The Chrome Enterprise policy list is moving! Please update your bookmarks to https://cloud.google.com/docs/chrome-enterprise/policies/.


Both Chromium and Google Chrome have some groups of policies that depend on each other to provide control over a feature. These sets are represented by the following policy groups. Given that policies can have multiple sources, only values coming from the highest priority source will be applied. Values coming from a lower priority source in the same group will be ignored. The order of priority is defined in https://support.google.com/chrome/a/?p=policy_order.




Policy NameDescription
ActiveDirectoryManagementMicrosoft® Active Directory® management settings
DeviceMachinePasswordChangeRateMachine password change rate
DeviceUserPolicyLoopbackProcessingModeUser policy loopback processing mode
DeviceKerberosEncryptionTypesAllowed Kerberos encryption types
DeviceGpoCacheLifetimeGPO cache lifetime
DeviceAuthDataCacheLifetimeAuthentication data cache lifetime
AttestationAttestation
AttestationEnabledForDeviceEnable remote attestation for the device
AttestationEnabledForUserEnable remote attestation for the user
AttestationExtensionAllowlistExtensions allowed to to use the remote attestation API
AttestationExtensionWhitelistExtensions allowed to to use the remote attestation API
AttestationForContentProtectionEnabledEnable the use of remote attestation for content protection for the device
BrowserSwitcherLegacy Browser Support
AlternativeBrowserPathAlternative browser to launch for configured websites.
AlternativeBrowserParametersCommand-line parameters for the alternative browser.
BrowserSwitcherChromePathPath to Chrome for switching from the alternative browser.
BrowserSwitcherChromeParametersCommand-line parameters for switching from the alternative browser.
BrowserSwitcherDelayDelay before launching alternative browser (milliseconds)
BrowserSwitcherEnabledEnable the Legacy Browser Support feature.
BrowserSwitcherExternalSitelistUrlURL of an XML file that contains URLs to load in an alternative browser.
BrowserSwitcherExternalGreylistUrlURL of an XML file that contains URLs that should never trigger a browser switch.
BrowserSwitcherKeepLastChromeTabKeep last tab open in Chrome.
BrowserSwitcherUrlListWebsites to open in alternative browser
BrowserSwitcherUrlGreylistWebsites that should never trigger a browser switch.
BrowserSwitcherUseIeSitelistUse Internet Explorer's SiteList policy for Legacy Browser Support.
CloudReportingCloud Reporting
ReportVersionDataReport OS and Google Chrome Version Information
ReportPolicyDataReport Google Chrome Policy Information
ReportMachineIDDataReport Machine Identification information
ReportUserIDDataReport User Identification information
ReportExtensionsAndPluginsDataReport Extensions and Plugins information
CloudExtensionRequestEnabledEnables Google Chrome extension installation requests
CloudReportingEnabledEnables Google Chrome cloud reporting
CookiesSettingsCookies settings
DefaultCookiesSettingDefault cookies setting
CookiesAllowedForUrlsAllow cookies on these sites
CookiesBlockedForUrlsBlock cookies on these sites
CookiesSessionOnlyForUrlsLimit cookies from matching URLs to the current session
DateAndTimeDate and time
SystemTimezoneTimezone
SystemTimezoneAutomaticDetectionConfigure the automatic timezone detection method
DefaultSearchProviderDefault search provider
DefaultSearchProviderEnabledEnable the default search provider
DefaultSearchProviderNameDefault search provider name
DefaultSearchProviderKeywordDefault search provider keyword
DefaultSearchProviderSearchURLDefault search provider search URL
DefaultSearchProviderSuggestURLDefault search provider suggest URL
DefaultSearchProviderInstantURLDefault search provider instant URL
DefaultSearchProviderIconURLDefault search provider icon
DefaultSearchProviderEncodingsDefault search provider encodings
DefaultSearchProviderAlternateURLsList of alternate URLs for the default search provider
DefaultSearchProviderSearchTermsReplacementKeyParameter controlling search term placement for the default search provider
