// chrome version: 126.0.6478.114
// Policy template for Linux.
// Uncomment the policies you wish to activate and change their values to
// something useful for your case. The provided values are for reference only
// and do not provide meaningful defaults!
{
  // Abusive Experience Intervention Enforce
  //-------------------------------------------------------------------------
  // If SafeBrowsingEnabled is not Disabled, then setting
  // AbusiveExperienceInterventionEnforce to Enabled or leaving it unset
  // prevents sites with abusive experiences from opening new windows or tabs.
  // Setting SafeBrowsingEnabled to Disabled or
  // AbusiveExperienceInterventionEnforce to Disabled lets sites with abusive
  // experiences open new windows or tabs.
  //"AbusiveExperienceInterventionEnforce": true,

  // Specifies how long (in seconds) a cast device selected with an access code or QR code stays in the Google Cast menu's list of cast devices.
  //-------------------------------------------------------------------------
  // This policy specifies how long (in seconds) a cast device that was
  // previously selected via an access code or QR code can be seen within the
  // Google Cast menu of cast devices. The lifetime of an entry starts at the
  // time the access code was first entered or the QR code was first scanned.
  // During this period the cast device will appear in the Google Cast menu's
  // list of cast devices. After this period, in order to use the cast device
  // again the access code must be reentered or the QR code must be rescanned.
  // By default, the period is zero seconds, so cast devices will not stay in
  // the Google Cast menu, and so the access code must be reentered, or the QR
  // code rescanned, in order to initiate a new casting session. Note that this
  // policy only affects how long a cast device appears in the Google Cast
  // menu, and has no effect on any ongoing cast session which will continue
  // even if the period expires.
  // This policy has no effect unless the
  // AccessCodeCastEnabled policy is Enabled.
  //"AccessCodeCastDeviceDuration": 60,

  // Allow users to select cast devices with an access code or QR code from within the Google Cast menu.
  //-------------------------------------------------------------------------
  // This policy controls whether a user will be presented with an option,
  // within the Google Cast menu which allows them to cast to cast devices that
  // do not appear in the Google Cast menu, using either the access code or QR
  // code displayed on the cast device's screen. By default, a user must
  // reenter the access code or rescan the QR code in order to initiate a
  // subsequent casting session, but if the AccessCodeCastDeviceDuration policy
  // has been set to a non-zero value (the default is zero), then the cast
  // device will remain in the list of available cast devices until the
  // specified period of time has expired. When this policy is set to Enabled,
  // users will be presented with the option to select cast devices by using an
  // access code or by scanning a QR code. When this policy is set to Disabled
  // or not set, users will not be given the option to select cast devices by
  // using an access code or by scanning a QR code.
  //"AccessCodeCastEnabled": true,

  // Make Access-Control-Allow-Methods matching in CORS preflight spec conformant
  //-------------------------------------------------------------------------
  // This policy controls whether request methods are uppercased when matching
  // with Access-Control-Allow-Methods response headers in CORS preflight. If
  // the policy is Disabled, request methods are uppercased. This is the
  // behavior on or before Google Chrome 108. If the policy is Enabled or not
  // set, request methods are not uppercased, unless matching case-insensitively
  // with DELETE, GET, HEAD, OPTIONS, POST, or PUT.
  // This would reject fetch(url,
  // {method: 'Foo'}) + "Access-Control-Allow-Methods: FOO" response header, and
  // would accept fetch(url, {method: 'Foo'}) +
  // "Access-Control-Allow-Methods: Foo" response header. Note: request methods
  // "post" and "put" are not affected, while "patch" is affected. This policy
  // is intended to be temporary and will be removed in the future.
  //"AccessControlAllowMethodsInCORSPreflightSpecConformant": true,

  // Enable Get Image Descriptions from Google.
  //-------------------------------------------------------------------------
  // The Get Image Descriptions from Google accessibility feature enables
  // visually-impaired screen reader users to get descriptions of unlabeled
  // images on the web. Users who choose to enable it will have the option of
  // using an anonymous Google service to provide automatic descriptions for
  // unlabeled images they encounter on the web. If this feature is enabled,
  // the content of images will be sent to Google servers in order to generate a
  // description. No cookies or other user data is sent, and Google does not
  // save or log any image content. If this policy is set to Enabled, the Get
  // Image Descriptions from Google feature will be enabled, though it will only
  // affect users who are using a screen reader or other similar assistive
  // technology. If this policy is set to Disabled, users will not have the
  // option of enabling the feature. If this policy is not set, users can choose
  // to use this feature or not.
  //"AccessibilityImageLabelsEnabled": false,

  // Allow DNS queries for additional DNS record types
  //-------------------------------------------------------------------------
  // This policy controls whether Google Chrome may query additional DNS record
  // types when making insecure DNS requests. This policy has no effect on DNS
  // queries made via Secure DNS, which may always query additional DNS types.
  // If this policy is unset or set to Enabled, additional types such as HTTPS
  // (DNS type 65) may be queried in addition to A (DNS type 1) and AAAA (DNS
  // type 28). If this policy is set to Disabled, DNS will only be queried for
  // A (DNS type 1) and/or AAAA (DNS type 28). This policy is a temporary
  // measure and will be removed in future versions of Google Chrome. After
  // removal of the policy, Google Chrome will always be able to query
  // additional DNS types.
  //"AdditionalDnsQueryTypesEnabled": true,

  // Ads setting for sites with intrusive ads
  //-------------------------------------------------------------------------
  // Unless SafeBrowsingEnabled is set to False, then setting
  // AdsSettingForIntrusiveAdsSites to 1 or leaving it unset allows ads on all
  // sites. Setting the policy to 2 blocks ads on sites with intrusive ads.
  //"AdsSettingForIntrusiveAdsSites": 1,

  // Enable additional protections for users enrolled in the Advanced Protection program
  //-------------------------------------------------------------------------
  // This policy controls whether users enrolled in the Advanced Protection
  // program receive extra protections. Some of these features may involve the
  // sharing of data with Google (for example, Advanced Protection users will be
  // able to send their downloads to Google for malware scanning). If set to
  // True or not set, enrolled users will receive extra protections. If set to
  // False, Advanced Protection users will receive only the standard consumer
  // features.
  //"AdvancedProtectionAllowed": true,

  // List of origins allowing all HTTP authentication
  //-------------------------------------------------------------------------
  // Setting the policy specifies for which origins to allow all the HTTP
  // authentication schemes Google Chrome supports regardless of the AuthSchemes
  // policy. Format the origin pattern according to this format
  // (https://support.google.com/chrome/a?p=url_blocklist_filter_format).
  // Up to
  // 1,000 exceptions can be defined in AllHttpAuthSchemesAllowedForOrigins.
  // Wildcards are allowed for the whole origin or parts of the origin, either
  // the scheme, host, or port.
  //"AllHttpAuthSchemesAllowedForOrigins": ["*.example.com"],

  // Allow pages with Cache-Control: no-store header to enter back/forward cache
  //-------------------------------------------------------------------------
  // This policy controls if a page with Cache-Control: no-store header can be
  // stored in back/forward cache. The website setting this header may not
  // expect the page to be restored from back/forward cache since some sensitive
  // information could still be displayed after the restoration even if it is no
  // longer accessible. If the policy is enabled or unset, the page with
  // Cache-Control: no-store header might be restored from back/forward cache
  // unless the cache eviction is triggered (e.g. when there is HTTP-only cookie
  // change to the site). If the policy is disabled, the page with
  // Cache-Control: no-store header will not be stored in back/forward cache.
  //"AllowBackForwardCacheForCacheControlNoStorePageEnabled": true,

  // Cross-origin HTTP Authentication prompts
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled allows third-party images on a page to show
  // an authentication prompt. Setting the policy to Disabled or leaving it
  // unset renders third-party images unable to show an authentication prompt.
  // Typically, this policy is Disabled as a phishing defense.
  //"AllowCrossOriginAuthPrompt": false,

  // Enable deleting browser and download history
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving it unset means browser history and
  // download history can be deleted in Chrome, and users can't change this
  // setting. Setting the policy to Disabled means browser history and download
  // history can't be deleted.
  // Even with this policy off, the browsing and
  // download history are not guaranteed to be retained. Users may be able to
  // edit or delete the history database files directly, and the browser itself
  // may expire or archive any or all history items at any time.
  //"AllowDeletingBrowserHistory": true,

  // Allow Dinosaur Easter Egg Game
  //-------------------------------------------------------------------------
  // Setting the policy to True allows users to play the dinosaur game. Setting
  // the policy to False means users can't play the dinosaur easter egg game
  // when the device is offline. Leaving the policy unset means users can't play
  // the game on enrolled Google ChromeOS, but can under other circumstances.
  //"AllowDinosaurEasterEgg": false,

  // Allow invocation of file selection dialogs
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving it unset means Chrome can display,
  // and users can open, file selection dialogs. Setting the policy to Disabled
  // means that whenever users perform actions provoking a file selection
  // dialog, such as importing bookmarks, uploading files, and saving links, a
  // message appears instead. The user is assumed to have clicked Cancel on the
  // file selection dialog.
  //"AllowFileSelectionDialogs": true,

  // Allows system notifications
  //-------------------------------------------------------------------------
  // Configures whether Google Chrome on Linux will use system notifications.
  // If set to True or not set, Google Chrome is allowed to use system
  // notifications. If set to False, Google Chrome will not use system
  // notifications. Google Chrome's Message Center will be used as a fallback.
  //"AllowSystemNotifications": true,

  // Allow Web Authentication requests on sites with broken TLS certificates.
  //-------------------------------------------------------------------------
  // If set to Enabled, Google Chrome will allow Web Authentication requests on
  // websites that have TLS certificates with errors (i.e. websites considered
  // not secure). If the policy is set to Disabled or left unset, the default
  // behavior of blocking such requests will apply.
  //"AllowWebAuthnWithBrokenTlsCerts": true,

  // Define domains allowed to access Google Workspace
  //-------------------------------------------------------------------------
  // Setting the policy turns on Chrome's restricted sign-in feature in Google
  // Workspace and prevents users from changing this setting. Users can only
  // access Google tools using accounts from the specified domains (to allow
  // gmail or googlemail accounts, add consumer_accounts to the list of
  // domains). This setting prevents users from signing in and adding a
  // Secondary Account on a managed device that requires Google authentication,
  // if that account doesn't belong to one of the explicitly allowed domains.
  // Leaving this setting empty or unset means users can access Google Workspace
  // with any account. Users cannot change or override this setting. Note:
  // This policy causes the X-GoogApps-Allowed-Domains header to be appended to
  // all HTTP and HTTPS requests to all google.com domains, as described in
  // https://support.google.com/a/answer/1668854.
  //"AllowedDomainsForApps": "managedchrome.com,example.com",

  // Enable alternate error pages
  //-------------------------------------------------------------------------
  // Setting the policy to True means Google Chrome uses alternate error pages
  // built into it (such as "page not found"). Setting the policy to False means
  // Google Chrome never uses alternate error pages. If you set the policy,
  // users can't change it. If not set, the policy is on, but users can change
  // this setting.
  //"AlternateErrorPagesEnabled": true,

  // Command-line parameters for the alternative browser.
  //-------------------------------------------------------------------------
  // Setting the policy to a list of strings means each string is passed to the
  // alternative browser as separate command-line parameters. On Microsoft®
  // Windows®, the parameters are joined with spaces. On macOS and Linux®, a
  // parameter can have spaces and still be treated as a single parameter. If a
  // parameter contains ${url}, ${url} is replaced with the URL of the page to
  // open. If no parameter contains ${url}, the URL is appended at the end of
  // the command line. Environment variables are expanded. On Microsoft®
  // Windows®, %ABC% is replaced with the value of the ABC environment variable.
  // On macOS and Linux®, ${ABC} is replaced with the value of the ABC
  // environment variable. Leaving the policy unset means only the URL is
  // passed as a command-line parameter.
  //"AlternativeBrowserParameters": ["-foreground", "-new-window", "${url}", "-profile", "%HOME%\\browser_profile"],

  // Alternative browser to launch for configured websites.
  //-------------------------------------------------------------------------
  // Setting the policy controls which command to use to open URLs in an
  // alternative browser. The policy can be set to one of ${ie}, ${firefox},
  // ${safari}, ${opera}, ${edge} or a file path. When this policy is set to a
  // file path, that file is used as an executable file. ${ie} is only available
  // on Microsoft® Windows®. ${safari} and ${edge} are only available on
  // Microsoft® Windows® and macOS. Leaving the policy unset puts a
  // platform-specific default in use: Internet Explorer® for Microsoft®
  // Windows®, or Safari® for macOS. On Linux®, launching an alternative browser
  // will fail.
  //"AlternativeBrowserPath": "${ie}",

  // Always Open PDF files externally
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled turns the internal PDF viewer off in Google
  // Chrome, treats PDF files as a download, and lets users open PDFs with the
  // default application. Setting the policy to Disabled means that unless
  // users turn off the PDF plugin, it will open PDF files. If you set the
  // policy, users can't change it in Google Chrome. If not set, users can
  // choose whether to open PDF externally or not.
  //"AlwaysOpenPdfExternally": true,

  // Enable Ambient Authentication for profile types.
  //-------------------------------------------------------------------------
  // Configuring this policy will allow/disallow ambient authentication for
  // Incognito and Guest profiles in Google Chrome. Ambient Authentication is
  // HTTP authentication with default credentials if explicit credentials are
  // not provided via NTLM/Kerberos/Negotiate challenge/response schemes.
  // Setting RegularOnly (value 0) allows ambient authentication for
  // Regular sessions only. Incognito and Guest sessions wouldn't be allowed to
  // ambiently authenticate. Setting IncognitoAndRegular (value 1) allows
  // ambient authentication for Incognito and Regular sessions. Guest sessions
  // wouldn't be allowed to ambiently authenticate. Setting GuestAndRegular
  // (value 2) allows ambient authentication for Guest and Regular sessions.
  // Incognito sessions wouldn't be allowed to ambiently authenticate. Setting
  // All (value 3) allows ambient authentication for all sessions. Note
  // that ambient authentication is always allowed on regular profiles. In
  // Google Chrome version 81 and later, if the policy is left not set, ambient
  // authentication will be enabled in regular sessions only.
  //"AmbientAuthenticationInPrivateModesEnabled": 0,

  // Allow or deny audio capture
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving it unset means that, with the
  // exception of URLs set in the AudioCaptureAllowedUrls list, users get
  // prompted for audio capture access. Setting the policy to Disabled turns
  // off prompts, and audio capture is only available to URLs set in the
  // AudioCaptureAllowedUrls list. Note: The policy affects all audio input
  // (not just the built-in microphone).
  //"AudioCaptureAllowed": false,

  // URLs that will be granted access to audio capture devices without prompt
  //-------------------------------------------------------------------------
  // Setting the policy means you specify the URL list whose patterns get
  // matched to the security origin of the requesting URL. A match grants access
  // to audio capture devices without prompt. For detailed information on valid
  // URL patterns, please see
  // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
  //"AudioCaptureAllowedUrls": ["https://www.example.com/", "https://[*.]example.edu/"],

  // Allow the audio sandbox to run
  //-------------------------------------------------------------------------
  // This policy controls the audio process sandbox. If this policy is enabled,
  // the audio process will run sandboxed. If this policy is disabled, the audio
  // process will run unsandboxed and the WebRTC audio-processing module will
  // run in the renderer process. This leaves users open to security risks
  // related to running the audio subsystem unsandboxed. If this policy is not
  // set, the default configuration for the audio sandbox will be used, which
  // may differ per platform. This policy is intended to give enterprises
  // flexibility to disable the audio sandbox if they use security software
  // setups that interfere with the sandbox.
  //"AudioSandboxEnabled": true,

  // Kerberos delegation server allowlist
  //-------------------------------------------------------------------------
  // Setting the policy assigns servers that Google Chrome may delegate to.
  // Separate multiple server names with commas. Wildcards, *, are allowed.
  // Leaving the policy unset means Google Chrome won't delegate user
  // credentials, even if a server is detected as intranet.
  //"AuthNegotiateDelegateAllowlist": "*.example.com,foobar.example.com",

  // Use KDC policy to delegate credentials.
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled means HTTP authentication respects approval
  // by KDC policy. In other words, Google Chrome delegates user credentials to
  // the service being accessed if the KDC sets OK-AS-DELEGATE on the service
  // ticket. See RFC 5896 ( https://tools.ietf.org/html/rfc5896.html ). The
  // service should also be allowed by AuthNegotiateDelegateAllowlist. Setting
  // the policy to Disabled or leaving it unset means KDC policy is ignored on
  // supported platforms and only AuthNegotiateDelegateAllowlist is respected.
  // On Microsoft® Windows®, KDC policy is always respected.
  //"AuthNegotiateDelegateByKdcPolicy": true,

  // Supported authentication schemes
  //-------------------------------------------------------------------------
  // Setting the policy specifies which HTTP authentication schemes Google
  // Chrome supports. Leaving the policy unset employs all 4 schemes. Valid
  // values:
  // * basic
  // * digest
  // * ntlm
  // * negotiate
  // Note: Separate multiple values with commas.
  //"AuthSchemes": "basic,digest,ntlm,negotiate",

  // Authentication server allowlist
  //-------------------------------------------------------------------------
  // Setting the policy specifies which servers should be allowed for integrated
  // authentication.
  // Integrated authentication is only on when Google Chrome
  // gets an authentication challenge from a proxy or from a server in this
  // permitted list. Leaving the policy unset means Google Chrome tries to
  // detect if a server is on the intranet. Only then will it respond to IWA
  // requests. If a server is detected as internet, then Google Chrome ignores
  // IWA requests from it. Note: Separate multiple server names with commas.
  // Wildcards, *, are allowed.
  //"AuthServerAllowlist": "*.example.com,example.com",

  // Define a list of protocols that can launch an external application from listed origins without prompting the user
  //-------------------------------------------------------------------------
  // Allows you to set a list of protocols, and for each protocol an associated
  // list of allowed origin patterns, that can launch an external application
  // without prompting the user. The trailing separator should not be included
  // when listing the protocol, so list "skype" instead of "skype:" or
  // "skype://". If this policy is set, a protocol will only be permitted to
  // launch an external application without prompting by policy if the protocol
  // is listed, and the origin of the site trying to launch the protocol matches
  // one of the origin patterns in that protocol's allowed_origins list. If
  // either condition is false the external protocol launch prompt will not be
  // omitted by policy. If this policy is not set, no protocols can launch
  // without a prompt by default. Users may opt out of prompts on a
  // per-protocol/per-site basis unless the
  // ExternalProtocolDialogShowAlwaysOpenCheckbox policy is set to Disabled.
  // This policy has no impact on per-protocol/per-site prompt exemptions set by
  // users. The origin matching patterns use a similar format to those for the
  // 'URLBlocklist' policy, which are documented at
  // https://support.google.com/chrome/a?p=url_blocklist_filter_format.
  // However, origin matching patterns for this policy cannot contain "/path" or
  // "@query" elements. Any pattern that does contain a "/path" or "@query"
  // element will be ignored. See
  // https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AutoLaunchProtocolsFromOrigins
  // for more information about schema and formatting.
  //"AutoLaunchProtocolsFromOrigins": [{"allowed_origins": ["example.com", "http://www.example.com:8080"], "protocol": "spotify"}, {"allowed_origins": ["https://example.com", "https://.mail.example.com"], "protocol": "teams"}, {"allowed_origins": ["*"], "protocol": "outlook"}],

  // URLs where AutoOpenFileTypes can apply
  //-------------------------------------------------------------------------
  // List of URLs specifying which URLs AutoOpenFileTypes will apply to. This
  // policy has no impact on automatically open values set by users. If this
  // policy is set, files will only automatically open by policy if the URL is
  // part of this set and the file type is listed in AutoOpenFileTypes. If
  // either condition is false the download won't automatically open by policy.
  // If this policy isn't set, all downloads where the file type is in
  // AutoOpenFileTypes will automatically open. A URL pattern has to be
  // formatted according to
  // https://support.google.com/chrome/a?p=url_blocklist_filter_format.
  //"AutoOpenAllowedForURLs": ["example.com", "https://ssl.server.com", "hosting.com/good_path", "https://server:8080/path", ".exact.hostname.com"],

  // List of file types that should be automatically opened on download
  //-------------------------------------------------------------------------
  // List of file types that should be automatically opened on download. The
  // leading separator should not be included when listing the file type, so
  // list "txt" instead of ".txt". Files with types that should be
  // automatically opened will still be subject to the enabled safe browsing
  // checks and won't be opened if they fail those checks.
  // If this policy isn't
  // set, only file types that a user has already specified to automatically be
  // opened will do so when downloaded. On Microsoft® Windows®, this policy is
  // only available on instances that are joined to a Microsoft® Active
  // Directory® domain, joined to Microsoft® Azure® Active Directory® or
  // enrolled in Chrome Browser Cloud Management.
  //"AutoOpenFileTypes": ["exe", "txt"],

  // Automatically select client certificates for these sites
  //-------------------------------------------------------------------------
  // Setting the policy lets you make a list of URL patterns that specify sites
  // for which Chrome can automatically select a client certificate. The value
  // is an array of stringified JSON dictionaries, each with the form
  // { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a
  // content setting pattern. $FILTER restricts the client certificates the
  // browser automatically selects from. Independent of the filter, only
  // certificates that match the server's certificate request are selected.
  // Examples for the usage of the $FILTER section:
  // * When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client
  //   certificates issued by a certificate with the CommonName $ISSUER_CN are
  //   selected.
  // * When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only
  //   client certificates that satisfy both conditions are selected.
  // * When $FILTER contains a "SUBJECT" section with the "O" value, a
  //   certificate needs at least one organization matching the specified value
  //   to be selected.
  // * When $FILTER contains a "SUBJECT" section with a "OU" value, a
  //   certificate needs at least one organizational unit matching the
  //   specified value to be selected.
  // * When $FILTER is set to {}, the selection of client certificates is not
  //   additionally restricted. Note that filters provided by the web server
  //   still apply.
  // Leaving the policy unset means there's no autoselection for any site.
  // See
  // https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AutoSelectCertificateForUrls
  // for more information about schema and formatting.
  //"AutoSelectCertificateForUrls": ["{\"pattern\":\"https://www.example.com\",\"filter\":{\"ISSUER\":{\"CN\":\"certificate issuer name\", \"L\": \"certificate issuer location\", \"O\": \"certificate issuer org\", \"OU\": \"certificate issuer org unit\"}, \"SUBJECT\":{\"CN\":\"certificate subject name\", \"L\": \"certificate subject location\", \"O\": \"certificate subject org\", \"OU\": \"certificate subject org unit\"}}}"],

  // Enable AutoFill for addresses
  //-------------------------------------------------------------------------
  // Setting the policy to True or leaving it unset gives users control of
  // Autofill for addresses in the UI. Setting the policy to False means
  // Autofill never suggests or fills address information, nor does it save
  // additional address information that users submit while browsing the web.
  //"AutofillAddressEnabled": false,

  // Enable AutoFill for credit cards
  //-------------------------------------------------------------------------
  // Setting the policy to True or leaving it unset means users can control
  // autofill suggestions for credit cards in the UI. Setting the policy to
  // False means autofill never suggests or fills credit card information, nor
  // will it save additional credit card information that users might submit
  // while browsing the web.
  //"AutofillCreditCardEnabled": false,

  // Allow automatic fullscreen on these sites
  //-------------------------------------------------------------------------
  // For security reasons, the requestFullscreen() web API requires a prior user
  // gesture ("transient activation") to be called or will otherwise fail.
  // Users' personal settings may allow certain origins to call this API without
  // a prior user gesture, as described in
  // https://chromestatus.com/feature/6218822004768768.
  // This policy supersedes
  // users' personal settings and allows matching origins to call the API
  // without a prior user gesture. For detailed information on valid url
  // patterns, please see
  // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
  // Wildcards, *, are allowed. Origins
  // matching both blocked and allowed policy patterns will be blocked. Origins
  // not specified by policy nor user settings will require a prior user gesture
  // to call this API.
  //"AutomaticFullscreenAllowedForUrls": ["https://www.example.com", "[*.]example.edu"],

  // Block automatic fullscreen on these sites
  //-------------------------------------------------------------------------
  // For security reasons, the requestFullscreen() web API requires a prior user
  // gesture ("transient activation") to be called or will otherwise fail.
  // Users' personal settings may allow certain origins to call this API without
  // a prior user gesture, as described in
  // https://chromestatus.com/feature/6218822004768768. This policy supersedes
  // users' personal settings and blocks matching origins from calling the API
  // without a prior user gesture. For detailed information on valid url
  // patterns, please see
  // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
  // Wildcards, *, are allowed. Origins
  // matching both blocked and allowed policy patterns will be blocked. Origins
  // not specified by policy nor user settings will require a prior user gesture
  // to call this API.
  //"AutomaticFullscreenBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

  // Allow media autoplay
  //-------------------------------------------------------------------------
  // Setting the policy to True lets Google Chrome autoplay media. Setting the
  // policy to False stops Google Chrome from autoplaying media. By default,
  // Google Chrome doesn't autoplay media. But, for certain URL patterns, you
  // can use the AutoplayAllowlist policy to change this setting.
  // If this
  // policy changes while Google Chrome is running, it only applies to newly
  // opened tabs.
  //"AutoplayAllowed": true,

  // Allow media autoplay on an allowlist of URL patterns
  //-------------------------------------------------------------------------
  // Setting the policy lets videos play automatically (without user consent)
  // with audio content in Google Chrome. If AutoplayAllowed policy is set to
  // True, then this policy has no effect. If AutoplayAllowed is set to False,
  // then any URL patterns set in this policy can still play. If this policy
  // changes while Google Chrome is running, it only applies to newly opened
  // tabs. For detailed information on valid url patterns, please see
  // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
  //"AutoplayAllowlist": ["https://www.example.com", "[*.]example.edu"],

  // Continue running background apps when Google Chrome is closed
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled turns background mode on. In background mode,
  // a Google Chrome process is started on OS sign-in and keeps running when the
  // last browser window is closed, allowing background apps and the browsing
  // session to remain active. The background process displays an icon in the
  // system tray and can always be closed from there. Setting the policy to
  // Disabled turns background mode off. If you set the policy, users can't
  // change it in the browser settings. If unset, background mode is off at
  // first, but users can change it.
  //"BackgroundModeEnabled": true,

  // Allow Basic authentication for HTTP
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving it unset will allow Basic
  // authentication challenges received over non-secure HTTP. Setting the
  // policy to Disabled forbids non-secure HTTP requests from using the Basic
  // authentication scheme; only secure HTTPS is allowed.
  // This policy setting is ignored (and Basic is always forbidden) if the
  // AuthSchemes policy is set and does not include Basic.
  //"BasicAuthOverHttpEnabled": false,

  // Enable Battery Saver Mode
  //-------------------------------------------------------------------------
  // This policy enables or disables the Battery Saver Mode setting. On Chrome,
  // this setting makes it so that frame rate is throttled to lower power
  // consumption. If this policy is unset, the end user can control this setting
  // in chrome://settings/performance. On ChromeOS, this setting makes it so
  // that frame rate and CPU frequency are throttled, backlights are dimmed, and
  // Android is put in Battery Saver Mode. On devices with multiple CPUs, some
  // CPUs will be turned off. The different levels are: Disabled (0): Battery
  // Saver Mode will be disabled. EnabledBelowThreshold (1): Battery Saver Mode
  // will be enabled when the device is on battery power and battery level is
  // low. EnabledOnBattery (2): This value is deprecated as of M121. From M121
  // onwards, values will be treated as EnabledBelowThreshold.
  //"BatterySaverModeAvailability": 1,

  // Control new behavior for the cancel dialog produced by the beforeunload event
  //-------------------------------------------------------------------------
  // This policy provides a temporary opt-out for two related fixes to the
  // behavior of the confirmation dialog shown by the beforeunload event. When
  // this policy is Enabled, the new and correct behavior will be used. When
  // this policy is Disabled, the old and legacy behavior will be used. When
  // this policy is not set, the default behavior will be used. This policy is a
  // temporary workaround and will be removed soon. New and correct behavior:
  // In `beforeunload`, calling `event.preventDefault()` will trigger the
  // confirmation dialog. Setting `event.returnValue` to the empty string will
  // not trigger the confirmation dialog.
  // Old and legacy behavior: In `beforeunload`, calling
  // `event.preventDefault()` will not trigger the confirmation dialog. Setting
  // `event.returnValue` to the empty string will trigger the confirmation
  // dialog.
  //"BeforeunloadEventCancelByPreventDefaultEnabled": true,

  // Blocks external extensions from being installed
  //-------------------------------------------------------------------------
  // Controls external extensions installation. Setting this policy to Enabled
  // blocks external extensions from being installed. Setting this policy to
  // Disabled or leaving it unset allows external extensions to be installed.
  // External extensions and their installation are documented at
  // https://developer.chrome.com/apps/external_extensions.
  //"BlockExternalExtensions": true,

  // Block third party cookies
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled prevents webpage elements that aren't from
  // the domain that's in the browser's address bar from setting cookies.
  // Setting the policy to Disabled lets those elements set cookies and prevents
  // users from changing this setting. Leaving it unset turns third-party
  // cookies on, but users can change this setting.
  //"BlockThirdPartyCookies": false,

  // Enable Bookmark Bar
  //-------------------------------------------------------------------------
  // Setting the policy to True displays a bookmark bar in Google Chrome.
  // Setting the policy to False means users never see the bookmark bar. If you
  // set the policy, users can't change it. If not set, users decide whether to
  // use this function.
  //"BookmarkBarEnabled": true,

  // Enable add person in user manager
  //-------------------------------------------------------------------------
  // If this policy is set to true or not configured, Google Chrome and Lacros
  // will allow adding a new person from the user manager.
  // If this policy is set to false, Google Chrome and Lacros will not allow
  // adding a new person from the user manager. Note: If this policy is not
  // configured or set to true, but LacrosSecondaryProfilesAllowed is set to
  // false, Lacros will not allow adding a new person from the user manager.
  //"BrowserAddPersonEnabled": true,

  // Enable guest mode in browser
  //-------------------------------------------------------------------------
  // If this policy is set to true or not configured, Google Chrome and Lacros
  // will enable guest logins. Guest logins are Google Chrome profiles where all
  // windows are in incognito mode. If this policy is set to false, Google
  // Chrome and Lacros will not allow guest profiles to be started. Note: If
  // this policy is not configured or set to true, but
  // LacrosSecondaryProfilesAllowed is set to false, Lacros will not allow guest
  // profiles to be started.
  //"BrowserGuestModeEnabled": true,

  // Enforce browser guest mode
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled means Google Chrome enforces guest sessions
  // and prevents profile sign-ins. Guest sign-ins are Google Chrome profiles
  // where windows are in Incognito mode. Setting the policy to Disabled,
  // leaving it unset, or disabling browser Guest mode (through
  // BrowserGuestModeEnabled) allows the use of new and existing profiles.
  //"BrowserGuestModeEnforced": true,

  // Browser experiments icon in toolbar
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving the policy unset means that users
  // can access browser experimental features through an icon in the toolbar.
  // Setting the policy to Disabled removes the browser experimental features
  // icon from the toolbar. chrome://flags and any other means of turning off
  // and on browser features will still behave as expected regardless of whether
  // this policy is Enabled or Disabled.
  //"BrowserLabsEnabled": false,

  // Allow queries to a Google time service
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving it unset means Google Chrome sends
  // occasional queries to a Google server to retrieve an accurate timestamp.
  // Setting the policy to Disabled stops Google Chrome from sending these
  // queries.
  //"BrowserNetworkTimeQueriesEnabled": true,

  // Browser sign in settings
  //-------------------------------------------------------------------------
  // This policy controls the sign-in behavior of the browser. It allows you to
  // specify if the user can sign in to Google Chrome with their account and use
  // account related services like Google Chrome Sync. If the policy is set to
  // "Disable browser sign-in" then the user cannot sign in to the browser and
  // use account-based services. In this case browser-level features like Google
  // Chrome Sync cannot be used and will be unavailable. On iOS, if the user was
  // signed in and the policy is set to "Disabled" they will be signed out
  // immediately. On other platforms, they will be signed out the next time they
  // run Google Chrome. On all platforms, their local profile data like
  // bookmarks, passwords etc. will be preserved and still usable. The user will
  // still be able to sign into and use Google web services like Gmail. If the
  // policy is set to "Enable browser sign-in," then the user is allowed to sign
  // in to the browser. On all platforms except iOS, the user is automatically
  // signed in to the browser when signed in to Google web services like Gmail.
  // Being signed in to the browser means the user's account information will be
  // kept by the browser. However, it does not mean that Google Chrome Sync will
  // be turned on by default; the user must separately opt-in to use this
  // feature. Enabling this policy will prevent the user from turning off the
  // setting that allows browser sign-in.
  // To control the availability of Google Chrome Sync, use the SyncDisabled
  // policy. If the policy is set to "Force browser sign-in" the user is
  // presented with an account selection dialog and has to choose and sign in
  // to an account to use the browser. This ensures that for managed accounts
  // the policies associated with the account are applied and enforced. The
  // default value of BrowserGuestModeEnabled will be set to disabled. Note
  // that existing unsigned profiles will be locked and inaccessible after
  // enabling this policy. For more information, see help center article:
  // https://support.google.com/chrome/a/answer/7572556 . This option is not
  // supported on Linux, Android or iOS. It will fall back to "Enable browser
  // sign-in" if used. If this policy is not set then the user can decide if
  // they want to enable browser sign-in in the Google Chrome settings and use
  // it as they see fit.
  //"BrowserSignin": 2,

  // Delay before launching alternative browser (milliseconds)
  //-------------------------------------------------------------------------
  // Setting the policy to a number has Google Chrome show a message for that
  // number of milliseconds, then it opens an alternative browser. Leaving the
  // policy unset or set to 0 means navigating to a designated URL immediately
  // opens it in an alternative browser.
  //"BrowserSwitcherDelay": 10000,

  // Enable the Legacy Browser Support feature.
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled means Google Chrome will try to launch some
  // URLs in an alternate browser, such as Internet Explorer®. This feature is
  // set using the policies in the Legacy Browser support group. Setting the
  // policy to Disabled or leaving it unset means Google Chrome won't try to
  // launch designated URLs in an alternate browser.
  //"BrowserSwitcherEnabled": true,

  // URL of an XML file that contains URLs that should never trigger a browser switch.
  //-------------------------------------------------------------------------
  // Setting the policy to a valid URL has Google Chrome download the site list
  // from that URL and apply the rules as if they were set up with the
  // BrowserSwitcherUrlGreylist policy. These policies prevent Google Chrome and
  // the alternative browser from opening one another. Leaving it unset (or set
  // to an invalid URL) means Google Chrome doesn't use the policy as a source of
  // rules for not switching browsers. Note: This policy points to an XML file
  // in the same format as Internet Explorer®'s SiteList policy. This loads
  // rules from an XML file, without sharing those rules with Internet
  // Explorer®. Read more on Internet Explorer®'s SiteList policy (
  // https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode
  // )
  //"BrowserSwitcherExternalGreylistUrl": "http://example.com/greylist.xml",

  // URL of an XML file that contains URLs to load in an alternative browser.
  //-------------------------------------------------------------------------
  // Setting the policy to a valid URL has Google Chrome download the site list
  // from that URL and apply the rules as if they were set up with the
  // BrowserSwitcherUrlList policy. Leaving it unset (or set to an invalid URL)
  // means Google Chrome doesn't use the policy as a source of rules for
  // switching browsers. Note: This policy points to an XML file in the same
  // format as Internet Explorer®'s SiteList policy. This loads rules from an
  // XML file, without sharing those rules with Internet Explorer®. Read more on
  // Internet Explorer®'s SiteList policy (
  // https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode
  // )
  //"BrowserSwitcherExternalSitelistUrl": "http://example.com/sitelist.xml",

  // Keep last tab open in Chrome.
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving it unset has Google Chrome keep at
  // least one tab open, after switching to an alternate browser. Setting the
  // policy to Disabled has Google Chrome close the tab after switching to an
  // alternate browser, even if it was the last tab. This causes Google Chrome
  // to exit completely.
  //"BrowserSwitcherKeepLastChromeTab": false,

  // Sitelist parsing mode
  //-------------------------------------------------------------------------
  // This policy controls how Google Chrome interprets sitelist/greylist
  // policies for the Legacy Browser Support feature. It affects the following
  // policies: BrowserSwitcherUrlList, BrowserSwitcherUrlGreylist,
  // BrowserSwitcherUseIeSitelist, BrowserSwitcherExternalSitelistUrl, and
  // BrowserSwitcherExternalGreylistUrl. If 'Default' (0) or unset, URL
  // matching is less strict. Rules that do not contain "/" look for a substring
  // anywhere in the URL's hostname. Matching the path component of a URL is
  // case-sensitive. If 'IESiteListMode' (1), URL matching is more strict.
  // Rules that do not contain "/" only match at the end of the hostname. They
  // must also be at a domain name boundary. Matching the path component of a
  // URL is case-insensitive. This is more compatible with Microsoft® Internet
  // Explorer® and Microsoft® Edge®. For example, with the rules "example.com"
  // and "acme.com/abc": "http://example.com/", "http://subdomain.example.com/"
  // and "http://acme.com/abc" match regardless of parsing mode.
  // "http://notexample.com/", "http://example.com.invalid.com/",
  // "http://example.comabc/" only match in 'Default' mode.
  // "http://acme.com/ABC" only matches in 'IESiteListMode'.
  //"BrowserSwitcherParsingMode": 1,

  // Websites that should never trigger a browser switch.
  //-------------------------------------------------------------------------
  // Setting the policy controls the list of websites that will never cause a
  // browser switch. Each item is treated as a rule. Those rules that match
  // won't open an alternative browser. Unlike the BrowserSwitcherUrlList
  // policy, rules apply to both directions. When the Internet Explorer® add-in
  // is on, it also controls whether Internet Explorer® should open these URLs
  // in Google Chrome. Leaving the policy unset adds no websites to the list.
  // Note: Elements can also be added to this list through the
  // BrowserSwitcherExternalGreylistUrl policy.
  //"BrowserSwitcherUrlGreylist": ["ie.com", "!open-in-chrome.ie.com", "foobar.com/ie-only/"],

  // Websites to open in alternative browser
  //-------------------------------------------------------------------------
  // Setting the policy controls the list of websites to open in an alternative
  // browser. Each item is treated as a rule for something to open in an
  // alternative browser. Google Chrome uses those rules when choosing if a URL
  // should open in an alternative browser. When the Internet Explorer® add-in
  // is on, Internet Explorer® switches back to Google Chrome when the rules
  // don't match. If rules contradict each other, Google Chrome uses the most
  // specific rule. Leaving the policy unset adds no websites to the list.
  // Note: Elements can also be added to this list through the
  // BrowserSwitcherUseIeSitelist and BrowserSwitcherExternalSitelistUrl
  // policies.
  //"BrowserSwitcherUrlList": ["ie.com", "!open-in-chrome.ie.com", "foobar.com/ie-only/"],

  // Configure the color of the browser's theme
  //-------------------------------------------------------------------------
  // This policy allows admins to configure the color of Google Chrome's theme.
  // The input string should be a valid hex color string matching the format
  // "#RRGGBB".
  // Setting the policy to a valid hex color causes a theme based on
  // that color to be automatically generated and applied to the browser. Users
  // won't be able to change the theme set by the policy. Leaving the policy
  // unset lets users change their browser's theme as preferred.
  //"BrowserThemeColor": "#FFFFFF",

  // Browsing Data Lifetime Settings
  //-------------------------------------------------------------------------
  // Configures browsing data lifetime settings for Google Chrome. This policy
  // allows admins to configure (per data-type) when data is deleted by the
  // browser. This is useful for customers that work with sensitive customer
  // data. The available data types are 'browsing_history', 'download_history',
  // 'cookies_and_other_site_data', 'cached_images_and_files',
  // 'password_signin', 'autofill', 'site_settings' and 'hosted_app_data'.
  // 'download_history' and 'hosted_app_data' are not supported on Android. The
  // browser will automatically remove data of selected types that is older than
  // 'time_to_live_in_hours'. The minimum value that can be set is 1 hour. The
  // deletion of expired data will happen 15 seconds after the browser starts
  // then every 30 minutes while the browser is running. Until Chrome 114, this
  // policy required the SyncDisabled policy to be set to true. Starting Chrome
  // 115, setting this policy will disable sync for the respective data types if
  // neither `Chrome Sync` is disabled by setting the SyncDisabled policy nor
  // BrowserSignin is disabled. See
  // https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowsingDataLifetime
  // for more information about schema and formatting.
  //"BrowsingDataLifetime": [{"data_types": ["browsing_history"], "time_to_live_in_hours": 24}, {"data_types": ["password_signin", "autofill"], "time_to_live_in_hours": 12}],

  // Use built-in DNS client
  //-------------------------------------------------------------------------
  // This policy controls which software stack is used to communicate with the
  // DNS server: the Operating System DNS client, or Google Chrome's built-in
  // DNS client. This policy does not affect which DNS servers are used: if, for
  // example, the operating system is configured to use an enterprise DNS
  // server, that same server would be used by the built-in DNS client. It also
  // does not control if DNS-over-HTTPS is used; Google Chrome will always use
  // the built-in resolver for DNS-over-HTTPS requests. Please see the
  // DnsOverHttpsMode policy for information on controlling DNS-over-HTTPS. If
  // this policy is set to Enabled or is left unset, the built-in DNS client
  // will be used. If this policy is set to Disabled, the built-in DNS client
  // will only be used when DNS-over-HTTPS is in use.
  //"BuiltInDnsClientEnabled": true,

  // CORS non-wildcard request headers support
  //-------------------------------------------------------------------------
  // Configures support of CORS non-wildcard request headers. Google Chrome
  // version 97 introduces support for CORS non-wildcard request headers. When
  // scripts make a cross-origin network request via fetch() and XMLHttpRequest
  // with a script-added Authorization header, the header must be explicitly
  // allowed by the Access-Control-Allow-Headers header in the CORS preflight
  // response. "Explicitly" here means that the wild card symbol "*" doesn't
  // cover the Authorization header. See
  // https://chromestatus.com/feature/5742041264816128 for more detail. If this
  // policy is not set, or set to True, Google Chrome will support the CORS
  // non-wildcard request headers and behave as described above.
  // When this policy is set to False, Chrome will allow the wildcard symbol
  // ("*") in the Access-Control-Allow-Headers header in the CORS preflight
  // response to cover the Authorization header. This Enterprise policy is
  // temporary; it's intended to be removed in the future.
  //"CORSNonWildcardRequestHeadersSupport": true,

  // Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
  //-------------------------------------------------------------------------
  // Setting the policy turns off enforcement of Certificate Transparency
  // disclosure requirements for a list of subjectPublicKeyInfo hashes.
  // Enterprise hosts can keep using certificates that otherwise wouldn't be
  // trusted (because they weren't properly publicly disclosed). To turn off
  // enforcement, the hash must meet one of these conditions:
  // * It's of the server certificate's subjectPublicKeyInfo.
  // * It's of a subjectPublicKeyInfo that appears in a Certificate Authority
  //   (CA) certificate in the certificate chain. That CA certificate is
  //   constrained through the X.509v3 nameConstraints extension, one or more
  //   directoryName nameConstraints are present in the permittedSubtrees, and
  //   the directoryName has an organizationName attribute.
  // * It's of a subjectPublicKeyInfo that appears in a CA certificate in the
  //   certificate chain, the CA certificate has one or more organizationName
  //   attributes in the certificate Subject, and the server's certificate has
  //   the same number of organizationName attributes, in the same order, and
  //   with byte-for-byte identical values.
  // Specify a subjectPublicKeyInfo hash by linking the hash algorithm name, a
  // slash, and the Base64 encoding of that hash algorithm applied to the
  // DER-encoded subjectPublicKeyInfo of the specified certificate. Base64
  // encoding format matches that of an SPKI Fingerprint. The only recognized
  // hash algorithm is sha256; others are ignored.
  // Leaving the policy unset means
  // that if certificates requiring disclosure through Certificate Transparency
  // aren't disclosed, then Google Chrome doesn't trust those certificates.
  //"CertificateTransparencyEnforcementDisabledForCas": ["sha256/AAAAAAAAAAAAAAAAAAAAAA==", "sha256//////////////////////w=="],

  // Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
  //-------------------------------------------------------------------------
  // Setting the policy turns off enforcement of Certificate Transparency
  // disclosure requirements for a list of Legacy Certificate Authorities (CA)
  // for certificate chains with a specified subjectPublicKeyInfo hash.
  // Enterprise hosts can keep using certificates that otherwise wouldn't be
  // trusted (because they weren't properly publicly disclosed). To turn off
  // enforcement, the subjectPublicKeyInfo hash must appear in a CA certificate
  // recognized as a Legacy CA. A Legacy CA is publicly trusted by one or more
  // operating systems supported by Google Chrome, but not Android Open Source
  // Project or Google ChromeOS. Specify a subjectPublicKeyInfo hash by linking
  // the hash algorithm name, a slash and the Base64 encoding of that hash
  // algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified
  // certificate. Base64 encoding format matches that of an SPKI Fingerprint.
  // The only recognized hash algorithm is sha256; others are ignored. Leaving
  // the policy unset means that if certificates requiring disclosure through
  // Certificate Transparency aren't disclosed, then Google Chrome doesn't trust
  // those certificates.
  //"CertificateTransparencyEnforcementDisabledForLegacyCas": ["sha256/AAAAAAAAAAAAAAAAAAAAAA==", "sha256//////////////////////w=="],

  // Disable Certificate Transparency enforcement for a list of URLs
  //-------------------------------------------------------------------------
  // Setting the policy turns off Certificate Transparency disclosure
  // requirements for the hostnames in the specified URLs. While making it
  // harder to detect misissued certificates, hosts can keep using certificates
  // that otherwise wouldn't be trusted (because they weren't properly publicly
  // disclosed). Leaving the policy unset means that if certificates requiring
  // disclosure through Certificate Transparency aren't disclosed, then Google
  // Chrome doesn't trust those certificates. A URL pattern follows this format
  // ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ).
  // However, because the validity of certificates for a given hostname is
  // independent of the scheme, port, or path, Google Chrome only considers the
  // hostname portion of the URL. Wildcard hosts aren't supported.
  //"CertificateTransparencyEnforcementDisabledForUrls": ["example.com", ".example.com"],

  // Allow Chrome for Testing
  //-------------------------------------------------------------------------
  // Controls whether users may use Chrome for Testing. If this policy is set
  // to Enabled or not set, users may install and run Chrome for Testing. If
  // this policy is set to Disabled, users are not allowed to run Chrome for
  // Testing. Users will still be able to install Chrome for Testing, however it
  // will not run with the profiles where this policy is set to Disabled.
  //"ChromeForTestingAllowed": true,

  // Determine the availability of variations
  //-------------------------------------------------------------------------
  // Configuring this policy allows you to specify which variations are allowed
  // to be applied in Google Chrome.
  // Variations provide a means for offering
  // modifications to Google Chrome without shipping a new version of the
  // browser by selectively enabling or disabling already existing features. See
  // https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework
  // for more information. Setting the VariationsEnabled (value 0), or leaving
  // the policy not set allows all variations to be applied to the browser.
  // Setting the CriticalFixesOnly (value 1), allows only variations considered
  // critical security or stability fixes to be applied to Google Chrome.
  // Setting the VariationsDisabled (value 2), prevents all variations from being
  // applied to the browser. Please note that this mode can potentially prevent
  // the Google Chrome developers from providing critical security fixes in a
  // timely manner and is thus not recommended.
  //"ChromeVariations": 1,

  // Clear Browsing Data on Exit
  //-------------------------------------------------------------------------
  // Configures a list of browsing data types that should be deleted when the
  // user closes all browser windows. The available data types are browsing
  // history (browsing_history), download history (download_history), cookies
  // (cookies_and_other_site_data), cache (cached_images_and_files), autofill
  // (autofill), passwords (password_signin), site settings (site_settings) and
  // hosted apps data (hosted_app_data). This policy does not take precedence
  // over AllowDeletingBrowserHistory. Until Chrome 114, this policy required
  // the SyncDisabled policy to be set to true. Starting Chrome 115, setting
  // this policy will disable sync for the respective data types if neither
  // `Chrome Sync` is disabled by setting the SyncDisabled policy nor
  // BrowserSignin is disabled. If Google Chrome does not exit cleanly (for
  // example, if the browser or the OS crashes), the browsing data will be
  // cleared the next time the profile is loaded.
  //"ClearBrowsingDataOnExitList": ["browsing_history", "download_history", "cookies_and_other_site_data", "cached_images_and_files", "password_signin", "autofill", "site_settings", "hosted_app_data"],

  // Enable the Click to Call Feature
  //-------------------------------------------------------------------------
  // Enable the Click to Call feature which allows users to send phone numbers
  // from Chrome Desktops to an Android device when the user is Signed-in. For
  // more information, see help center article:
  // https://support.google.com/chrome/answer/9430554?hl=en. If this policy is
  // set to enabled, the capability of sending phone numbers to Android devices
  // will be enabled for the Chrome user. If this policy is set to disabled,
  // the capability of sending phone numbers to Android devices will be disabled
  // for the Chrome user. If you set this policy, users cannot change or
  // override it. If this policy is left unset, the Click to Call feature is
  // enabled by default.
  //"ClickToCallEnabled": true,

  // Allow clipboard on these sites
  //-------------------------------------------------------------------------
  // Setting the policy lets you set a list of URL patterns that specify sites
  // that can use the clipboard site permission. This does not include all
  // clipboard operations on origins matching the patterns. For instance, users
  // will still be able to paste using keyboard shortcuts as this isn't gated by
  // the clipboard site permission. Leaving the policy unset means
  // DefaultClipboardSetting applies for all sites, if it's set. If not, the
  // user's personal setting applies. For detailed information on valid url
  // patterns, please see
  // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
  // Wildcards, *, are allowed.
  //"ClipboardAllowedForUrls": ["https://www.example.com", "[*.]example.edu"],

  // Block clipboard on these sites
  //-------------------------------------------------------------------------
  // Setting the policy lets you set a list of URL patterns that specify sites
  // that can't use the clipboard site permission. This does not include all
  // clipboard operations on origins matching the patterns. For instance, users
  // will still be able to paste using keyboard shortcuts as this isn't gated by
  // the clipboard site permission. Leaving the policy unset means
  // DefaultClipboardSetting applies for all sites, if it's set. If not, the
  // user's personal setting applies. For detailed information on valid url
  // patterns, please see
  // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
  // Wildcards, *, are allowed.
  //"ClipboardBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

  // Enable mandatory cloud management enrollment
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled mandates Chrome Browser Cloud Management
  // enrollment and blocks Google Chrome launch process if failed. Setting the
  // policy to Disabled or leaving it unset renders Chrome Browser Cloud
  // Management optional and doesn't block Google Chrome launch process if
  // failed. Machine scope cloud policy enrollment on desktop uses this policy.
  // See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744
  // for details.
  //"CloudManagementEnrollmentMandatory": true,

  // The enrollment token of cloud policy
  //-------------------------------------------------------------------------
  // Setting the policy means Google Chrome tries to register itself with Chrome
  // Browser Cloud Management. The value of this policy is an enrollment token
  // you can retrieve from the Google Admin console. See
  // https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for
  // details.
  //"CloudManagementEnrollmentToken": "37185d02-e055-11e7-80c1-9a214cf093ae",

  // Google Chrome cloud policy overrides Platform policy.
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled means cloud policy takes precedence if it
  // conflicts with platform policy. Setting the policy to Disabled or leaving
  // it unset means platform policy takes precedence if it conflicts with cloud
  // policy. This mandatory policy affects machine scope cloud policies. This
  // policy is only available on Google Chrome; it has no effect on Google
  // Update.
  //"CloudPolicyOverridesPlatformPolicy": false,

  // Enable Google Cloud Print proxy
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving it unset lets Google Chrome act as
  // a proxy between Google Cloud Print and legacy printers connected to the
  // machine. Using their Google Account, users may turn on the cloud print
  // proxy by authentication. Setting the policy to Disabled means users can't
  // turn on the proxy, and the machine can't share its printers with Google
  // Cloud Print.
  //"CloudPrintProxyEnabled": true,

  // Enables merging of user cloud policies into machine-level policies
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled allows policies associated with a Google
  // Workspace account to be merged into machine-level policies. Only policies
  // originating from secure users can be merged. A secure user is affiliated
  // with the organization that manages their browser using Chrome Browser Cloud
  // Management. All other user-level policies will always be ignored. Policies
  // that need to be merged also need to be set in either
  // PolicyListMultipleSourceMergeList or
  // PolicyDictionaryMultipleSourceMergeList. This policy will be ignored if
  // neither of the two aforementioned policies is configured.
// Leaving the policy unset or setting it to Disabled prevents user-level
// cloud policies from being merged with policies from any other sources.
//"CloudUserPolicyMerge": true,

// Allow user cloud policies to override Chrome Browser Cloud Management policies.
//-------------------------------------------------------------------------
// Setting the policy to Enabled allows policies associated with a Google
// Workspace account to take precedence if they conflict with Chrome Browser
// Cloud Management policies. Only policies originating from secure users can
// take precedence. A secure user is affiliated with the organization that
// manages their browser using Chrome Browser Cloud Management. All other
// user-level policies will have default precedence. The policy can be
// combined with CloudPolicyOverridesPlatformPolicy. If both policies are
// enabled, user cloud policies will also take precedence over conflicting
// platform policies. Leaving the policy unset or setting it to disabled
// causes user-level cloud policies to have default priority.
//"CloudUserPolicyOverridesCloudMachinePolicy": false,

// Enable security warnings for command-line flags
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset means security warnings
// appear when potentially dangerous command-line flags are used to launch
// Chrome. Setting the policy to Disabled prevents security warnings from
// appearing when Chrome is launched with potentially dangerous command-line
// flags. On Microsoft® Windows®, this policy is only available on instances
// that are joined to a Microsoft® Active Directory® domain, joined to
// Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud
// Management. On macOS, this policy is only available on instances that are
// managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser
// Cloud Management.
//"CommandLineFlagSecurityWarningsEnabled": true,

// Enable component updates in Google Chrome
//-------------------------------------------------------------------------
// Enables component updates for all components in Google Chrome when not set
// or set to enabled. If set to disabled, updates to components are disabled.
// However, some components are exempt from this policy: updates to any
// component that does not contain executable code and is critical for the
// security of the browser will not be disabled. Examples of such components
// include the certificate revocation lists and subresource filters.
//"ComponentUpdatesEnabled": true,

// Enable compression dictionary transport support
//-------------------------------------------------------------------------
// This feature enables the use of dictionary-specific content encodings in
// the Accept-Encoding request header ("sbr" and "zst-d") when dictionaries
// are available for use. Setting the policy to Enabled or leaving it unset
// means Google Chrome will accept web contents using the compression
// dictionary transport feature. Setting the policy to Disabled turns off the
// compression dictionary transport feature.
//"CompressionDictionaryTransportEnabled": true,

// Allow cookies on these sites
//-------------------------------------------------------------------------
// Allows you to set a list of url patterns that specify sites which are
// allowed to set cookies. URL patterns may be a single URL indicating that
// the site may use cookies on all top-level sites. Patterns may also be two
// URLs delimited by a comma. The first specifies the site that should be
// allowed to use cookies. The second specifies the top-level site that the
// first value should be applied on. If you use a pair of URLs, the first
// value in the pair supports * but the second value does not. Using * for the
// first value indicates that all sites may use cookies when the second URL is
// the top-level site.
// If this policy is left not set the global default
// value will be used for all sites either from the DefaultCookiesSetting or
// BlockThirdPartyCookies policies if they are set, or the user's personal
// configuration otherwise. See also policies CookiesBlockedForUrls and
// CookiesSessionOnlyForUrls. Note that there must be no conflicting URL
// patterns between these three policies - it is unspecified which policy
// takes precedence. For detailed information on valid url patterns, please
// see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// * is not an accepted value for this policy.
//"CookiesAllowedForUrls": ["https://www.example.com", "[*.]example.edu", "https://www.example.com/,https://www.toplevel.com/", "*,https://www.toplevel.com/"],

// Block cookies on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you make a list of URL patterns that specify sites
// that can't set cookies. Leaving the policy unset results in the use of
// DefaultCookiesSetting for all sites, if it's set. If not, the user's
// personal setting applies. While no specific policy takes precedence, see
// CookiesAllowedForUrls and CookiesSessionOnlyForUrls. URL patterns among
// these 3 policies must not conflict. For detailed information on valid url
// patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// * is not an accepted value for this policy.
//"CookiesBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Limit cookies from matching URLs to the current session
//-------------------------------------------------------------------------
// Unless the RestoreOnStartup policy is set to permanently restore URLs from
// previous sessions, then setting CookiesSessionOnlyForUrls lets you make a
// list of URL patterns that specify sites that can and can't set cookies for
// one session.
// Leaving the policy unset results in the use of
// DefaultCookiesSetting for all sites, if it's set. If not, the user's
// personal setting applies. URLs not covered by the patterns specified also
// result in the use of defaults. While no specific policy takes precedence,
// see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among
// these 3 policies must not conflict. For detailed information on valid url
// patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// * is not an accepted value for this policy.
//"CookiesSessionOnlyForUrls": ["https://www.example.com", "[*.]example.edu"],

// Settings for Create Themes with AI
//-------------------------------------------------------------------------
// Create Themes with AI lets users create custom themes/wallpapers by
// preselecting from a list of options. 0 = Enable the feature for users, and
// send relevant data to Google to help train or improve AI models. Relevant
// data may include prompts, inputs, outputs, and source materials, depending
// on the feature. It may be reviewed by humans for the sole purpose of
// improving AI models. 0 is the default value, except when noted below. 1 =
// Enable the feature for users, but do not send data to Google to train or
// improve AI models. 1 is the default value for Enterprise users managed by
// Google Admin console. 2 = Disable the feature. 2 is the default value for
// Education accounts managed by Google Workspace. For more information on
// data handling for generative AI features, please see
// https://support.google.com/chrome/a?p=generative_ai_settings.
//"CreateThemesSettings": 1,

// DNS interception checks enabled
//-------------------------------------------------------------------------
// This policy configures a local switch that can be used to disable DNS
// interception checks. The checks attempt to discover whether the browser is
// behind a proxy that redirects unknown host names.
// This detection may not
// be necessary in an enterprise environment where the network configuration
// is known, since it causes some amount of DNS and HTTP traffic on start-up
// and each DNS configuration change. When this policy is not set, or is
// enabled, the DNS interception checks are performed. When explicitly
// disabled, they're not.
//"DNSInterceptionChecksEnabled": true,

// Data URL support for SVGUseElement.
//-------------------------------------------------------------------------
// This policy enables Data URL support for SVGUseElement, which will be
// disabled by default starting in M119. If this policy is set to Enabled,
// Data URLs will continue to work in SVGUseElement. If this policy is set to
// Disabled or not set, Data URLs won't work in SVGUseElement.
//"DataUrlInSvgUseEnabled": false,

// Set Google Chrome as Default Browser
//-------------------------------------------------------------------------
// Setting the policy to True has Google Chrome always check whether it's the
// default browser on startup and, if possible, automatically register itself.
// Setting the policy to False stops Google Chrome from ever checking if it's
// the default and turns user controls off for this option. Leaving the
// policy unset means Google Chrome lets users control whether it's the
// default and, if not, whether user notifications should appear. Note: For
// Microsoft® Windows® administrators, turning this setting on only works for
// machines running Windows 7. For later versions, you must deploy a "default
// application associations" file that makes Google Chrome the handler for the
// https and http protocols (and, optionally, the ftp protocol and other file
// formats). See Chrome Help (
// https://support.google.com/chrome?p=make_chrome_default_win ).
//"DefaultBrowserSettingEnabled": true,

// Default clipboard setting
//-------------------------------------------------------------------------
// Setting the policy to 2 blocks sites from using the clipboard site
// permission. Setting the policy to 3 or leaving it unset lets the user
// change the setting and decide if the clipboard APIs are available when a
// site wants to use one. This policy can be overridden for specific URL
// patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls
// policies. This policy only affects clipboard operations controlled by the
// clipboard site permission, and does not affect sanitized clipboard writes
// or trusted copy and paste operations.
//"DefaultClipboardSetting": 2,

// Default cookies setting
//-------------------------------------------------------------------------
// Unless the RestoreOnStartup policy is set to permanently restore URLs from
// previous sessions, then setting CookiesSessionOnlyForUrls lets you make a
// list of URL patterns that specify sites that can and can't set cookies for
// one session. Leaving the policy unset results in the use of
// DefaultCookiesSetting for all sites, if it's set. If not, the user's
// personal setting applies. URLs not covered by the patterns specified also
// result in the use of defaults. While no specific policy takes precedence,
// see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among
// these 3 policies must not conflict.
//"DefaultCookiesSetting": 1,

// Note: this policy is supported only in recommended mode.
// The JSON file should be placed in /etc/opt/chrome/policies/recommended.
// Set default download directory
//-------------------------------------------------------------------------
// Setting the policy changes the default directory that Chrome downloads
// files to, but users can change the directory. Leaving the policy unset
// means Chrome uses its platform-specific default directory.
// This policy has no effect if the policy DownloadDirectory is set. Note:
// See a list of variables you can use (
// https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables
// ).
//"DefaultDownloadDirectory": "/home/${user_name}/Downloads",

// Control use of the File System API for reading
//-------------------------------------------------------------------------
// Setting the policy to 3 lets websites ask for read access to files and
// directories in the host operating system's file system via the File System
// API. Setting the policy to 2 denies access. Leaving it unset lets websites
// ask for access, but users can change this setting.
//"DefaultFileSystemReadGuardSetting": 2,

// Control use of the File System API for writing
//-------------------------------------------------------------------------
// Setting the policy to 3 lets websites ask for write access to files and
// directories in the host operating system's file system. Setting the policy
// to 2 denies access. Leaving it unset lets websites ask for access, but
// users can change this setting.
//"DefaultFileSystemWriteGuardSetting": 2,

// Default geolocation setting
//-------------------------------------------------------------------------
// Setting the policy to 1 lets sites track the users' physical location as
// the default state. Setting the policy to 2 denies this tracking by default.
// You can set the policy to ask whenever a site wants to track the users'
// physical location. Leaving the policy unset means the AskGeolocation
// policy applies, but users can change this setting.
//"DefaultGeolocationSetting": 1,

// Default images setting
//-------------------------------------------------------------------------
// Setting the policy to 1 lets all websites display images. Setting the
// policy to 2 denies image display. Leaving it unset allows images, but
// users can change this setting.
//"DefaultImagesSetting": 1,

// Control use of insecure content exceptions
//-------------------------------------------------------------------------
// Allows you to set whether users can add exceptions to allow mixed content
// for specific sites. This policy can be overridden for specific URL
// patterns using the 'InsecureContentAllowedForUrls' and
// 'InsecureContentBlockedForUrls' policies. If this policy is left not set,
// users will be allowed to add exceptions to allow blockable mixed content
// and disable autoupgrades for optionally blockable mixed content.
//"DefaultInsecureContentSetting": 2,

// Control use of JavaScript JIT
//-------------------------------------------------------------------------
// Allows you to set whether Google Chrome will run the v8 JavaScript engine
// with JIT (Just In Time) compiler enabled or not. Disabling the JavaScript
// JIT will mean that Google Chrome may render web content more slowly, and
// may also disable parts of JavaScript including WebAssembly. Disabling the
// JavaScript JIT may allow Google Chrome to render web content in a more
// secure configuration. This policy can be overridden for specific URL
// patterns using the JavaScriptJitAllowedForSites and
// JavaScriptJitBlockedForSites policies. If this policy is left not set,
// JavaScript JIT is enabled.
//"DefaultJavaScriptJitSetting": 1,

// Default JavaScript setting
//-------------------------------------------------------------------------
// Setting the policy to 1 lets websites run JavaScript. Setting the policy to
// 2 denies JavaScript. Leaving it unset allows JavaScript, but users can
// change this setting.
//"DefaultJavaScriptSetting": 1,

// Default Local Fonts permission setting
//-------------------------------------------------------------------------
// Setting the policy to BlockLocalFonts (value 2) automatically denies the
// local fonts permission to sites by default.
// This will limit the ability of
// sites to see information about local fonts. Setting the policy to
// AskLocalFonts (value 3) will prompt the user when the local fonts
// permission is requested by default. If users allow the permission, it will
// extend the ability of sites to see information about local fonts. Leaving
// the policy unset means the default behavior applies which is to prompt the
// user, but users can change this setting.
//"DefaultLocalFontsSetting": 2,

// Default notification setting
//-------------------------------------------------------------------------
// Setting the policy to 1 lets websites display desktop notifications.
// Setting the policy to 2 denies desktop notifications. Leaving it unset
// means AskNotifications applies, but users can change this setting.
//"DefaultNotificationsSetting": 2,

// Default pop-ups setting
//-------------------------------------------------------------------------
// Setting the policy to 1 lets websites display pop-ups. Setting the policy
// to 2 denies pop-ups. Leaving it unset means BlockPopups applies, but users
// can change this setting.
//"DefaultPopupsSetting": 1,

// Default printer selection rules
//-------------------------------------------------------------------------
// Setting the policy sets the rules for selecting the default printer in
// Google Chrome, overriding the default rules. Printer selection occurs the
// first time users try to print, when Google Chrome seeks a printer matching
// the specified attributes. In case of a less than perfect match, Google
// Chrome can be set to select any matching printer, depending on the order
// printers are discovered. Leaving the policy unset or set to attributes for
// which there's no match means the built-in PDF printer is the default. If
// there's no PDF printer, Google Chrome defaults to none. Currently, all
// printers are classified as "local".
// Printers connected to Google Cloud
// Print are considered "cloud", but Google Cloud Print is no longer
// supported. Note: Omitting a field means all values match for that
// particular field. For example, not specifying idPattern means Print Preview
// accepts all printer IDs. Regular expression patterns must follow the
// JavaScript RegExp syntax, and matches are case sensitive. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=DefaultPrinterSelection
// for more information about schema and formatting.
//"DefaultPrinterSelection": "{ \"kind\": \"local\", \"idPattern\": \".*public\", \"namePattern\": \".*Color\" }",

// List of alternate URLs for the default search provider
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderAlternateURLs specifies a list of alternate URLs for
// extracting search terms from the search engine. The URLs should include the
// string '{searchTerms}'. Leaving DefaultSearchProviderAlternateURLs unset
// means no alternate URLs are used to extract search terms.
//"DefaultSearchProviderAlternateURLs": ["https://search.my.company/suggest#q={searchTerms}", "https://search.my.company/suggest/search#q={searchTerms}"],

// Allow default search provider context menu search access
//-------------------------------------------------------------------------
// Enables the use of a default search provider on the context menu. If you
// set this policy to disabled the search context menu item that relies on
// your default search provider will not be available. If this policy is set
// to enabled or not set, the context menu item for your default search
// provider will be available. The policy value is only applied when the
// DefaultSearchProviderEnabled policy is enabled, and is not applicable
// otherwise.
//"DefaultSearchProviderContextMenuAccessAllowed": true,

// Enable the default search provider
//-------------------------------------------------------------------------
// Setting the policy to Enabled means a default search is performed when a
// user enters non-URL text in the address bar. To specify the default search
// provider, set the rest of the default search policies. If you leave those
// policies empty, the user can choose the default provider. Setting the
// policy to Disabled means there's no search when the user enters non-URL
// text in the address bar. The Disabled value is not supported by the Google
// Admin console. If you set the policy, users can't change it in Google
// Chrome. If not set, the default search provider is on, and users can set
// the search provider list. On Microsoft® Windows®, this policy is only
// available on instances that are joined to a Microsoft® Active Directory®
// domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome
// Browser Cloud Management. On macOS, this policy is only available on
// instances that are managed via MDM, joined to a domain via MCX or enrolled
// in Chrome Browser Cloud Management.
//"DefaultSearchProviderEnabled": true,

// Default search provider encodings
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, setting
// DefaultSearchProviderEncodings specifies the character encodings supported
// by the search provider. Encodings are code page names such as UTF-8,
// GB2312, and ISO-8859-1. They're tried in the order provided. Leaving
// DefaultSearchProviderEncodings unset puts UTF-8 in use.
//"DefaultSearchProviderEncodings": ["UTF-8", "UTF-16", "GB2312", "ISO-8859-1"],

// Parameter providing search-by-image feature for the default search provider
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderImageURL specifies the URL of the search engine used
// for image search. (If DefaultSearchProviderImageURLPostParams is set, then
// image search requests use the POST method instead.) Leaving
// DefaultSearchProviderImageURL unset means no image search is used. If
// image search uses the GET method, then the URL must specify image
// parameters using a valid combination of the following placeholders:
// '{google:imageURL}', '{google:imageOriginalHeight}',
// '{google:imageOriginalWidth}', '{google:processedImageDimensions}',
// '{google:imageSearchSource}', '{google:imageThumbnail}',
// '{google:imageThumbnailBase64}'.
//"DefaultSearchProviderImageURL": "https://search.my.company/searchbyimage/upload",

// Parameters for image URL which uses POST
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderImageURLPostParams specifies the parameters during
// image search with POST. It consists of comma-separated, name-value pairs.
// If a value is a template parameter, such as {imageThumbnail}, real image
// thumbnail data replaces it. Leaving
// DefaultSearchProviderImageURLPostParams unset means image search request is
// sent using the GET method. The URL must specify the image parameter using
// a valid combination of the following placeholders depending on what the
// search provider supports: '{google:imageURL}',
// '{google:imageOriginalHeight}', '{google:imageOriginalWidth}',
// '{google:processedImageDimensions}', '{google:imageSearchSource}',
// '{google:imageThumbnail}', '{google:imageThumbnailBase64}'.
//"DefaultSearchProviderImageURLPostParams": "content={google:imageThumbnail},url={google:imageURL},sbisrc={google:imageSearchSource}",

// Default search provider keyword
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderKeyword specifies the keyword or shortcut used in the
// address bar to trigger the search for this provider. Leaving
// DefaultSearchProviderKeyword unset means no keyword activates the search
// provider.
//"DefaultSearchProviderKeyword": "mis",

// Default search provider name
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderName specifies the default search provider's name.
// Leaving DefaultSearchProviderName unset means the hostname specified by the
// search URL is used.
//"DefaultSearchProviderName": "My Intranet Search",

// Default search provider new tab page URL
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderNewTabURL specifies the URL of the search engine used
// to provide a New Tab page. Leaving DefaultSearchProviderNewTabURL unset
// means no new tab page is provided.
//"DefaultSearchProviderNewTabURL": "https://search.my.company/newtab",

// Default search provider search URL
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderSearchURL specifies the URL of the search engine used
// during a default search. The URL should include the string '{searchTerms}',
// replaced in the query by the user's search terms.
// You can specify Google's search URL as:
// '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'.
//"DefaultSearchProviderSearchURL": "https://search.my.company/search?q={searchTerms}",

// Parameters for search URL which uses POST
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderSearchURLPostParams specifies the parameters when
// searching a URL with POST. It consists of comma-separated, name-value
// pairs. If a value is a template parameter, such as '{searchTerms}', real
// search terms data replaces it. Leaving
// DefaultSearchProviderSearchURLPostParams unset means search requests are
// sent using the GET method.
//"DefaultSearchProviderSearchURLPostParams": "q={searchTerms},ie=utf-8,oe=utf-8",

// Default search provider suggest URL
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderSuggestURL specifies the URL of the search engine to
// provide search suggestions. The URL should include the string
// '{searchTerms}', replaced in the query by the user's search terms. You can
// specify Google's search URL as:
// '{google:baseURL}complete/search?output=chrome&q={searchTerms}'.
//"DefaultSearchProviderSuggestURL": "https://search.my.company/suggest?q={searchTerms}",

// Parameters for suggest URL which uses POST
//-------------------------------------------------------------------------
// If DefaultSearchProviderEnabled is on, then setting
// DefaultSearchProviderSuggestURLPostParams specifies the parameters during
// suggestion search with POST. It consists of comma-separated, name-value
// pairs. If a value is a template parameter, such as '{searchTerms}', real
// search terms data replaces it.
// Leaving DefaultSearchProviderSuggestURLPostParams unset means suggest
// search requests are sent using the GET method.
//"DefaultSearchProviderSuggestURLPostParams": "q={searchTerms},ie=utf-8,oe=utf-8",

// Default sensors setting
//-------------------------------------------------------------------------
// Setting the policy to 1 lets websites access and use sensors such as motion
// and light. Setting the policy to 2 denies access to sensors. Leaving it
// unset means AllowSensors applies, but users can change this setting.
//"DefaultSensorsSetting": 2,

// Control use of the Serial API
//-------------------------------------------------------------------------
// Setting the policy to 3 lets websites ask for access to serial ports.
// Setting the policy to 2 denies access to serial ports. Leaving it unset
// lets websites ask for access, but users can change this setting.
//"DefaultSerialGuardSetting": 2,

// Default third-party storage partitioning setting
//-------------------------------------------------------------------------
// Third-party storage partitioning is on by default for some users as of
// M113, but can be disabled via Chrome flag. If this policy is set to
// AllowPartitioning or unset, third-party storage partitioning may be
// enabled. If this policy is set to BlockPartitioning, third-party storage
// partitioning cannot be enabled. For detailed information on third-party
// storage partitioning, please see
// https://developer.chrome.com/docs/privacy-sandbox/storage-partitioning/.
//"DefaultThirdPartyStoragePartitioningSetting": 1,

// Control use of the Web Bluetooth API
//-------------------------------------------------------------------------
// Setting the policy to 3 lets websites ask for access to nearby Bluetooth
// devices. Setting the policy to 2 denies access to nearby Bluetooth devices.
// Leaving the policy unset lets sites ask for access, but users can change
// this setting.
//"DefaultWebBluetoothGuardSetting": 2,

// Control use of the WebHID API
//-------------------------------------------------------------------------
// Setting the policy to 3 lets websites ask for access to HID devices.
// Setting the policy to 2 denies access to HID devices. Leaving it unset
// lets websites ask for access, but users can change this setting. This
// policy can be overridden for specific url patterns using the
// WebHidAskForUrls and WebHidBlockedForUrls policies.
//"DefaultWebHidGuardSetting": 2,

// Control use of the WebUSB API
//-------------------------------------------------------------------------
// Setting the policy to 3 lets websites ask for access to connected USB
// devices. Setting the policy to 2 denies access to connected USB devices.
// Leaving it unset lets websites ask for access, but users can change this
// setting.
//"DefaultWebUsbGuardSetting": 2,

// Default Window Management permission setting
//-------------------------------------------------------------------------
// Setting the policy to BlockWindowManagement (value 2) automatically denies
// the window management permission to sites by default. This will limit the
// ability of sites to see information about the device's screens and use that
// information to open and place windows or request fullscreen on specific
// screens. Setting the policy to AskWindowManagement (value 3) will prompt
// the user when the window management permission is requested by default. If
// users allow the permission, it will extend the ability of sites to see
// information about the device's screens and use that information to open and
// place windows or request fullscreen on specific screens. Leaving the
// policy unset means the AskWindowManagement policy applies, but users can
// change this setting. This replaces the deprecated
// DefaultWindowPlacementSetting policy.
//"DefaultWindowManagementSetting": 2,

// Enable desktop sharing in the omnibox and 3-dot menu
//-------------------------------------------------------------------------
// Setting the policy to True or leaving it unset lets users share or save the
// current webpage using actions provided by the desktop sharing hub. The
// sharing hub is accessed through either an omnibox icon or the 3-dot menu.
// Setting the policy to False removes the sharing icon from the omnibox and
// the entry from the 3-dot menu.
//"DesktopSharingHubEnabled": true,

// Settings for DevTools Generative AI Features
//-------------------------------------------------------------------------
// These features in Google Chrome's DevTools employ generative AI models to
// provide additional debugging information. To use these features, Google
// Chrome has to collect data such as error messages, stack traces, code
// snippets, and network requests and send them to a server owned by Google,
// which runs a generative AI model. Response body or authentication and
// cookie headers in network requests are not included in the data sent to the
// server. 0 = Enable the feature for users, and send relevant data to Google
// to help train or improve AI models. 0 is the default value, except when
// noted below. 1 = Enable the feature for users, but do not send data to
// Google to train or improve AI models. 1 is the default value for Enterprise
// users managed by Google Admin console. 2 = Disable the feature. 2 is the
// default value for Education accounts managed by Google Workspace. DevTools
// Generative AI features include:
// - Console Insights: explains console messages and offers suggestions on
//   how to fix console errors.
  //"DevToolsGenAiSettings": 0,

  // Control where Developer Tools can be used
  //-------------------------------------------------------------------------
  // Setting the policy to 0 (the default) means you can access the developer
  // tools and the JavaScript console, but not in the context of extensions
  // installed by enterprise policy or, since version 114 and if this is a
  // managed user, extensions built into the browser. Setting the policy to 1
  // means you can access the developer tools and the JavaScript console in all
  // contexts, including that of extensions installed by enterprise policy.
  // Setting the policy to 2 means you can't access developer tools, and you
  // can't inspect website elements. This setting also turns off keyboard
  // shortcuts and menu or context menu entries to open developer tools or the
  // JavaScript console. As of Google Chrome version 99, this setting also
  // controls entry points for the 'View page source' feature. If you set this
  // policy to 'DeveloperToolsDisallowed' (value 2), users cannot access source
  // viewing via keyboard shortcut or the context menu. To fully block source
  // viewing, you must also add 'view-source:*' to the URLBlocklist policy. As
  // of Google Chrome version 119, this setting also controls whether developer
  // mode for Isolated Web Apps can be activated and used.
  //"DeveloperToolsAvailability": 2,

  // Disable support for 3D graphics APIs
  //-------------------------------------------------------------------------
  // Setting the policy to True (or setting HardwareAccelerationModeEnabled to
  // False) prevents webpages from accessing the WebGL API, and plugins can't
  // use the Pepper 3D API. Setting the policy to False or leaving it unset
  // lets webpages use the WebGL API and plugins use the Pepper 3D API, but the
  // browser's default settings might still require command line arguments to
  // use these APIs.
  //"Disable3DAPIs": false,

  // Disable CNAME lookup when negotiating Kerberos authentication
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled skips CNAME lookup. The server name is used
  // as entered when generating the Kerberos SPN. Setting the policy to
  // Disabled or leaving it unset means CNAME lookup determines the canonical
  // name of the server when generating the Kerberos SPN.
  //"DisableAuthNegotiateCnameLookup": false,

  // Disable Print Preview
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled has Google Chrome open the system print
  // dialog instead of the built-in print preview when users request a printout.
  // Setting the policy to Disabled or leaving it unset has print commands
  // trigger the print preview screen.
  //"DisablePrintPreview": false,

  // Disable proceeding from the Safe Browsing warning page
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled prevents users from proceeding past the
  // warning page the Safe Browsing service shows to the malicious site. This
  // policy only prevents users from proceeding on Safe Browsing warnings such
  // as malware and phishing, not for SSL certificate-related issues such as
  // invalid or expired certificates. Setting the policy to Disabled or leaving
  // it unset means users can choose to proceed to the flagged site after the
  // warning appears. See more about Safe Browsing (
  // https://developers.google.com/safe-browsing ).
  //"DisableSafeBrowsingProceedAnyway": true,

  // Disable taking screenshots
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled disallows screenshots taken with keyboard
  // shortcuts or extension APIs. Setting the policy to Disabled or not set
  // allows screenshots.
  // Note that on Microsoft® Windows®, macOS and Linux,
  // this does not prevent screenshots that are taken with operating system or
  // third party applications.
  //"DisableScreenshots": true,

  // Set disk cache directory
  //-------------------------------------------------------------------------
  // Setting the policy has Google Chrome use the directory you provide for
  // storing cached files on the disk—whether or not users specify the
  // --disk-cache-dir flag. If not set, Google Chrome uses the default cache
  // directory, but users can change that setting with the --disk-cache-dir
  // command line flag. Google Chrome manages the contents of a volume's root
  // directory. So to avoid data loss or other errors, do not set this policy to
  // the root directory or any directory used for other purposes. See the
  // variables you can use (
  // https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
  //"DiskCacheDir": "${user_home}/Chrome_cache",

  // Set disk cache size in bytes
  //-------------------------------------------------------------------------
  // Setting the policy to None has Google Chrome use the default cache size for
  // storing cached files on the disk. Users can't change it. If you set the
  // policy, Google Chrome uses the cache size you provide—whether or not users
  // specify the --disk-cache-size flag. (Values below a few megabytes are
  // rounded up.) If not set, Google Chrome uses the default size. Users can
  // change that setting using the --disk-cache-size flag. Note: The value
  // specified in this policy is used as a hint to various cache subsystems in
  // the browser. Therefore the actual total disk consumption of all caches will
  // be higher but within the same order of magnitude as the value specified.
  //"DiskCacheSize": 104857600,

  // Controls the mode of DNS-over-HTTPS
  //-------------------------------------------------------------------------
  // Controls the mode of the DNS-over-HTTPS resolver.
  // Please note that this
  // policy will only set the default mode for each query. The mode may be
  // overridden for special types of queries such as requests to resolve a
  // DNS-over-HTTPS server hostname. The "off" mode will disable DNS-over-HTTPS.
  // The "automatic" mode will send DNS-over-HTTPS queries first if a
  // DNS-over-HTTPS server is available and may fall back to sending insecure
  // queries on error. The "secure" mode will only send DNS-over-HTTPS queries
  // and will fail to resolve on error. On Android Pie and above, if DNS-over-TLS
  // is active, Google Chrome will not send insecure DNS requests. If this policy
  // is unset the browser may send DNS-over-HTTPS requests to a resolver
  // associated with the user's configured system resolver.
  //"DnsOverHttpsMode": "off",

  // Specify URI template of desired DNS-over-HTTPS resolver
  //-------------------------------------------------------------------------
  // The URI template of the desired DNS-over-HTTPS resolver. To specify
  // multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates
  // with spaces. If the DnsOverHttpsMode is set to "secure" then this policy
  // must be set and not empty. On Google ChromeOS only, either this policy or
  // the DnsOverHttpsTemplatesWithIdentifiers must be set, otherwise the DNS
  // resolution will fail. If the DnsOverHttpsMode is set to "automatic" and
  // this policy is set then the URI templates specified will be used; if this
  // policy is unset then hardcoded mappings will be used to attempt to upgrade
  // the user's current DNS resolver to a DoH resolver operated by the same
  // provider. If the URI template contains a dns variable, requests to the
  // resolver will use GET; otherwise requests will use POST. Incorrectly
  // formatted templates will be ignored.
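  // Added example (not part of the Chrome policy template): a Python linter
  // for the DnsOverHttpsMode / DnsOverHttpsTemplates pair described above.
  // The https-only template check, the finding names and the sample policies
  // are assumptions of this example, not Chrome's own validation rules.

```python
"""Lint the DnsOverHttpsMode / DnsOverHttpsTemplates pair of a Chrome policy."""
import re
from urllib.parse import urlsplit

VALID_MODES = ("off", "automatic", "secure")
# An RFC 6570 template expression such as {?dns} or {?dns,ct}.
_EXPRESSION = re.compile(r"\{([^{}]*)\}")


def template_method(template):
    """Return "GET" if the URI template has a dns variable, else "POST"."""
    for expression in _EXPRESSION.findall(template):
        # Drop the operator character ("?", "&", ...) and split the variables.
        for name in expression.lstrip("+#./;?&").split(","):
            # Ignore RFC 6570 modifiers such as "dns*" or "dns:10".
            if re.split(r"[:*]", name.strip())[0] == "dns":
                return "GET"
    return "POST"


def lint_doh(policy):
    """Return the usable resolvers and a list of (code, detail) findings."""
    findings, resolvers = [], []
    mode = policy.get("DnsOverHttpsMode")

    # The policy value is a single string; templates are separated by spaces.
    for template in str(policy.get("DnsOverHttpsTemplates", "")).split():
        try:
            parts = urlsplit(_EXPRESSION.sub("", template))
            usable = parts.scheme == "https" and bool(parts.hostname)
        except ValueError:  # for example an unbalanced "[" in the host part
            usable = False
        if usable:
            resolvers.append((template, template_method(template)))
        else:
            # Assumption of this example: only https templates with a host are
            # counted. Chrome ignores templates it finds incorrectly formatted.
            findings.append(("template-rejected", template))

    if mode is None:
        findings.append(("mode-unset", "browser may send DoH requests to a "
                         "resolver associated with the system resolver"))
    elif mode not in VALID_MODES:
        findings.append(("mode-invalid", repr(mode)))
    elif mode == "secure" and not resolvers:
        findings.append(("secure-without-templates",
                         "secure mode requires a non-empty template list"))
    elif mode == "automatic":
        findings.append(("insecure-fallback",
                         "automatic mode may fall back to insecure DNS on error"))
        if not resolvers:
            findings.append(("provider-mapping", "no templates set; hardcoded "
                             "mappings pick a DoH resolver of the same provider"))
    return {"mode": mode, "resolvers": resolvers, "findings": findings}


# Constructed sample policies (not taken from a real deployment).
SAMPLES = {
    "pinned": {
        "DnsOverHttpsMode": "secure",
        "DnsOverHttpsTemplates": "https://dns.example.net/dns-query{?dns} "
                                 "https://doh.example.org/dns-query",
    },
    "broken": {"DnsOverHttpsMode": "secure"},
    "downgradable": {
        "DnsOverHttpsMode": "automatic",
        "DnsOverHttpsTemplates": "http://dns.example.net/dns-query{?dns}",
    },
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        result = lint_doh(sample)
        print(label, result["resolvers"], [code for code, _ in result["findings"]])
```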
  //"DnsOverHttpsTemplates": "https://dns.example.net/dns-query{?dns}",

  // Allow reporting of domain reliability related data
  //-------------------------------------------------------------------------
  // If this policy is set false, domain reliability diagnostic data reporting
  // is disabled and no data is sent to Google. If this policy is set true or
  // not set, domain reliability diagnostic data reporting will follow the
  // behavior of MetricsReportingEnabled for Google Chrome or
  // DeviceMetricsReportingEnabled for Google ChromeOS.
  //"DomainReliabilityAllowed": true,

  // Set download directory
  //-------------------------------------------------------------------------
  // Setting the policy sets up the directory Chrome uses for downloading files.
  // It uses the provided directory, whether or not users specify one or turned
  // on the flag to be prompted for download location every time. This policy
  // overrides the DefaultDownloadDirectory policy. Leaving the policy unset
  // means Chrome uses the default download directory, and users can change it.
  // On Google ChromeOS it's possible to set it only to Google Drive
  // directories. Note: See a list of variables you can use (
  // https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
  //"DownloadDirectory": "/home/${user_name}/Downloads",

  // Allow download restrictions
  //-------------------------------------------------------------------------
  // Setting the policy means users can't bypass download security decisions.
  // There are many types of download warnings within Chrome, which roughly
  // break down into these categories (learn more about Safe Browsing verdicts
  // https://support.google.com/chrome/?p=ib_download_blocked):
  // * Malicious, as flagged by the Safe Browsing server
  // * Uncommon or unwanted, as flagged by the Safe Browsing server
  // * A dangerous file type (e.g.
  //   all SWF downloads and many EXE downloads)
  // Setting the policy blocks different subsets of these, depending on its
  // value:
  // 0: No special restrictions. Default.
  // 1: Blocks malicious files flagged by the Safe Browsing server AND Blocks
  //    all dangerous file types. Only recommended for OUs/browsers/users that
  //    have a high tolerance for False Positives.
  // 2: Blocks malicious files flagged by the Safe Browsing server AND Blocks
  //    uncommon or unwanted files flagged by the Safe Browsing server AND
  //    Blocks all dangerous file types. Only recommended for
  //    OUs/browsers/users that have a high tolerance for False Positives.
  // 3: Blocks all downloads. Not recommended, except for special use cases.
  // 4: Blocks malicious files flagged by the Safe Browsing server, does not
  //    block dangerous file types. Recommended.
  // Note: These restrictions apply to downloads triggered from webpage
  // content, as well as the Download link... menu option. They don't apply to
  // the download of the currently displayed page or to saving as PDF from the
  // printing options. Read more about Safe Browsing (
  // https://developers.google.com/safe-browsing ).
  //"DownloadRestrictions": 4,

  // Enable or disable bookmark editing
  //-------------------------------------------------------------------------
  // Setting the policy to True or leaving it unset lets users add, remove, or
  // modify bookmarks. Setting the policy to False means users can't add,
  // remove, or modify bookmarks. They can still use existing bookmarks.
  //"EditBookmarksEnabled": false,

  // Include non-standard port in Kerberos SPN
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled and entering a nonstandard port (in other
  // words, a port other than 80 or 443) includes it in the generated Kerberos
  // SPN. Setting the policy to Disabled or leaving it unset means the
  // generated Kerberos SPN won't include a port.
  //"EnableAuthNegotiatePort": false,

  // Enables experimental policies
  //-------------------------------------------------------------------------
  // Allows Google Chrome to load experimental policies. WARNING: Experimental
  // policies are unsupported and subject to change or be removed without notice
  // in a future version of the browser! An experimental policy may not be
  // finished or may still have known or unknown defects. It may be changed or
  // even removed without any notification. By enabling experimental policies,
  // you could lose browser data or compromise your security or privacy. If a
  // policy is not in the list and it's not officially released, its value will
  // be ignored on Beta and Stable channel. If a policy is in the list and it's
  // not officially released, its value will be applied. This policy has no
  // effect on already released policies.
  //"EnableExperimentalPolicies": ["ExtensionInstallAllowlist", "ExtensionInstallBlocklist"],

  // Enable Google Cast
  //-------------------------------------------------------------------------
  // Setting the policy to Enabled or leaving it unset turns on Google Cast,
  // which users can launch from the app menu, page context menus, media
  // controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.
  // Setting the policy to Disabled turns off Google Cast.
  //"EnableMediaRouter": true,

  // Enable online OCSP/CRL checks
  //-------------------------------------------------------------------------
  // Setting the policy to True means online OCSP/CRL checks are performed.
  // Setting the policy to False or leaving it unset means Google Chrome won't
  // perform online revocation checks in Google Chrome 19 and later. Note:
  // OCSP/CRL checks provide no effective security benefit.
  //"EnableOnlineRevocationChecks": false,

  // Enable TLS Encrypted ClientHello
  //-------------------------------------------------------------------------
  // Encrypted ClientHello (ECH) is an extension to TLS to encrypt sensitive
  // fields of the ClientHello and improve privacy. If this policy is not
  // configured, or is set to enabled, Google Chrome will follow the default
  // rollout process for ECH. If it is disabled, Google Chrome will not enable
  // ECH. When the feature is enabled, Google Chrome may or may not use ECH
  // depending on server support, availability of the HTTPS DNS record, or
  // rollout status. ECH is an evolving protocol, so Google Chrome's
  // implementation is subject to change. As such, this policy is a temporary
  // measure to control the initial experimental implementation. It will be
  // replaced with final controls as the protocol finalizes.
  //"EncryptedClientHelloEnabled": true,

  // Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store.
  //-------------------------------------------------------------------------
  // X.509 certificates may encode constraints, such as Name Constraints, in
  // extensions in the certificate. RFC 5280 specifies that enforcing such
  // constraints on trust anchor certificates is optional. Starting in Google
  // Chrome 112, such constraints in certificates loaded from the platform
  // certificate store will now be enforced. This policy exists as a temporary
  // opt-out in case an enterprise encounters issues with the constraints
  // encoded in their private roots. In that case this policy may be used to
  // temporarily disable enforcement of the constraints while correcting the
  // certificate issues. When this policy is not set, or is set to enabled,
  // Google Chrome will enforce constraints encoded into trust anchors loaded
  // from the platform trust store.
  // When this policy is set to disabled, Google
  // Chrome will not enforce constraints encoded into trust anchors loaded from
  // the platform trust store. In Google Chrome version 112, this policy has no
  // effect if the ChromeRootStoreEnabled policy is disabled. This policy is
  // planned to be removed in Google Chrome version 118.
  //"EnforceLocalAnchorConstraintsEnabled": false,

  // Enables managed extensions to use the Enterprise Hardware Platform API
  //-------------------------------------------------------------------------
  // Setting the policy to True lets extensions installed by enterprise policy
  // use the Enterprise Hardware Platform API. Setting the policy to False or
  // leaving it unset prevents extensions from using this API. Note: This
  // policy also applies to component extensions, such as the Hangout Services
  // extension.
  //"EnterpriseHardwarePlatformAPIEnabled": true,

  // Keep browsing data when creating enterprise profile by default
  //-------------------------------------------------------------------------
  // If this policy is Enabled, the option to keep any existing browsing data
  // when creating an enterprise profile will be checked by default. If this
  // policy is unset or Disabled, the option to keep any existing browsing data
  // when creating an enterprise profile will not be checked by default.
  // Regardless of the value, the user will be able to decide whether or not to
  // keep any existing browsing data when creating an enterprise profile. This
  // policy has no effect if the option to keep existing browsing data is not
  // available; this happens if enterprise profile separation is strictly
  // enforced, or if the data would be from an already managed profile.
  //"EnterpriseProfileCreationKeepBrowsingData": true,

  // Disable download file type extension-based warnings for specified file types on domains
  //-------------------------------------------------------------------------
  // You can enable this policy to create a dictionary of file type extensions
  // with a corresponding list of domains that will be exempted from file type
  // extension-based download warnings. This lets enterprise administrators
  // block file type extension-based download warnings for files that are
  // associated with a listed domain. For example, if the "jnlp" extension is
  // associated with "website1.com", users would not see a warning when
  // downloading "jnlp" files from "website1.com", but see a download warning
  // when downloading "jnlp" files from "website2.com". Files with file type
  // extensions specified for domains identified by this policy will still be
  // subject to non-file type extension-based security warnings such as
  // mixed-content download warnings and Safe Browsing warnings. If you disable
  // this policy or don't configure it, file types that trigger extension-based
  // download warnings will show warnings to the user. If you enable this
  // policy:
  // * The URL pattern should be formatted according to
  //   https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
  // * The file type extension entered must be in lower-cased ASCII. The leading
  //   separator should not be included when listing the file type extension, so
  //   "jnlp" should be listed instead of ".jnlp".
  // Example: The following
  // example value would prevent file type extension-based download warnings on
  // swf, exe, and jnlp extensions for *.example.com domains. It will show the
  // user a file type extension-based download warning on any other domain for
  // exe and jnlp files, but not for swf files.
  // [
  //   { "file_extension": "jnlp", "domains": ["example.com"] },
  //   { "file_extension": "exe", "domains": ["example.com"] },
  //   { "file_extension": "swf", "domains": ["*"] }
  // ]
  // Note
  // that while the preceding example shows the suppression of file type
  // extension-based download warnings for "swf" files for all domains, applying
  // suppression of such warnings for all domains for any dangerous file type
  // extension is not recommended due to security concerns. It is shown in the
  // example merely to demonstrate the ability to do so. If this policy is
  // enabled alongside DownloadRestrictions and DownloadRestrictions is set to
  // block dangerous file types, download blocks determined by
  // DownloadRestrictions take precedence. For example, if this policy is set to
  // enable "exe" extension downloads from "website1.com", and
  // DownloadRestrictions is set to block malicious downloads and dangerous file
  // types, then "exe" extension downloads will still be blocked in all domains.
  // If DownloadRestrictions is not set to block dangerous file types, then file
  // types specified in this policy will be exempted from file-type
  // extension-based download warnings in the specified domains. Read more about
  // DownloadRestrictions
  // (https://chromeenterprise.google/policies/?policy=DownloadRestrictions).
  // See
  // https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
  // for more information about schema and formatting.
  //"ExemptDomainFileTypePairsFromFileTypeDownloadWarnings": [{"domains": ["https://example.com", "example2.com"], "file_extension": "jnlp"}, {"domains": ["*"], "file_extension": "swf"}],

  // Explicitly allowed network ports
  //-------------------------------------------------------------------------
  // There is a list of restricted ports built into Google Chrome. Connections
  // to these ports will fail. This setting permits bypassing that list.
  // The
  // value is a comma-separated list of zero or more ports that outgoing
  // connections will be permitted on. Ports are restricted to prevent Google
  // Chrome being used as a vector to exploit various network vulnerabilities.
  // Setting this policy may expose your network to attacks. This policy is
  // intended as a temporary workaround for errors with code "ERR_UNSAFE_PORT"
  // while migrating a service running on a blocked port to a standard port
  // (i.e. port 80 or 443). Malicious websites can easily detect that this
  // policy is set, and for what ports, and use that information to target
  // attacks. Each port here is labelled with a date that it can be unblocked
  // until. After that date the port will be restricted regardless of this
  // setting. Leaving the value empty or unset means that all restricted ports
  // will be blocked. If there is a mixture of valid and invalid values, the
  // valid ones will be applied. This policy overrides the
  // "--explicitly-allowed-ports" command-line option.
  //"ExplicitlyAllowedNetworkPorts": ["10080"],

  // Configure allowed app/extension types
  //-------------------------------------------------------------------------
  // Setting the policy controls which apps and extensions may be installed in
  // Google Chrome, which hosts they can interact with, and limits runtime
  // access. Leaving the policy unset results in no restrictions on the
  // acceptable extension and app types. Extensions and apps which have a type
  // that's not on the list won't be installed. Each value should be one of
  // these strings:
  // * "extension"
  // * "theme"
  // * "user_script"
  // * "hosted_app"
  // * "legacy_packaged_app"
  // * "platform_app"
  // See the Google Chrome extensions
  // documentation for more information on these types. Versions earlier than
  // 75 that use multiple comma separated extension IDs aren't supported and are
  // skipped. The rest of the policy applies.
  // Note: This policy also affects
  // extensions and apps to be force-installed using ExtensionInstallForcelist.
  //"ExtensionAllowedTypes": ["hosted_app"],

  // Configure a list of origins that grant extended background lifetime to the connecting extensions.
  //-------------------------------------------------------------------------
  // Extensions that connect to one of these origins will be kept running as
  // long as the port is connected. If unset, the policy's default values will
  // be used. These are app origins that offer SDKs that are known to not offer
  // the possibility to restart a closed connection to a previous state:
  // - Smart Card Connector
  // - Citrix Receiver (stable, beta, back-up)
  // - VMware Horizon (stable, beta)
  // If set, the default value list is extended with the newly
  // configured values. Both defaults and the policy-provided entries will grant
  // the exception to the connecting extensions, as long as the port is
  // connected.
  //"ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/", "chrome-extension://bcdefghijklmnopabcdefghijklmnopa/"],

  // Configure extension installation allow list
  //-------------------------------------------------------------------------
  // Setting the policy specifies which extensions are not subject to the
  // blocklist. A blocklist value of * means all extensions are blocked and
  // users can only install extensions listed in the allow list. By default,
  // all extensions are allowed. But, if you prohibited extensions by policy,
  // use the list of allowed extensions to change that policy.
  //"ExtensionInstallAllowlist": ["extension_id1", "extension_id2"],

  // Configure extension installation blocklist
  //-------------------------------------------------------------------------
  // Allows you to specify which extensions the users can NOT install.
  // Extensions already installed will be disabled if blocked, without a way for
  // the user to enable them.
  // Once an extension disabled due to the blocklist is
  // removed from it, it will automatically get re-enabled. A blocklist value
  // of '*' means all extensions are blocked unless they are explicitly listed
  // in the allowlist. If this policy is left not set the user can install any
  // extension in Google Chrome.
  //"ExtensionInstallBlocklist": ["extension_id1", "extension_id2"],

  // Configure the list of force-installed apps and extensions
  //-------------------------------------------------------------------------
  // Setting the policy specifies a list of apps and extensions that install
  // silently, without user interaction, and which users can't uninstall or turn
  // off. Permissions are granted implicitly, including for the
  // enterprise.deviceAttributes and enterprise.platformKeys extension APIs.
  // (These 2 APIs aren't available to apps and extensions that aren't
  // force-installed.) Leaving the policy unset means no apps or extensions are
  // autoinstalled, and users can uninstall any app or extension in Google
  // Chrome. This policy supersedes ExtensionInstallBlocklist policy. If a
  // previously force-installed app or extension is removed from this list,
  // Google Chrome automatically uninstalls it. The source code of any
  // extension may be altered by users through developer tools, potentially
  // rendering the extension dysfunctional. If this is a concern, set the
  // DeveloperToolsDisabled policy. Each list item of the policy is a string
  // that contains an extension ID and, optionally, an update URL separated by a
  // semicolon (;). The extension ID is the 32-letter string found, for example,
  // on chrome://extensions when in Developer mode. If specified, the update URL
  // should point to an Update Manifest XML document (
  // https://developer.chrome.com/extensions/autoupdate ). The update URL should
  // use one of the following schemes: http, https or file. By default, the
  // Chrome Web Store's update URL is used.
  // The update URL set in this policy is
  // only used for the initial installation; subsequent updates of the extension
  // use the update URL in the extension's manifest. The update URL for
  // subsequent updates can be overridden using the ExtensionSettings policy,
  // see
  // http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy.
  // On Microsoft® Windows® instances, apps and extensions from outside the
  // Chrome Web Store can only be force installed if the instance is joined to
  // a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active
  // Directory® or enrolled in Chrome Browser Cloud Management. On macOS
  // instances, apps and extensions from outside the Chrome Web Store can only
  // be force installed if the instance is managed via MDM, joined to a domain
  // via MCX or enrolled in Chrome Browser Cloud Management. Note: This policy
  // doesn't apply to Incognito mode. Read about hosting extensions (
  // https://developer.chrome.com/extensions/hosting ).
  //"ExtensionInstallForcelist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx", "abcdefghijklmnopabcdefghijklmnop"],

  // Configure extension, app, and user script install sources
  //-------------------------------------------------------------------------
  // Setting the policy specifies which URLs may install extensions, apps, and
  // themes. Before Google Chrome 21, users could click on a link to a *.crx
  // file, and Google Chrome would offer to install the file after a few
  // warnings. Afterwards, such files must be downloaded and dragged to the
  // Google Chrome settings page. This setting allows specific URLs to have the
  // old, easier installation flow. Each item in this list is an
  // extension-style match pattern (see
  // https://developer.chrome.com/extensions/match_patterns). Users can easily
  // install items from any URL that matches an item in this list.
  // Both the
  // location of the *.crx file and the page where the download is started from
  // (the referrer) must be allowed by these patterns.
  // ExtensionInstallBlocklist takes precedence over this policy. That is, an
  // extension on the blocklist won't be installed, even if it happens from a
  // site on this list.
  //"ExtensionInstallSources": ["https://corp.mycompany.com/*"],

  // Blocklist for install types of extensions
  //-------------------------------------------------------------------------
  // The blocklist controls which extension install types are disallowed.
  // Setting "command_line" will block extensions from being loaded from the
  // command line.
  //"ExtensionInstallTypeBlocklist": ["command_line"],

  // Control Manifest v2 extension availability
  //-------------------------------------------------------------------------
  // Control if Manifest v2 extensions can be used by the browser. Manifest v2
  // extension support will be deprecated and all extensions need to be
  // migrated to v3 in the future. More information and the timeline of the
  // migration can be found at
  // https://developer.chrome.com/docs/extensions/mv3/mv2-sunset/. If the
  // policy is set to Default (0) or not set, v2 extension loading is decided
  // by the browser, following the timeline above. If the policy is set to
  // Disable (1), v2 extension installation is blocked and existing ones are
  // disabled. The option is going to be treated the same as if the policy is
  // not set after v2 support is turned off by default. If the policy is set to
  // Enable (2), v2 extensions are allowed. The option is going to be treated
  // the same as if the policy is not set before v2 support is turned off by
  // default. If the policy is set to EnableForForcedExtensions (3), force
  // installed v2 extensions are allowed. This includes extensions that are
  // listed by ExtensionInstallForcelist or ExtensionSettings with
  // installation_mode "force_installed" or "normal_installed". All other v2
  // extensions are disabled.
  // The option is always available regardless of the migration state.
  // Extension availability is still controlled by other policies.
  //"ExtensionManifestV2Availability": 2,

  // Extension management settings
  //-------------------------------------------------------------------------
  // Setting the policy controls extension management settings for Google
  // Chrome, including any controlled by existing extension-related policies.
  // The policy supersedes any legacy policies that might be set. This policy
  // maps an extension ID or an update URL to its specific setting only. A
  // default configuration can be set for the special ID "*", which applies to
  // all extensions without a custom configuration in this policy. With an
  // update URL, configuration applies to extensions with the exact update URL
  // stated in the extension manifest (
  // http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy ).
  // If the 'override_update_url' flag is set to true, the extension is
  // installed and updated using the "update" URL specified in the
  // ExtensionInstallForcelist policy or in 'update_url' field in this policy.
  // The flag 'override_update_url' is ignored if the 'update_url' is a Chrome
  // Web Store url. On Microsoft® Windows® instances, apps and extensions from
  // outside the Chrome Web Store can only be force installed if the instance
  // is joined to a Microsoft® Active Directory® domain, joined to Microsoft®
  // Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
  // On macOS instances, apps and extensions from outside the Chrome Web Store
  // can only be force installed if the instance is managed via MDM, joined to a
  // domain via MCX or enrolled in Chrome Browser Cloud Management. See
  // https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings
  // for more information about schema and formatting.
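  // Added example (not part of the Chrome policy template): a Python check of
  // the legacy list policies described above (ExtensionInstallAllowlist,
  // ExtensionInstallBlocklist, ExtensionInstallForcelist). It assumes
  // ExtensionSettings is not set, since that policy supersedes the legacy
  // ones; the finding names, the "update-url-not-https" hardening check and
  // the sample policy are assumptions of this example.

```python
"""Resolve Chrome's legacy extension install lists for a given extension ID."""
import re
from urllib.parse import urlsplit

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID = re.compile(r"[a-p]{32}")
UPDATE_URL_SCHEMES = ("http", "https", "file")


def parse_forcelist(entries):
    """Split "id[;update_url]" entries into ({id: url_or_None}, findings)."""
    forced, findings = {}, []
    for entry in entries:
        ext_id, _, update_url = entry.partition(";")
        if not EXTENSION_ID.fullmatch(ext_id):
            findings.append(("bad-extension-id", entry))
            continue
        if update_url:
            try:
                scheme = urlsplit(update_url).scheme
            except ValueError:
                scheme = ""
            if scheme not in UPDATE_URL_SCHEMES:
                findings.append(("bad-update-url-scheme", entry))
                continue
            if scheme != "https":
                # Check added by this example: http and file are accepted by
                # the policy, but give the initial install no transport
                # integrity.
                findings.append(("update-url-not-https", entry))
        forced[ext_id] = update_url or None
    return forced, findings


def audit_lists(policy):
    """Return (code, detail) findings for the three list policies together."""
    forced, findings = parse_forcelist(policy.get("ExtensionInstallForcelist", []))
    blocklist = list(policy.get("ExtensionInstallBlocklist", []))
    allowlist = list(policy.get("ExtensionInstallAllowlist", []))
    # Placeholders such as "extension_id1" left in from the template fail here.
    for value in allowlist + [v for v in blocklist if v != "*"]:
        if not EXTENSION_ID.fullmatch(value):
            findings.append(("bad-extension-id", value))
    if "*" not in blocklist:
        findings.append(("default-allow",
                         "users can install any extension not on the blocklist"))
    for ext_id in sorted(set(forced) & set(blocklist)):
        findings.append(("forced-overrides-blocklist", ext_id))
    return findings


def install_decision(policy, ext_id):
    """Apply the precedence rules: force list, then allow list, then blocklist."""
    forced, _ = parse_forcelist(policy.get("ExtensionInstallForcelist", []))
    blocklist = policy.get("ExtensionInstallBlocklist", [])
    if ext_id in forced:
        return "force_installed"   # supersedes ExtensionInstallBlocklist
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return "allowed"           # allow list entries are exempt from the blocklist
    if "*" in blocklist or ext_id in blocklist:
        return "blocked"
    return "allowed"               # by default all extensions are allowed


# Constructed sample policy (IDs and URLs are illustrative only).
SAMPLE_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["abcdefghijklmnopabcdefghijklmnop",
                                  "extension_id1"],
    "ExtensionInstallForcelist": [
        "a" * 32 + ";https://clients2.google.com/service/update2/crx",
        "bcdefghijklmnopabcdefghijklmnopa;http://updates.example.com/ext.xml",
        "cdefghijklmnopabcdefghijklmnopab;ftp://updates.example.com/ext.xml",
    ],
}

if __name__ == "__main__":
    for finding in audit_lists(SAMPLE_POLICY):
        print(finding)
    for candidate in ("a" * 32, "cdefghijklmnopabcdefghijklmnopab"):
        print(candidate, install_decision(SAMPLE_POLICY, candidate))
```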
//"ExtensionSettings": {"*": {"allowed_types": ["hosted_app"], "blocked_install_message": "Custom error message.", "blocked_permissions": ["downloads", "bookmarks"], "install_sources": ["https://company-intranet/chromeapps"], "installation_mode": "blocked", "runtime_allowed_hosts": ["*://good.example.com"], "runtime_blocked_hosts": ["*://*.example.com"]}, "abcdefghijklmnopabcdefghijklmnop": {"blocked_permissions": ["history"], "file_url_navigation_allowed": true, "installation_mode": "allowed", "minimum_version_required": "1.0.1", "toolbar_pin": "force_pinned"}, "bcdefghijklmnopabcdefghijklmnopa": {"allowed_permissions": ["downloads"], "installation_mode": "force_installed", "runtime_allowed_hosts": ["*://good.example.com"], "runtime_blocked_hosts": ["*://*.example.com"], "update_url": "https://example.com/update_url"}, "cdefghijklmnopabcdefghijklmnopab": {"blocked_install_message": "Custom error message.", "installation_mode": "blocked"}, "defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd": {"blocked_install_message": "Custom error message.", "installation_mode": "blocked"}, "fghijklmnopabcdefghijklmnopabcde": {"blocked_install_message": "Custom removal message.", "installation_mode": "removed"}, "ghijklmnopabcdefghijklmnopabcdef": {"installation_mode": "force_installed", "override_update_url": true, "update_url": "https://example.com/update_url"}, "update_url:https://www.example.com/update.xml": {"allowed_permissions": ["downloads"], "blocked_permissions": ["wallpaper"], "installation_mode": "allowed"}},

// Control availability of extensions unpublished on the Chrome Web Store.
//-------------------------------------------------------------------------
// If this policy is enabled, extensions that are unpublished on the Chrome
// Web Store will be disabled in Google Chrome. This policy only applies to
// extensions that are installed and updated from the Chrome Web Store.
// Off-store extensions such as unpacked extensions installed using developer
// mode and extensions installed using the command-line switch are ignored.
// Force-installed extensions that are self-hosted are ignored. All
// version-pinned extensions are also ignored. If the policy is set to
// AllowUnpublished (0) or not set, extensions that are unpublished on the
// Chrome Web Store are allowed. If the policy is set to DisableUnpublished
// (1), extensions that are unpublished on the Chrome Web Store are disabled.
//"ExtensionUnpublishedAvailability": 1,

// Show an "Always open" checkbox in external protocol dialog.
//-------------------------------------------------------------------------
// This policy controls whether or not the "Always open" checkbox is shown on
// external protocol launch confirmation prompts. If this policy is set
// to True or not set, when an external protocol confirmation is shown, the
// user can select "Always allow" to skip all future confirmation prompts for
// the protocol on this site. If this policy is set to False, the
// "Always allow" checkbox is not displayed and the user will be prompted each
// time an external protocol is invoked.
//"ExternalProtocolDialogShowAlwaysOpenCheckbox": true,

// Specifies whether in-product Google Chrome surveys are shown to users.
//-------------------------------------------------------------------------
// Google Chrome in-product surveys collect user feedback for the browser.
// Survey responses are not associated with user accounts. When this policy is
// Enabled or not set, in-product surveys may be shown to users. When this
// policy is Disabled, in-product surveys are not shown to users. This policy
// has no effect if MetricsReportingEnabled is set to Disabled, which disables
// in-product surveys as well.
//"FeedbackSurveysEnabled": true,

// Fetch keepalive duration on Shutdown
//-------------------------------------------------------------------------
// Controls the duration (in seconds) allowed for keepalive requests on
// browser shutdown. When specified, browser shutdown can be blocked up to
// the specified seconds, to process keepalive
// (https://fetch.spec.whatwg.org/#request-keepalive-flag) requests. The
// default value (0) means this feature is disabled.
//"FetchKeepaliveDurationSecondsOnShutdown": 1,

// Allow file or directory picker APIs to be called without prior user gesture
//-------------------------------------------------------------------------
// For security reasons, the showOpenFilePicker(), showSaveFilePicker() and
// showDirectoryPicker() web APIs require a prior user gesture ("transient
// activation") to be called or will otherwise fail. With this policy set,
// admins can specify origins on which these APIs can be called without prior
// user gesture. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy. If this policy is unset, all
// origins will require a prior user gesture to call these APIs.
//"FileOrDirectoryPickerWithoutGestureAllowedForOrigins": ["https://www.example.com", "[*.]example.edu"],

// Allow read access via the File System API on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can ask users to grant them read access to files or directories in the host
// operating system's file system via the File System API. Leaving the policy
// unset means DefaultFileSystemReadGuardSetting applies for all sites, if
// it's set. If not, users' personal settings apply. URL patterns must not
// conflict with FileSystemReadBlockedForUrls.
// Neither policy takes precedence if a URL matches with both. For detailed
// information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"FileSystemReadAskForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block read access via the File System API on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can't ask users to grant them read access to files or directories in the
// host operating system's file system via the File System API. Leaving the
// policy unset means DefaultFileSystemReadGuardSetting applies for all sites,
// if it's set. If not, users' personal settings apply. URL patterns can't
// conflict with FileSystemReadAskForUrls. Neither policy takes precedence if
// a URL matches with both. For detailed information on valid url patterns,
// please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"FileSystemReadBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Allow write access to files and directories on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can ask users to grant them write access to files or directories in the
// host operating system's file system. Leaving the policy unset means
// DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If
// not, users' personal settings apply. URL patterns must not conflict with
// FileSystemWriteBlockedForUrls. Neither policy takes precedence if a URL
// matches with both. For detailed information on valid url patterns, please
// see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// * is not an accepted value for this policy.
//"FileSystemWriteAskForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block write access to files and directories on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can't ask users to grant them write access to files or directories in the
// host operating system's file system. Leaving the policy unset means
// DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If
// not, users' personal settings apply. URL patterns can't conflict with
// FileSystemWriteAskForUrls. Neither policy takes precedence if a URL matches
// with both. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"FileSystemWriteBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Enable First-Party Sets.
//-------------------------------------------------------------------------
// This policy is provided as a way to opt-out of the First-Party Sets
// feature. When this policy is unset or set to Enabled, the First-Party Sets
// feature is enabled. When this policy is set to Disabled, the First-Party
// Sets feature is disabled. It controls whether Chrome supports First-Party
// Sets related integrations. This is the equivalent of the
// RelatedWebsiteSetsEnabled policy. Either policy may be used, but this one
// will be deprecated soon so the RelatedWebsiteSetsEnabled policy is
// preferred. They both have the same effect on the browser's behavior.
//"FirstPartySetsEnabled": false,

// Override First-Party Sets.
//-------------------------------------------------------------------------
// This policy provides a way to override the list of sets the browser uses
// for First-Party Sets features.
// Each set in the browser's list of First-Party Sets must meet the
// requirements of a First-Party Set. A First-Party Set must contain a
// primary site and one or more member sites. A set can also contain a list
// of service sites that it owns, as well as a map from a site to all of its
// ccTLD variants. See https://github.com/WICG/first-party-sets for more
// information on how First-Party Sets are used by Google Chrome.
// All sites in a First-Party Set must be a registrable domain served over
// HTTPS. Each site in a First-Party Set must also be unique, meaning a site
// cannot be listed more than once in a First-Party Set. When this policy is
// given an empty dictionary, the browser uses the public list of First-Party
// Sets. For all sites in a First-Party Set from the replacements list, if a
// site is also present on a First-Party Set in the browser's list, then that
// site will be removed from the browser's First-Party Set. After this, the
// policy's First-Party Set will be added to the browser's list of First-Party
// Sets. For all sites in a First-Party Set from the additions list, if a
// site is also present on a First-Party Set in the browser's list, then the
// browser's First-Party Set will be updated so that the new First-Party Set
// can be added to the browser's list. After the browser's list has been
// updated, the policy's First-Party Set will be added to the browser's list
// of First-Party Sets. The browser's list of First-Party Sets requires that
// for all sites in its list, no site is in more than one set. This is also
// required for both the replacements list and the additions list. Similarly,
// a site cannot be in both the replacements list and the additions list.
// Wildcards (*) are not supported as a policy value, nor within any
// First-Party Set in these lists. All sets provided by the policy must be
// valid First-Party Sets; if they aren't, an appropriate error will be
// output.
// On Microsoft® Windows®, this policy is only available on
// instances that are joined to a Microsoft® Active Directory® domain, joined
// to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud
// Management. On macOS, this policy is only available on instances that are
// managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser
// Cloud Management. This is the equivalent of the
// RelatedWebsiteSetsOverrides policy. Either policy may be used, but this one
// will be deprecated soon so the RelatedWebsiteSetsOverrides policy is
// preferred. They both have the same effect on the browser's behavior. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=FirstPartySetsOverrides
// for more information about schema and formatting.
//"FirstPartySetsOverrides": {"additions": [{"associatedSites": ["https://associate2.test"], "ccTLDs": {"https://associate2.test": ["https://associate2.com"]}, "primary": "https://primary2.test", "serviceSites": ["https://associate2-content.test"]}], "replacements": [{"associatedSites": ["https://associate1.test"], "ccTLDs": {"https://associate1.test": ["https://associate1.co.uk"]}, "primary": "https://primary1.test", "serviceSites": ["https://associate1-content.test"]}]},

// Ephemeral profile
//-------------------------------------------------------------------------
// If set to enabled this policy forces the profile to be switched to
// ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on
// Windows) it will apply to every profile on the system; if the policy is set
// as a Cloud policy it will apply only to a profile signed in with a managed
// account. In this mode the profile data is persisted on disk only for the
// length of the user session. Features like browser history, extensions and
// their data, web data like cookies and web databases are not preserved after
// the browser is closed.
// However, this does not prevent the user from downloading any data to disk
// manually, saving pages or printing them. If the user has enabled sync all
// this data is preserved in their sync profile just like with regular
// profiles. Incognito mode is also available if not explicitly disabled by
// policy. If the policy is set to disabled or left not set, signing in leads
// to regular profiles.
//"ForceEphemeralProfiles": true,

// Force Google SafeSearch
//-------------------------------------------------------------------------
// Setting the policy to Enabled means SafeSearch in Google Search is always
// active, and users can't change this setting. Setting the policy to
// Disabled or leaving it unset means SafeSearch in Google Search is not
// enforced.
//"ForceGoogleSafeSearch": false,

// Controls whether unload event handlers can be disabled.
//-------------------------------------------------------------------------
// unload event handlers are being deprecated. Whether they fire depends on
// the unload Permissions-Policy. Currently, they are allowed by policy by
// default. In the future they will gradually move to being disallowed by
// default and sites must explicitly enable them using Permissions-Policy
// headers. This enterprise policy can be used to opt out of this gradual
// deprecation by forcing the default to remain as enabled. Pages may depend
// on unload event handlers to save data or signal the end of a user session
// to the server. This is not recommended as it is unreliable and impacts
// performance by blocking use of BackForwardCache. Recommended alternatives
// exist, however the unload event has been used for a long time. Some
// applications may still rely on them. If this policy is set to false or not
// set, then unload event handlers will be gradually deprecated in line with
// the deprecation rollout and sites which do not set a Permissions-Policy
// header will stop firing `unload` events.
// If this policy is set to true
// then unload event handlers will continue to work by default. NOTE: This
// policy had an incorrectly documented default of `true` in M117. The unload
// event did and will not change in M117, so this policy has no effect in that
// version.
//"ForcePermissionPolicyUnloadDefaultEnabled": true,

// Force minimum YouTube Restricted Mode
//-------------------------------------------------------------------------
// Setting the policy enforces a minimum Restricted mode on YouTube and
// prevents users from picking a less restricted mode. If you set it to:
// * Strict, Strict Restricted mode on YouTube is always active.
// * Moderate, the user may only pick Moderate Restricted mode and Strict
//   Restricted mode on YouTube, but can't turn off Restricted mode.
// * Off or if no value is set, Restricted mode on YouTube isn't enforced by
//   Chrome. External policies such as YouTube policies might still enforce
//   Restricted mode.
//"ForceYouTubeRestrict": 0,

// Configure the content and order of preferred languages
//-------------------------------------------------------------------------
// This policy allows admins to configure the order of the preferred languages
// in Google Chrome's settings. The order of the list will appear in the same
// order under the "Order languages based on your preference" section in
// chrome://settings/languages. Users won't be able to remove or reorder
// languages set by the policy, but will be able to add languages underneath
// those set by the policy. Users will also have full control over the
// browser's UI language and translation/spell check settings, unless enforced
// by other policies. Leaving the policy unset lets users manipulate the
// entire list of preferred languages.
//"ForcedLanguages": ["en-US"],

// Allow fullscreen mode
//-------------------------------------------------------------------------
// Setting the policy to True or leaving it unset means that, with appropriate
// permissions, users, apps, and extensions can enter Fullscreen mode (in
// which only web content appears). Setting the policy to False means users,
// apps, and extensions can't enter Fullscreen mode.
//"FullscreenAllowed": true,

// GSSAPI library name
//-------------------------------------------------------------------------
// Setting the policy specifies which GSSAPI library to use for HTTP
// authentication. Set the policy to either a library name or a full path.
// Leaving the policy unset means Google Chrome uses a default library name.
//"GSSAPILibraryName": "libgssapi_krb5.so.2",

// Settings for GenAI local foundational model
//-------------------------------------------------------------------------
// Configure how Google Chrome downloads the foundational GenAI model and uses
// it for inference locally. When the policy is set to Allowed (0) or not set,
// the model is downloaded automatically, and used for inference. When the
// policy is set to Disabled (1), the model will not be downloaded. Model
// downloading can also be disabled by ComponentUpdatesEnabled.
//"GenAILocalFoundationalModelSettings": 1,

// Enable globally scoped HTTP auth cache
//-------------------------------------------------------------------------
// This policy configures a single global per profile cache with HTTP server
// authentication credentials. If this policy is unset or disabled, the
// browser will use the default behavior of cross-site auth, which as of
// version 80, will be to scope HTTP server authentication credentials by
// top-level site, so if two sites use resources from the same authenticating
// domain, credentials will need to be provided independently in the context
// of both sites. Cached proxy credentials will be reused across sites.
// If the policy is enabled, HTTP auth credentials entered in the context of
// one site will automatically be used in the context of another. Enabling
// this policy leaves sites open to some types of cross-site attacks, and
// allows users to be tracked across sites even without cookies by adding
// entries to the HTTP auth cache using credentials embedded in URLs. This
// policy is intended to give enterprises depending on the legacy behavior a
// chance to update their login procedures, and will be removed in the future.
//"GloballyScopeHTTPAuthCacheEnabled": false,

// Enable Google Search Side Panel
//-------------------------------------------------------------------------
// If set to Enabled or not set, Google Search Side Panel is allowed on all
// web pages. If set to Disabled, Google Search Side Panel is not available
// on any webpage. GenAI capabilities that are part of this feature are not
// available for Educational or Enterprise accounts.
//"GoogleSearchSidePanelEnabled": true,

// List of names that will bypass the HSTS policy check
//-------------------------------------------------------------------------
// Setting the policy specifies a list of hostnames that bypass preloaded HSTS
// upgrades from http to https. Only single-label hostnames are allowed in
// this policy, and this policy only applies to "static" HSTS-preloaded
// entries (for instance, "app", "new", "search", "play"). This policy does
// not prevent HSTS upgrades for servers that have "dynamically" requested
// HSTS upgrades using a Strict-Transport-Security response header. Supplied
// hostnames must be canonicalized: Any IDNs must be converted to their
// A-label format, and all ASCII letters must be lowercase. This policy only
// applies to the specific single-label hostnames specified, not to subdomains
// of those names.
//"HSTSPolicyBypassList": ["meet"],

// Use graphics acceleration when available
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset turns on graphics
// acceleration, if available. Setting the policy to Disabled turns off
// graphics acceleration.
//"HardwareAccelerationModeEnabled": true,

// Control use of the Headless Mode
//-------------------------------------------------------------------------
// Setting this policy to Enabled or leaving the policy unset allows use of
// the headless mode. Setting this policy to Disabled denies use of the
// headless mode.
//"HeadlessMode": 2,

// Settings for Help Me Write
//-------------------------------------------------------------------------
// Help Me Write is an AI-based writing assistant for short-form content on
// the web. Suggested content is based on prompts entered by the user and the
// content of the web page.
// 0 = Enable the feature for users, and send relevant data to Google to help
// train or improve AI models. Relevant data may include prompts, inputs,
// outputs, and source materials, depending on the feature. It may be
// reviewed by humans for the sole purpose of improving AI models. 0 is the
// default value, except when noted below.
// 1 = Enable the feature for users, but do not send data to Google to train
// or improve AI models. 1 is the default value for Enterprise users managed
// by Google Admin console.
// 2 = Disable the feature. 2 is the default value for Education accounts
// managed by Google Workspace.
// For more information on data handling for generative AI features, please
// see https://support.google.com/chrome/a?p=generative_ai_settings.
//"HelpMeWriteSettings": 1,

// Hide the web store from the New Tab Page and app launcher
//-------------------------------------------------------------------------
// Hide the Chrome Web Store app and footer link from the New Tab Page and
// Google ChromeOS app launcher.
// When this policy is set to true, the icons
// are hidden. When this policy is set to false or is not configured, the
// icons are visible.
//"HideWebStoreIcon": true,

// Enable High Efficiency Mode
//-------------------------------------------------------------------------
// This policy enables or disables the High Efficiency Mode setting. This
// setting makes it so that tabs are discarded after some period of time in
// the background to reclaim memory. If this policy is unset, the end user can
// control this setting in chrome://settings/performance.
//"HighEfficiencyModeEnabled": false,

// Show a view of Chrome history with groups of pages
//-------------------------------------------------------------------------
// This policy controls the visibility of the Chrome history page organized
// into groups of pages. If the policy is set to Enabled, a Chrome history
// page organized into groups will be visible at chrome://history/grouped. If
// the policy is set to Disabled, a Chrome history page organized into groups
// will not be visible at chrome://history/grouped. If the policy is left
// unset, a Chrome history page organized into groups will be visible at
// chrome://history/grouped by default. Please note, if
// ComponentUpdatesEnabled policy is set to Disabled, but
// HistoryClustersVisible is set to Enabled or unset, a Chrome history page
// organized into groups will still be available at chrome://history/grouped,
// but may be less relevant to the user.
//"HistoryClustersVisible": false,

// Use New Tab Page as homepage
//-------------------------------------------------------------------------
// Setting the policy to Enabled makes the New Tab page the user's homepage,
// ignoring any homepage URL location. Setting the policy to Disabled means
// that their homepage is never the New Tab page, unless the user's homepage
// URL is set to chrome://newtab. If you set the policy, users can't change
// their homepage type in Google Chrome.
// If not set, the user decides whether
// or not the New Tab page is their homepage. On Microsoft® Windows®, this
// policy is only available on instances that are joined to a Microsoft®
// Active Directory® domain, joined to Microsoft® Azure® Active Directory® or
// enrolled in Chrome Browser Cloud Management. On macOS, this policy is only
// available on instances that are managed via MDM, joined to a domain via MCX
// or enrolled in Chrome Browser Cloud Management.
//"HomepageIsNewTabPage": true,

// Configure the home page URL
//-------------------------------------------------------------------------
// Setting the policy sets the default homepage URL in Google Chrome. You open
// the homepage using the Home button. On desktop, the RestoreOnStartup
// policies control the pages that open on startup. If the homepage is set to
// the New Tab Page, by the user or HomepageIsNewTabPage, this policy has no
// effect. The URL needs a standard scheme, such as http://example.com or
// https://example.com. When this policy is set, users can't change their
// homepage URL in Google Chrome. Leaving both HomepageLocation and
// HomepageIsNewTabPage unset lets users choose their homepage. On Microsoft®
// Windows®, this policy is only available on instances that are joined to a
// Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active
// Directory® or enrolled in Chrome Browser Cloud Management. On macOS, this
// policy is only available on instances that are managed via MDM, joined to a
// domain via MCX or enrolled in Chrome Browser Cloud Management.
//"HomepageLocation": "https://www.chromium.org",

// HTTP Allowlist
//-------------------------------------------------------------------------
// Setting the policy specifies a list of hostnames or hostname patterns (such
// as '[*.]example.com') that will not be upgraded to HTTPS and will not show
// an error interstitial if HTTPS-First Mode is enabled.
// Organizations can use
// this policy to maintain access to servers that do not support HTTPS,
// without needing to disable HTTPS Upgrades and/or HTTPS-First Mode.
// Supplied hostnames must be canonicalized: Any IDNs must be converted to
// their A-label format, and all ASCII letters must be lowercase. Blanket
// host wildcards (i.e., "*" or "[*]") are not allowed. Instead, HTTPS-First
// Mode and HTTPS Upgrades should be explicitly disabled via their specific
// policies. Note: This policy does not apply to HSTS upgrades.
//"HttpAllowlist": ["testserver.example.com", "[*.]example.org"],

// Allow HTTPS-Only Mode to be enabled
//-------------------------------------------------------------------------
// This policy controls whether users can enable HTTPS-Only Mode (Always Use
// Secure Connections) in Settings. HTTPS-Only Mode upgrades all navigations
// to HTTPS. If this setting is not set or set to allowed, users will be
// allowed to enable HTTPS-Only Mode. If this setting is set to disallowed,
// users will not be allowed to enable HTTPS-Only Mode. If this setting is set
// to force_enabled, HTTPS-Only Mode will be enabled and users will not be
// able to disable it. Force enabling HTTPS-Only Mode is supported from M112
// onwards. The separate HttpAllowlist policy can be used to exempt specific
// hostnames or hostname patterns from being upgraded to HTTPS by this
// feature.
//"HttpsOnlyMode": "disallowed",

// Enable automatic HTTPS upgrades
//-------------------------------------------------------------------------
// Google Chrome attempts to upgrade some navigations from HTTP to HTTPS, when
// possible. This policy can be used to disable this behavior. If set to
// "true" or left unset, this feature will be enabled by default. The
// separate HttpAllowlist policy can be used to exempt specific hostnames or
// hostname patterns from being upgraded to HTTPS by this feature. See also
// the HttpsOnlyMode policy.
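// Added example, not part of the Chrome template: a Python pre-deployment
// check of HSTSPolicyBypassList and HttpAllowlist entries against the
// canonicalization rules stated for those two policies. The function names,
// finding codes and sample lists are assumptions made for this illustration.

```python
import re

# One canonical DNS label: lowercase ASCII letters, digits and inner hyphens.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
SUBDOMAIN_PREFIX = "[*.]"   # pattern prefix used in the HttpAllowlist sample value
BLANKET = {"*", "[*]"}      # blanket wildcards the policy text disallows

# Constructed sample values (\u00fc is "u with diaeresis").
HSTS_BYPASS = ["meet", "App", "intranet.example.com", "b\u00fccher"]
HTTP_ALLOWLIST = ["testserver.example.com", "[*.]example.org", "*", "[*]",
                  "[*.]Example.ORG", "m\u00fcnchen.example"]


def canonical_host(host):
    """Lowercase the name and convert IDN labels to A-labels; None on failure."""
    try:
        return host.lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None


def _host_problem(host):
    """Return (code, suggested_fix) for one hostname, or (None, None) if fine."""
    canon = canonical_host(host)
    if canon is None or not all(LABEL.match(part) for part in canon.split(".")):
        return "invalid-hostname", None
    if canon != host:
        return "not-canonical", canon
    return None, None


def check_hsts_bypass(entries):
    """HSTSPolicyBypassList: single-label, canonical hostnames only."""
    findings = []
    for entry in entries:
        if "." in entry:
            findings.append((entry, "not-single-label", None))
            continue
        code, fix = _host_problem(entry)
        if code:
            findings.append((entry, code, fix))
    return findings


def check_http_allowlist(entries):
    """HttpAllowlist: canonical hostnames or [*.] patterns, no blanket wildcard."""
    findings = []
    for entry in entries:
        if entry in BLANKET:
            findings.append((entry, "blanket-wildcard", None))
            continue
        prefix = SUBDOMAIN_PREFIX if entry.startswith(SUBDOMAIN_PREFIX) else ""
        code, fix = _host_problem(entry[len(prefix):])
        if code:
            findings.append((entry, code, prefix + fix if fix else None))
    return findings


if __name__ == "__main__":
    for name, result in (("HSTSPolicyBypassList", check_hsts_bypass(HSTS_BYPASS)),
                         ("HttpAllowlist", check_http_allowlist(HTTP_ALLOWLIST))):
        for entry, code, fix in result:
            print("%s: %r %s%s" % (name, entry, code, " -> %s" % fix if fix else ""))
```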
//"HttpsUpgradesEnabled": false,

// Enable IPv6 reachability check override
//-------------------------------------------------------------------------
// Setting the policy to true overrides the IPv6 reachability check. This
// means that the system will always query AAAA records when resolving host
// names. It applies to all users and interfaces on the device. Setting the
// policy to false or leaving it unset does not override the IPv6
// reachability check. The system only queries AAAA records when it can
// reach a global IPv6 host.
//"IPv6ReachabilityOverrideEnabled": true,

// Delay before running idle actions
//-------------------------------------------------------------------------
// Triggers an action when the computer is idle. If this policy is set, it
// specifies the length of time without user input (in minutes) before the
// browser runs actions configured via the IdleTimeoutActions policy. If this
// policy is not set, no action will be run. The minimum threshold is 1
// minute. "User input" is defined by Operating System APIs, and includes
// things like moving the mouse or typing on the keyboard.
//"IdleTimeout": 30,

// Actions to run when the computer is idle
//-------------------------------------------------------------------------
// List of actions to run when the timeout from the IdleTimeout policy is
// reached. If the IdleTimeout policy is unset, this policy has no effect.
// When the timeout from the IdleTimeout policy is reached, the browser runs
// the actions configured in this policy. If this policy is empty or left
// unset, the IdleTimeout policy has no effect. Supported actions are:
// 'close_browsers': close all browser windows and PWAs for this profile. Not
// supported on Android and iOS.
// 'close_tabs': close all open tabs in open windows. Only supported on iOS.
// 'show_profile_picker': show the Profile Picker window. Not supported on
// Android and iOS.
// 'sign_out': Signs out the current signed in user.
// Only supported on iOS.
// 'clear_browsing_history', 'clear_download_history',
// 'clear_cookies_and_other_site_data', 'clear_cached_images_and_files',
// 'clear_password_signing', 'clear_autofill', 'clear_site_settings',
// 'clear_hosted_app_data': clear the corresponding browsing data. See the
// ClearBrowsingDataOnExitList policy for more details. The types supported on
// iOS are 'clear_browsing_history', 'clear_cookies_and_other_site_data',
// 'clear_cached_images_and_files', 'clear_password_signing', and
// 'clear_autofill'.
// 'reload_pages': reload all webpages. For some pages, the user may be
// prompted for confirmation first. Not supported on iOS.
// Setting 'clear_browsing_history', 'clear_password_signing',
// 'clear_autofill', and 'clear_site_settings' will disable sync for the
// respective data types if neither `Chrome Sync` is disabled by setting the
// SyncDisabled policy nor BrowserSignin is disabled.
//"IdleTimeoutActions": ["close_browsers", "show_profile_picker"],

// Allow images on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that specify sites
// that may display images. Leaving the policy unset means
// DefaultImagesSetting applies for all sites, if it's set. If not, the user's
// personal setting applies. For detailed information on valid url patterns,
// please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed. Note that previously this policy was
// erroneously enabled on Android, but this functionality has never been fully
// supported on Android.
//"ImagesAllowedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block images on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that specify sites
// that can't display images.
Leaving the policy unset means // DefaultImagesSetting applies for all sites, if it's set. If not, the user's // personal setting applies. For detailed information on valid url patterns, // please see https://cloud.google.com/docs/chrome-enterprise/policies/url- // patterns. Wildcards, *, are allowed. Note that previously this policy was // erroneously enabled on Android, but this functionality has never been fully // supported on Android. //"ImagesBlockedForUrls": ["https://www.example.com", "[*.]example.edu"], // Import autofill form data from default browser on first run //------------------------------------------------------------------------- // Setting the policy to Enabled imports autofill form data from the previous // default browser on first run. Setting the policy to Disabled or leaving it // unset means no autofill form data is imported on first run. Users can // trigger an import dialog and the autofill form data checkbox will be // checked or unchecked to match this policy's value. //"ImportAutofillFormData": true, // Import bookmarks from default browser on first run //------------------------------------------------------------------------- // Setting the policy to Enabled imports bookmarks from the previous default // browser on first run. Setting the policy to Disabled or leaving it unset // means no bookmarks are imported on first run. Users can trigger an import // dialog and the bookmarks checkbox will be checked or unchecked to match // this policy's value. //"ImportBookmarks": true, // Import browsing history from default browser on first run //------------------------------------------------------------------------- // Setting the policy to Enabled imports browsing history from the previous // default browser on first run. Setting the policy to Disabled or leaving it // unset means no browsing history is imported on first run. 
Users can // trigger an import dialog and the browsing history checkbox will be checked // or unchecked to match this policy's value. //"ImportHistory": true, // Import of homepage from default browser on first run //------------------------------------------------------------------------- // Setting the policy to Enabled imports the homepage from the previous // default browser on first run. Setting the policy to Disabled or leaving it // unset means the homepage isn't imported on first run. Users can trigger an // import dialog and the homepage checkbox will be checked or unchecked to // match this policy's value. //"ImportHomepage": true, // Import saved passwords from default browser on first run //------------------------------------------------------------------------- // This policy controls only the first run import behavior after installation. // It enables more seamless transition to Google Chrome in environments where // a different browser was extensively used prior to installing the browser. // This policy does not affect password manager capabilities for Google // accounts. Setting the policy to Enabled imports saved passwords from the // previous default browser on first run and manual importing from the // settings page is also possible. Setting the policy to Disabled means no // saved passwords are imported on first run and manual importing from the // Settings page is blocked. Leaving the policy unset means no saved passwords // are imported on first run but the user can choose to do that from the // settings page. //"ImportSavedPasswords": false, // Import search engines from default browser on first run //------------------------------------------------------------------------- // Setting the policy to Enabled imports the default search engine from the // previous default browser on first run. Setting the policy to Disabled or // leaving it unset means the default search engine isn't imported on first // run. 
Users can trigger an import dialog and the default search engine // checkbox will be checked or unchecked to match this policy's value. //"ImportSearchEngine": true, // Incognito mode availability //------------------------------------------------------------------------- // Specifies whether the user may open pages in Incognito mode in Google // Chrome. If 'Enabled' is selected or the policy is left unset, pages may be // opened in Incognito mode. If 'Disabled' is selected, pages may not be // opened in Incognito mode. If 'Forced' is selected, pages may be opened // ONLY in Incognito mode. Note that 'Forced' does not work for Android-on- // Chrome. Note: On iOS, if the policy is changed during a session, it will // only take effect on relaunch. //"IncognitoModeAvailability": 1, // Allow insecure content on these sites //------------------------------------------------------------------------- // Allows you to set a list of url patterns that specify sites which are // allowed to display blockable (i.e. active) mixed content (i.e. HTTP content // on HTTPS sites) and for which optionally blockable mixed content upgrades // will be disabled. If this policy is left not set blockable mixed content // will be blocked and optionally blockable mixed content will be upgraded, // and users will be allowed to set exceptions to allow it for specific sites. // For detailed information on valid url patterns, please see // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. // Wildcards, *, are allowed. //"InsecureContentAllowedForUrls": ["https://www.example.com", "[*.]example.edu"], // Block insecure content on these sites //------------------------------------------------------------------------- // Allows you to set a list of url patterns that specify sites which are not // allowed to display blockable (i.e. active) mixed content (i.e. HTTP content // on HTTPS sites), and for which optionally blockable (i.e. passive) mixed // content will be upgraded.
If this policy is left not set blockable mixed // content will be blocked and optionally blockable mixed content will be // upgraded, but users will be allowed to set exceptions to allow it for // specific sites. For detailed information on valid url patterns, please see // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. // Wildcards, *, are allowed. //"InsecureContentBlockedForUrls": ["https://www.example.com", "[*.]example.edu"], // Specifies whether to allow websites to make requests to more-private network endpoints in an insecure manner //------------------------------------------------------------------------- // Controls whether websites are allowed to make requests to more-private // network endpoints in an insecure manner. When this policy is set to true, // all Private Network Access checks are disabled for all origins. This may // allow attackers to perform CSRF attacks on private network servers. When // this policy is either not set or set to false, the default behavior for // requests to more-private network endpoints will depend on the user's // personal configuration for the BlockInsecurePrivateNetworkRequests, // PrivateNetworkAccessSendPreflights, and // PrivateNetworkAccessRespectPreflightResults feature flags, which may be set // by field trials or on the command line. This policy relates to the Private // Network Access specification. See https://wicg.github.io/private-network- // access/ for more details. A network endpoint is more private than another // if: 1) Its IP address is localhost and the other is not. 2) Its IP address // is private and the other is public. In the future, depending on spec // evolution, this policy might apply to all cross-origin requests directed at // private IPs or localhost. When this policy is set to true, websites are // allowed to make requests to any network endpoint, subject to other cross- // origin checks. 
//"InsecurePrivateNetworkRequestsAllowed": false, // Allow the listed sites to make requests to more-private network endpoints in an insecure manner. //------------------------------------------------------------------------- // List of URL patterns. Requests initiated from websites served by matching // origins are not subject to Private Network Access checks. If unset, this // policy behaves as if set to the empty list. For origins not covered by the // patterns specified here, the global default value will be used either from // the InsecurePrivateNetworkRequestsAllowed policy, if it is set, or the // user's personal configuration otherwise. For detailed information on valid // URL patterns, please see https://cloud.google.com/docs/chrome- // enterprise/policies/url-patterns. //"InsecurePrivateNetworkRequestsAllowedForUrls": ["http://www.example.com:8080", "[*.]example.edu"], // Control the IntensiveWakeUpThrottling feature. //------------------------------------------------------------------------- // When enabled the IntensiveWakeUpThrottling feature causes JavaScript timers // in background tabs to be aggressively throttled and coalesced, running no // more than once per minute after a page has been backgrounded for 5 minutes // or more. This is a web standards compliant feature, but it may break // functionality on some websites by causing certain actions to be delayed by // up to a minute. However, it results in significant CPU and battery savings // when enabled. See https://bit.ly/30b1XR4 for more details. If this policy // is set to enabled then the feature will be force enabled, and users will // not be able to override this. If this policy is set to disabled then the // feature will be force disabled, and users will not be able to override // this. If this policy is left unset then the feature will be controlled by // its own internal logic, which can be manually configured by users. 
Note // that the policy is applied per renderer process, with the most recent value // of the policy setting in force when a renderer process starts. A full // restart is required to ensure that all loaded tabs receive a consistent // policy setting. It is harmless for processes to be running with different // values of this policy. //"IntensiveWakeUpThrottlingEnabled": true, // Intranet Redirection Behavior //------------------------------------------------------------------------- // This policy configures behavior for intranet redirection via DNS // interception checks. The checks attempt to discover whether the browser is // behind a proxy that redirects unknown host names. If this policy is not // set, the browser will use the default behavior of DNS interception checks // and intranet redirect suggestions. In M88, they are enabled by default but // will be disabled by default in a future release. // DNSInterceptionChecksEnabled is a related policy that may also disable DNS // interception checks; this policy is a more flexible version which may // separately control intranet redirection infobars and may be expanded in the // future. If either DNSInterceptionChecksEnabled or this policy requests to // disable interception checks, the checks will be disabled. //"IntranetRedirectBehavior": 1, // Enable Site Isolation for specified origins //------------------------------------------------------------------------- // Setting the policy means each of the named origins in a comma-separated // list runs in a dedicated process. Each named origin's process will only be // allowed to contain documents from that origin and its subdomains. For // example, specifying https://a1.example.com/ allows // https://a2.a1.example.com/ in the same process, but not https://example.com // or https://b.example.com. Since Google Chrome 77, you can also specify a // range of origins to isolate using a wildcard.
For example, specifying // https://[*.]corp.example.com will give every origin underneath // https://corp.example.com its own dedicated process, including // https://corp.example.com itself, https://a1.corp.example.com, and // https://a2.a1.corp.example.com. Note that all sites (i.e., scheme plus // eTLD+1, such as https://example.com) are already isolated by default on // Desktop platforms, as noted in the SitePerProcess policy. This // IsolateOrigins policy is useful to isolate specific origins at a finer // granularity (e.g., https://a.example.com). Also note that origins isolated // by this policy will be unable to script other origins in the same site, // which is otherwise possible if two same-site documents modify their // document.domain values to match. Administrators should confirm this // uncommon behavior is not used on an origin before isolating it. Setting // the policy to off or leaving it unset lets users change this setting. // Note: For Android, use the IsolateOriginsAndroid policy instead. //"IsolateOrigins": "https://a.example.com/,https://othersite.org/,https://[*.]corp.example.com", // Allow JavaScript on these sites //------------------------------------------------------------------------- // Setting the policy lets you set a list of URL patterns that specify the // sites that can run JavaScript. Leaving the policy unset means // DefaultJavaScriptSetting applies for all sites, if it's set. If not, the // user's personal setting applies. For detailed information on valid url // patterns, please see https://cloud.google.com/docs/chrome- // enterprise/policies/url-patterns. Wildcards, *, are allowed. //"JavaScriptAllowedForUrls": ["https://www.example.com", "[*.]example.edu"], // Block JavaScript on these sites //------------------------------------------------------------------------- // Setting the policy lets you set a list of URL patterns that specify the // sites that can't run JavaScript. 
Leaving the policy unset means // DefaultJavaScriptSetting applies for all sites, if it's set. If not, the // user's personal setting applies. For detailed information on valid url // patterns, please see https://cloud.google.com/docs/chrome- // enterprise/policies/url-patterns. Wildcards, *, are allowed. //"JavaScriptBlockedForUrls": ["https://www.example.com", "[*.]example.edu"], // Allow JavaScript to use JIT on these sites //------------------------------------------------------------------------- // Allows you to set a list of site url patterns that specify sites which are // allowed to run JavaScript with JIT (Just In Time) compiler enabled. For // detailed information on valid site url patterns, please see // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. // Wildcards, *, are allowed. JavaScript JIT policy exceptions will only be // enforced at a site granularity (eTLD+1). A policy set for only // subdomain.site.com will not correctly apply to site.com or // subdomain.site.com since they both resolve to the same eTLD+1 (site.com) // for which there is no policy. In this case, policy must be set on site.com // to apply correctly for both site.com and subdomain.site.com. This policy // applies on a frame-by-frame basis and not based on top level origin url // alone, so e.g. if site-one.com is listed in the // JavaScriptJitAllowedForSites policy but site-one.com loads a frame // containing site-two.com then site-one.com will have JavaScript JIT enabled, // but site-two.com will use the policy from DefaultJavaScriptJitSetting, if // set, or default to JavaScript JIT enabled. If this policy is not set for a // site then the policy from DefaultJavaScriptJitSetting applies to the site, // if set, otherwise Javascript JIT is enabled for the site. 
//"JavaScriptJitAllowedForSites": ["[*.]example.edu"], // Block JavaScript from using JIT on these sites //------------------------------------------------------------------------- // Allows you to set a list of site url patterns that specify sites which are // not allowed to run JavaScript with JIT (Just In Time) compiler enabled. // Disabling the JavaScript JIT will mean that Google Chrome may render web // content more slowly, and may also disable parts of JavaScript including // WebAssembly. Disabling the JavaScript JIT may allow Google Chrome to render // web content in a more secure configuration. For detailed information on // valid url patterns, please see https://cloud.google.com/docs/chrome- // enterprise/policies/url-patterns. Wildcards, *, are allowed. JavaScript // JIT policy exceptions will only be enforced at a site granularity (eTLD+1). // A policy set for only subdomain.site.com will not correctly apply to // site.com or subdomain.site.com since they both resolve to the same eTLD+1 // (site.com) for which there is no policy. In this case, policy must be set // on site.com to apply correctly for both site.com and subdomain.site.com. // This policy applies on a frame-by-frame basis and not based on top level // origin url alone, so e.g. if site-one.com is listed in the // JavaScriptJitBlockedForSites policy but site-one.com loads a frame // containing site-two.com then site-one.com will have JavaScript JIT // disabled, but site-two.com will use the policy from // DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled. // If this policy is not set for a site then the policy from // DefaultJavaScriptJitSetting applies to the site, if set, otherwise // JavaScript JIT is enabled for the site.
//"JavaScriptJitBlockedForSites": ["[*.]example.edu"], // Revert to legacy SameSite behavior for cookies on these sites //------------------------------------------------------------------------- // Cookies set for domains matching these patterns will revert to legacy // SameSite behavior. Reverting to legacy behavior causes cookies that don't // specify a SameSite attribute to be treated as if they were "SameSite=None", // removes the requirement for "SameSite=None" cookies to carry the "Secure" // attribute, and skips the scheme comparison when evaluating if two sites are // same-site. See https://www.chromium.org/administrators/policy- // list-3/cookie-legacy-samesite-policies for full description. For cookies // on domains not covered by the patterns specified here, or for all cookies // if this policy is not set, the global default value will be the user's // personal configuration. For detailed information on valid patterns, please // see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. // Note that patterns you list here are treated as domains, not URLs, so you // should not specify a scheme or port. //"LegacySameSiteCookieBehaviorEnabledForDomainList": ["www.example.com", "[*.]example.edu"], // Allow Google Lens button to be shown in the search box on the New Tab page if supported. //------------------------------------------------------------------------- // Leaving the policy unset or setting it to Enabled allows users to view and // use the Google Lens button in the search box on the New Tab page. Setting // the policy to Disabled means users will not see the Google Lens button in // the search box on the New Tab page. //"LensDesktopNTPSearchEnabled": true, // Settings for the Lens Overlay feature //------------------------------------------------------------------------- // Lens Overlay lets users issue Google searches by interacting with a // screenshot of the current page laid over the actual web contents. 
There is // no user setting to control this feature, it is generally made available to // all users with Google as their default search engine unless disabled by // this policy. When policy is set to 0 - Enabled or not set, the feature // will be available to users. When policy is set to 1 - Disabled, the feature // will not be available. //"LensOverlaySettings": 1, // Allow Google Lens region search menu item to be shown in context menu if supported. //------------------------------------------------------------------------- // Leaving the policy unset or setting it to Enabled allows users to view and // use the Google Lens region search menu item in the context menu. Setting // the policy to Disabled means users will not see the Google Lens region // search menu item in the context menu when Google Lens region search is // supported. //"LensRegionSearchEnabled": true, // Allow Local Fonts permission on these sites //------------------------------------------------------------------------- // Sets a list of site url patterns that specify sites which will // automatically grant the local fonts permission. This will extend the // ability of sites to see information about local fonts. For detailed // information on valid site url patterns, please see // https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. // Wildcards, *, are allowed. This policy only matches based on origin, so any // path in the URL pattern is ignored. If this policy is not set for a site // then the policy from DefaultLocalFontsSetting applies to the site, if set, // otherwise the permission will follow the browser's defaults and allow users // to choose this permission per site. 
//"LocalFontsAllowedForUrls": ["https://www.example.com", "[*.]example.edu"], // Block Local Fonts permission on these sites //------------------------------------------------------------------------- // Sets a list of site url patterns that specify sites which will // automatically deny the local fonts permission. This will limit the ability // of sites to see information about local fonts. For detailed information on // valid site url patterns, please see https://cloud.google.com/docs/chrome- // enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy // only matches based on origin, so any path in the URL pattern is ignored. // If this policy is not set for a site then the policy from // DefaultLocalFontsSetting applies to the site, if set, otherwise the // permission will follow the browser's defaults and allow users to choose // this permission per site. //"LocalFontsBlockedForUrls": ["https://www.example.com", "[*.]example.edu"], // Suppress lookalike domain warnings on domains //------------------------------------------------------------------------- // This policy prevents the display of lookalike URL warnings on the sites // listed. These warnings are typically shown on sites that Google Chrome // believes might be trying to spoof another site the user is familiar with. // If the policy is enabled and set to one or more domains, no lookalike // warnings pages will be shown when the user visits pages on that domain. If // the policy is not set, or set to an empty list, warnings may appear on any // site the user visits. A hostname can be allowed with a complete host // match, or any domain match. For example, a URL like // "https://foo.example.com/bar" may have warnings suppressed if this list // includes either "foo.example.com" or "example.com". 
//"LookalikeWarningAllowlistDomains": ["foo.example.com", "example.org"], // Add restrictions on managed accounts //------------------------------------------------------------------------- // Default behavior (Policy unset) When an account is added in the content // area a small dialog may appear asking the user to create a new profile. // This dialog is dismissable. ManagedAccountsSigninRestriction = // 'primary_account' If a user signs into a Google service for the first time // in a Google Chrome browser, a dialog will appear asking the user to create // a new profile for their enterprise account. The user may click Cancel and // get signed out, or Continue to create a new profile. Any existing browsing // data will not be added to the new profile. The newly created profile is // allowed to have secondary accounts, for example the user can sign into // another account in the content area. ManagedAccountsSigninRestriction = // 'primary_account_strict' This is the same behavior as 'primary_account' // except the newly created profile is not allowed to have secondary accounts. // ManagedAccountsSigninRestriction = 'primary_account_keep_existing_data' // This is the same behavior as 'primary_account' except a checkbox will be // added to the dialog to allow the user to keep local browsing data. If the // user checks the box, then the existing profile data becomes associated with // the Managed account. - All existing browsing data will be present in the // new profile. - This data includes bookmarks, history, password, autofill // data, open tabs, cookies, cache, web storage, extensions, etc. If the user // does not check the box: - The old profile will continue to exist, no data // will be lost. - A new profile will be created. // ManagedAccountsSigninRestriction = // 'primary_account_strict_keep_existing_data' This is the same behavior as // 'primary_account_keep_existing_data' except the newly created profile is // not allowed to have secondary accounts. 
//"ManagedAccountsSigninRestriction": "primary_account", // Managed Bookmarks //------------------------------------------------------------------------- // Setting the policy sets up a list of bookmarks where each one is a // dictionary with the keys "name" and "url". These keys hold the bookmark's // name and target. Admins can set up a subfolder by defining a bookmark // without a "url" key, but with an additional "children" key. This key also // has a list of bookmarks, some of which can also be folders. Chrome amends // incomplete URLs as if they were submitted through the address bar. For // example, "google.com" becomes "https://google.com/". Users can't change // the folders the bookmarks are placed in (though they can hide it from the // bookmark bar). The default folder name for managed bookmarks is "Managed // bookmarks" but it can be changed by adding a new sub-dictionary to the // policy with a single key named "toplevel_name" with the desired folder name // as its value. Managed bookmarks are not synced to the user account and // extensions can't modify them. See https://cloud.google.com/docs/chrome- // enterprise/policies/?policy=ManagedBookmarks for more information about // schema and formatting. //"ManagedBookmarks": [{"toplevel_name": "My managed bookmarks folder"}, {"name": "Google", "url": "google.com"}, {"name": "Youtube", "url": "youtube.com"}, {"children": [{"name": "Chromium", "url": "chromium.org"}, {"name": "Chromium Developers", "url": "dev.chromium.org"}], "name": "Chrome links"}], // Sets managed configuration values to websites to specific origins //------------------------------------------------------------------------- // Setting the policy defines the return value of Managed Configuration API // for given origin. Managed configuration API is a key-value configuration // that can be accessed via navigator.managed.getManagedConfiguration() // javascript call. 
This API is only available to origins which correspond to // force-installed web applications via WebAppInstallForceList. See // https://cloud.google.com/docs/chrome- // enterprise/policies/?policy=ManagedConfigurationPerOrigin for more // information about schema and formatting. //"ManagedConfigurationPerOrigin": [{"managed_configuration_hash": "asd891jedasd12ue9h", "managed_configuration_url": "https://gstatic.google.com/configuration.json", "origin": "https://www.google.com"}, {"managed_configuration_hash": "djio12easd89u12aws", "managed_configuration_url": "https://gstatic.google.com/configuration2.json", "origin": "https://www.example.com"}], // Maximal number of concurrent connections to the proxy server //------------------------------------------------------------------------- // Setting the policy specifies the maximal number of simultaneous connections // to the proxy server. Some proxy servers can't handle a high number of // concurrent connections per client, which is solved by setting this policy // to a lower value. The value should be lower than 100 and higher than 6. // Some web apps are known to consume many connections with hanging GETs, so // setting a value below 32 may lead to browser networking hangs if there are // too many web apps with hanging connections open. Lower below the default at // your own risk. Leaving the policy unset means a default of 32 is used. //"MaxConnectionsPerProxy": 32, // Maximum fetch delay after a policy invalidation //------------------------------------------------------------------------- // Setting the policy specifies the maximum delay in milliseconds between // receiving a policy invalidation and fetching the new policy from the device // management service. Valid values range from 1,000 (1 second) to 300,000 (5 // minutes). Values outside this range will be clamped to the respective // boundary. Leaving the policy unset means Google Chrome uses the default // value of 10 seconds. 
//"MaxInvalidationFetchDelay": 10000, // Enable Media Recommendations //------------------------------------------------------------------------- // By default the browser will show media recommendations that are // personalized to the user. Setting this policy to Disabled will result in // these recommendations being hidden from the user. Setting this policy to // Enabled or leaving it unset will result in the media recommendations being // shown to the user. //"MediaRecommendationsEnabled": true, // Allow Google Cast to connect to Cast devices on all IP addresses. //------------------------------------------------------------------------- // Unless EnableMediaRouter is set to Disabled, setting // MediaRouterCastAllowAllIPs to Enabled connects Google Cast to Cast devices // on all IP addresses, not just RFC1918/RFC4193 private addresses. Setting // the policy to Disabled connects Google Cast to Cast devices only on // RFC1918/RFC4193. Leaving the policy unset connects Google Cast to Cast // devices only on RFC1918/RFC4193, unless the CastAllowAllIPs feature is // turned on. //"MediaRouterCastAllowAllIPs": false, // Change Memory Saver Mode Savings //------------------------------------------------------------------------- // This policy changes the savings level of Memory Saver. This only takes // effect when Memory Saver is enabled through settings or through the // HighEfficiencyModeEnabled policy, and will affect how heuristics are used // to determine when to discard tabs. For example, reducing the lifetime of an // inactive tab before discarding it can save memory, but it also means that // tabs will be reloaded more frequently which can lead to bad user experience // and cost more network traffic. Setting the policy to 0 - Memory Saver will // get moderate memory savings. Tabs become inactive after a longer period of // time. Setting the policy to 1 - Memory Saver will get balanced memory // savings. Tabs become inactive after an optimal period of time.
Setting the // policy to 2 - Memory Saver will get maximum memory savings. Tabs become // inactive after a shorter period of time. If this policy is unset, the end // user can control this setting in chrome://settings/performance. //"MemorySaverModeSavings": 0, // Enable reporting of usage and crash-related data //------------------------------------------------------------------------- // When this policy is Enabled, anonymous reporting of usage and crash-related // data about Google Chrome to Google is recommended to be enabled by default. // Users will still be able to change this setting. When this policy is // Disabled, anonymous reporting is disabled and no usage or crash data is // sent to Google. Users won't be able to change this setting. When this // policy is not set, users can choose the anonymous reporting behavior at // installation or first run, and can change this setting later. On // Microsoft® Windows®, this policy is only available on instances that are // joined to a Microsoft® Active Directory® domain, joined to Microsoft® // Azure® Active Directory® or enrolled in Chrome Browser Cloud Management. // On macOS, this policy is only available on instances that are managed via // MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud // Management. (For Google ChromeOS, see DeviceMetricsReportingEnabled.) //"MetricsReportingEnabled": true, // Re-enable deprecated/removed Mutation Events //------------------------------------------------------------------------- // This policy provides a temporary opt-back-in to a deprecated and removed // set of platform events called Mutation Events. When this policy is Enabled, // mutation events will continue to be fired, even if they've been disabled by // default for normal web users. When this policy is Disabled or unset, these // events may not be fired. This policy is a temporary workaround, and will be // removed in M135. 
//"MutationEventsEnabled": true,

// Show cards on the New Tab Page
//-------------------------------------------------------------------------
// This policy controls the visibility of cards on the New Tab Page. Cards
// surface entry points to launch common user journeys based on the user's
// browsing behavior. If the policy is set to Enabled, the New Tab Page will
// show cards if content is available. If the policy is set to Disabled, the
// New Tab Page won't show cards. If the policy is not set, the user can
// control the card visibility. The default is visible.
//"NTPCardsVisible": true,

// Allow users to customize the background on the New Tab page
//-------------------------------------------------------------------------
// If the policy is set to false, the New Tab page won't allow users to
// customize the background. Any existing custom background will be
// permanently removed even if the policy is set to true later. If the policy
// is set to true or unset, users can customize the background on the New Tab
// page.
//"NTPCustomBackgroundEnabled": true,

// Show the middle slot announcement on the New Tab Page
//-------------------------------------------------------------------------
// This policy controls the visibility of the middle slot announcement on the
// New Tab Page. If the policy is set to Enabled, the New Tab Page will show
// the middle slot announcement if it is available. If the policy is set to
// Disabled, the New Tab Page will not show the middle slot announcement even
// if it is available.
//"NTPMiddleSlotAnnouncementVisible": true,

// Configure native messaging allowlist
//-------------------------------------------------------------------------
// Setting the policy specifies which native messaging hosts aren't subject to
// the deny list. A deny list value of * means all native messaging hosts are
// denied, unless they're explicitly allowed. All native messaging hosts are
// allowed by default.
// But, if all native messaging hosts are denied by
// policy, the admin can use the allow list to change that policy.
//"NativeMessagingAllowlist": ["com.native.messaging.host.name1", "com.native.messaging.host.name2"],

// Configure native messaging blocklist
//-------------------------------------------------------------------------
// Setting the policy specifies which native messaging hosts shouldn't be
// loaded. A deny list value of * means all native messaging hosts are denied,
// unless they're explicitly allowed. Leaving the policy unset means Google
// Chrome loads all installed native messaging hosts.
//"NativeMessagingBlocklist": ["com.native.messaging.host.name1", "com.native.messaging.host.name2"],

// Allow user-level Native Messaging hosts (installed without admin permissions)
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset means Google Chrome can
// use native messaging hosts installed at the user level. Setting the policy
// to Disabled means Google Chrome can only use these hosts if installed at
// the system level.
//"NativeMessagingUserLevelHosts": false,

// Enable network prediction
//-------------------------------------------------------------------------
// This policy controls network prediction in Google Chrome. It controls DNS
// prefetching, TCP, and SSL preconnection and prerendering of webpages. If
// you set the policy, users can't change it. Leaving it unset turns on
// network prediction, but the user can change it.
//"NetworkPredictionOptions": 1,

// Enable the network service sandbox
//-------------------------------------------------------------------------
// This policy controls whether or not the network service process runs
// sandboxed. If this policy is enabled, the network service process will run
// sandboxed. If this policy is disabled, the network service process will run
// unsandboxed.
// This leaves users open to additional security risks related to
// running the network service unsandboxed. If this policy is not set, the
// default configuration for the network sandbox will be used. This may vary
// depending on Google Chrome release, currently running field trials, and
// platform. This policy is intended to give enterprises flexibility to
// disable the network sandbox if they use third party software that
// interferes with the network service sandbox.
//"NetworkServiceSandboxEnabled": true,

// Configure the New Tab page URL
//-------------------------------------------------------------------------
// Setting the policy configures the default New Tab page URL and prevents
// users from changing it. The New Tab page opens with new tabs and windows.
// This policy doesn't decide which pages open on start up. Those are
// controlled by the RestoreOnStartup policies. This policy does affect the
// homepage, if that's set to open the New Tab page, as well as the startup
// page if it's set to open the New Tab page. It is a best practice to
// provide a fully canonicalized URL; if the URL is not fully canonicalized,
// Google Chrome will default to https://. Leaving the policy unset or empty
// puts the default New Tab page in use. On Microsoft® Windows®, this policy
// is only available on instances that are joined to a Microsoft® Active
// Directory® domain, joined to Microsoft® Azure® Active Directory® or
// enrolled in Chrome Browser Cloud Management. On macOS, this policy is only
// available on instances that are managed via MDM, joined to a domain via MCX
// or enrolled in Chrome Browser Cloud Management.
//"NewTabPageLocation": "https://www.chromium.org",

// Allow notifications on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that specify the
// sites that can display notifications.
// Leaving the policy unset means
// DefaultNotificationsSetting applies for all sites, if it's set. If not, the
// user's personal setting applies. For detailed information on valid url
// patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed.
//"NotificationsAllowedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block notifications on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that specify the
// sites that can't display notifications. Leaving the policy unset means
// DefaultNotificationsSetting applies for all sites, if it's set. If not, the
// user's personal setting applies. For detailed information on valid url
// patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed.
//"NotificationsBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Enable NTLMv2 authentication.
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset turns NTLMv2 on. Setting
// the policy to Disabled turns NTLMv2 off. All recent versions of Samba and
// Microsoft® Windows® servers support NTLMv2. This should only be turned off
// for backward compatibility as it reduces the security of authentication.
//"NtlmV2Enabled": true,

// Out-of-process print drivers allowed
//-------------------------------------------------------------------------
// Controls if Google Chrome interacts with printer drivers from a separate
// service process. Platform printing calls to query available printers, get
// print driver settings, and submit documents for printing to local printers
// are made from a service process. Moving such calls out of the browser
// process helps improve stability and reduce frozen UI behavior in Print
// Preview.
// When this policy is set to Enabled or not set, Google Chrome will
// use a separate service process for platform printing tasks. When this
// policy is set to Disabled, Google Chrome will use the browser process for
// platform printing tasks. This policy will be removed in the future, after
// the out-of-process print drivers feature has fully rolled out.
//"OopPrintDriversAllowed": true,

// Allows origin-keyed agent clustering by default.
//-------------------------------------------------------------------------
// This policy allows origin-keyed agent clustering by default. The
// Origin-Agent-Cluster HTTP header controls whether a document is isolated
// in an origin-keyed agent cluster, or in a site-keyed agent cluster. This
// has security implications since an origin-keyed agent cluster allows
// isolating documents by origin. The developer-visible consequence of this
// is that the document.domain accessor can no longer be set. The default
// behaviour - when no Origin-Agent-Cluster header has been set - changes in
// M111 from site-keyed to origin-keyed. If this policy is enabled or not
// set, the browser will follow this new default from that version on. If
// this policy is disabled this change is reversed and documents without
// Origin-Agent-Cluster headers will be assigned to site-keyed agent
// clusters. As a consequence, the document.domain accessor remains settable
// by default. This matches the legacy behaviour. See
// https://developer.chrome.com/blog/immutable-document-domain/ for additional
// details.
//"OriginAgentClusterDefaultEnabled": false,

// Enable system DNS resolution outside of the network service
//-------------------------------------------------------------------------
// Setting this policy to true causes system DNS resolution (getaddrinfo()) to
// possibly run outside of the network process, depending on system
// configuration and feature flags.
// Setting this policy to false causes
// system DNS resolution (getaddrinfo()) to run in the network process rather
// than the browser process. This may force the network service sandbox to be
// disabled, degrading the security of Google Chrome. If this policy is not
// set, system DNS resolution may run in the network service, outside of the
// network service, or partially inside and partially outside, depending on
// system configuration and feature flags.
//"OutOfProcessSystemDnsResolutionEnabled": false,

// Origins or hostname patterns for which restrictions on insecure origins should not apply
//-------------------------------------------------------------------------
// Setting the policy specifies a list of origins (URLs) or hostname patterns
// (such as *.example.com) for which security restrictions on insecure origins
// won't apply. Organizations can specify origins for legacy applications that
// can't deploy TLS or set up a staging server for internal web development,
// so developers can test out features requiring secure contexts without
// having to deploy TLS on the staging server. This policy also prevents the
// origin from being labeled "Not Secure" in the address bar. Setting a list
// of URLs in this policy amounts to setting the command-line flag
// --unsafely-treat-insecure-origin-as-secure to a comma-separated list of the
// same URLs. The policy overrides the command-line flag and
// UnsafelyTreatInsecureOriginAsSecure, if present. For more information on
// secure contexts, see Secure Contexts
// ( https://www.w3.org/TR/secure-contexts ).
//"OverrideSecurityRestrictionsOnInsecureOrigin": ["http://testserver.example.com/", "*.example.org"],

// Enable dismissing compromised password alerts for entered credentials
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset gives the user the option
// to dismiss/restore compromised password alerts.
// If you disable this
// setting, users will not be able to dismiss alerts about compromised
// passwords. If enabled, users will be able to dismiss alerts about
// compromised passwords.
//"PasswordDismissCompromisedAlertEnabled": true,

// Enable leak detection for entered credentials
//-------------------------------------------------------------------------
// Setting the policy to Enabled lets users have Google Chrome check whether
// usernames and passwords entered were part of a leak. If the policy is set,
// users can't change it in Google Chrome. If not set, credential leak
// checking is allowed, but the user can turn it off. This behavior will not
// trigger if Safe Browsing is disabled (either by policy or by the user). In
// order to force Safe Browsing on, use the SafeBrowsingEnabled policy or the
// SafeBrowsingProtectionLevel policy.
//"PasswordLeakDetectionEnabled": true,

// Enable saving passwords to the password manager
//-------------------------------------------------------------------------
// This policy controls the browser's ability to automatically remember
// passwords on websites and save them in the built-in password manager. It
// does not limit access or change the contents of passwords saved in the
// password manager and possibly synchronized to the Google account profile
// and Android. Setting the policy to Enabled means users have Google Chrome
// remember passwords and provide them the next time they sign in to a site.
// Setting the policy to Disabled means users can't save new passwords, but
// previously saved passwords will still work. If the policy is set, users
// can't change it in Google Chrome. If not set, the user can turn off
// password saving.
//"PasswordManagerEnabled": false,

// Configure the change password URL.
//-------------------------------------------------------------------------
// Setting the policy sets the URL for users to change their password after
// seeing a warning in the browser.
// The password protection service sends
// users to the URL (HTTP and HTTPS protocols only) you designate through this
// policy. For Google Chrome to correctly capture the salted hash of the new
// password on this change password page, make sure your change password page
// follows these guidelines (
// https://www.chromium.org/developers/design-documents/create-amazing-password-forms
// ). Turning the policy off or leaving it unset means the service sends
// users to https://myaccount.google.com to change their password. On
// Microsoft® Windows®, this policy is only available on instances that are
// joined to a Microsoft® Active Directory® domain, joined to Microsoft®
// Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
// On macOS, this policy is only available on instances that are managed via
// MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud
// Management.
//"PasswordProtectionChangePasswordURL": "https://mydomain.com/change_password.html",

// Configure the list of enterprise login URLs where password protection service should capture salted hashes of passwords.
//-------------------------------------------------------------------------
// Setting the policy sets the list of enterprise login URLs (HTTP and HTTPS
// protocols only). Password protection service will capture salted hashes of
// passwords on these URLs and use them for password reuse detection. For
// Google Chrome to correctly capture password salted hashes, ensure your
// sign-in pages follow these guidelines (
// https://www.chromium.org/developers/design-documents/create-amazing-password-forms
// ). Turning this setting off or leaving it unset means the
// password protection service only captures the password salted hashes on
// https://accounts.google.com.
// On Microsoft® Windows®, this policy is only
// available on instances that are joined to a Microsoft® Active Directory®
// domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome
// Browser Cloud Management. On macOS, this policy is only available on
// instances that are managed via MDM, joined to a domain via MCX or enrolled
// in Chrome Browser Cloud Management.
//"PasswordProtectionLoginURLs": ["https://mydomain.com/login.html", "https://login.mydomain.com"],

// Password protection warning trigger
//-------------------------------------------------------------------------
// Setting the policy lets you control the triggering of password protection
// warning. Password protection alerts users when they reuse their protected
// password on potentially suspicious sites. Use PasswordProtectionLoginURLs
// and PasswordProtectionChangePasswordURL to set which password to protect.
// If this policy is set to:
// * PasswordProtectionWarningOff, no password protection warning will be
//   shown.
// * PasswordProtectionWarningOnPasswordReuse, password protection warning
//   will be shown when the user reuses their protected password on a
//   non-allowed site.
// * PasswordProtectionWarningOnPhishingReuse, password protection warning
//   will be shown when the user reuses their protected password on a
//   phishing site.
// Leaving the policy unset has the password protection
// service only protect Google passwords, but users can change this setting.
//"PasswordProtectionWarningTrigger": 1,

// Enable sharing user credentials with other users
//-------------------------------------------------------------------------
// Setting the policy to Enabled lets users send to and receive from family
// members (according to Family Service) their passwords. When the policy is
// Enabled or not set, there is a button in the Password Manager allowing to
// send a password. The received passwords are stored into user's account and
// are available in the Password Manager.
// Setting the policy to Disabled
// means users can't send passwords from Password Manager to other users, and
// can't receive passwords from other users. The feature is not available if
// synchronization of Passwords is turned off (either via user settings or
// SyncDisabled policy is Enabled). Managed accounts aren't eligible to join
// or create a family group and therefore cannot share passwords.
//"PasswordSharingEnabled": true,

// Allow websites to query for available payment methods.
//-------------------------------------------------------------------------
// Allows you to set whether websites are allowed to check if the user has
// payment methods saved. If this policy is set to disabled, websites that
// use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument
// API will be informed that no payment methods are available. If the setting
// is enabled or not set then websites are allowed to check if the user has
// payment methods saved.
//"PaymentMethodQueryEnabled": true,

// Allow local file access to file:// URLs on these sites in the PDF Viewer
//-------------------------------------------------------------------------
// Setting this policy allows the domains listed to access file:// URLs in the
// PDF Viewer. Adding to the policy allows the domain to access file:// URLs
// in the PDF Viewer. Removing from the policy disallows the domain from
// accessing file:// URLs in the PDF Viewer. Leaving the policy unset
// disallows all domains from accessing file:// URLs in the PDF Viewer.
//"PdfLocalFileAccessAllowedForDomains": ["example.com", "google.com"],

// Use Skia renderer for PDF rendering
//-------------------------------------------------------------------------
// Controls whether the PDF viewer in Google Chrome uses Skia renderer. When
// this policy is enabled, the PDF viewer uses Skia renderer. When this
// policy is disabled, the PDF viewer uses its current AGG renderer.
// When
// this policy is not set, the PDF renderer will be chosen by the browser.
//"PdfUseSkiaRendererEnabled": true,

// Use out-of-process iframe PDF Viewer
//-------------------------------------------------------------------------
// Controls whether the PDF viewer in Google Chrome uses an out-of-process
// iframe (OOPIF). This will be the new PDF viewer architecture in the future,
// as it is simpler and makes adding new features easier. The existing
// GuestView PDF viewer is an outdated, complex architecture that is being
// deprecated. When this policy is set to Enabled or not set, Google Chrome
// will be able to use the OOPIF PDF viewer architecture. Once Enabled or not
// set, the default behavior will be decided by Google Chrome. When this
// policy is set to Disabled, Google Chrome will strictly use the existing
// GuestView PDF viewer. It embeds a web page with a separate frame tree into
// another web page. This policy will be removed in the future, after the
// OOPIF PDF viewer feature has fully rolled out.
//"PdfViewerOutOfProcessIframeEnabled": true,

// Enables the concept of policy atomic groups
//-------------------------------------------------------------------------
// Setting the policy to Enabled means policies coming from an atomic group
// that don't share the source with the highest priority from that group get
// ignored. Setting the policy to Disabled means no policy is ignored because
// of its source. Policies are ignored only if there's a conflict, and the
// policy doesn't have the highest priority. If this policy is set from a
// cloud source, it can't target a specific user.
//"PolicyAtomicGroupsEnabled": true,

// Allow merging dictionary policies from different sources
//-------------------------------------------------------------------------
// Setting the policy allows merging of selected policies when they come from
// different sources, with the same scopes and level.
// This merging is in the
// first level keys of the dictionary from each source. The key coming from
// the highest priority source takes precedence. Use the wildcard character
// '*' to allow merging of all supported dictionary policies. If a policy is
// in the list and there's conflict between sources with:
// * The same scopes and level: The values merge into a new policy
//   dictionary.
// * Different scopes or level: The policy with the highest priority applies.
// If a policy
// isn't in the list and there's conflict between sources, scopes, or level,
// the policy with the highest priority applies.
//"PolicyDictionaryMultipleSourceMergeList": ["ExtensionSettings"],

// Allow merging list policies from different sources
//-------------------------------------------------------------------------
// Setting the policy allows merging of selected policies when they come from
// different sources, with the same scopes and level. Use the wildcard
// character '*' to allow merging of all list policies. If a policy is in the
// list and there's conflict between sources with:
// * The same scopes and level: The values merge into a new policy list.
// * Different scopes or level: The policy with the highest priority applies.
// If a policy isn't in
// the list and there's conflict between sources, scopes, or level, the policy
// with the highest priority applies.
//"PolicyListMultipleSourceMergeList": ["ExtensionInstallAllowlist", "ExtensionInstallBlocklist"],

// Refresh rate for user policy
//-------------------------------------------------------------------------
// Setting the policy specifies the period in milliseconds at which the device
// management service is queried for user policy information. Valid values
// range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside
// this range will be clamped to the respective boundary. Leaving the policy
// unset uses the default value of 3 hours.
// Note: Policy notifications force
// a refresh when the policy changes, making frequent refreshes unnecessary.
// So, if the platform supports these notifications, the refresh delay is 24
// hours (ignoring defaults and the value of this policy).
//"PolicyRefreshRate": 3600000,

// Allow pop-ups on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that specify the
// sites that can open pop-ups. Leaving the policy unset means
// DefaultPopupsSetting applies for all sites, if it's set. If not, the user's
// personal setting applies. For detailed information on valid url patterns,
// please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed.
//"PopupsAllowedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block pop-ups on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that specify the
// sites that can't open pop-ups. Leaving the policy unset means
// DefaultPopupsSetting applies for all sites, if it's set. If not, the user's
// personal setting applies. For detailed information on valid url patterns,
// please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed.
//"PopupsBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Enable post-quantum key agreement for TLS
//-------------------------------------------------------------------------
// This policy configures whether Google Chrome will offer Kyber, a
// post-quantum key agreement algorithm, in TLS. This allows supporting
// servers to protect user traffic from being later decrypted by quantum
// computers. If this policy is Enabled, Google Chrome will offer Kyber in
// TLS connections.
// TLS connections will be protected with Kyber key agreement when
// communicating with compatible servers that select Kyber during the TLS
// handshake. If this policy is Disabled, Google Chrome will not offer Kyber
// in TLS connections. User traffic will then be unprotected from quantum
// computers. If this policy is not set, Google Chrome will follow the
// default rollout process for offering Kyber. Offering Kyber is
// backwards-compatible. Existing TLS servers and networking middleware are
// expected to ignore the new option and continue selecting previous options.
// However, devices that do not correctly implement TLS may malfunction when
// offered the new option. For example, they may disconnect in response to
// unrecognized options or the resulting larger messages. Such devices are not
// post-quantum-ready and will interfere with an enterprise's post-quantum
// transition. If encountered, administrators should contact the vendor for a
// fix. This policy is a temporary measure and will be removed in future
// versions of Google Chrome. It may be Enabled to allow you to test for
// issues, and may be Disabled while issues are being resolved.
//"PostQuantumKeyAgreementEnabled": true,

// Manage the deprecated prefixed video fullscreen API's availability
//-------------------------------------------------------------------------
// Setting the policy to enabled will allow the prefixed video-specific
// fullscreen APIs (e.g. Video.webkitEnterFullscreen()) to be used from
// JavaScript. Setting the policy to disabled will prevent the prefixed
// video-specific fullscreen APIs from being used in JavaScript, leaving only
// the standard fullscreen APIs (e.g. Element.requestFullscreen()). Setting
// the policy to runtime-enabled will allow the PrefixedFullscreenVideo
// runtime enabled feature flag to determine whether the prefixed
// video-specific fullscreen APIs are available to websites.
// If the policy is
// unset, the behavior defaults to runtime-enabled. Note: this policy is a
// temporary solution to help transition away from webkit-prefixed fullscreen
// APIs. It will tentatively be removed in M130, or in the few following
// releases.
//"PrefixedVideoFullscreenApiAvailability": "disabled",

// Print Headers and Footers
//-------------------------------------------------------------------------
// Setting the policy to Enabled turns headers and footers on in print
// preview. Setting the policy to Disabled turns them off in print preview.
// If you set the policy, users can't change it. If unset, users decide
// whether headers and footers appear.
//"PrintHeaderFooter": false,

// Print PDF as Image Default
//-------------------------------------------------------------------------
// Controls if Google Chrome makes the Print as image option default to set
// when printing PDFs. When this policy is set to Enabled, Google Chrome will
// default to setting the Print as image option in the Print Preview when
// printing a PDF. When this policy is set to Disabled or not set, the user
// selection for the Print as image option will be initially unset. The user
// will be allowed to select it for each individual PDF print job, if the
// option is available. For Microsoft® Windows® or macOS
// this policy only has an effect if PrintPdfAsImageAvailability is also
// enabled.
//"PrintPdfAsImageDefault": true,

// Use System Default Printer as Default
//-------------------------------------------------------------------------
// Setting the policy to Enabled means Google Chrome uses the OS default
// printer as the default destination for print preview. Setting the policy
// to Disabled or leaving it unset means Google Chrome uses the most recently
// used printer as the default destination for print preview.
//"PrintPreviewUseSystemDefaultPrinter": false,

// Print Rasterize PDF DPI
//-------------------------------------------------------------------------
// Controls print image resolution when Google Chrome prints PDFs with
// rasterization. When printing a PDF using the Print to image option, it can
// be beneficial to specify a print resolution other than a device's printer
// setting or the PDF default. A high resolution will significantly increase
// the processing and printing time while a low resolution can lead to poor
// imaging quality. This policy allows a particular resolution to be
// specified for use when rasterizing PDFs for printing. If this policy is
// set to zero or not set at all then the system default resolution will be
// used during rasterization of page images.
//"PrintRasterizePdfDpi": 300,

// Disable printer types on the deny list
//-------------------------------------------------------------------------
// The printers of types placed on the deny list will be disabled from being
// discovered or having their capabilities fetched. Placing all printer types
// on the deny list effectively disables printing, as there would be no
// available destinations to send a document for printing. In versions before
// 102, including cloud on the deny list has the same effect as setting the
// CloudPrintSubmitEnabled policy to false. In order to keep Google Cloud
// Print destinations discoverable, the CloudPrintSubmitEnabled policy must be
// set to true and cloud must not be on the deny list. Beginning in version
// 102, Google Cloud Print destinations are not supported and will not appear
// regardless of policy values. If the policy is not set, or is set to an
// empty list, all printer types will be available for discovery. Extension
// printers are also known as print provider destinations, and include any
// destination that belongs to a Google Chrome extension.
// Local printers are
// also known as native printing destinations, and include destinations
// available to the local machine and shared network printers.
//"PrinterTypeDenyList": ["local", "pdf"],

// Restrict background graphics printing mode
//-------------------------------------------------------------------------
// Restricts background graphics printing mode. Unset policy is treated as no
// restriction.
//"PrintingAllowedBackgroundGraphicsModes": "enabled",

// Default background graphics printing mode
//-------------------------------------------------------------------------
// Overrides default background graphics printing mode.
//"PrintingBackgroundGraphicsDefault": "enabled",

// Enable printing
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset lets users print in
// Google Chrome, and users can't change this setting. Setting the policy to
// Disabled means users can't print from Google Chrome. Printing is off in the
// three dots menu, extensions, and JavaScript applications.
//"PrintingEnabled": true,

// Default printing page size
//-------------------------------------------------------------------------
// Overrides default printing page size. name should contain one of the
// listed formats or 'custom' if required paper size is not in the list. If
// 'custom' value is provided custom_size property should be specified. It
// describes the desired height and width in micrometers. Otherwise
// custom_size property shouldn't be specified. Policy that violates these
// rules is ignored. If the page size is unavailable on the printer chosen by
// the user this policy is ignored. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=PrintingPaperSizeDefault
// for more information about schema and formatting.
//"PrintingPaperSizeDefault": {"custom_size": {"height": 297000, "width": 210000}, "name": "custom"},

// Choose whether the Privacy Sandbox ad measurement setting can be disabled
//-------------------------------------------------------------------------
// A policy to control whether the Privacy Sandbox Ad measurement setting can
// be disabled for your users. If you set this policy to Disabled, then the
// Ad measurement setting will be turned off for your users. If you set this
// policy to Enabled or keep it unset, your users will be able to turn on or
// off the Privacy Sandbox Ad measurement setting on their device. Setting
// this policy requires setting the PrivacySandboxPromptEnabled policy to
// Disabled.
//"PrivacySandboxAdMeasurementEnabled": false,

// Choose whether the Privacy Sandbox Ad topics setting can be disabled
//-------------------------------------------------------------------------
// A policy to control whether the Privacy Sandbox Ad topics setting can be
// disabled for your users. If you set this policy to Disabled, then the Ad
// topics setting will be turned off for your users. If you set this policy to
// Enabled or keep it unset, your users will be able to turn on or off the
// Privacy Sandbox Ad topics setting on their device. Setting this policy
// requires setting the PrivacySandboxPromptEnabled policy to Disabled.
//"PrivacySandboxAdTopicsEnabled": false,

// Choose whether the Privacy Sandbox prompt can be shown to your users
//-------------------------------------------------------------------------
// A policy to control whether your users see the Privacy Sandbox prompt. The
// prompt is a user-blocking flow which informs your users of the Privacy
// Sandbox settings. See https://privacysandbox.com for details about Chrome’s
// effort to deprecate third-party cookies. If you set this policy to
// Disabled, then Google Chrome won’t show the Privacy Sandbox prompt.
// If you set this policy to Enabled or keep it unset, then Google Chrome
// determines whether the Privacy Sandbox prompt can be shown or not and then
// shows it if possible. If any of the following policies are set, it’s
// required to set this policy to Disabled:
//   * PrivacySandboxAdTopicsEnabled
//   * PrivacySandboxSiteEnabledAdsEnabled
//   * PrivacySandboxAdMeasurementEnabled
//"PrivacySandboxPromptEnabled": false,

// Choose whether the Privacy Sandbox Site-suggested ads setting can be disabled
//-------------------------------------------------------------------------
// A policy to control whether the Privacy Sandbox Site-suggested ads setting
// can be disabled for your users. If you set this policy to Disabled, then
// the Site-suggested ads setting will be turned off for your users. If you
// set this policy to Enabled or keep it unset, your users will be able to
// turn on or off the Privacy Sandbox Site-suggested ads setting on their
// device. Setting this policy requires setting the
// PrivacySandboxPromptEnabled policy to Disabled.
//"PrivacySandboxSiteEnabledAdsEnabled": false,

// Specifies whether to apply restrictions to requests to more-private network endpoints
//-------------------------------------------------------------------------
// When this policy is set to Enabled, any time when a warning is supposed to
// be displayed in the DevTools due to Private Network Access checks failing,
// the main request will be blocked instead. When this policy is set to
// Disabled or unset, all Private Network Access warnings will not be enforced
// and the requests will not be blocked. See
// https://wicg.github.io/private-network-access/ for Private Network Access
// restrictions.
//"PrivateNetworkAccessRestrictionsEnabled": true,

// Profile picker availability on startup
//-------------------------------------------------------------------------
// Specifies whether the profile picker is enabled, disabled or forced at the
// browser startup.
// By default the profile picker is not shown if the browser
// starts in guest or incognito mode, a profile directory and/or urls are
// specified by command line, an app is explicitly requested to open, the
// browser was launched by a native notification, there is only one profile
// available or the policy ForceBrowserSignin is set to true. If 'Enabled'
// (0) is selected or the policy is left unset, the profile picker will be
// shown at startup by default, but users will be able to enable/disable it.
// If 'Disabled' (1) is selected, the profile picker will never be shown, and
// users will not be able to change the setting. If 'Forced' (2) is selected,
// the profile picker cannot be suppressed by the user. The profile picker
// will be shown even if there is only one profile available.
//"ProfilePickerOnStartupAvailability": 0,

// Prompt users to re-authenticate to the profile
//-------------------------------------------------------------------------
// When set to DoNotPrompt or left unset, Google Chrome does not automatically
// prompt the user to re-authenticate to the browser. When set to
// PromptInTab, when the user's authentication expires, immediately open a new
// tab with the Google login page. This only happens if using Chrome Sync.
//"ProfileReauthPrompt": 1,

// Enterprise profile separation secondary domain allowlist
//-------------------------------------------------------------------------
// If this policy is unset, account logins will not be required to create a
// new separate profile. If this policy is set, account logins from the
// listed domains will not be required to create a new separate profile. This
// policy can be set to an empty string so that all account logins are
// required to create a new separate profile.
//"ProfileSeparationDomainExceptionList": ["domain.com", "otherdomain.com"],

// Enable showing full-tab promotional content
//-------------------------------------------------------------------------
// Setting the policy to True or leaving it unset lets Google Chrome show
// users product information as full-tab content. Setting the policy to False
// prevents Google Chrome from showing product information as full-tab
// content. Setting the policy controls the presentation of the welcome pages
// that help users sign in to Google Chrome, set Google Chrome as users'
// default browser, or otherwise inform them of product features.
//"PromotionalTabsEnabled": false,

// Ask where to save each file before downloading
//-------------------------------------------------------------------------
// Setting the policy to Enabled means users are asked where to save each file
// before downloading. Setting the policy to Disabled has downloads start
// immediately, and users aren't asked where to save the file. Leaving the
// policy unset lets users change this setting.
//"PromptForDownloadLocation": false,

// Prompt when multiple certificates match
//-------------------------------------------------------------------------
// This policy controls whether the user is prompted to select a client
// certificate when more than one certificate matches
// AutoSelectCertificateForUrls. If this policy is set to Enabled, the user is
// prompted to select a client certificate whenever the auto-selection policy
// matches multiple certificates. If this policy is set to Disabled or not
// set, the user may only be prompted when no certificate matches the
// auto-selection.
//"PromptOnMultipleMatchingCertificates": true,

// Proxy settings
//-------------------------------------------------------------------------
// Setting the policy configures the proxy settings for Chrome and ARC-apps,
// which ignore all proxy-related options specified from the command line.
// Leaving the policy unset lets users choose their proxy settings. Setting
// the ProxySettings policy accepts the following fields:
//   * ProxyMode, which lets you specify the proxy server Chrome uses and
//     prevents users from changing proxy settings
//   * ProxyPacUrl, a URL to a proxy .pac file
//   * ProxyPacMandatory, which prevents the network stack from falling back
//     to direct connections with invalid or unavailable PAC script
//   * ProxyServer, a URL of the proxy server
//   * ProxyBypassList, a list of hosts for which the proxy will be bypassed
// The ProxyServerMode field is deprecated in favor of the ProxyMode field.
// For ProxyMode, if you choose the value:
//   * direct, a proxy is never used and all other fields are ignored.
//   * system, the system's proxy is used and all other fields are ignored.
//   * auto_detect, all other fields are ignored.
//   * fixed_servers, the ProxyServer and ProxyBypassList fields are used.
//   * pac_script, the ProxyPacUrl, ProxyPacMandatory and ProxyBypassList
//     fields are used.
// Note: For more detailed examples, visit The Chromium Projects (
// https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett
// ). See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ProxySettings
// for more information about schema and formatting.
//"ProxySettings": {"ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/", "ProxyMode": "fixed_servers", "ProxyServer": "123.123.123.123:8080"},

// Allow QUIC protocol
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset allows the use of QUIC
// protocol in Google Chrome. Setting the policy to Disabled disallows the
// use of QUIC protocol.
//"QuicAllowed": true,

// Note: this policy is supported only in recommended mode.
// The JSON file should be placed in /etc/opt/chrome/policies/recommended.
// Register protocol handlers
//-------------------------------------------------------------------------
// Setting the policy (as recommended only) lets you register a list of
// protocol handlers, which merge with the ones that the user registers,
// putting both sets in use. Set the property "protocol" to the scheme, such
// as "mailto", and set the property "URL" to the URL pattern of the
// application that handles the scheme specified in the "protocol" field. The
// pattern can include a "%s" placeholder, which the handled URL replaces.
// Users can't remove a protocol handler registered by policy. However, by
// installing a new default handler, they can change the protocol handlers
// installed by policy. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=RegisteredProtocolHandlers
// for more information about schema and formatting.
//"RegisteredProtocolHandlers": [{"default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s"}],

// Enable Related Website Sets
//-------------------------------------------------------------------------
// This policy controls whether the Related Website Sets feature is enabled.
// This policy overrides the FirstPartySetsEnabled policy. When this policy
// is unset or set to True, the Related Website Sets feature is enabled. When
// this policy is set to False, the Related Website Sets feature is disabled.
//"RelatedWebsiteSetsEnabled": false,

// Override Related Website Sets.
//-------------------------------------------------------------------------
// This policy provides a way to override the list of sets the browser uses
// for Related Website Sets features. This policy overrides the
// FirstPartySetsOverrides policy. Each set in the browser's list of Related
// Website Sets must meet the requirements of a Related Website Set. A Related
// Website Set must contain a primary site and one or more member sites.
// A set can also contain a list of service sites that it owns, as well as a
// map from a site to all of its ccTLD variants. See
// https://github.com/WICG/first-party-sets for more information on how Google
// Chrome uses Related Website Sets. All sites in a Related Website Set must
// be a registrable domain served over HTTPS. Each site in a Related Website
// Set must also be unique, meaning a site cannot be listed more than once in
// a Related Website Set. When this policy is given an empty dictionary, the
// browser uses the public list of Related Website Sets. For all sites in a
// Related Website Set from the replacements list, if a site is also present
// on a Related Website Set in the browser's list, then that site will be
// removed from the browser's Related Website Set. After this, the policy's
// Related Website Set will be added to the browser's list of Related Website
// Sets. For all sites in a Related Website Set from the additions list, if a
// site is also present on a Related Website Set in the browser's list, then
// the browser's Related Website Set will be updated so that the new Related
// Website Set can be added to the browser's list. After the browser's list
// has been updated, the policy's Related Website Set will be added to the
// browser's list of Related Website Sets. The browser's list of Related
// Website Sets requires that for all sites in its list, no site is in more
// than one set. This is also required for both the replacements list and the
// additions list. Similarly, a site cannot be in both the replacements list
// and the additions list. Wildcards (*) are not supported as a policy value,
// nor within any Related Website Set in these lists. All sets provided by
// the policy must be valid Related Website Sets; if they aren't, an
// appropriate error will be output.
// On Microsoft® Windows®, this policy is only available on instances that are
// joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure®
// Active Directory® or enrolled in Chrome Browser Cloud Management. On macOS,
// this policy is only available on instances that are managed via MDM, joined
// to a domain via MCX or enrolled in Chrome Browser Cloud Management. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=RelatedWebsiteSetsOverrides
// for more information about schema and formatting.
//"RelatedWebsiteSetsOverrides": {"additions": [{"associatedSites": ["https://associate2.test"], "ccTLDs": {"https://associate2.test": ["https://associate2.com"]}, "primary": "https://primary2.test", "serviceSites": ["https://associate2-content.test"]}], "replacements": [{"associatedSites": ["https://associate1.test"], "ccTLDs": {"https://associate1.test": ["https://associate1.co.uk"]}, "primary": "https://primary1.test", "serviceSites": ["https://associate1-content.test"]}]},

// Notify a user that a browser relaunch or device restart is recommended or required
//-------------------------------------------------------------------------
// Notify users that Google Chrome must be relaunched or Google ChromeOS must
// be restarted to apply a pending update. This policy setting enables
// notifications to inform the user that a browser relaunch or device restart
// is recommended or required. If not set, Google Chrome indicates to the user
// that a relaunch is needed via subtle changes to its menu, while Google
// ChromeOS indicates such via a notification in the system tray. If set to
// 'Recommended', a recurring warning will be shown to the user that a
// relaunch is recommended. The user can dismiss this warning to defer the
// relaunch. If set to 'Required', a recurring warning will be shown to the
// user indicating that a browser relaunch will be forced once the
// notification period passes.
// The default period is seven days for Google
// Chrome and four days for Google ChromeOS, and may be configured via the
// RelaunchNotificationPeriod policy setting. The user's session is restored
// following the relaunch/restart.
//"RelaunchNotification": 1,

// Set the time period for update notifications
//-------------------------------------------------------------------------
// Allows you to set the time period, in milliseconds, over which users are
// notified that Google Chrome must be relaunched or that a Google ChromeOS
// device must be restarted to apply a pending update. Over this time period,
// the user will be repeatedly informed of the need for an update. For Google
// ChromeOS devices, a restart notification appears in the system tray
// according to the RelaunchHeadsUpPeriod policy. For Google Chrome browsers,
// the app menu changes to indicate that a relaunch is needed once one third
// of the notification period passes. This notification changes color once two
// thirds of the notification period passes, and again once the full
// notification period has passed. The additional notifications enabled by the
// RelaunchNotification policy follow this same schedule. If not set, the
// default period of 604800000 milliseconds (one week) is used.
//"RelaunchNotificationPeriod": 604800000,

// Set the time interval for relaunch
//-------------------------------------------------------------------------
// Specify a target time window for the end of the relaunch notification
// period. Users are notified of the need for a browser relaunch or device
// restart based on the RelaunchNotification and RelaunchNotificationPeriod
// policy settings. Browsers and devices are forcibly restarted at the end of
// the notification period when the RelaunchNotification policy is set to
// 'Required'. This RelaunchWindow policy can be used to defer the end of the
// notification period so that it falls within a specific time window.
// If this policy is not set, the default target time window for Google
// ChromeOS is between 2 AM and 4 AM. The default target time window for
// Google Chrome is the whole day (i.e., the end of the notification period is
// never deferred). Note: Though the policy can accept multiple items in
// entries, all but the first item are ignored. Warning: Setting this policy
// may delay application of software updates. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=RelaunchWindow
// for more information about schema and formatting.
//"RelaunchWindow": {"entries": [{"duration_mins": 240, "start": {"hour": 2, "minute": 15}}]},

// Enable or disable PIN-less authentication for remote access hosts
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset lets users pair clients
// and hosts at connection time, eliminating the need to enter a PIN every
// time. Setting the policy to Disabled makes this feature unavailable.
//"RemoteAccessHostAllowClientPairing": false,

// Allow remote access users to transfer files to/from the host
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset allows users connected to
// a remote access host to transfer files between the client and the host.
// This doesn't apply to remote assistance connections, which don't support
// file transfer. Setting the policy to Disabled disallows file transfer.
//"RemoteAccessHostAllowFileTransfer": false,

// Allow PIN and pairing authentication methods for remote access hosts
//-------------------------------------------------------------------------
// Setting the policy to Enabled allows the remote access host to use PIN and
// pairing authentications when accepting client connections. Setting the
// policy to Disabled disallows PIN or pairing authentications.
// Leaving it unset lets the host decide whether PIN and/or pairing
// authentications can be used. Note: If the setting results in no mutually
// supported authentication methods by both the host and the client, then the
// connection will be rejected.
//"RemoteAccessHostAllowPinAuthentication": true,

// Enable the use of relay servers by the remote access host
//-------------------------------------------------------------------------
// If RemoteAccessHostFirewallTraversal is set to Enabled, setting
// RemoteAccessHostAllowRelayedConnection to Enabled or leaving it unset
// allows remote clients to use relay servers to connect to this
// machine when a direct connection is not available, for example, because of
// firewall restrictions. Setting the policy to Disabled doesn't turn remote
// access off, but only allows connections from the same network (not NAT
// traversal or relay).
//"RemoteAccessHostAllowRelayedConnection": false,

// Allow remote access connections to this machine
//-------------------------------------------------------------------------
// If this policy is Disabled, the remote access host service cannot be
// started or configured to accept incoming connections. This policy does not
// affect remote support scenarios. This policy has no effect if it is set to
// Enabled, left empty, or is not set.
//"RemoteAccessHostAllowRemoteAccessConnections": false,

// Allow remote support connections to this machine
//-------------------------------------------------------------------------
// If this policy is disabled, the remote support host cannot be started or
// configured to accept incoming connections. This policy does not affect
// remote access scenarios. This policy does not prevent enterprise admins
// from connecting to managed Google ChromeOS devices. This policy has no
// effect if enabled, left empty, or is not set.
//"RemoteAccessHostAllowRemoteSupportConnections": false,

// Allow remote access users to open host-side URLs in their local client browser
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset may allow users connected
// to a remote access host to open host-side URLs in their local client
// browser. Setting the policy to Disabled will prevent the remote access
// host from sending URLs to the client. This setting doesn't apply to remote
// assistance connections as the feature is not supported for that connection
// mode. Note: This feature is not yet generally available so enabling it
// does not mean that the feature will be visible in the client UI.
//"RemoteAccessHostAllowUrlForwarding": false,

// Configure the required domain names for remote access clients
//-------------------------------------------------------------------------
// Setting the policy specifies the client domain names that are imposed on
// remote access clients, and users can't change them. Only clients from one
// of the specified domains can connect to the host. Setting the policy to an
// empty list or leaving it unset applies the default policy for the
// connection type. For remote assistance, this allows clients from any domain
// to connect to the host. For anytime remote access, only the host owner can
// connect. See also RemoteAccessHostDomainList. Note: This setting
// overrides RemoteAccessHostClientDomain, if present.
//"RemoteAccessHostClientDomainList": ["my-awesome-domain.com", "my-auxiliary-domain.com"],

// The maximum size, in bytes, that can be transferred between client and host via clipboard synchronization
//-------------------------------------------------------------------------
// If this policy is set, clipboard data sent to and from the host will be
// truncated to the limit set by this policy. If a value of 0 is set, then
// clipboard sync is disabled.
// This policy affects both remote access and
// remote support scenarios. This policy has no effect if it is not set.
// Setting the policy to a value that is not within the min/max range may
// prevent the host from starting. Please note that the actual upper bound
// for the clipboard size is based on the maximum WebRTC data channel message
// size which this policy does not control.
//"RemoteAccessHostClipboardSizeBytes": 1048576,

// Configure the required domain names for remote access hosts
//-------------------------------------------------------------------------
// Setting the policy specifies the host domain names that are imposed on
// remote access hosts, and users can't change them. Hosts can be shared only
// using accounts registered on one of the specified domain names. Setting
// the policy to an empty list or leaving it unset means hosts can be shared
// using any account. See also RemoteAccessHostClientDomainList. Note: This
// setting will override RemoteAccessHostDomain, if present.
//"RemoteAccessHostDomainList": ["my-awesome-domain.com", "my-auxiliary-domain.com"],

// Enable firewall traversal from remote access host
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset allows the usage of STUN
// servers, letting remote clients discover and connect to this machine, even
// if separated by a firewall. Setting the policy to Disabled when outgoing
// UDP connections are filtered by the firewall means the machine only allows
// connections from client machines within the local network.
//"RemoteAccessHostFirewallTraversal": false,

// Require that the name of the local user and the remote access host owner match
//-------------------------------------------------------------------------
// Setting the policy to Enabled has the remote access host compare the name
// of the local user the host is associated with and the name of the Google
// Account registered as the host owner ("johndoe," if the host is owned by
// "johndoe@example.com"). This host won't start if the host owner's name
// differs from the name of the local user that the host is associated with.
// To enforce that the owner's Google Account is associated with a specific
// domain, use the policy with RemoteAccessHostDomain. Setting the policy to
// Disabled or leaving it unset means the remote access host can be associated
// with any local user.
//"RemoteAccessHostMatchUsername": false,

// Maximum session duration allowed for remote access connections
//-------------------------------------------------------------------------
// If this policy is set, remote access connections will automatically
// disconnect after the number of minutes defined in the policy have elapsed.
// This does not prevent the client from reconnecting after the maximum
// session duration has been reached. Setting the policy to a value that is
// not within the min/max range may prevent the host from starting. This
// policy does not affect remote support scenarios. This policy has no effect
// if it is not set. In this case, remote access connections will have no
// maximum duration on this machine.
//"RemoteAccessHostMaximumSessionDurationMinutes": 1200,

// Enable curtaining of remote access hosts
//-------------------------------------------------------------------------
// Setting the policy to Enabled turns off remote access hosts' physical input
// and output devices during a remote connection.
// Setting the policy to
// Disabled or leaving it unset lets both local and remote users interact with
// the host while it's shared.
//"RemoteAccessHostRequireCurtain": false,

// Restrict the UDP port range used by the remote access host
//-------------------------------------------------------------------------
// Setting the policy restricts the UDP port range used by the remote access
// host in this machine. Leaving the policy unset or set to an empty string
// means the remote access host can use any available port. Note: If
// RemoteAccessHostFirewallTraversal is Disabled, the remote access host will
// use UDP ports in the 12400-12409 range.
//"RemoteAccessHostUdpPortRange": "12400-12409",

// Allow remote debugging
//-------------------------------------------------------------------------
// Controls whether users may use remote debugging. If this policy is set to
// Enabled or not set, users may use remote debugging by specifying
// --remote-debugging-port and --remote-debugging-pipe command line switches.
// If this policy is set to Disabled, users are not allowed to use remote
// debugging.
//"RemoteDebuggingAllowed": true,

// Require online OCSP/CRL checks for local trust anchors
//-------------------------------------------------------------------------
// Setting the policy to True means Google Chrome always performs revocation
// checking for successfully validated server certificates signed by locally
// installed CA certificates. If Google Chrome can't get revocation status
// information, Google Chrome treats these certificates as revoked
// (hard-fail). Setting the policy to False or leaving it unset means Google
// Chrome uses existing online revocation-checking settings. On macOS, this
// policy has no effect if the ChromeRootStoreEnabled policy is set to False.
//"RequireOnlineRevocationChecksForLocalAnchors": false,

// Action on startup
//-------------------------------------------------------------------------
// Setting the policy lets you specify system behavior on startup. Turning
// this setting off amounts to leaving it unset as Google Chrome must have
// specified start up behavior. If you set the policy, users can't change it
// in Google Chrome. If not set, users can change it. Setting this policy to
// RestoreOnStartupIsLastSession or RestoreOnStartupIsLastSessionAndURLs turns
// off some settings that rely on sessions or that perform actions on exit,
// such as clearing browsing data on exit or session-only cookies. If this
// policy is set to RestoreOnStartupIsLastSessionAndURLs, the browser will
// restore the previous session and open a separate window to show URLs that
// are set from RestoreOnStartupURLs. Note that users can choose to keep those
// URLs open and they will also be restored in the future session. On
// Microsoft® Windows®, this policy is only available on instances that are
// joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure®
// Active Directory® or enrolled in Chrome Browser Cloud Management. On macOS,
// this policy is only available on instances that are managed via MDM, joined
// to a domain via MCX or enrolled in Chrome Browser Cloud Management.
//"RestoreOnStartup": 4,

// URLs to open on startup
//-------------------------------------------------------------------------
// If RestoreOnStartup is set to RestoreOnStartupIsURLs, then setting
// RestoreOnStartupURLs to a list of URLs specifies which URLs open. If not
// set, the New Tab page opens on start up. On Microsoft® Windows®, this
// policy is only available on instances that are joined to a Microsoft®
// Active Directory® domain, joined to Microsoft® Azure® Active Directory® or
// enrolled in Chrome Browser Cloud Management.
//"RestoreOnStartupURLs": ["https://example.com", "https://www.chromium.org"],

// Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome
//-------------------------------------------------------------------------
// Contains a regular expression which is used to determine which Google
// accounts can be set as browser primary accounts in Google Chrome (i.e. the
// account that is chosen during the Sync opt-in flow). An appropriate error
// is displayed if a user tries to set a browser primary account with a
// username that does not match this pattern. If this policy is left not set
// or blank, then the user can set any Google account as a browser primary
// account in Google Chrome.
//"RestrictSigninToPattern": ".*@example\\.com",

// Set the roaming profile directory
//-------------------------------------------------------------------------
// Configures the directory that Google Chrome will use for storing the
// roaming copy of the profiles. If you set this policy, Google Chrome will
// use the provided directory to store the roaming copy of the profiles if the
// RoamingProfileSupportEnabled policy has been enabled. If the
// RoamingProfileSupportEnabled policy is disabled or left unset the value
// stored in this policy is not used. See
// https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables
// for a list of variables that can be used. On non-Windows
// platforms, this policy must be set for roaming profiles to work. On
// Windows, if this policy is left unset, the default roaming profile path
// will be used.
//"RoamingProfileLocation": "${roaming_app_data}\\chrome-profile",

// Enable the creation of roaming copies for Google Chrome profile data
//-------------------------------------------------------------------------
// If you enable this setting, the settings stored in Google Chrome profiles
// like bookmarks, autofill data, passwords, etc.
// will also be written to a
// file stored in the Roaming user profile folder or a location specified by
// the Administrator through the RoamingProfileLocation policy. Enabling this
// policy disables cloud sync. If this policy is disabled or left not set
// only the regular local profiles will be used.
//"RoamingProfileSupportEnabled": true,

// Allow proceeding from the SSL warning page
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset lets users click through
// warning pages Google Chrome shows when users navigate to sites that have
// SSL errors. Setting the policy to Disabled prevents users from clicking
// through any warning pages.
//"SSLErrorOverrideAllowed": true,

// Allow proceeding from the SSL warning page on specific origins
//-------------------------------------------------------------------------
// If SSLErrorOverrideAllowed is Disabled, setting the policy lets you set a
// list of origin patterns that specify the sites where a user can click
// through warning pages Google Chrome shows when users navigate to sites that
// have SSL errors. Users will not be able to click through SSL warning pages
// on origins that are not on this list. If SSLErrorOverrideAllowed is
// Enabled or unset, this policy does nothing. Leaving the policy unset means
// SSLErrorOverrideAllowed applies for all sites. For detailed information on
// valid input patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// * is not an accepted value for this
// policy. This policy only matches based on origin, so any path in the URL
// pattern is ignored.
//"SSLErrorOverrideAllowedForOrigins": ["https://www.example.com", "[*.]example.edu"],

// Configure the list of domains on which Safe Browsing will not trigger warnings.
//-------------------------------------------------------------------------
// Setting the policy to Enabled means Safe Browsing will trust the domains
// you designate. It won't check them for dangerous resources such as
// phishing, malware, or unwanted software. Safe Browsing's download
// protection service won't check downloads hosted on these domains. Its
// password protection service won't check for password reuse. Leaving the
// policy unset means default Safe Browsing protection applies to all
// resources. This policy does not support regular expressions; however,
// subdomains of a given domain are allowlisted. Fully qualified domain names
// (FQDNs) are not required. On Microsoft® Windows®, this policy is only
// available on instances that are joined to a Microsoft® Active Directory®
// domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome
// Browser Cloud Management. On macOS, this policy is only available on
// instances that are managed via MDM, joined to a domain via MCX or enrolled
// in Chrome Browser Cloud Management.
//"SafeBrowsingAllowlistDomains": ["mydomain.com", "myuniversity.edu"],

// Allow download deep scanning for Safe Browsing-enabled users
//-------------------------------------------------------------------------
// When this policy is enabled or left unset, Google Chrome can send
// suspicious downloads from Safe Browsing-enabled users to Google to scan for
// malware, or prompt users to provide a password for encrypted archives. When
// this policy is disabled, this scanning will not be performed. This policy
// does not impact download content analysis configured by Chrome Enterprise
// Connectors.
//"SafeBrowsingDeepScanningEnabled": true,

// Enable Safe Browsing Extended Reporting
//-------------------------------------------------------------------------
// Setting the policy to Enabled turns on Google Chrome's Safe Browsing
// Extended Reporting, which sends some system information and page content to
// Google servers to help detect dangerous apps and sites. Setting the policy
// to Disabled means reports are never sent. If you set this policy, users
// can't change it. If not set, users can decide whether to send reports or
// not. See more about Safe Browsing
// ( https://developers.google.com/safe-browsing ).
//"SafeBrowsingExtendedReportingEnabled": true,

// Safe Browsing Protection Level
//-------------------------------------------------------------------------
// Allows you to control whether Google Chrome's Safe Browsing feature is
// enabled and the mode it operates in. If this policy is set to
// 'NoProtection' (value 0), Safe Browsing is never active. If this policy is
// set to 'StandardProtection' (value 1, which is the default), Safe Browsing
// is always active in the standard mode. If this policy is set to
// 'EnhancedProtection' (value 2), Safe Browsing is always active in the
// enhanced mode, which provides better security, but requires sharing more
// browsing information with Google. If you set this policy as mandatory,
// users cannot change or override the Safe Browsing setting in Google Chrome.
// If this policy is left not set, Safe Browsing will operate in Standard
// Protection mode but users can change this setting. See
// https://support.google.com/chrome?p=safe_browsing_preferences for more info
// on Safe Browsing.
//"SafeBrowsingProtectionLevel": 2,

// Allow Safe Browsing Proxied Real Time Checks
//-------------------------------------------------------------------------
// This controls whether Safe Browsing's standard protection mode is allowed
// to send partial hashes of URLs to Google through a proxy via Oblivious HTTP
// in order to determine whether they are safe to visit. The proxy allows
// browsers to upload partial hashes of URLs to Google without them being
// linked to the user's IP address. The policy also allows browsers to upload
// the partial hashes of URLs with higher frequency for better Safe Browsing
// protection quality. This policy will be ignored if Safe Browsing is
// disabled or set to enhanced protection mode. Setting the policy to Enabled
// or leaving it unset allows the higher-protection proxied lookups. Setting
// the policy to Disabled disallows the higher-protection proxied lookups.
// Partial hashes of URLs will be uploaded to Google directly with much lower
// frequency, which will degrade protection.
//"SafeBrowsingProxiedRealTimeChecksAllowed": true,

// Allow Safe Browsing Surveys
//-------------------------------------------------------------------------
// When this policy is enabled or left unset, the user may receive surveys
// related to Safe Browsing. When this policy is disabled, the user will not
// receive surveys related to Safe Browsing.
//"SafeBrowsingSurveysEnabled": true,

// Control SafeSites adult content filtering.
//-------------------------------------------------------------------------
// Setting the policy controls the SafeSites URL filter, which uses the Google
// Safe Search API to classify URLs as pornographic or not.
// When this policy is set to:
// * Do not filter sites for adult content, or not set, sites aren't filtered
// * Filter top level sites for adult content, pornographic sites are filtered
//"SafeSitesFilterBehavior": 0,

// Allow Same Origin Tab capture by these origins
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that can capture
// tabs with their same Origin. Leaving the policy unset means that sites
// will not be considered for an override at this level of capture. Note that
// windowed Chrome Apps with the same origin as this site will still be
// allowed to be captured. If a site matches a URL pattern in this policy,
// the following policies will not be considered: TabCaptureAllowedByOrigins,
// WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins,
// ScreenCaptureAllowed. For detailed information on valid url patterns,
// please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// This policy only matches based on origin, so any path in the URL
// pattern is ignored.
//"SameOriginTabCaptureAllowedByOrigins": ["https://www.example.com", "[*.]example.edu"],

// Allow Chrome to block navigations toward external protocols in sandboxed iframes
//-------------------------------------------------------------------------
// Chrome will block navigations toward external protocols inside sandboxed
// iframes. See https://chromestatus.com/features/5680742077038592. When True,
// this lets Chrome block those navigations. When False, this prevents
// Chrome from blocking those navigations. This defaults to True: security
// feature enabled. This can be used by administrators who need more time to
// update their internal website affected by this new restriction. This
// Enterprise policy is temporary; it's intended to be removed after Google
// Chrome version 117.
//"SandboxExternalProtocolBlocked": true,

// Disable saving browser history
//-------------------------------------------------------------------------
// Setting the policy to Enabled means browsing history is not saved, tab
// syncing is off and users can't change this setting. Setting the policy to
// Disabled or leaving it unset saves browsing history.
//"SavingBrowserHistoryDisabled": true,

// Allow or deny screen capture
//-------------------------------------------------------------------------
// If enabled or not configured (default), a Web page can use screen-share
// APIs (e.g., getDisplayMedia() or the Desktop Capture extension API) to
// prompt the user to select a tab, window or desktop to capture. When this
// policy is disabled, any calls to screen-share APIs will fail with an error;
// however this policy is not considered (and a site will be allowed to use
// screen-share APIs) if the site matches an origin pattern in any of the
// following policies: ScreenCaptureAllowedByOrigins,
// WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins,
// SameOriginTabCaptureAllowedByOrigins.
//"ScreenCaptureAllowed": false,

// Allow Desktop, Window, and Tab capture by these origins
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that can use
// Desktop, Window, and Tab Capture. Leaving the policy unset means that
// sites will not be considered for an override at this level of Capture.
// This policy is not considered if a site matches a URL pattern in any of the
// following policies: WindowCaptureAllowedByOrigins,
// TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins. If a
// site matches a URL pattern in this policy, the ScreenCaptureAllowed will
// not be considered. For detailed information on valid url patterns, please
// see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// This policy only matches based on origin, so any path in the URL pattern is
// ignored.
//"ScreenCaptureAllowedByOrigins": ["https://www.example.com", "[*.]example.edu"],

// Allow screen capture without prior user gesture
//-------------------------------------------------------------------------
// For security reasons, the getDisplayMedia() web API requires a prior user
// gesture ("transient activation") to be called or will otherwise fail. With
// this policy set, admins can specify origins on which this API can be called
// without prior user gesture. For detailed information on valid url
// patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// * is not an accepted value for this
// policy. If this policy is unset, all origins will require a prior user
// gesture to call this API.
//"ScreenCaptureWithoutGestureAllowedForOrigins": ["https://www.example.com", "[*.]example.edu"],

// Enable scrolling to text specified in URL fragments
//-------------------------------------------------------------------------
// This feature allows for hyperlinks and address bar URL navigations to
// target specific text within a web page, which will be scrolled to once the
// loading of the web page is complete. If you enable or don't configure this
// policy, web page scrolling to specific text fragments via URL will be
// enabled. If you disable this policy, web page scrolling to specific text
// fragments via URL will be disabled.
//"ScrollToTextFragmentEnabled": false,

// Enable search suggestions
//-------------------------------------------------------------------------
// Setting the policy to True turns on search suggestions in Google Chrome's
// address bar. Setting the policy to False turns off these search
// suggestions. Suggestions based on bookmarks or history are unaffected by
// the policy. If you set the policy, users can't change it.
// If not set,
// search suggestions are on at first, but users can turn them off any time.
//"SearchSuggestEnabled": true,

// URLs/domains automatically permitted direct Security Key attestation
//-------------------------------------------------------------------------
// Setting the policy specifies WebAuthn RP IDs for which no prompt appears
// when attestation certificates from security keys are requested. A signal is
// also sent to the security key indicating that enterprise attestation may be
// used. Without this, when sites request attestation of security keys, users
// are prompted in Google Chrome version 65 and later.
//"SecurityKeyPermitAttestation": ["example.com"],

// Allow access to sensors on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that specify the
// sites that can access sensors like motion and light sensors. Leaving the
// policy unset means DefaultSensorsSetting applies for all sites, if it's
// set. If not, the user's personal setting applies. If the same URL pattern
// exists in both this policy and the SensorsBlockedForUrls policy, the latter
// is prioritized and access to motion or light sensors will be blocked. For
// detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed.
//"SensorsAllowedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block access to sensors on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that specify the
// sites that can't access sensors like motion and light sensors. Leaving the
// policy unset means DefaultSensorsSetting applies for all sites, if it's
// set. If not, the user's personal setting applies.
// If the same URL pattern
// exists in both this policy and the SensorsAllowedForUrls policy, this
// policy is prioritized and access to motion or light sensors will be
// blocked. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed.
//"SensorsBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Automatically grant permission to sites to connect all serial ports.
//-------------------------------------------------------------------------
// Setting the policy allows you to list sites which are automatically granted
// permission to access all available serial ports. The URLs must be valid,
// otherwise the policy is ignored. Only the origin (scheme, host and port) of
// the URL is considered. On Google ChromeOS, this policy only applies to
// affiliated users. This policy overrides DefaultSerialGuardSetting,
// SerialAskForUrls, SerialBlockedForUrls and the user's preferences.
//"SerialAllowAllPortsForUrls": ["https://www.example.com"],

// Automatically grant permission to sites to connect to USB serial devices.
//-------------------------------------------------------------------------
// Setting the policy allows you to list sites which are automatically granted
// permission to access USB serial devices with vendor and product IDs
// matching the vendor_id and product_id fields. Omitting the product_id field
// allows the given sites permission to access devices with a vendor ID
// matching the vendor_id field and any product ID. The URLs must be valid,
// otherwise the policy is ignored. Only the origin (scheme, host and port) of
// the URL is considered. On ChromeOS, this policy only applies to affiliated
// users. This policy overrides DefaultSerialGuardSetting, SerialAskForUrls,
// SerialBlockedForUrls and the user's preferences. This policy only affects
// access to USB devices through the Web Serial API.
// To grant access to USB
// devices through the WebUSB API see the WebUsbAllowDevicesForUrls policy.
// See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=SerialAllowUsbDevicesForUrls
// for more information about schema and formatting.
//"SerialAllowUsbDevicesForUrls": [{"devices": [{"product_id": 5678, "vendor_id": 1234}], "urls": ["https://specific-device.example.com"]}, {"devices": [{"vendor_id": 1234}], "urls": ["https://all-vendor-devices.example.com"]}],

// Allow the Serial API on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can ask users to grant them access to a serial port. Leaving the policy
// unset means DefaultSerialGuardSetting applies for all sites, if it's set.
// If not, users' personal settings apply. For URL patterns which do not
// match the policy SerialBlockedForUrls (if there is a match),
// DefaultSerialGuardSetting (if set), or the users' personal settings take
// precedence, in that order. URL patterns must not conflict with
// SerialBlockedForUrls. Neither policy takes precedence if a URL matches with
// both. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"SerialAskForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block the Serial API on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can't ask users to grant them access to a serial port. Leaving the policy
// unset means DefaultSerialGuardSetting applies for all sites, if it's set.
// If not, the user's personal setting applies.
// For URL patterns which do not
// match the policy SerialAskForUrls (if there is a match),
// DefaultSerialGuardSetting (if set), or the users' personal settings take
// precedence, in that order. URL patterns can't conflict with
// SerialAskForUrls. Neither policy takes precedence if a URL matches with
// both. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"SerialBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context
//-------------------------------------------------------------------------
// Specifies whether SharedArrayBuffers can be used in a non
// cross-origin-isolated context. Google Chrome will require cross-origin
// isolation when using SharedArrayBuffers from Google Chrome 91 onward
// (2021-05-25) for Web Compatibility reasons. Additional details can be
// found on: https://developer.chrome.com/blog/enabling-shared-array-buffer/.
// When set to Enabled, sites can use SharedArrayBuffer with no restrictions.
// When set to Disabled or not set, sites can only use SharedArrayBuffers when
// cross-origin isolated.
//"SharedArrayBufferUnrestrictedAccessAllowed": false,

// Enable the Shared Clipboard Feature
//-------------------------------------------------------------------------
// Enable the Shared Clipboard feature which allows users to send text between
// Chrome Desktops and an Android device when Sync is enabled and the user is
// Signed-in. If this policy is set to true, the capability of sending text,
// cross device, for chrome user is enabled. If this policy is set to false,
// the capability of sending text, cross device, for chrome user is disabled.
// If you set this policy, users cannot change or override it. If this policy
// is left unset, the shared clipboard feature is enabled by default.
// It is
// up to the admins to set policies in all platforms they care about. It's
// recommended to set this policy to one value in all platforms.
//"SharedClipboardEnabled": true,

// Allow the shopping list feature to be enabled
//-------------------------------------------------------------------------
// This policy controls the availability of the shopping list feature. If
// enabled, users will be presented with UI to track the price of the product
// displayed on the current page. The tracked product will be shown in the
// bookmarks side panel. If this policy is set to Enabled or not set, the
// shopping list feature will be available to users. If this policy is set to
// Disabled, the shopping list feature will be unavailable.
//"ShoppingListEnabled": true,

// Show the apps shortcut in the bookmark bar
//-------------------------------------------------------------------------
// Setting the policy to True displays the apps shortcut. Setting the policy
// to False means this shortcut never appears. If you set the policy, users
// can't change it. If not set, users decide to show or hide the apps shortcut
// from the bookmark bar context menu.
//"ShowAppsShortcutInBookmarkBar": false,

// Show the Google Cast toolbar icon
//-------------------------------------------------------------------------
// Setting the policy to Enabled displays the Cast toolbar icon on the toolbar
// or the overflow menu, and users can't remove it. Setting the policy to
// Disabled or leaving it unset lets users pin or remove the icon through its
// contextual menu. If the policy EnableMediaRouter is set to Disabled, then
// this policy's value has no effect, and the toolbar icon doesn't appear.
//"ShowCastIconInToolbar": false,

// Show media controls for Google Cast sessions started by other devices on the local network
//-------------------------------------------------------------------------
// When this policy is enabled, media playback controls UI is available for
// Google Cast sessions started by other devices on the local network. When
// this policy is unset for enterprise users or is disabled, media playback
// controls UI is unavailable for Google Cast sessions started by other
// devices on the local network. If the policy EnableMediaRouter is disabled,
// then this policy's value has no effect, as the entire Google Cast
// functionality is disabled.
//"ShowCastSessionsStartedByOtherDevices": false,

// Show Full URLs
//-------------------------------------------------------------------------
// This feature enables display of the full URL in the address bar. If this
// policy is set to True, then the full URL will be shown in the address bar,
// including schemes and subdomains. If this policy is set to False, then the
// default URL display will apply. If this policy is left unset, then the
// default URL display will apply and the user will be able to toggle between
// default and full URL display with a context menu option.
//"ShowFullUrlsInAddressBar": false,

// Show Home button on toolbar
//-------------------------------------------------------------------------
// Setting the policy to Enabled shows the Home button on Google Chrome's
// toolbar. Setting the policy to Disabled keeps the Home button from
// appearing. If you set the policy, users can't change it in Google Chrome.
// If not set, users choose whether to show the Home button.
//"ShowHomeButton": true,

// Allow showing the most recent default search engine results page in a Browser side panel
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving the policy unset means that users
// can bring up their most recent default search engine results page in a side
// panel via toggling an icon in the toolbar. Setting the policy to Disabled
// removes the icon from the toolbar that opens the side panel with the
// default search engine results page.
//"SideSearchEnabled": false,

// Enable Signed HTTP Exchange (SXG) support
//-------------------------------------------------------------------------
// Setting the policy to True or leaving it unset means Google Chrome will
// accept web contents served as Signed HTTP Exchanges. Setting the policy to
// False prevents Signed HTTP Exchanges from loading.
//"SignedHTTPExchangeEnabled": true,

// Enable signin interception
//-------------------------------------------------------------------------
// This setting enables or disables signin interception. When this policy
// is not set or is enabled, the signin interception dialog triggers when a
// Google account is added on the web, and the user may benefit from moving
// this account to another (new or existing) profile. When this is disabled,
// the signin interception dialog does not trigger. When this is disabled, a
// dialog will still be shown if managed account profile separation is
// enforced by ManagedAccountsSigninRestriction.
//"SigninInterceptionEnabled": true,

// Require Site Isolation for every site
//-------------------------------------------------------------------------
// Since Google Chrome 67, site isolation has been enabled by default on all
// Desktop platforms, causing every site to run in its own process. A site is
// a scheme plus eTLD+1 (e.g., https://example.com).
// Setting this policy to
// Enabled does not change that behavior; it only prevents users from opting
// out (for example, using Disable site isolation in chrome://flags). Since
// Google Chrome 76, setting the policy to Disabled or leaving it unset
// doesn't turn off site isolation, but instead allows users to opt out.
// IsolateOrigins might also be useful for isolating specific origins at a
// finer granularity than site (e.g., https://a.example.com). On Google
// ChromeOS version 76 and earlier, set the DeviceLoginScreenSitePerProcess
// device policy to the same value. (If the values don't match, a delay can
// occur when entering a user session.) Note: For Android, use the
// SitePerProcessAndroid policy instead.
//"SitePerProcess": true,

// Enable or disable spell checking web service
//-------------------------------------------------------------------------
// Setting the policy to Enabled puts a Google web service in use to help
// resolve spelling errors. This policy only controls the use of the online
// service. Setting the policy to Disabled means this service is never used.
// Leaving the policy unset lets users choose whether to use the spellcheck
// service. The spell check can always use a downloaded dictionary locally
// unless the feature is disabled by SpellcheckEnabled in which case this
// policy will have no effect.
//"SpellCheckServiceEnabled": false,

// Enable spellcheck
//-------------------------------------------------------------------------
// Setting the policy to Enabled turns spellcheck on, and users can't turn it
// off. On Microsoft® Windows®, Google ChromeOS and Linux®, spellcheck
// languages can be switched on or off individually, so users can still turn
// spellcheck off by switching off every spellcheck language. To avoid that,
// use the SpellcheckLanguage to force-enable specific spellcheck languages.
// Setting the policy to Disabled turns off spellcheck from all sources, and
// users can't turn it on.
// The SpellCheckServiceEnabled, SpellcheckLanguage
// and SpellcheckLanguageBlocklist policies have no effect when this policy is
// set to False. Leaving the policy unset lets users turn spellcheck on or
// off in the language settings.
//"SpellcheckEnabled": false,

// Force enable spellcheck languages
//-------------------------------------------------------------------------
// Force-enables spellcheck languages. Unrecognized languages in the list will
// be ignored. If you enable this policy, spellcheck will be enabled for the
// languages specified, in addition to the languages for which the user has
// enabled spellcheck. If you do not set this policy, or disable it, there
// will be no change to the user's spellcheck preferences. If the
// SpellcheckEnabled policy is set to false, this policy will have no effect.
// If a language is included in both this policy and the
// SpellcheckLanguageBlocklist policy, this policy is prioritized and the
// spellcheck language is enabled. The currently supported languages are: af,
// bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR,
// es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb,
// nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.
//"SpellcheckLanguage": ["fr", "es"],

// Force disable spellcheck languages
//-------------------------------------------------------------------------
// Force-disables spellcheck languages. Unrecognized languages in that list
// will be ignored. If you enable this policy, spellcheck will be disabled
// for the languages specified. The user can still enable or disable
// spellcheck for languages not in the list. If you do not set this policy,
// or disable it, there will be no change to the user's spellcheck
// preferences. If the SpellcheckEnabled policy is set to false, this policy
// will have no effect.
// If a language is included in both this policy and the
// SpellcheckLanguage policy, the latter is prioritized and the spellcheck
// language will be enabled. The currently supported languages are: af, bg,
// ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES,
// es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl,
// pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.
//"SpellcheckLanguageBlocklist": ["fr", "es"],

// Enable strict MIME type checking for worker scripts
//-------------------------------------------------------------------------
// This policy enables strict MIME type checking for worker scripts. When
// enabled or unset, then worker scripts will use strict MIME type checking
// for JavaScript, which is the new default behaviour. Worker scripts with
// legacy MIME types will be rejected. When disabled, then worker scripts
// will use lax MIME type checking, so that worker scripts with legacy MIME
// types, e.g. text/ascii, will continue to be loaded and executed. Browsers
// traditionally used lax MIME type checking, so that resources with a number
// of legacy MIME types were supported. E.g. for JavaScript resources,
// text/ascii is a legacy supported MIME type. This may cause security issues,
// by allowing to load resources as scripts that were never intended to be
// used as such. Chrome will transition to use strict MIME type checking in
// the near future. The enabled policy will track the default behaviour.
// Disabling this policy allows administrators to retain the legacy behaviour,
// if desired. See
// https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguage for
// details about JavaScript / ECMAScript media types.
//"StrictMimetypeCheckForWorkerScriptsEnabled": false,

// Suppress JavaScript Dialogs triggered from different origin subframes
//-------------------------------------------------------------------------
// As described in https://www.chromestatus.com/feature/5148698084376576 ,
// JavaScript modal dialogs, triggered by window.alert, window.confirm, and
// window.prompt, will be blocked in Google Chrome if triggered from a
// subframe whose origin is different from the main frame origin. This policy
// allows overriding that change. If the policy is set to enabled or unset,
// JavaScript dialogs triggered from a different origin subframe will be
// blocked. If the policy is set to disabled, JavaScript dialogs triggered
// from a different origin subframe will not be blocked. This policy will be
// removed from Google Chrome in the future.
//"SuppressDifferentOriginSubframeDialogs": true,

// Suppress the unsupported OS warning
//-------------------------------------------------------------------------
// Setting the policy to Enabled suppresses the warning that appears when
// Google Chrome is running on an unsupported computer or operating system.
// Setting the policy to Disabled or leaving it unset means the warnings
// appear on unsupported systems.
//"SuppressUnsupportedOSWarning": true,

// Disable synchronization of data with Google
//-------------------------------------------------------------------------
// Setting the policy to Enabled turns off data synchronization in Google
// Chrome using Google-hosted synchronization services. To fully turn off
// Chrome Sync services, we recommend that you turn off the service in the
// Google Admin console. If the policy is set to Disabled or not set, users
// are allowed to choose whether to use Chrome Sync. Note: Do not turn on
// this policy when RoamingProfileSupportEnabled is Enabled, because that
// feature shares the same client-side functionality.
// The Google-hosted synchronization is off completely in this case.
//"SyncDisabled": true,

// List of types that should be excluded from synchronization
//-------------------------------------------------------------------------
// If this policy is set all specified data types will be excluded from
// synchronization both for Chrome Sync as well as for roaming profile
// synchronization. This can be beneficial to reduce the size of the roaming
// profile or limit the type of data uploaded to the Chrome Sync Servers. The
// current data types for this policy are: "apps", "autofill", "bookmarks",
// "extensions", "preferences", "passwords", "payments", "readingList",
// "savedTabGroups", "tabs", "themes", "typedUrls", "wifiConfigurations".
// Those names are case sensitive! Notes: Dynamic Policy Refresh is supported
// only in Google Chrome version 123 and later. Disabling "autofill" also
// disables "payments". "typedUrls" refers to all browsing history.
//"SyncTypesListDisabled": ["bookmarks"],

// Allow Tab capture by these origins
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that can use Tab
// Capture. Leaving the policy unset means that sites will not be considered
// for an override at this level of capture. Note that windowed Chrome Apps
// will still be allowed to be captured. This policy is not considered if a
// site matches a URL pattern in the SameOriginTabCaptureAllowedByOrigins
// policy. If a site matches a URL pattern in this policy, the following
// policies will not be considered: WindowCaptureAllowedByOrigins,
// ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed. For detailed
// information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// This policy only matches based on origin, so any path in the URL pattern is
// ignored.
//"TabCaptureAllowedByOrigins": ["https://www.example.com", "[*.]example.edu"],

// URL pattern Exceptions to tab discarding
//-------------------------------------------------------------------------
// This policy makes it so that any URL matching one or more of the patterns
// it specifies (using the URLBlocklist filter format) will never be discarded
// by the browser. This applies to memory pressure and high efficiency mode
// discarding. A discarded page is unloaded and its resources fully reclaimed.
// The tab it's associated with remains in the tabstrip, but making it visible
// will trigger a full reload.
//"TabDiscardingExceptions": ["example.com", "https://*", "*"],

// Settings for Tab Organizer
//-------------------------------------------------------------------------
// Tab Organizer is an AI-based tool that automatically creates tab groups
// based on a user's open tabs. Suggestions are based on open tabs (but not
// page content).
// 0 = Enable the feature for users, and send relevant data to
// Google to help train or improve AI models. Relevant data may include
// prompts, inputs, outputs, and source materials, depending on the feature.
// It may be reviewed by humans for the sole purpose of improving AI models.
// 0 is the default value, except when noted below.
// 1 = Enable the feature for users, but do not send data to Google to train
// or improve AI models. 1 is the default value for Enterprise users managed
// by Google Admin console.
// 2 = Disable the feature. 2 is the default value for education accounts
// managed by Google Workspace.
// For more information on data handling for
// generative AI features, please see
// https://support.google.com/chrome/a?p=generative_ai_settings.
//"TabOrganizerSettings": 1,

// Enable ending processes in Task Manager
//-------------------------------------------------------------------------
// Setting the policy to Disabled prevents users from ending processes in the
// Task Manager.
// Setting the policy to Enabled or leaving it unset lets users
// end processes in the Task Manager.
//"TaskManagerEndProcessEnabled": true,

// Block third-party storage partitioning for these origins
//-------------------------------------------------------------------------
// Allows you to set a list of url patterns that specify top-level (the url in
// the tab's address bar) origins which block third-party storage partitioning
// (partitioning of cross-origin iframe storage). If this policy is left not
// set or a top-level origin doesn't match then the value from
// DefaultThirdPartyStoragePartitioningSetting will be used. For detailed
// information on valid patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Note
// that patterns you list here are treated as origins, not URLs, so you should
// not specify a path. For detailed information on third-party storage
// partitioning, please see
// https://developer.chrome.com/docs/privacy-sandbox/storage-partitioning/.
//"ThirdPartyStoragePartitioningBlockedForOrigins": ["www.example.com", "[*.]example.edu"],

// Managed toolbar avatar label setting
//-------------------------------------------------------------------------
// Leaving this policy unset or setting it to
// display_management_label_permanent (value 0) will show a Work or School
// label next to the toolbar avatar. These labels will only be shown if the
// signed in account is managed. Setting it to
// display_management_label_transient (value 1) will show a Work or School
// label next to the toolbar avatar for 30 seconds after opening the profile.
//"ToolbarAvatarLabelSettings": 1,

// Enable Translate
//-------------------------------------------------------------------------
// Setting the policy to True provides translation functionality when it's
// appropriate for users by showing an integrated translate toolbar in Google
// Chrome and a translate option on the right-click context menu.
// Setting the policy to False shuts off all built-in translate features.
// If you set the policy, users can't change this function. Leaving it unset
// lets them change the setting.
//"TranslateEnabled": true,

// Allow access to a list of URLs
//-------------------------------------------------------------------------
// Setting the policy provides access to the listed URLs, as exceptions to
// URLBlocklist. See that policy's description for the format of entries of
// this list. For example, setting URLBlocklist to * will block all requests,
// and you can use this policy to allow access to a limited list of URLs. Use
// it to open exceptions to certain schemes, subdomains of other domains,
// ports, or specific paths, using the format specified at (
// https://support.google.com/chrome/a?p=url_blocklist_filter_format ). The
// most specific filter determines if a URL is blocked or allowed. The
// URLAllowlist policy takes precedence over URLBlocklist. This policy is
// limited to 1,000 entries. This policy also allows enabling the automatic
// invocation by the browser of external application registered as protocol
// handlers for the listed protocols like "tel:" or "ssh:". Leaving the
// policy unset allows no exceptions to URLBlocklist. From Google Chrome
// version 92, this policy is also supported in the headless mode.
//"URLAllowlist": ["example.com", "https://ssl.server.com", "hosting.com/good_path", "https://server:8080/path", ".exact.hostname.com"],

// Block access to a list of URLs
//-------------------------------------------------------------------------
// Setting the URLBlocklist policy stops web pages with prohibited URLs from
// loading. Administrators can specify the list of URL patterns to be blocked.
// If left unset, no URLs are blocked in the browser. Up to 1,000 exceptions
// can be defined in URLAllowlist. See how to format a URL pattern (
// https://support.google.com/chrome/a?p=url_blocklist_filter_format ).
// Note: This policy does not apply to in-page JavaScript URLs with
// dynamically loaded data. If you blocked example.com/abc, then example.com
// could still load it using XMLHTTPRequest. Additionally, this policy does
// not prevent web pages from updating the URL shown in the omnibox to a
// blocked one using the JavaScript History API. From Google Chrome version
// 73, you can block javascript://* URLs. But, this only affects JavaScript
// entered in the address bar or, for example, bookmarklets. From Google
// Chrome version 92, this policy is also supported in the headless mode.
// Note: Blocking internal chrome://* and chrome-untrusted://* URLs can lead
// to unexpected errors or can be circumvented in some cases. Instead of
// blocking certain internal URLs, see if there are more specific policies
// available. For example:
// - Instead of blocking chrome://settings/certificates, use
//   CACertificateManagementAllowed.
// - Instead of blocking chrome-untrusted://crosh, use
//   SystemFeaturesDisableList.
//"URLBlocklist": ["example.com", "https://ssl.server.com", "hosting.com/bad_path", "https://server:8080/path", ".exact.hostname.com", "file://*", "custom_scheme:*", "*"],

// Enable URL-keyed anonymized data collection
//-------------------------------------------------------------------------
// Setting the policy to Enabled means URL-keyed anonymized data collection,
// which sends URLs of pages the user visits to Google to make searches and
// browsing better, is always active. Setting the policy to Disabled results
// in no URL-keyed anonymized data collection. If this policy is left unset,
// the user will be able to change this setting manually. In Google ChromeOS
// Kiosk, this policy doesn't offer the option to "Allow the user to decide".
// If this policy is unset for Google ChromeOS Kiosk, URL-keyed anonymized
// data collection is always active. When set for Google ChromeOS Kiosk, this
// policy enables URL-keyed metrics collection for kiosk apps.
//"UrlKeyedAnonymizedDataCollectionEnabled": true,

// Enable or disable the User-Agent Reduction.
//-------------------------------------------------------------------------
// The User-Agent HTTP request header is scheduled to be reduced. In order to
// facilitate testing and compatibility, this policy can enable the reduction
// feature for all websites, or disable the ability for origin trials or field
// trials to enable the feature. To learn more about the User-Agent Reduction
// and its timeline, read here:
// https://blog.chromium.org/2021/09/user-agent-reduction-origin-trial-and-dates.html
//"UserAgentReduction": 0,

// Limits the number of user data snapshots retained for use in case of emergency rollback.
//-------------------------------------------------------------------------
// Following each major version update, Chrome will create a snapshot of
// certain portions of the user's browsing data for use in case of a later
// emergency version rollback. If an emergency rollback is performed to a
// version for which a user has a corresponding snapshot, the data in the
// snapshot is restored. This allows users to retain such settings as
// bookmarks and autofill data. If this policy is not set, the default value
// of 3 is used. If the policy is set, old snapshots are deleted as needed to
// respect the limit. If the policy is set to 0, no snapshots will be taken.
//"UserDataSnapshotRetentionLimit": 3,

// Allow user feedback
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset lets users send feedback
// to Google through Menu > Help > Report an Issue or key combination.
// Setting the policy to Disabled means users can't send feedback to Google.
//"UserFeedbackAllowed": true,

// Allow or deny video capture
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset means that, with the
// exception of URLs set in the VideoCaptureAllowedUrls list, users get
// prompted for video capture access. Setting the policy to Disabled turns
// off prompts, and video capture is only available to URLs set in the
// VideoCaptureAllowedUrls list. Note: The policy affects all video input
// (not just the built-in camera).
//"VideoCaptureAllowed": false,

// URLs that will be granted access to video capture devices without prompt
//-------------------------------------------------------------------------
// Setting the policy means you specify the URL list whose patterns get
// matched to the security origin of the requesting URL. A match grants access
// to video capture devices without prompt. For detailed information on valid
// url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
//"VideoCaptureAllowedUrls": ["https://www.example.com/", "https://[*.]example.edu/"],

// Enable WPAD optimization
//-------------------------------------------------------------------------
// Setting the policy to Enabled or leaving it unset turns on WPAD (Web Proxy
// Auto-Discovery) optimization in Google Chrome. Setting the policy to
// Disabled turns off WPAD optimization, causing Google Chrome to wait longer
// for DNS-based WPAD servers. Whether or not this policy is set, users can't
// change the WPAD optimization setting.
//"WPADQuickCheckEnabled": true,

// Configure list of force-installed Web Apps
//-------------------------------------------------------------------------
// Setting the policy specifies a list of web apps that install silently,
// without user interaction, and which users can't uninstall or turn off.
// Each list item of the policy is an object with a mandatory member: url (the
// URL of the web app to install) and 6 optional members:
// - default_launch_container (for how the web app opens—a new tab is the
//   default)
// - create_desktop_shortcut (True if you want to create Linux and
//   Microsoft® Windows® desktop shortcuts).
// - fallback_app_name (Starting with Google Chrome version 90, allows you to
//   override the app name if it is not a Progressive Web App (PWA), or the
//   app name that is temporarily installed if it is a PWA but authentication
//   is required before the installation can be completed. If both
//   custom_name and fallback_app_name are provided, the latter will be
//   ignored.)
// - custom_name (Starting with Google ChromeOS version 99, and version 112
//   on all other desktop operating systems, allows you to permanently
//   override the app name for all web apps and PWAs.)
// - custom_icon (Starting with Google ChromeOS version 99, and version 112
//   on all other desktop operating systems, allows you to override the app
//   icon of installed apps. The icons have to be square, maximal 1 MB in
//   size, and in one of the following formats: jpeg, png, gif, webp, ico.
//   The hash value has to be the SHA256 hash of the icon file.)
// - install_as_shortcut (Starting with Google Chrome version 107). If
//   enabled the given url will be installed as a shortcut, as if done via
//   the "Create Shortcut..." option in the desktop browser GUI. Note that
//   when installed as a shortcut it won't be updated if the manifest in url
//   changes. If disabled or unset, the web app at the given url will be
//   installed normally.
// See PinnedLauncherApps for pinning apps to the Google ChromeOS shelf. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WebAppInstallForceList
// for more information about schema and formatting.
//"WebAppInstallForceList": [{"create_desktop_shortcut": true, "default_launch_container": "window", "url": "https://www.google.com/maps"}, {"default_launch_container": "tab", "url": "https://docs.google.com"}, {"default_launch_container": "window", "fallback_app_name": "Editor", "url": "https://docs.google.com/editor"}, {"custom_name": "My important document", "default_launch_container": "window", "install_as_shortcut": true, "url": "https://docs.google.com/document/d/ds187akjqih89"}, {"custom_icon": {"hash": "c28f469c450e9ab2b86ea47038d2b324c6ad3b1e9a4bd8960da13214afd0ca38", "url": "https://mydomain.example.com/sunny_icon.png"}, "url": "https://weather.example.com"}],

// Web App management settings
//-------------------------------------------------------------------------
// This policy allows an admin to specify settings for installed web apps.
// This policy maps a Web App ID to its specific setting. A default
// configuration can be set using the special ID *, which applies to all web
// apps without a custom configuration in this policy. The manifest_id field
// is the Manifest ID for the Web App. See
// https://developer.chrome.com/blog/pwa-manifest-id/ for instructions on how
// to determine the Manifest ID for an installed web app. The run_on_os_login
// field specifies if a web app can be run during OS login. If this field is
// set to blocked, the web app will not run during OS login and the user will
// not be able to enable this later. If this field is set to run_windowed, the
// web app will run during OS login and the user will not be able to disable
// this later. If this field is set to allowed, the user will be able to
// configure the web app to run at OS login. The default configuration only
// allows the allowed and blocked values. (Since version 117) The
// prevent_close_after_run_on_os_login field specifies if a web app shall be
// prevented from closing in any way (e.g. by the user, task manager, web
// APIs).
// This behavior can only be enabled if run_on_os_login is set to
// run_windowed. If the app is already running, this property will only come
// into effect after the app is restarted. If this field is not defined, apps
// will be closable by users. (Since version 118) The
// force_unregister_os_integration field specifies if all OS integration for a
// web app, i.e. shortcuts, file handlers, protocol handlers etc will be
// removed or not. If an app is already running, this property will come into
// effect after the app has restarted. This should be used with caution, since
// this can override any OS integration that is set automatically during the
// startup of the web applications system. Currently only works on Windows,
// Mac and Linux platforms. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WebAppSettings
// for more information about schema and formatting.
//"WebAppSettings": [{"manifest_id": "https://foo.example/index.html", "run_on_os_login": "allowed"}, {"manifest_id": "https://bar.example/index.html", "run_on_os_login": "allowed"}, {"manifest_id": "https://foobar.example/index.html", "prevent_close_after_run_on_os_login": true, "run_on_os_login": "run_windowed"}, {"manifest_id": "*", "run_on_os_login": "blocked"}, {"force_unregister_os_integration": true, "manifest_id": "https://foo.example/index.html"}],

// Automatically grant permission to sites to connect to any HID device.
//-------------------------------------------------------------------------
// Setting the policy allows you to list sites which are automatically granted
// permission to access all available devices. The URLs must be valid,
// otherwise the policy is ignored. Only the origin (scheme, host and port) of
// the URL is considered. On ChromeOS, this policy only applies to affiliated
// users. This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls,
// WebHidBlockedForUrls and the user's preferences.
//"WebHidAllowAllDevicesForUrls": ["https://google.com", "https://chromium.org"],

// Automatically grant permission to these sites to connect to HID devices with the given vendor and product IDs.
//-------------------------------------------------------------------------
// Setting the policy lets you list the URLs that specify which sites are
// automatically granted permission to access a HID device with the given
// vendor and product IDs. Each item in the list requires both devices and
// urls fields for the item to be valid, otherwise the item is ignored. Each
// item in the devices field must have a vendor_id and may have a product_id
// field. Omitting the product_id field will create a policy matching any
// device with the specified vendor ID. An item which has a product_id field
// without a vendor_id field is invalid and is ignored. Leaving the policy
// unset means DefaultWebHidGuardSetting applies, if it's set. If not, the
// user's personal setting applies. URLs in this policy shouldn't conflict
// with those configured through WebHidBlockedForUrls. If they do, this policy
// takes precedence over WebHidBlockedForUrls. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WebHidAllowDevicesForUrls
// for more information about schema and formatting.
//"WebHidAllowDevicesForUrls": [{"devices": [{"product_id": 5678, "vendor_id": 1234}], "urls": ["https://google.com", "https://chromium.org"]}],

// Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage.
//-------------------------------------------------------------------------
// Setting the policy lets you list the URLs that specify which sites are
// automatically granted permission to access a HID device containing a
// top-level collection with the given HID usage. Each item in the list
// requires both usages and urls fields for the policy to be valid.
// Each item in the usages field must have a usage_page and may have a usage
// field. Omitting the usage field will create a policy matching any device
// containing a top-level collection with a usage from the specified usage
// page. An item which has a usage field without a usage_page field is
// invalid and is ignored.
// Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's
// set. If not, the user's personal setting applies. URLs in this policy
// shouldn't conflict with those configured through WebHidBlockedForUrls. If
// they do, this policy takes precedence over WebHidBlockedForUrls. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WebHidAllowDevicesWithHidUsagesForUrls
// for more information about schema and formatting.
//"WebHidAllowDevicesWithHidUsagesForUrls": [{"urls": ["https://google.com", "https://chromium.org"], "usages": [{"usage": 5678, "usage_page": 1234}]}],

// Allow the WebHID API on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can ask users to grant them access to a HID device. Leaving the policy
// unset means DefaultWebHidGuardSetting applies for all sites, if it's set.
// If not, users' personal settings apply. For URL patterns which do not
// match the policy, the following take precedence, in this order:
// * WebHidBlockedForUrls (if there is a match),
// * DefaultWebHidGuardSetting (if set), or
// * Users' personal settings.
// URL patterns must not conflict
// with WebHidBlockedForUrls. Neither policy takes precedence if a URL matches
// with both. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"WebHidAskForUrls": ["https://google.com", "https://chromium.org"],

// Block the WebHID API on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can't ask users to grant them access to a HID device. Leaving the policy
// unset means DefaultWebHidGuardSetting applies for all sites, if it's set.
// If not, users' personal settings apply. For URL patterns which do not
// match the policy, the following take precedence, in this order:
// * WebHidAskForUrls (if there is a match),
// * DefaultWebHidGuardSetting (if set), or
// * Users' personal settings.
// URL patterns can't conflict with
// WebHidAskForUrls. Neither policy takes precedence if a URL matches with
// both. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"WebHidBlockedForUrls": ["https://google.com", "https://chromium.org"],

// Allow collection of WebRTC event logs from Google services
//-------------------------------------------------------------------------
// Setting the policy to Enabled means Google Chrome can collect WebRTC event
// logs from Google services such as Hangouts Meet and upload them to Google.
// These logs have diagnostic information for debugging issues with audio or
// video meetings in Google Chrome, such as the time and size of RTP packets,
// feedback about congestion on the network, and metadata about time and
// quality of audio and video frames. These logs have no audio or video
// content from the meeting. To make debugging easier, Google might associate
// these logs, by means of a session ID, with other logs collected by the
// Google service itself. Setting the policy to Disabled results in no
// collection or uploading of such logs.
// Leaving the policy unset on versions
// up to and including M76 means Google Chrome defaults to not being able to
// collect and upload these logs. Starting at M77, Google Chrome defaults to
// being able to collect and upload these logs from most profiles affected by
// cloud-based, user-level enterprise policies. From M77 up to and including
// M80, Google Chrome can also collect and upload these logs by default from
// profiles affected by Google Chrome on-premise management.
//"WebRtcEventLogCollectionAllowed": true,

// The IP handling policy of WebRTC
//-------------------------------------------------------------------------
// This policy allows restricting which IP addresses and interfaces WebRTC
// uses when attempting to find the best available connection. See RFC 8828
// section 5.2 (https://tools.ietf.org/html/rfc8828.html#section-5.2). When
// unset, defaults to using all available interfaces.
//"WebRtcIPHandling": "default",

// URLs for which local IPs are exposed in WebRTC ICE candidates
//-------------------------------------------------------------------------
// Patterns in this list will be matched against the security origin of the
// requesting URL. If a match is found or
// chrome://flags/#enable-webrtc-hide-local-ips-with-mdns is Disabled, the
// local IP addresses are shown in WebRTC
// ICE candidates. Otherwise, local IP addresses are concealed with mDNS
// hostnames. Please note that this policy weakens the protection of local IPs
// if needed by administrators.
//"WebRtcLocalIpsAllowedUrls": ["https://www.example.com", "*example.com*"],

// Allow WebRTC text logs collection from Google Services
//-------------------------------------------------------------------------
// Setting the policy to enabled means Google Chrome can collect WebRTC text
// logs from Google services such as Google Meet and upload them to Google.
// These logs have diagnostic information for debugging issues with audio or
// video meetings in Google Chrome, such as textual metadata describing
// incoming and outgoing WebRTC streams, WebRTC specific log entries and
// additional system information. These logs have no audio or video content
// from the meeting. Setting the policy to disabled results in no uploading of
// such logs to Google. Logs would still accumulate locally on the user's
// device. Leaving the policy unset means Google Chrome defaults to being able
// to collect and upload these logs.
//"WebRtcTextLogCollectionAllowed": true,

// Restrict the range of local UDP ports used by WebRTC
//-------------------------------------------------------------------------
// If the policy is set, the UDP port range used by WebRTC is restricted to
// the specified port interval (endpoints included). If the policy is not
// set, or if it is set to the empty string or an invalid port range, WebRTC
// is allowed to use any available local UDP port.
//"WebRtcUdpPortRange": "10000-11999",

// Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// are automatically granted permission to access a USB device with the given
// vendor and product IDs. Each item in the list requires both devices and
// urls fields for the policy to be valid. Each item in the devices field can
// have a vendor_id and product_id field. Omitting the vendor_id field will
// create a policy matching any device. Omitting the product_id field will
// create a policy matching any device with the given vendor ID. A policy
// which has a product_id field without a vendor_id field is invalid. The USB
// permission model will grant the specified URL permission to access the USB
// device as a top-level origin.
// If embedded frames need to access USB
// devices, the 'usb' feature-policy header should be used to grant access.
// The URL must be valid, otherwise the policy is ignored. Deprecated: The
// USB permission model used to support specifying both the requesting and
// embedding URLs. This is deprecated and only supported for backwards
// compatibility in this manner: if both a requesting and embedding URL is
// specified, then the embedding URL will be granted the permission as
// top-level origin and the requesting URL will be ignored entirely. This
// policy overrides DefaultWebUsbGuardSetting, WebUsbAskForUrls,
// WebUsbBlockedForUrls and the user's preferences. This policy only affects
// access to USB devices through the WebUSB API. To grant access to USB
// devices through the Web Serial API see the SerialAllowUsbDevicesForUrls
// policy. See
// https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WebUsbAllowDevicesForUrls
// for more information about schema and formatting.
//"WebUsbAllowDevicesForUrls": [{"devices": [{"product_id": 5678, "vendor_id": 1234}], "urls": ["https://google.com"]}],

// Allow WebUSB on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can ask users to grant them access to a USB device. Leaving the policy
// unset means DefaultWebUsbGuardSetting applies for all sites, if it's set.
// If not, users' personal settings apply. URL patterns must not conflict
// with WebUsbAskForUrls. Neither policy takes precedence if a URL matches
// with both. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"WebUsbAskForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block WebUSB on these sites
//-------------------------------------------------------------------------
// Setting the policy lets you list the URL patterns that specify which sites
// can't ask users to grant them access to a USB device. Leaving the policy
// unset means DefaultWebUsbGuardSetting applies for all sites, if it's set.
// If not, the user's personal setting applies. URL patterns can't conflict
// with WebUsbAskForUrls. Neither policy takes precedence if a URL matches
// with both. For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
// not an accepted value for this policy.
//"WebUsbBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Allow Window and Tab capture by these origins
//-------------------------------------------------------------------------
// Setting the policy lets you set a list of URL patterns that can use Window
// and Tab Capture. Leaving the policy unset means that sites will not be
// considered for an override at this level of Capture. This policy is not
// considered if a site matches a URL pattern in any of the following
// policies: TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
// If a site matches a URL pattern in this policy, the following policies will
// not be considered: ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
// For detailed information on valid url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// This policy only matches based on origin, so any path in the URL pattern is
// ignored.
//"WindowCaptureAllowedByOrigins": ["https://www.example.com", "[*.]example.edu"],

// Allow Window Management permission on these sites
//-------------------------------------------------------------------------
// Allows you to set a list of site url patterns that specify sites which will
// automatically grant the window management permission. This will extend the
// ability of sites to see information about the device's screens and use that
// information to open and place windows or request fullscreen on specific
// screens. For detailed information on valid site url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed. This policy only matches based on origin, so any
// path in the URL pattern is ignored. If this policy is not set for a site
// then the policy from DefaultWindowManagementSetting applies to the site, if
// set, otherwise the permission will follow the browser's defaults and allow
// users to choose this permission per site. This replaces the deprecated
// WindowPlacementAllowedForUrls policy.
//"WindowManagementAllowedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Block Window Management permission on these sites
//-------------------------------------------------------------------------
// Allows you to set a list of site url patterns that specify sites which will
// automatically deny the window management permission. This will limit the
// ability of sites to see information about the device's screens and use that
// information to open and place windows or request fullscreen on specific
// screens. For detailed information on valid site url patterns, please see
// https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
// Wildcards, *, are allowed. This policy only matches based on origin, so any
// path in the URL pattern is ignored.
// If this policy is not set for a site
// then the policy from DefaultWindowManagementSetting applies to the site, if
// set, otherwise the permission will follow the browser's defaults and allow
// users to choose this permission per site. This replaces the deprecated
// WindowPlacementBlockedForUrls policy.
//"WindowManagementBlockedForUrls": ["https://www.example.com", "[*.]example.edu"],

// Enable zstd content-encoding support
//-------------------------------------------------------------------------
// This feature enables the use of "zstd" in the Accept-Encoding request
// header, and support for decompressing zstd-compressed web content. Setting
// the policy to Enabled or leaving it unset means Google Chrome will accept
// web contents compressed with zstd. Setting the policy to Disabled turns off
// the zstd content-encoding feature. This policy is intended to be temporary
// and will be removed in the future.
//"ZstdContentEncodingEnabled": true
}
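
// Added example, not part of the Chrome template: a pre-deployment check for the
// WebUSB rules above, flagging a bare * and any URL that both WebUsbAskForUrls
// and WebUsbBlockedForUrls would match (where neither policy takes precedence).
// parse_pattern, overlaps, audit_webusb and SAMPLE are hypothetical names, and
// the matcher is a simplification that compares scheme and host only.

```python
# Added example (not from the Chrome template). Assumption: a simplified
# matcher that compares scheme and host only; ports, paths and IPv6 literals
# are ignored, so this is not Chrome's full URL pattern grammar.

def parse_pattern(pattern):
    """Return (scheme or None, host, covers_subdomains) for a URL pattern."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:                       # no scheme given, e.g. "[*.]example.edu"
        scheme, rest = None, pattern
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    wildcard = host.startswith("[*.]")
    if wildcard:
        host = host[len("[*.]"):]
    return (scheme.lower() if scheme else None), host, wildcard

def overlaps(p, q):
    """True if some URL could match both patterns."""
    (s1, h1, w1), (s2, h2, w2) = parse_pattern(p), parse_pattern(q)
    if s1 and s2 and s1 != s2:        # different explicit schemes never overlap
        return False
    def under(host, domain):          # host is the domain or one of its subdomains
        return host == domain or host.endswith("." + domain)
    if w1 and w2:
        return under(h1, h2) or under(h2, h1)
    if w1:
        return under(h2, h1)
    if w2:
        return under(h1, h2)
    return h1 == h2

def audit_webusb(policy):
    """Return findings for the WebUSB ask/block lists in a policy dict."""
    findings = []
    ask = policy.get("WebUsbAskForUrls", [])
    blocked = policy.get("WebUsbBlockedForUrls", [])
    for name, patterns in (("WebUsbAskForUrls", ask), ("WebUsbBlockedForUrls", blocked)):
        if "*" in patterns:
            findings.append(f"{name}: '*' is not an accepted value")
    for a in ask:
        for b in blocked:
            if "*" not in (a, b) and overlaps(a, b):
                findings.append(f"conflict: ask '{a}' overlaps blocked '{b}'")
    return findings

# Constructed sample policy, for illustration only.
SAMPLE = {
    "WebUsbAskForUrls": ["https://www.example.com", "[*.]example.edu", "*"],
    "WebUsbBlockedForUrls": ["https://lab.example.edu", "http://www.example.com"],
}
```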