Skip to main content

Configure User and Browser Policy

This allows administrators to remotely configure user and browser policies and apply them to the enrolled devices.

To enforce the User and Browser policies on the enrolled devices, follow these steps:

  1. Navigate to SureMDM WebConsole > Profiles > ChromeOS > Add > User and Browser Policy > Configure.

  2. Enter a Profile Name.

  3. Configure User and Browser Policy settings and click Save.

General

  • Maximum user session length : Sets the maximum duration of a user session before automatic logout.

Sign-in settings

  • Display password button : This enables a button to display the password on the login and lock screen.

    Enrollment Controls

  • Device Enrollment : Determines the organization's to enroll the Chromebooks during initial enrollment.

  • Asset identifier during enrollment : Allows users to add an asset ID and location for a Chromebook during enrollment.

  • Enrollment permissions : Provide users with the ability to enroll new devices or re-enroll existing devices.

Apps and extensions

  • Task Manager : Allows users to end processes using the Task Manager.

Site isolation

  • Isolated Origins : Specifies a list of websites that are not subject to site isolation on the Chrome browser.

  • Site isolation : Controls the functionality of site isolation on the Chrome browser.

    Security

  • Password manager : Enables or disables the password manager feature on the Chrome browser.

  • Lock screen : Allow locking screen.

  • Quick unlock : If configured, the device user can unlock the system using either a PIN or fingerprint method.

  • PIN Auto Submit : Enables automatic submission of the PIN on the sign-in and lock screens, displaying a smartphone-like PIN interface.

  • Lock Screen Media Playback : Allows media playback even when the Chromebook is locked.

  • Idle Settings : Sets the duration of inactivity before the Chromebook goes to sleep or signs out the user.

  • Incognito Mode : Enables browsing in Incognito mode on the Chrome browser.

  • Browser History : Controls the recording of browsing history on the Chrome browser.

  • Clear Browser History : Allows the user to delete browsing and download history on their Chrome browser.

  • Online Revocation Checks : Enables checks for certificate revocation for HTTPS certificates.

  • Geolocation : This allows websites to track the location of the Chromebook.

  • Single Sign-On : Enables single sign-on using Security Assertion Markup Language (SAML) for the Chromebook.

  • SAML SSO Login Frequency : Sets the frequency of required online sign-in for SAML-based single sign-on accounts on the login screen.

  • User Management of CA Certificates : Allows the user to import, edit, and remove certificate authority (CA) certificates.

  • User Management of Client Certificates : Allows the user to manage client and device-wide certificates.

  • CPU Task Scheduler : Configures the priority mode of the Intel Hyper-Threading Technology on the Chromebook's CPU.

  • Enable Credential Leak Detection : Activates the Chrome browser feature that checks for known leaked user credentials.

  • Ambient Authentication : Enables NTLM/Kerberos authentication without credentials on Chrome browser sessions.

  • Unsupported System Warning : Displays warnings from Chrome browser when running on an unsupported operating system or hardware.

  • Advanced Protection Program : Provides extra protections for device users enrolled in the Advanced Protection program on the Chrome browser.

  • Popup Interactions : Controls default behavior on the Chrome browser for interactions between pages and pop-up windows opened with a target of "_blank".

  • Security Token Removal : Defines the behavior when the user's smart card security token is removed from the Chromebook.

  • Removal Notification Duration : Sets the duration for displaying a notification before performing the specified action upon smart card removal.

    Remote access

  • Remote access clients : Allow only specified domain names to connect to the host device, preventing the user from changing the setting on the Chromebook.

  • Remote access hosts : Specifies an allow list of domain names that are imposed on remote access hosts, and prevents the device user from changing the setting on the Chromebook. Only hosts with accounts registered on an allow listed domain name can be shared.

  • Firewall traversa l: Controls the use of STUN and TURN servers when remote clients try to connect to the Chromebook.

Session settings

  • Show logout button in the tray : Toggles the Sign-out button on the shelf.

    Kerberos

  • Kerberos tickets : This allows Kerberos single sign-on for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on.

  • Remember Kerberos passwords : This allows the device user to let Chrome OS remember Kerberos password.

  • Kerberos accounts : This allows the device user to manage Kerberos accounts.

Network

  • Proxy mode : This allows users to configure Proxy Mode.

  • Ignore proxy on captive portals : Determines whether Chrome OS can bypass the configured proxy server for captive portal authentication. Captive portal pages are commonly encountered when connecting to public Wi-Fi networks and require users to accept terms or sign in before gaining internet access.

  • Allow Basic authentication for HTTP : Enables or disables the use of basic authentication (username/password) over non-secure HTTP connections in Chrome browser.

  • NTLMv2 authentication : Toggles NTLMv2 authentication support.

  • Minimum SSL version enabled : Sets the minimum security protocol required for internet connections in the Chrome browser.

  • SSL error override : Determines whether device users can bypass SSL warnings when accessing a page in the Chrome browser.