DefaultSearchProviderImageURLParameter providing search-by-image feature for the default search provider
DefaultSearchProviderNewTabURLDefault search provider new tab page URL
DefaultSearchProviderSearchURLPostParamsParameters for search URL which uses POST
DefaultSearchProviderSuggestURLPostParamsParameters for suggest URL which uses POST
DefaultSearchProviderInstantURLPostParamsParameters for instant URL which uses POST
DefaultSearchProviderImageURLPostParamsParameters for image URL which uses POST
DisplayDisplay
DeviceDisplayResolutionSet display resolution and scale factor
DisplayRotationDefaultSet default display rotation, reapplied on every reboot
DriveDrive
DriveDisabledDisable Drive in the Google Chrome OS Files app
DriveDisabledOverCellularDisable Google Drive over cellular connections in the Google Chrome OS Files app
ExtensionsExtensions
ExtensionInstallAllowlistConfigure extension installation allow list
ExtensionInstallBlocklistConfigure extension installation blocklist
ExtensionInstallBlacklistConfigure extension installation blacklist
ExtensionInstallWhitelistConfigure extension installation whitelist
ExtensionInstallForcelistConfigure the list of force-installed apps and extensions
ExtensionInstallSourcesConfigure extension, app, and user script install sources
ExtensionAllowedTypesConfigure allowed app/extension types
ExtensionAllowInsecureUpdatesAllow insecure algorithms in integrity checks on extension updates and installs
ExtensionSettingsExtension management settings
GoogleCastGoogle Cast
CastReceiverEnabledEnable casting content to the device
CastReceiverNameName of the Google Cast destination
HomepageHomepage
HomepageLocationConfigure the home page URL
HomepageIsNewTabPageUse New Tab Page as homepage
NewTabPageLocationConfigure the New Tab page URL
ShowHomeButtonShow Home button on toolbar
ImageSettingsImage settings
DefaultImagesSettingDefault images setting
ImagesAllowedForUrlsAllow images on these sites
ImagesBlockedForUrlsBlock images on these sites
JavascriptSettingsJavascript settings
DefaultJavaScriptSettingDefault JavaScript setting
JavaScriptAllowedForUrlsAllow JavaScript on these sites
JavaScriptBlockedForUrlsBlock JavaScript on these sites
KeygenSettingsKeygen settings
DefaultKeygenSettingDefault key generation setting
KeygenAllowedForUrlsAllow key generation on these sites
KeygenBlockedForUrlsBlock key generation on these sites
KioskKiosk settings
DeviceLocalAccountsDevice-local accounts
DeviceLocalAccountAutoLoginIdDevice-local account for auto-login
DeviceLocalAccountAutoLoginDelayDevice-local account auto-login timer
DeviceLocalAccountAutoLoginBailoutEnabledEnable bailout keyboard shortcut for auto-login
DeviceLocalAccountPromptForNetworkWhenOfflineEnable network configuration prompt when offline
LegacySameSiteCookieBehaviorSettingsLegacy SameSite cookie behavior settings
LegacySameSiteCookieBehaviorEnabledDefault legacy SameSite cookie behavior setting
LegacySameSiteCookieBehaviorEnabledForDomainListRevert to legacy SameSite behavior for cookies on these sites
LoginScreenOriginsLogin and screen origins
DeviceLoginScreenIsolateOriginsEnable Site Isolation for specified origins
DeviceLoginScreenSitePerProcessEnable Site Isolation for every site
NativeMessagingNative messaging
NativeMessagingBlacklistConfigure native messaging blocklist
NativeMessagingBlocklistConfigure native messaging blacklist
NativeMessagingAllowlistConfigure native messaging allowlist
NativeMessagingWhitelistConfigure native messaging whitelist
NativeMessagingUserLevelHostsAllow user-level Native Messaging hosts (installed without admin permissions)
NetworkFileSharesNetwork File Shares settings
NetworkFileSharesAllowedContorls Network File Shares for ChromeOS availability
NetBiosShareDiscoveryEnabledControls Network File Share discovery via NetBIOS
NTLMShareAuthenticationEnabledControls enabling NTLM as an authentication protocol for SMB mounts
NetworkFileSharesPreconfiguredSharesList of preconfigured network file shares.
