Set app and extension policies

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome Enterprise admin, you can use your Admin console to apply app and extension policies across several apps at a time. For example, you might specify all the apps that you want to force install for users or pin on users' Chrome taskbars.

Before you begin

  • To make settings for a specific group of users or enrolled Chrome browsers, put the user accounts or browsers in a group or organizational unit. Only user accounts can be added to groups. For details, see Groups and Add an organizational unit.
  • To apply settings for Chrome browser users on Windows, Mac, or Linux computers, turn on Chrome management for the organizational unit that they belong to. See Turn on Chrome browser management.
  • There is a limit of 500 for the total number of apps times the number of groups.

Open all   |   Close all

Set app policies

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

Set an app or extension policy (main steps)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenApps & extensionsand thenUsers & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenApps & extensionsand thenUsers & browsers.

  3. (Users only) To apply the setting to a group, do the following:
    1. Select Groups.
    2. Select the group to which you want to apply the setting. 
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. On the right, click Additional settingsSettings.
  6. Set the app and extension policies that you want to change. See Learn about each setting below.
  7. Click Save.

Learn about each setting

Android apps on Chrome devices

By default, users in this organizational unit are not allowed to install Google Play and Android apps on devices. To give users access to the approved apps in the Google Play store on their ChromeOS devices, select Allow users to install Android apps.

Android apps on unaffiliated devices

 

Specifies whether users are allowed to use Android apps on ChromeOS devices that are not managed by your organization.

Note: Settings that control users’ access to apps in the Google Play store, including Android apps on Chrome devices and Android apps for unaffiliated users, take precedence over this setting.

Allowed types of apps and extensions

Allows you to block users from installing certain types of apps by unchecking the type of allowed app.

Types of app:

App and extension install sources

Allows you to specify which URLs are allowed to install extensions, apps, and themes. For example, if a URL where you have a .crx file matches the list, a Chrome installation prompt will appear if the user clicks the URL. Put one URL pattern on each line. For examples, see the Chrome developer site.

This policy has no effect on Android apps running on ChromeOS. To set policies for Android apps on ChromeOS devices that support them, see Use Android apps on ChromeOS devices

Allow insecure extension packaging

Not supported on Chrome version 78 or later

Allows you to choose whether you want to allow or not allow insecure extension packaging.

External extensions

Allows you to block external extensions from being installed. An external extension is any extension that is not installed from the Chrome Web Store.

Permissions and URLs

You can use this setting in 2 ways:

Block installing types of extensions

Prevent users from running extensions that request certain permissions that your organizational unit doesn’t allow.

For details, see Block apps and extensions based on permissions.

Prevent apps from altering webpages

Control whether apps or extensions in general can alter webpages that you specify.

For details, see Prevent Chrome extensions from altering webpages.

  • Runtime blocked hosts—URLs to pages that you want to prevent apps from altering.
  • Runtime allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
Chrome Web Store app icon

Specifies whether users can see the Chrome Web Store app in the launcher on ChromeOS devices and on new tab pages.

Chrome Web Store homepage

You can change the Chrome Web Store homepage to a custom homepage for your users when they're signed in. You can also recommend apps and extensions for your domain in a custom collection named after your domain in the Chrome Web Store.

Chrome Web Store permissions

To let users to publish private apps that are restricted to your domain on the Chrome Web Store, choose Allow users to publish private apps that are restricted to your domain on Chrome Web Store. Then, an option appears that lets you allow or prevent users from publishing private hosted apps if the domain name of the app’s launch_web_url or app_url is not owned by your organization.

Related topics: Create a Chrome app collection and Create and publish custom Chrome apps & extensions.

Chrome Web Store unpublished extensions

This policy only applies to extensions installed and updated from the Chrome Web Store. Off-store extensions that are self-hosted or locally installed using the command line switch or developer mode are not affected by this policy. Force-installed and version-pinned extensions are also excluded.

Specifies whether extensions unpublished from the Chrome Web Store are available on Chrome browser. By default, extensions that are unpublished on the Chrome Web Store are allowed. To disable unpublished extensions, select Disable unpublished extensions.

Extend support for Chrome Apps

Chrome Apps are deprecated on Microsoft Windows, macOS, and Linux.

The default, Chrome Apps will be allowed to run on Windows, Mac, and Linux, means that Chrome Apps are allowed to run on these platforms until the final date when support is removed on all platforms.

If you select the other option, Chrome Apps might not be allowed to run, depending on the status of the deprecation rollout.

Chrome Apps that are force installed by policy are allowed regardless of which option you choose.

Android reporting for users and devices

Allows you to monitor the success and failure of the installations to users and devices on your network by using the reporting tool found in the Admin console.

For setup information, see Monitor forced Android app installs.

Note: The report only shows information for managed users using managed ChromeOS devices that support managed Google Play.

Restore apps on startup

Choose whether all apps that were running when the user signed out the last time are launched at the start of a session.

When the Restore all apps and app windows option is selected, the Pages to load on startup setting only applies when a user launches a new session for the first time on a new device or if sessions are ephemeral. For details, see Pages to load on startup.

Select one of the following options:

  • Restore all apps and app windows—(Default) Apps and app windows are restored or not restored on startup depending on the option you select from Select desired behavior.
  • Only restore Chrome browser—Only browser windows are automatically restored.
Settings Result

Restore all apps and app windows
+
Always restore

Apps and app windows are always restored.
Restore all apps and app windows
+
Ask user every time

User is asked whether to restore apps and app windows.

Restore all apps and app windows
+
Do not restore
Apps and app windows are never restored.
Only restore Chrome browser When you select this option the browser is launched every time the user signs in depending on the option set in the Pages to load on startup setting.
Android ghost windows

Allows you to choose whether to enable the creation of ghost windows while restoring Android apps after a crash or reboot.

Ghost windows are a preview of Android apps that are still loading. The user can see that an app will be available soon and they do not have to manually search for and start the app.

Pin Create apps

On your users’ ChromeOS devices, the launcher contains pre-installed creativity apps. These apps include Camera, Canvas, Gallery, and Screencast. Use this setting to specify which of those apps you want to pin to the shelf on devices. Users can’t unpin them.

By default, for Education customers, Canvas and Screencast are pinned to the shelf. Otherwise, none of the creative apps that are pre-installed in the launcher are pinned to the shelf.

For details about pinning apps to the launcher, see the PinnedLauncherApps policy.

Blocklist for install types of extensions

Specifies extension install types that are not allowed. Selecting Command line prevents Chrome browser from loading extensions from command line.

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
9603017440414462069
true
Search Help Center
true
true
true
true
true
410864
false
false