you must set the Developer Tools user policy to Always allow use of built-in developer tools. For details, see Developer tools.
Rollout plan
Specifies how you want to roll out updates to managed ChromeOS devices.
Choose one of these options:
- Default (devices should update as soon as a new version is available)—Devices automatically update to new versions of ChromeOS as they are released.
- Rollout updates over a specific schedule—Only initially update a percentage of devices, which you can increase over time. You use the Staging Schedule setting to specify the rollout schedule.
- Scatter updates—If you have network bandwidth restrictions, you can scatter updates over a period of days, up to 2 weeks. You can use the Randomly scatter auto-updates over setting to specify the number of days.
Staging Schedule
Only available if you choose to roll out updates over a specific schedule
Specifies the rollout schedule for updating devices to new versions of ChromeOS. You can use this setting to limit new versions of ChromeOS to a specific percentage of devices over time. The date that some devices update might be after the release date. You can gradually add devices until they’re all updated.
Randomly scatter auto-updates over
Only available if you choose to scatter updates
Specifies the approximate number of days over which managed devices download an update after its release. You can use this setting to avoid causing traffic spikes in old or low-bandwidth networks. Devices that are offline during this period download the update when they're online again.
Unless you know that your network can't handle traffic spikes, you should select Do not scatter auto-updates or select a low number. When scattered updates are turned off, your users benefit from new Chrome enhancements and features quicker. You also minimize the number of concurrent versions, which simplifies change management during the update period.
Additional blackout windows
Specifies the days and times when Chrome temporarily stops automatic checks for updates. If the device is in the middle of an update, Chrome will temporarily pause the update. You can set as many blackout windows as you need. Manual update checks that users or admins initiate during a blackout window are not blocked.
Note: Setting this policy might affect the staging schedule, as devices cannot download auto-updates during blackout windows.
Auto reboot after updates
Specifies whether the device restarts automatically after an update. If the device is configured as a kiosk, restarts happen immediately. Otherwise, for user sessions or managed guest sessions, the automatic restart happens after the user next signs out.
- Allow auto-reboots—After a successful auto-update, the ChromeOS device restarts when the user next signs out.
- Disallow auto-reboots—Disables auto-restarts.
Note: For user sessions, we recommend you also set the relaunch notification user policy, so that users are notified to restart their device to get the latest update. For details, see Relaunch notification.
Updates over cellular
Specifies the types of connections that ChromeOS devices can use when they automatically update to new versions of ChromeOS. By default, devices automatically check for and download updates only when connected to Wi-Fi or Ethernet. Select Allow automatic updates on all connections, including cellular to let devices automatically update when they’re connected to a mobile network.
Peer to peer
Specifies whether peer to peer is used for ChromeOS update payloads. If you select Allow peer to peer auto update downloads, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device falls back to downloading from an update server.
Enforce updates
For devices with ChromeOS version 86 and later.
- Block devices & user sessions after—For devices that have a version of ChromeOS that is older than the one you specify. Sets the length of time after which users are signed out of devices. Choose a value between 1 and 6 weeks. To immediately sign out users until the device is updated, choose No warning.
- if they are not running at least version—Specifies the oldest ChromeOS version that you allow on users’ devices.
- Extend this period where devices which are not receiving automatic updates are not yet blocked to—For devices that no longer receive automatic updates and have a version of ChromeOS that is older than the one you specify. Sets the length of time after automatic updates stop that users are signed out of devices. Choose a value between 1 and 12 weeks. To immediately sign out users, choose No warning.
- Final automatic update message—Specifies the message that users see on devices that no longer receive automatic updates and have a ChromeOS version that is older than the one you specify. Use plain text with no formatting. No markup is allowed. Left empty, users see the default message.
For details about automatic device updates, see Auto Update policy.
How users see this message on their devices depends on whether the length of time that you specified in Block devices & user sessions after has passed:
- Until devices reach the time you specified—Users see the message on the Chrome management page after they sign in.
- After devices reach the time you specified—Users see the message on the sign-in screen. The device is blocked and users can’t sign in.
Update downloads
Specifies whether ChromeOS devices download ChromeOS updates over HTTP or HTTPS.
ChromeOS devices receive OS updates for 10 years after a device platform is first released. For certain devices, however, you need to opt in to extended updates to receive the full 10 years of support.
For details, see Extended updates support.
Prevents devices from updating to versions of Chrome beyond the version number specified by the app that you choose.
Clicking Select an app opens the Chrome Web store, where you can search for and select the app that you want.
Only available for auto-launched kiosk apps
Lets an autolaunched kiosk app control the ChromeOS version, preventing devices from updating to versions of Chrome beyond the version number specified by the app.
In the manifest file, the app must include "kiosk_enabled": true and specify the required ChromeOS version, required_platform_version. It can take up to 24 hours for updates in the manifest file to take effect on devices. For information on configuring settings in the app’s manifest file, see Let a kiosk app control the Chrome version.
Controls whether Chrome variations are fully enabled, enabled for critical fixes only, or disabled on devices.
By using variations, modifications to Google Chrome can be offered without shipping a new version of the browser by selectively enabling or disabling already existing features.
Note: We do not recommend disabling variations as this can potentially prevent the Google Chrome developers from providing critical security fixes in a timely manner.
For more details, see Manage the Chrome variations framework.
Specifies the day and time when devices check for updates, even if they're in sleep mode. Devices don't check for updates when they're powered off.
Kiosk settings
Before you can configure any kiosk settings, you need to enroll the device as a kiosk.
Related topics: Enroll ChromeOS devices, View ChromeOS device details, View and configure apps and extensions, and Set app and extension policies
Managed guest session
Only available for devices enrolled with Chrome Enterprise Upgrade or Chrome Education Upgrade.
Before you can configure a ChromeOS device as a managed guest session, you need to make sure managed guest session settings exist for the organizational unit that the device is assigned to. Then, to set the kiosk as a managed guest session kiosk, you select Allow managed guest sessions.
For information about creating managed guest session settings, see Managed guest session devices.
To automatically launch a managed guest session on a device, select Auto-launch managed guest session and set Auto-launch delay to 0.
Enable device health monitoring
Only available for managed guest sessions that automatically launch on ChromeOS devices
Select Enable device health monitoring to allow the health status of the kiosk to be reported. After doing this, you can check if a device is online and working properly.
For more information, see Monitor kiosk health.
Enable device system log upload
Only available for managed guest sessions that automatically launch on ChromeOS devices
Important: Before using this setting, you must inform the users of managed kiosk devices that their activity might be monitored and data might be inadvertently captured and shared. Without notification to your users, you are in violation of the terms of your agreement with Google.
Select Enable device system log upload to automatically capture system logs for kiosk devices. Logs are captured every 12 hours and uploaded to your Admin console, where they’re stored for a maximum of 60 days. At any one time, 7 logs are available to download—one for each day for the past 5 days, one for 30 days ago, and one for 45 days ago.
For more information, see Monitor kiosk health.
Screen rotation (clockwise)
Only available for managed guest sessions that automatically launch on ChromeOS devices
To configure screen rotation for your kiosk devices, select your desired screen orientation. For example, to rotate the screen for a portrait layout, select 90 Degrees. This policy can be overridden by manually configuring the device to a different screen orientation.
To get alerts when a Chrome kiosk device is turned off, check the Receive alerts via email box or the Receive alerts via SMS box, or both boxes.
Get status updates about your Chrome kiosk devices.
- Get updates by email—Next to Alerting emails, enter one email per line.
- Get updates by SMS—Next to Alerting mobile phones, enter one phone number per line.
Blocked URLs
Prevents Chrome browser users from accessing specific URLs.
To configure this setting, enter up to 1,000 URLs on separate lines.
Blocked URLs exceptions
Specifies exceptions to the URL blocklist.
To configure the setting, enter up to 1,000 URLs on separate lines.
URL syntax
Each URL must have a valid hostname (such as google.com), an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.
URLs can also include:
- The URL scheme, which is http or https followed by ://
- A valid port value from 1 to 65,535
- The path to the resource
- Query parameters
Notes:
- To disable subdomain matching, put an extra period before the host.
- You cannot use user:pass fields, such as http://user:pass@example.com/pub/bigfile.iso. Instead, enter http://example.com/pub/bigfile.iso.
- When both Blocked URLs and Blocked URLs exception filters apply (with the same path length), the exception filter takes precedence.
- If an extra period precedes the host, the policy filters exact host matches only.
- You cannot use a wildcard at the end of a URL, such as https://www.google.com/* and https://google.com/*.
- The policy searches wildcards (*) last.
- The optional query is a set of key-value and key-only tokens delimited by '&'.
- The key-value tokens are separated by '='.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
Examples
Blocked URLs entry | Result |
---|---|
example.com | Blocks all requests to example.com, www.example.com, and sub.www.example.com |
http://example.com | Blocks all HTTP requests to example.com and any of its subdomains, but allows HTTPS requests |
https://* | Blocks all HTTPS requests to any domain |
mail.example.com | Blocks requests to mail.example.com but not to www.example.com or example.com |
.example.com | Blocks example.com but not its subdomains, like example.com/docs |
.www.example.com | Blocks www.example.com but not its subdomains |
* | Blocks all requests to URLs except for those listed as a blocked URL exception. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy. |
*:8080 | Blocks all requests to port 8080 |
*/html/crosh.html | Blocks Chrome Secure Shell (Also known as Crosh Shell) |
chrome://settings chrome://os-settings | Blocks all requests to chrome://os-settings |
example.com/stuff | Blocks all requests to example.com/stuff and its subdomains |
192.168.1.2 | Blocks requests to 192.168.1.2 |
youtube.com/watch?v=V1 | Blocks youtube video with id V1 |
Applies to Progressive Web Applications (PWA) in kiosk mode.
Specifies which virtual keyboard features are turned on. Check the boxes to select the features you want users to have:
- Auto suggest—Corrects words automatically using autocorrect or spell check, and shows suggested words as you type.
- Handwriting recognition—Reads users’ handwriting. Users can write directly on their screen instead of using their virtual keyboard.
- Voice input—Converts voice to text. Users can speak to enter text in most places where they usually type.
For details about how users can use their on-screen keyboard, see Use the on-screen keyboard.
Note: Before you configure the Kiosk virtual keyboard features setting, make sure that the on-screen keyboard is not turned off. For details, read about the Kiosk on-screen keyboard setting.
We do not recommend turning on troubleshooting tools in production devices. If you want to turn on the tools, create a child organizational unit for the required devices and apply the setting there. Make sure you disable this setting before deploying devices in production.
You can control whether users can access kiosk troubleshooting tools in a kiosk session.
For more details, see Troubleshoot ChromeOS kiosk devices.
You can specify a list of sites that can connect to USB devices, in a kiosk session, with specific vendor and product IDs. Access to these devices is automatically allowed for the corresponding web applications on the client side.
In the WebUSB API allowed devices section, do the following:
- Next to No USB devices were configured yet, click .
- Enter the URL patterns that specify the sites that are automatically granted permission to access a USB device.
- For each URL under VID-PID, enter the corresponding vendor and product IDs.
- Click Save.
URLs that you specify in the lists are matched against the origin of the requesting URL. Paths in the URL pattern are ignored. For details on valid URL patterns, see Enterprise policy URL pattern format.
Considerations
- All devices and URLs must be valid or the policy is ignored.
- Each item in the VID-PID field can have a vendor ID and product ID. If you do not add a vendor ID, the policy matches any device. If you do not add a product ID, the policy matches any device with the given vendor ID.
- Any policy with a product ID but no vendor ID is invalid.
- This policy overrides the WebUSB API setting and the user's preferences.
- This policy only affects access to USB devices through the WebUSB API. To grant access to USB devices through the Web Serial API see the SerialAllowUsbDevicesForUrls policy.
You can specify whether URL-keyed anonymized data collection is performed for kiosk sessions.
If you turn the setting on for ChromeOS kiosk, URL-keyed metrics are collected for kiosk apps. If it is not set, it is active by default and the user cannot change it.
You can specify whether admins can upload and download files from Kiosk devices in Chrome Remote Desktop sessions. This allows admins to download logs from devices and upload any data needed to devices during troubleshooting.
File transfer is not allowed by default.
Allows extensions installed by enterprise policy to use the Enterprise Hardware Platform API. This API handles requests from extensions for the manufacturer and model of the hardware platform where the browser is running. This policy also impacts component extensions built into Chrome.
Kiosk power settings
Before you can configure any kiosk power settings, you need to enroll the device as a kiosk.
To always keep a kiosk device on, do each of the following:
- Under Action on idle, select Do nothing
- In Screen dim timeout in minutes, enter 0
- In Screen off timeout in minutes, enter 0
- From the app that needs the kiosk device to be always on, in Apps & extensions > Kiosks, enable Allow App to Manage Power
Specifies whether devices go to sleep, shut down, or do nothing when users close the device lid.
Applies to kiosk devices using AC power
Idle timeout in minutes
Specifies the amount of idle time before kiosk devices go to sleep, sign users out, or shut down. Enter a value in minutes.
To use the system default, which varies by device, leave the box empty. To prevent any action while idle, under Action on idle, select Do nothing.
Idle warning timeout in minutes
Specifies the amount of idle time before a warning is displayed notifying the current user that their device is going to sign them out or shut down. Enter a value in minutes.
To never show an idle warning, do one of the following:
- In the Idle warning timeout in minutes field, enter 0
- Under Action on idle, select Sleep
- Under Action on idle, select Do nothing
To use the system default, which varies by device, leave the Idle warning timeout in minutes box empty.
Action on idle
Select what you want devices to do after the idle time expires:
- Sleep—Go into Sleep mode
- Logout—End the current kiosk session
- Shutdown—Shut down the kiosk device
- Do nothing—Take no action
Screen dim timeout in minutes
Specifies the amount of idle time before device screens dim. Enter a value in minutes. To never dim the screen, enter 0. To use the system default, which varies by device, leave the box empty.
Screen off timeout in minutes
Specifies the amount of idle time before device screens turn off. Enter a value in minutes. To never turn off the screen, enter 0. To use the system default, which varies by device, leave the box empty.
Applies to kiosk devices using a battery
Idle timeout in minutes
Specifies the amount of idle time before kiosk devices go to sleep, sign users out, or shut down. Enter a value in minutes.
To use the system default, which varies by device, leave the box empty. To prevent any action while idle, under Action on idle, select Do nothing.
Idle warning timeout in minutes
Specifies the amount of idle time before a warning is displayed notifying the current user that their device is going to sign them out or shut down. Enter a value in minutes.
To never show an idle warning, do one of the following:
- In the Idle warning timeout in minutes field, enter 0
- Under Action on idle, select Sleep
- Under Action on idle, select Do nothing
To use the system default, which varies by device, leave the Idle warning timeout in minutes box empty.
Action on idle
Select what you want the device to do after the idle time expires:
- Sleep—Go into Sleep mode
- Logout—End the current kiosk session
- Shutdown—Shut down the kiosk device
- Do nothing—Take no action
Screen dim timeout in minutes
Specifies the amount of idle time before device screens dim. Enter a value in minutes. To never dim the screen, enter 0. To use the system default, which varies by device, leave the box empty.
Screen off timeout in minutes
Specifies the amount of idle time before device screens turn off. Enter a value in minutes. To never turn off the screen, enter 0. To use the system default, which varies by device, leave the box empty.
For devices with ChromeOS version 125 or later
Specifies a weekly schedule for managed ChromeOS devices to go to sleep and wake up. When the interval starts, the device goes to sleep; when the interval ends, the device wakes up.
Considerations
- Before you set this policy, the Action on idle setting for Battery Kiosk power settings and AC Kiosk power settings must be set to Do nothing. For details, see Kiosk power settings.
- Schedules with overlapping intervals are not supported. This policy will not have any effect if it contains any two overlapping intervals.
- The sleep mode time zone is the same as the device time zone.
- When a device is in sleep mode, other scheduled actions, such as scheduled reboot, take effect after the device wakes up.
Kiosk accessibility
By default, Allow the user to decide is selected for each individual accessibility setting. So, on devices running Chrome kiosk apps, accessibility settings are turned off and users can turn them on or off, as needed. If you use the Admin console to turn on or off individual accessibility features, users can’t change or override them.
Note: Turning off accessibility features can make devices less inclusive.
Kiosk floating accessibility menu
By default, the accessibility menu is hidden on devices running Chrome kiosk apps. If you choose Show the floating accessibility menu in kiosk mode, the accessibility menu is always visible on devices. The menu appears at the bottom right corner of the screen. To prevent the menu from blocking app components, such as buttons, users can move it to any screen corner.
Even if Do not show the floating accessibility menu in kiosk mode is selected, users can still enable accessibility features using shortcuts—as long as you have not used the Admin console to turn off the individual accessibility setting and a shortcut exists for it. For details, see Chromebook keyboard shortcuts.
Note: Ordinarily, the Shift + Alt + L shortcut focuses the launcher button and items on the shelf. However, on devices running Chrome kiosk apps, it focuses the accessibility menu instead.
Lets kiosk devices read aloud text that’s on the screen. If needed, users can also connect and set up braille devices. For details, see Use the built-in screen reader and Use a braille device with your Chromebook.
Lets users select items on the screen to hear specific text read aloud. While ChromeOS reads the selected words aloud, each word is highlighted visually. For details, see Hear text read aloud.
Changes the font and background color scheme to make the screen easier to read.
Lets users type shortcut key combinations one key at a time in sequence, instead of having to hold down multiple keys at once. For example, to paste an item, instead of pressing the Ctrl and V keys at the same time, sticky keys lets users first press Ctrl and then press V. For details, see Use keyboard shortcuts one key at a time.
Lets users input characters without using physical keys. On-screen keyboards are typically used on devices with a touchscreen interface, but users can also use a touchpad, mouse, or connected joystick. For details, see Use the on-screen keyboard.
Lets users enter text using their voice instead of a keyboard. For details, see Type text with your voice.
Highlights objects on the screen as users navigate through them using the keyboard. It helps users identify where they are on the screen.
While editing text, the area around the text caret, or cursor, on the screen is highlighted.
The mouse cursor automatically clicks where it stops on the screen, without users physically pressing mouse or touchpad buttons. For details, see Automatically click objects on your Chromebook.
Increases the size of the mouse cursor so that it's more visible on the screen.
Creates a colored focus ring around the mouse cursor so that it's more visible on the screen.
Allows you to reverse the function of the right and left mouse buttons on kiosks. By default, the left mouse button is the primary button.
Plays the same sound through all speakers so that users don’t miss content in stereo sound.
Lets users use accessibility keyboard shortcuts. For details, see Chromebook keyboard shortcuts.
User and device reporting
We recommend that you enable all ChromeOS device information reporting. You can then view all available reported data for features that require reporting, such as the device details, insight reports, or Telemetry API.
For more information, see:
- View ChromeOS device details
- View Chrome insights report
- Use Chrome Management Telemetry API to monitor devices
Specifies whether the enrolled ChromeOS devices report their current OS state information such as OS version, boot mode, and update status.
You can enable or disable all OS information reporting, or select Customize to choose what information is reported.
If you have enabled Android apps on supported devices in your organization, this setting has no effect on Android logging or reporting.
Specifies whether enrolled ChromeOS devices report their current hardware information such as vital product data, system information, and timezone status.
You can enable or disable all hardware information reporting, or select Customize to choose what information is reported.
If you have enabled Android apps on supported devices in your organization, this setting has no effect on Android logging or reporting.
The Hardware status and Network interface options only apply to devices with ChromeOS version 95 or earlier.
Specifies whether enrolled ChromeOS devices report device telemetry about the status of key components such as CPU, memory, storage, and graphics.
You can enable or disable all telemetry information reporting, or select Customize to choose what information is reported.
If you have enabled Android apps on supported devices in your organization, this setting has no effect on Android logging or reporting.
Specifies whether recent users of a device are tracked.
By default, Enable tracking recent users is selected. However, if the User data setting is set to Erase all local user data—erasing all user data on a device when a user signs out—this setting is ignored. See User data.
Specifies whether enrolled ChromeOS devices in kiosk mode report their session status.
Specifies whether enrolled ChromeOS devices in kiosk mode report information about the kiosk application.
Specifies whether enrolled ChromeOS devices track print jobs and print usage.
For details, see View print reports.
Specifies, in minutes, how often ChromeOS sends device status uploads. The minimum allowed frequency is 60 minutes.
Inactive device notification reports
Get email reports about inactive devices in your domain. The reports contain:
- Information on all inactive devices in your domain (devices that haven’t synced since the time specified in Inactive Range)
- The total number of inactive devices, including how many are recently inactive, for each organizational unit.
- A link to detailed information on each device, such as the organizational unit, serial number, asset ID, and last sync date, if fewer than 30 devices are newly inactive.
Note: Some information in the reports might be delayed up to one day. For example, if a device synced in the last 24 hours but was previously inactive, it might still appear on the inactive list, even though it is now active.
Inactive Range (days)
If a device doesn't check in to the management server for longer than the number of days you specify, then that device is considered inactive. You can set the number of days to any integer greater than one.
For example, if you want to mark all devices that haven’t synced in the last week as inactive, next to Inactive Range (days), enter 7.
Notification Cadence (days)
To specify how often inactive notification reports are sent, enter the number of days in the Notification Cadence field.
Email addresses to receive notification reports
To specify email addresses that get notification reports, enter the addresses (one per line).
Specifies whether the ChromeOS device sends Google usage statistics and crash reports whenever a system or browser process fails.
Usage statistics contain aggregated information, such as preferences, button clicks, and memory usage. They don't include web page URLs or any personal information. Crash reports contain system information at the time of the crash and might contain webpage URLs or personal information, depending on what was happening at the time of the crash.
If you have enabled Android apps on supported devices in your organization, this policy also controls Android usage and diagnostic data collection.
If you select Enable device system log upload, devices send system logs to the management server and you can monitor those logs.
The default is Disable device system log upload.
Specifies whether users can collect a system-wide performance trace using the system tracing service.
The default is to prevent users from collecting a system-wide trace. This setting only disables system-wide trace collection; browser trace collection is not affected.
XDR events are not displayed in the Admin console. To make sure XDR events are reported to your provider, set up the XDR provider configuration before you turn on this setting. For more details, see Set up XDR for ChromeOS devices.
Specifies whether ChromeOS devices send XDR events.
Extended detection and response (XDR) systems can help to identify suspicious series of activities in your fleet of managed devices by monitoring processes, network and other security related events.
If you select Report information about extended detection and response (XDR) events, enrolled devices report information related to XDR events to your provider.
You can choose whether to allow enterprise extensions to add logs to a system log file using the chrome.systemLog API. These logs facilitate faster and easier debugging and are kept for a limited amount of time.
By default, Disable enterprise extensions system logging is selected. Logs are not stored from session to session.
Select Enable enterprise extensions system logging to temporarily store logs in the system log file using the chrome.systemLog API.
We recommend turning on this setting for debugging purposes only and turning it off once debugging is complete.
Display settings
Screen settings
Sets the display resolution and scale factor for the device display.
External display settings apply to connected displays and don’t apply to displays that don’t support the specified resolution or scale.
Allow user changes
By default, Allow users to overwrite predefined display settings (recommended) is selected—Users can change the resolution and scale factor of their display, but the settings revert back to the default at the next reboot. To prevent users from changing the display settings, select Do not allow user changes for predefined display settings.
External resolution
By default, Always use native resolution is selected—Values entered for External display width and External display height are ignored and external displays are set to their native resolution.
If you select Use custom resolution, the custom resolution is applied to all external monitors. If the resolution is not supported, it reverts to native resolution.
External display scale (percentage)
Specifies the display scale for external monitors that are connected to ChromeOS devices.
Internal display scale (percentage)
Specifies the internal display scale for ChromeOS devices.
Power and shutdown
Power management
Controls whether a ChromeOS device that is showing a sign-in screen (no user is signed in) should go to sleep or shut down after some time or if it should continuously stay awake. This setting is useful for devices that are used as kiosks to make sure they never shut down.
Currently only works with kiosk devices with a sign-in screen showing.
Specifies the number of days after which a device restarts. Sometimes, devices might not restart at the same time of day or the restart might be postponed until the next time a user signs out. If a session is running, a grace period of up to 24 hours applies.
Google recommends that you configure kiosk apps to shut down at regular intervals to allow the app or device to restart.
You can select:
- Allow users to turn off the device using either the shut down icon or the physical power button (Default)—Users can turn off the device using the button on the device, keyboard, mouse, or screen.
- Only allow users to turn off the device using the physical power button—Users turn off the device using the button on the device and cannot turn off the device using the keyboard, mouse, or screen.
This setting might be useful in specific deployment scenarios, such as if the ChromeOS device is being run as a kiosk or digital sign.
Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.
Allows you to reduce the power consumption by automatically switching the Chromebook to battery power.
If you enable Peak shift power management:
- Under Peak Shift Battery Threshold, enter a percentage value between 15 and 100. If the battery percentage is above the value that you specify, the device runs from the battery.
- To set a daily start and end time to run Peak shift power management:
  - Under Peak shift day configuration, select a start and end time. During these times, AC power is not used unless the battery drops to the threshold set above.
  - Under Charge start time, select a time to start charging the battery.
Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.
Allows you to configure the primary battery charge mode. Choose from:
- Standard—Fully charges the battery at a standard rate
- Adaptive—Battery charging is adaptively optimized based on the typical usage pattern
- Express Charge—Battery charges over a shorter period
- Primarily AC—Extends battery life by charging mainly from AC
- Custom—Lets you enter a time to start and stop charging based on battery percentage
Note: You cannot use this setting at the same time as the Advanced Charge battery mode setting.
Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.
Allows you to prolong the usable life of a battery by charging to full capacity only once per day. For the remainder of the day, batteries are in a lower charge state that’s better for storage, even when the system is plugged in to a direct power source.
If you enable Advanced Charge battery mode, enter a daily start and end time.
Note: Within the last 1.5 hours of the end time, the device might prevent the battery from charging to reach a lower charge state.
If you enable Boot on AC and a device shuts down, it will turn on when plugged in to an AC adapter.
Note: If the device is connected to a Dell WD19 docking station that’s connected to power, the Chromebook will turn on even if the setting is disabled.
Allows users to charge other devices, such as a mobile phone, through a special USB port if the Chromebook is turned off and connected to power. All USB ports charge devices when the Chromebook is in Sleep mode.
Applies to unaffiliated users only.
Specifies whether devices are forced to reboot when users sign out. By default, Do not reboot on user sign-out is selected.
Specifies the time of day, frequency (daily, weekly, or monthly), and day of the week or month that devices restart. The schedule is based on the timezone setting of the device.
For user sessions or managed guest sessions:
- Users are notified that the restart will occur 1 hour before the scheduled time. They have an option to restart then or wait for the scheduled reboot. The scheduled reboot cannot be deferred.
- There is a 1 hour grace period after the device is booted. Scheduled reboots are skipped during this period and rescheduled for the next day, week, or month, depending on the setting.
By default, Disable scheduled reboots is selected.
Google recommends that you configure apps to shut down at regular intervals to allow the app or device to restart. For example, you can schedule the device to shut down every Monday at 2 AM.
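The interaction between the schedule, the 1 hour notice and the 1 hour post-boot grace period described above is easiest to see in code. The following Python is an added model of the stated behaviour, not ChromeOS code; how a monthly schedule treats a month that lacks the chosen day is an assumption of this model.

```python
"""Model of the scheduled reboot rules described above: the reboot fires
at a wall-clock time in the device time zone, daily, weekly (day of week)
or monthly (day of month); occurrences in the 1-hour grace period after
boot are skipped to the next occurrence; users are notified 1 hour ahead.
Added illustration of the stated behaviour, not ChromeOS code."""
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Optional, Tuple
from zoneinfo import ZoneInfo

GRACE = timedelta(hours=1)    # reboots due within 1 h of boot are skipped
NOTICE = timedelta(hours=1)   # users are warned 1 h before the reboot


def _is_reboot_day(day: datetime, frequency: str, day_of: Optional[int]) -> bool:
    """Does this calendar day carry a scheduled reboot?"""
    if frequency == "daily":
        return True
    if frequency == "weekly":
        return day.weekday() == day_of   # 0 = Monday ... 6 = Sunday
    if frequency == "monthly":
        # Assumption of this model: a month without that day is skipped.
        return day.day == day_of
    raise ValueError(f"unknown frequency {frequency!r}")


def next_reboot(now: datetime, boot_time: datetime, at: time, frequency: str,
                day_of: Optional[int] = None,
                zone: tzinfo = timezone.utc) -> Tuple[datetime, datetime]:
    """Return (reboot_time, notification_time) for the next scheduled reboot.

    now/boot_time are aware datetimes; `at` is wall-clock time in `zone`.
    Occurrences before `now` or inside the post-boot grace period are
    skipped, so the reboot moves to the next day, week or month."""
    earliest = max(now, boot_time + GRACE)
    day = now.astimezone(zone).replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(400):                 # covers any monthly schedule
        if _is_reboot_day(day, frequency, day_of):
            candidate = datetime.combine(day.date(), at, tzinfo=zone)
            if candidate >= earliest:
                return candidate, candidate - NOTICE
        day += timedelta(days=1)
    raise ValueError("no occurrence found")


def plan(now_iso: str, boot_iso: str, at_hhmm: str, frequency: str,
         day_of: Optional[int] = None, zone: tzinfo = timezone.utc) -> Tuple[str, str]:
    """String front end: naive ISO timestamps are read as device-local
    wall-clock time in `zone`; returns ISO strings (reboot, notification)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=zone)
    boot = datetime.fromisoformat(boot_iso).replace(tzinfo=zone)
    reboot, notice = next_reboot(now, boot, time.fromisoformat(at_hhmm),
                                 frequency, day_of, zone)
    return reboot.isoformat(), notice.isoformat()


if __name__ == "__main__":
    la = ZoneInfo("America/Los_Angeles")   # DST starts 2024-03-10 in this zone
    # Weekly Monday 02:00 reboot; the device booted at 01:15 on Monday, so the
    # 02:00 slot falls inside the grace period and moves to the next Monday.
    print(plan("2024-03-04T01:30", "2024-03-04T01:15", "02:00", "weekly", 0, la))
    # Booted the evening before: the 02:00 reboot happens today.
    print(plan("2024-03-04T01:30", "2024-03-03T20:00", "02:00", "weekly", 0, la))
```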
Currently not available for kiosk devices.
Specifies whether an idle ChromeOS device displays a screen saver on the sign-in screen. The default is to not display a screen saver when idle.
If you select Display screen saver when idle, do the following:
Screen saver image URLs
Add the image URLs that you want to display. The following applies:
- Add one URL per line. Each item must be a URL referencing an image file and begin with https://. Google does not verify whether an image is available under the specified URLs.
- Images must be .jpg or .jpeg files, and the file size must not exceed 8 MB.
- At least 2 valid images are required before the screen saver is activated.
- Invalid URLs and unsupported images are ignored.
- The number of images is limited to 25. Only the first 25 URL entries from the list are used.
- The ChromeOS device downloads the images and stores them in a local cache. If an image for the specified URL changes after the image is cached, it might not be updated.
Activation
Enter the time in seconds that the device remains idle before showing the screen saver on the sign-in screen.
Valid values range from 1 second to 9999 seconds. If you leave the field empty, the default value of 7 seconds is used.
Refresh
Enter the interval in seconds to change the displayed image.
Valid values range from 1 second to 9999 seconds. If you leave the field empty, the default value of 60 seconds is used.
Virtual machines
Linux virtual machines for unaffiliated users (BETA)
Allows you to control whether unaffiliated users can use virtual machines to support Linux apps. The setting applies when new Linux containers are started, not to containers that are already running.
The default is Block usage for virtual machines needed to support Linux apps for unaffiliated users and unaffiliated users can't use virtual machines to support Linux apps.
If you select Allow usage for virtual machines needed to support Linux apps for unaffiliated users, all unaffiliated users can use Linux virtual machines.
To enable it for affiliated users, select Allow usage for virtual machines needed to support Linux apps for users in the Users & browsers page. For details, see Linux virtual machines for unaffiliated users (BETA).
Note: This feature is no longer in Beta for consumer ChromeOS devices. It remains in Beta for managed devices and users.
Allows you to control the use of Android apps from untrusted sources for individual ChromeOS devices. It does not apply to Google Play.
- Prevent users of this device from using ADB sideloading—The default is to prevent the device from using Android apps from untrusted sources. This does not force users to restore their Chromebook to its factory state.
- Prevent users of this device from using ADB sideloading and force a device powerwash if sideloading was enabled before—Prevents the device from using Android apps from untrusted sources and forces users to restore their Chromebook to its factory state if sideloading was enabled before.
- Allow affiliated users of this device to use ADB sideloading—Allow affiliated users of this device to use Android apps from untrusted sources. You must also enable the Android apps from untrusted sources user setting. For details, see Android apps from untrusted sources.
Other settings
Device network hostname template
Specifies the host name that is passed to the DHCP server with DHCP requests.
If this policy is set to a nonempty string, that string is used as the device host name during the DHCP request.
The string can contain the ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}, and ${LOCATION} variables. These variables are replaced with values found on the device. The resulting substitution should be a valid host name per RFC 1035, section 3.1.
If the policy is left blank, or if the value after substitution is not a valid host name, no host name is used in the DHCP request.
Only takes effect when the connection to the printer is secure (ipps:// URI scheme) and the user submitting the print job is affiliated. Only applies to printers that support client-info.
You can set the client-name value to pass to the Internet Printing Protocol (IPP) print destinations in print jobs.
When you add a template for the client-name attribute, an additional client-info value is sent with print jobs submitted to IPP printers. The client-type member of the client-info value that you added is set to other. The client-name member of the added client-info value is set to the value of the policy after the substitution of placeholder variables.
Supported placeholder variables are:
${DEVICE_DIRECTORY_API_ID}
${DEVICE_SERIAL_NUMBER}
${DEVICE_ASSET_ID}
${DEVICE_ANNOTATED_LOCATION}
Unsupported placeholder variables are not substituted. The client-name value must be no longer than 127 characters.
Valid values are:
- lowercase and uppercase letters of the English alphabet
- digits
- dashes (-)
- dots (.)
- underscores (_)
If the policy is left empty or an invalid value is added, an additional client-info value is not added to print job requests.
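Both template policies above, the Device network hostname template and the IPP client-name template, follow the same pattern: substitute the supported ${...} variables, then use the result only if it is valid, otherwise send nothing. The following Python is an added model of those rules and is not ChromeOS code; the DEVICE values are constructed samples, and the format of each substituted value (for example a MAC address with colons) is an assumption.

```python
"""Template substitution and validation for two ChromeOS device policies
described on this page: the DHCP hostname template (result must be an
RFC 1035 host name) and the IPP client-name template (letters, digits,
dashes, dots, underscores, at most 127 characters). Added model of the
stated rules, not ChromeOS code; device values below are constructed."""
import re
from typing import Dict, Optional, Set

# Constructed sample values a device might substitute (formats assumed).
DEVICE: Dict[str, str] = {
    "ASSET_ID": "lab-0042",
    "SERIAL_NUM": "5CD1234XYZ",
    "MAC_ADDR": "a4:34:d9:11:22:33",            # colons are not host name chars
    "MACHINE_NAME": "kiosk-front-desk",
    "LOCATION": "Building 7, Floor 2",          # spaces/comma are not either
    "DEVICE_DIRECTORY_API_ID": "PLACEHOLDER-DIRECTORY-API-ID",
    "DEVICE_SERIAL_NUMBER": "5CD1234XYZ",
    "DEVICE_ASSET_ID": "lab-0042",
    "DEVICE_ANNOTATED_LOCATION": "Building 7, Floor 2",
}

HOSTNAME_VARS: Set[str] = {"ASSET_ID", "SERIAL_NUM", "MAC_ADDR",
                           "MACHINE_NAME", "LOCATION"}
CLIENT_NAME_VARS: Set[str] = {"DEVICE_DIRECTORY_API_ID", "DEVICE_SERIAL_NUMBER",
                              "DEVICE_ASSET_ID", "DEVICE_ANNOTATED_LOCATION"}

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# One host name label: 1-63 chars of letters, digits and hyphens, with no
# hyphen at either end. RFC 1035 s2.3.1 preferred syntax also required a
# leading letter; RFC 1123 relaxed that, and this model follows RFC 1123.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# client-name: letters, digits, dashes, dots, underscores; 1-127 chars.
_CLIENT_NAME = re.compile(r"^[A-Za-z0-9._-]{1,127}$")


def substitute(template: str, values: Dict[str, str], supported: Set[str]) -> str:
    """Replace supported ${VAR} placeholders; unsupported ones stay literal."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name in supported and name in values:
            return values[name]
        return m.group(0)
    return _PLACEHOLDER.sub(repl, template)


def is_rfc1035_hostname(name: str) -> bool:
    """Dot-separated labels, whole name at most 253 characters of text."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def dhcp_hostname(template: str, values: Dict[str, str] = DEVICE) -> Optional[str]:
    """Host name placed in the DHCP request, or None when the policy is
    blank or the substituted value is not a valid host name (none is sent)."""
    if not template:
        return None
    name = substitute(template, values, HOSTNAME_VARS)
    return name if is_rfc1035_hostname(name) else None


def ipp_client_name(template: str, values: Dict[str, str] = DEVICE) -> Optional[str]:
    """client-name member of the added client-info value, or None when the
    policy is empty or the result is invalid (no client-info is added)."""
    if not template:
        return None
    name = substitute(template, values, CLIENT_NAME_VARS)
    return name if _CLIENT_NAME.match(name) else None


if __name__ == "__main__":
    for t in ("cros-${ASSET_ID}", "${MAC_ADDR}", "${SERIAL}", "${LOCATION}"):
        print(f"hostname    {t!r:32} -> {dhcp_hostname(t)!r}")
    for t in ("kiosk-${DEVICE_SERIAL_NUMBER}", "${DEVICE_ANNOTATED_LOCATION}"):
        print(f"client-name {t!r:32} -> {ipp_client_name(t)!r}")
```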
For more details, see View ChromeOS device details.
System timezone
Specifies the time zone to set for your users' devices.
System timezone automatic detection
Choose one of the options to specify how a device detects and sets the current time zone:
- Let users decide—Users control the time zone using the standard Chrome date and time settings.
- Never auto-detect timezone—Users must manually pick a time zone.
- Always use coarse timezone detection—Uses device IP address to set the time zone.
- Always send WiFi access-points to server while resolving timezone—Uses the location of the WiFi access point that the device connects to in order to set the time zone (most accurate).
- Send all location information—Uses location information, such as WiFi access-points and GPS, to set the time zone.
Specifies whether users on the ChromeOS device can go online using a mobile network maintained by a different carrier (charges may apply). With this setting, users need to allow mobile data roaming on the device.
Related topic: Connect to a mobile data network
Specifies a list of USB devices that can be accessed directly by applications, such as Citrix Receiver. You can list devices, such as keyboards, signature pads, printers and scanners, as well as other USB devices.
To add devices to the list, enter the USB vendor identifier (VID) and product identifier (PID) as a colon-separated hexadecimal pair (VID:PID). Put each device on a separate line. For example, to list a mouse with a VID of 046E and a PID of D626 and a signature pad with a VID of 0404 and a PID of 6002, you enter:
046E:D626
0404:6002
Some peripherals, including certain Thunderbolt or USB4 docks, displays, and connector cables, require users to disable data access protection for them to work properly or at full performance.
By default, data access protection for peripherals is turned on for enrolled ChromeOS devices, limiting peripheral performance. Selecting Disable data access protection can help peripherals to perform better, but might expose personal data through unauthorized usage.
Specifies whether Bluetooth is disabled on devices.
If you change the policy from Disable bluetooth to Do not disable bluetooth, you'll need to restart the device for the change to take effect.
If you change the policy from Do not disable bluetooth to Disable bluetooth, the change is immediate and you do not need to restart the device.
Lists the Bluetooth services that ChromeOS devices are allowed to connect to. Left empty, users can connect to any Bluetooth service.
Devices in kiosk, managed guest session, or user mode with Chrome version 56 and later
Controls device-level bandwidth consumption.
- Select Enable network throttling.
- Specify the download and upload speed in kbps. The minimum speed that you can specify is 513 kbps.
All network interfaces on a device are throttled, including WiFi, Ethernet, USB Ethernet adapter, USB cellular dongle, and USB wireless card. All network traffic is throttled, including OS updates.
Installing TPM firmware updates might erase a device and reset it to factory settings and repeated failed update attempts might make a device unusable.
To let users install a Trusted Platform Module (TPM) firmware update on devices, select Allow users to perform TPM firmware updates. For information about how users can install a firmware update, see Update your Chromebook’s security.
Specifies whether system traffic can go through an Internet proxy server with authentication.
The default is to block system traffic from going through a proxy server with authentication.
If you select Allow system traffic to go through a proxy with authentication, proxy servers will require authentication with service account credentials (a username and password) to access the Internet. These credentials are only used for system traffic; browser traffic still requires the user to authenticate to the proxy with their own credentials.
Note: Only HTTPS system traffic can be sent through the authenticated proxy. This can impact users who rely on HTTP for ChromeOS updates. If your network cannot support ChromeOS updates over HTTPS, make sure to set Update downloads to allow updates over HTTP. These updates will not go through the proxy. For details, see Update downloads.
Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.
Allows you to choose the MAC address that the docking station uses when it’s connected to the Chromebook.
Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.
Allows you to turn on and configure the Dell SupportAssist program. For information on Dell SupportAssist, go to Dell support.
Specifies the clock format displayed on the sign-in screen and for managed guest sessions on ChromeOS devices.
The default is Automatic, based on current language. You can also set the clock to a 12 hour or 24 hour clock format. Users can always change the clock format for their account.
Specifies the cache size, in bytes, used for caching apps and extensions for installation by multiple users of a single device. This means that each app and extension does not need to redownload for every user.
If you set it to lower than 1 MB or leave it unset, ChromeOS uses the default size of 256 MiB.
Specifies whether hardware profiles, including ICC display profiles used to improve the display quality of attached monitors, can be downloaded from Google servers.
The default is to allow hardware profiles to be downloaded.
You can enable or disable notifications when disk space is low. This applies to all users on the device.
The default is Do not show notification when disk space is low.
- If the device is unmanaged or there is only one user, the policy is ignored and the notification is always displayed.
- If there are multiple user accounts on a managed device, the notification is only shown if you select Show notification when disk space is low.
Specifies whether or not users can capture Internet Protocol (IP) packets on their device for review or analysis.
Specifies whether users are prompted to select a client certificate on the sign-in screen when more than one certificate matches.
If you choose to prompt users and have entered a list of URL patterns in the Single sign-on client certificates setting, whenever the auto-selection policy matches multiple certificates the user is asked to select the client certificate. For details, see Single sign-on client certificates.
If PIV cards are used, you can set the DriveLock Smart Card Middleware (CSSI) app parameter filter_auth_cert to automatically filter authentication certificates. For details, see Auto-select certificates during sign-in.
Note: Users might have limited knowledge of certificate selection. We only recommend using the Prompt when multiple certificates match on the sign-in screen setting for testing purposes or if you cannot properly configure the filter in the Single sign-on client certificates setting.
Controls whether the AES Key Locker implementation is turned on for user storage encryption for dm-crypt user homes on ChromeOS, if supported.
Applies to user homes that use dm-crypt for encryption. Legacy user homes that do not use dm-crypt do not support AES Key Locker, so they default to AESNI.
By default, Do not use Key Locker with the encryption algorithm for user storage encryption is selected. User storage encryption for dm-crypt user homes defaults to using AESNI.
Turns on or off international keyboard shortcut mapping. The default is International keyboard shortcuts are mapped to the location of the keys in the keyboard instead of the glyph of the key. Keyboard shortcuts work consistently with international keyboard layouts and deprecated legacy shortcuts.
Note: This policy will be deprecated after customized keyboard shortcuts are available.
By default, unaffiliated users can use Android apps on managed ChromeOS devices.
Changes to this setting are only applied on managed ChromeOS devices while Android apps are not running, for example, while ChromeOS is starting.
For information about how to install Android apps on ChromeOS devices, see Deploy Android apps to managed users on ChromeOS devices.
Specifies the default keyboard backlight color set for users’ devices.
Specifies whether a device plays an audible notification when the battery level or the remaining time drops below a threshold.
If not plugged in, the device plays warning sounds when:
- Remaining usage time drops to 15 minutes.
- Remaining usage time drops to 5 minutes.
Note: If connected to a low-power charger, the device plays a warning sound when the battery drops to 10%, then again at 5%.
Choose one of these options:
- Enable low battery sound—The device plays an audible notification when the battery is low. If you turn this policy on, users can’t turn it off.
- Disable low battery sound—The device doesn’t play an audible notification for the low battery warning. If you turn this policy off, users can’t turn it on.
- Allow the user to decide—Initially, the low battery sound is turned off for existing users and turned on for new users, but any user can turn the sound on or off at any time.
Specifies the types of peripherals whose drivers are preloaded on ChromeOS devices. Drivers that aren’t preloaded are downloaded as soon as the user connects the peripherals.
Note: Drivers for supported peripherals are already available on ChromeOS devices. For a list of supported peripherals, go to About ChromeOS peripherals.
Controls whether ChromeOS Flex devices send additional hardware data to Google.
This hardware data is used for overall improvements to ChromeOS and ChromeOS Flex. For example, we might analyze the impact of a crash based on the central processing unit (CPU), or prioritize a bug fix based on how many devices share a component.
When you turn on this setting, ChromeOS Flex devices share additional hardware details. If you turn this setting off, devices only share standard hardware data.
Not supported on Active Directory managed ChromeOS devices.
Controls whether videos are decoded by using hardware acceleration.
Hardware acceleration offloads video decoding from the central processing unit (CPU) to the graphics processing unit (GPU), delivering faster and more efficient video processing with reduced power consumption.
By default, the setting is turned on, meaning that video decoding is hardware-accelerated, where available. If you turn off this setting, video decoding can never be hardware-accelerated.
Note: We don’t recommend turning off this setting, because it results in a higher CPU load. This, in turn, negatively affects device performance and battery consumption.
You can control whether users can change the behavior of function keys by using the launcher or search keys.
Choose an option:
- Allow the user to decide—Lets users choose if they want to allow or prevent the launcher or search key to change the behavior of function keys.
- Allow the launcher/search key to change the behavior of function keys—The behavior of function keys can be changed by using the launcher or search key. Users can’t change this.
- Prevent the launcher/search key from changing the behavior of function keys—The behavior of function keys can't be changed by using the launcher or search key. Users can’t change this.
Chrome management—partner access
Allow EMM partners access to device management
Currently not available for the Education edition
Gives EMM partners programmatic access to manage device policies, get device information, and issue remote commands. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.
When partner access is turned on, your EMM partner can manage individual ChromeOS devices, which means they no longer have to manage devices by Admin console organizational-unit structure. Instead, they can use the structure configured in their EMM console.
You can’t simultaneously set the same policy for the same device using partner access and the Admin console. Device-level policies configured using partner access controls take precedence over policies set in the Admin console. To enforce policies on devices at organizational-unit level, you need to select Disable Chrome management—partner access.
Related topic: Manage ChromeOS devices with EMM console
Imprivata
Imprivata login screen integration
Specifies whether users can sign in to ChromeOS devices by tapping their badge, instead of having to enter their username and password. For details about how to set it up, see Use ChromeOS devices with Imprivata OneSign.
By default, Disable shared kiosk mode is selected.
Lists the apps and extensions that should not be cleared and re-launched between users.
Security
Post-quantum TLS
This policy is temporary and will be removed in future versions of Google ChromeOS. You can turn on the setting to test for issues, and turn it off while issues are being resolved.
Specifies whether ChromeOS offers a post-quantum key agreement algorithm in Transport Layer Security (TLS). Depending on the ChromeOS version, the algorithm is either ML-KEM, which is a NIST post-quantum standard, or Kyber, which is an earlier draft iteration of the standard. Post-quantum key agreement in TLS connections lets supporting servers protect user traffic from decryption by quantum computers.
Kyber is backwards-compatible, meaning that existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options.
Note: TLS must be implemented correctly. Otherwise, devices can malfunction when offered the new option. For example, they might disconnect in response to unrecognized options or the resulting larger messages. Such devices aren’t post-quantum-ready and might interfere with an enterprise's post-quantum transition. Admins dealing with this scenario should contact their vendor for a solution.
Choose one of the options:
- Use the default Chrome setting—This is the default. ChromeOS follows the default rollout process for offering a post-quantum key agreement in TLS connections.
- Allow post-quantum key agreement in TLS connections—ChromeOS offers a post-quantum key agreement in TLS connections. User traffic is protected from decryption by quantum computers.
- Do not allow post-quantum key agreement in TLS connections—ChromeOS doesn’t offer a post-quantum key agreement in TLS connections. User traffic isn’t protected from decryption by quantum computers.