NotificationsSettingsNotification settings
DefaultNotificationsSettingDefault notification setting
NotificationsAllowedForUrlsAllow notifications on these sites
NotificationsBlockedForUrlsBlock notifications on these sites
PasswordManagerPassword manager
PasswordManagerEnabledEnable saving passwords to the password manager
PasswordManagerAllowShowPasswordsAllow users to show passwords in Password Manager (deprecated)
PasswordProtectionPassword protection
PasswordProtectionWarningTriggerPassword protection warning trigger
PasswordProtectionLoginURLsConfigure the list of enterprise login URLs where password protection service should capture salted hashes of passwords.
PasswordProtectionChangePasswordURLConfigure the change password URL.
PinUnlockPin unlock
PinUnlockMinimumLengthSet the minimum length of the lock screen PIN
PinUnlockMaximumLengthSet the maximum length of the lock screen PIN
PinUnlockWeakPinsAllowedEnable users to set weak PINs for the lock screen PIN
PinUnlockAutosubmitEnabledEnable PIN auto-submit feature on the lock and login screen.
PluginVmPluginVm
PluginVmAllowedAllow devices to use a PluginVm on Google Chrome OS
PluginVmDataCollectionAllowedAllow PluginVm Product Analytics
PluginVmImagePluginVm image
PluginVmLicenseKeyPluginVm license key
PluginVmRequiredFreeDiskSpaceRequired free disk space for PluginVm
PluginVmUserIdPluginVm user id
UserPluginVmAllowedAllow users to use a PluginVm on Google Chrome OS
PluginsSettingsPlugins settings
DefaultPluginsSettingDefault Flash setting
PluginsAllowedForUrlsAllow the Flash plugin on these sites
PluginsBlockedForUrlsBlock the Flash plugin on these sites
PopupsSettingsPopups settings
DefaultPopupsSettingDefault popups setting
PopupsAllowedForUrlsAllow popups on these sites
PopupsBlockedForUrlsBlock popups on these sites
PrivateNetworkRequestSettingsPrivate network request settings
InsecurePrivateNetworkRequestsAllowedSpecifies whether to allow insecure websites to make requests to more-private network endpoints
InsecurePrivateNetworkRequestsAllowedForUrlsAllow the listed sites to make requests to more-private network endpoints from insecure contexts.
ProxyProxy
ProxyModeChoose how to specify proxy server settings
ProxyServerModeChoose how to specify proxy server settings
ProxyServerAddress or URL of proxy server
ProxyPacUrlURL to a proxy .pac file
ProxyBypassListProxy bypass rules
ProxySettingsProxy settings
QuickUnlockQuick unlock
QuickUnlockModeAllowlistConfigure allowed quick unlock modes
QuickUnlockModeWhitelistConfigure allowed quick unlock modes
QuickUnlockTimeoutSet how often user has to enter password to use quick unlock
RemoteAccessRemote access
RemoteAccessClientFirewallTraversalEnable firewall traversal from remote access client
RemoteAccessHostClientDomainConfigure the required domain name for remote access clients
RemoteAccessHostClientDomainListConfigure the required domain names for remote access clients
RemoteAccessHostFirewallTraversalEnable firewall traversal from remote access host
RemoteAccessHostDomainConfigure the required domain name for remote access hosts
RemoteAccessHostDomainListConfigure the required domain names for remote access hosts
RemoteAccessHostRequireTwoFactorEnable two-factor authentication for remote access hosts
RemoteAccessHostTalkGadgetPrefixConfigure the TalkGadget prefix for remote access hosts
RemoteAccessHostRequireCurtainEnable curtaining of remote access hosts
RemoteAccessHostAllowClientPairingEnable or disable PIN-less authentication for remote access hosts
RemoteAccessHostAllowGnubbyAuthAllow gnubby authentication for remote access hosts
RemoteAccessHostAllowRelayedConnectionEnable the use of relay servers by the remote access host
RemoteAccessHostUdpPortRangeRestrict the UDP port range used by the remote access host
RemoteAccessHostMatchUsernameRequire that the name of the local user and the remote access host owner match
RemoteAccessHostTokenUrlURL where remote access clients should obtain their authentication token
RemoteAccessHostTokenValidationUrlURL for validating remote access client authentication token
RemoteAccessHostTokenValidationCertificateIssuerClient certificate for connecting to RemoteAccessHostTokenValidationUrl
RemoteAccessHostDebugOverridePoliciesPolicy overrides for Debug builds of the remote access host
RemoteAccessHostAllowUiAccessForRemoteAssistanceAllow remote users to interact with elevated windows in remote assistance sessions
RemoteAccessHostAllowFileTransferAllow remote access users to transfer files to/from the host
RemoteAccessHostEnableUserInterfaceEnable or disable the display of connection related UI on the host desktop when a connection is active.
RestoreOnStartupAction on startup
RestoreOnStartupAction on startup
RestoreOnStartupURLsURLs to open on startup
SAMLSAML
DeviceSamlLoginAuthenticationTypeSAML login authentication type
DeviceTransferSAMLCookiesTransfer SAML IdP cookies during login
SafeBrowsingSafe Browsing settings
SafeBrowsingEnabledEnable Safe Browsing
SafeBrowsingExtendedReportingEnabledEnable Safe Browsing Extended Reporting
SafeBrowsingProtectionLevelSafe Browsing Protection Level
SafeBrowsingWhitelistDomainsConfigure the list of domains on which Safe Browsing will not trigger warnings.
SafeBrowsingAllowlistDomainsConfigure the list of domains on which Safe Browsing will not trigger warnings.
SensorsSettingsSensors settings
DefaultSensorsSettingDefault sensors setting
SensorsAllowedForUrlsAllow access to sensors on these sites
SensorsBlockedForUrlsBlock access to sensors on these sites
SupervisedUsersSupervised users
SupervisedUsersEnabledEnable supervised users
SupervisedUserCreationEnabledEnable creation of supervised users
SupervisedUserContentProviderEnabledEnable the supervised user content provider
UserAndDeviceReportingUser and device reporting
ReportDeviceVersionInfoReport OS and firmware version
ReportDeviceBootModeReport device boot mode
ReportDeviceUsersReport device users
ReportDeviceActivityTimesReport device activity times
ReportDeviceLocationReport device location
ReportDeviceNetworkInterfacesReport device network interfaces
ReportDeviceHardwareStatusReport hardware status
ReportDeviceSessionStatusReport information about active kiosk sessions
ReportDeviceGraphicsStatusReport display and graphics statuses
ReportDeviceCrashReportInfoReport information about crash reports.
ReportDeviceOsUpdateStatusReport OS update status
ReportDeviceBoardStatusReport board status
ReportDeviceCpuInfoReport CPU info
ReportDeviceTimezoneInfoReport Timezone info
ReportDeviceMemoryInfoReport memory info
ReportDeviceBacklightInfoReport backlight info
ReportDevicePowerStatusReport power status
ReportDeviceStorageStatusReport storage status
ReportDeviceAppInfoReport applications information
ReportDeviceBluetoothInfoReport Bluetooth info
ReportDeviceFanInfoReport fan info
ReportDeviceVpdInfoReport VPD info
ReportDeviceSystemInfoReport system info
ReportUploadFrequencyFrequency of device status report uploads
ReportArcStatusEnabledReport information about status of Android
HeartbeatEnabledSend network packets to the management server to monitor online status
HeartbeatFrequencyFrequency of monitoring network packets
LogUploadEnabledSend system logs to the management server
DeviceMetricsReportingEnabledEnable metrics reporting
WebUsbSettingsWeb USB settings
DefaultWebUsbGuardSettingControl use of the WebUSB API
DeviceLoginScreenWebUsbAllowDevicesForUrlsAutomatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen.
WebUsbAllowDevicesForUrlsAutomatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
WebUsbAskForUrlsAllow WebUSB on these sites
WebUsbBlockedForUrlsBlock WebUSB on these sites
WiFiWiFi
DeviceWiFiFastTransitionEnabledEnable 802.11r Fast Transition
DeviceWiFiAllowedEnable WiFi