  • SSL error override allowed domains : Specifies a list of origins for which device users can bypass SSL warnings. This policy is only effective if the SSL error override policy allows users to proceed despite warnings.

  • WebRTC UDP ports : Restricts the use of UDP (User Datagram Protocol) with Web Real-Time Communication (WebRTC) to a specified port range in the Chrome browser.

  • Minimum port (1024-6535): Allows to set the minimum port.

  • Maximum port (1024-6535): Allows to set the maximum port

  • WebRTC ICE candidate URLs for local Ips : Sets a list of websites and domains that can view local IP addresses as WebRTC ICE candidates. This policy affects the visibility of local IP addresses.

  • QUIC protocol : Enables or disables the Quick UDP Internet Connections (QUIC) protocol in the Chrome browser.

  • Built-in DNS client : Allows toggling of the Chrome browser's built-in DNS client.

  • Integrated authentication servers : Specifies a list of server domains for Integrated Windows Authentication (IWA). When the Chrome browser receives an authentication challenge from a proxy or server in this list, integrated authentication is enabled.

  • Kerberos delegation servers : Sets a list of servers that can be used for Kerberos authentication.

  • Kerberos ticket delegation : Determines whether to respect the Key Distribution Center (KDC) policy that allows delegation of Kerberos tickets.

  • Kerberos service principal name : Specifies the source used to generate the Kerberos service principal name (SPN).

  • Kerberos SPN port : Determines whether the generated Kerberos SPN includes a non-standard port.

  • Cross-origin authentication : Allows third-party content on a webpage to prompt users for HTTP basic authentication in Chrome browser.

  • SharedArrayBuffer : Enables the use of SharedArrayBuffers by websites that are not cross-origin isolated.

  • User-Agent client hint s: Chrome browser provides identifying information about itself and the Chromebook to servers upon request.

  • Signed HTTP Exchange (SXG) support: Chrome browser can access pages served on a Signed HTTP Exchange.

  • Globally scoped HTTP authentication cache : This policy limits the scope of the Chrome browser's global cache of HTTP server authentication credentials. It allows organizations time to update their sign-in procedures that rely on legacy authentication methods.

  • Require online OCSP/CRL checks for local trust anchors : Controls whether Chrome always performs revocation checks on validated server certificates signed by locally installed CA certificates. If revocation status information is unavailable, Chrome treats the certificate as revoked.

  • HSTS policy bypass list : Specifies a list of hostnames that are exempt from the HTTP Strict Transport Security (HSTS) policy.

  • DNS interception checks enabled : Toggles DNS interception checking on the Chrome browser to test if the connection is redirected by a proxy for unknown hostnames.

  • Intranet Redirection Behavior : When enabled, single-word queries in the omnibox are treated as hostnames instead of search terms. Chrome issues a DNS request for the term and prompts the user to connect to it as a URL.

  • WPAD optimization : Toggles optimization of Web Proxy Auto-Discovery (WPAD) on the Chrome browser. WPAD helps locate cache services in a network, improving content delivery speed.

  • Login credentials for network authentication : Controls whether usernames and passwords are used to authenticate to a managed proxy secured with NTLM authentication.

  • CECPQ2 post-quantum key-agreement for TLS : CECPQ2 evaluates the performance of post-quantum key-exchange algorithms but may trigger bugs in some networking hardware due to larger TLS messages.

Android Application

  • Control Android backup and restore service : Enables users to back up and restore content, data, and settings from Android apps to their Google Account.

  • Google location services : This allows Android apps to track the physical location of the Chromebook.

  • Certificate synchronization : Syncs Chrome OS certificates to Android apps.

Startup

  • Home button : Toggles the display of the Home button on the Chrome browser toolbar.

  • Homepage : Sets the specified webpage as the home page on the Chrome browser.

  • New tab page : Sets the address of a new tab on the Chrome browser. If left empty, a default page will be used.

  • New tab page background : Enables custom backgrounds on Google's new tab page.

  • Pages to load on startup : Specifies a list of webpages to open in separate tabs when the Chrome browser starts.

Content

  • Safe Search for Google Search queries : Enables SafeSearch filtering to remove explicit content from search results.

  • Screenshot : Allows users to take screenshots on the Chromebook.

  • Screen video capture : Allows websites to prompt users to stream their Chrome browser screen.

  • Client certificates : Specifies a list of approved client certificates for specific URL patterns.

  • Security key attestation : Allows certain websites to use security keys without prompting the user.

  • 3D content : Enables websites to use interactive 3D graphics using the WebGL API.

  • Cookies : This allows websites to store browsing information.

  • Allow cookies for URL patterns : This setting allows cookies to be stored and accessed by websites that match specific URL patterns.

  • Block cookies for URL patterns : This setting prevents websites that match specific URL patterns from storing and accessing cookies on your device.

  • Allow session-only cookies for URL patterns : This setting allows websites that match specific URL patterns to store session-only cookies, which are deleted when the browsing session ends.

  • Third-party cookie blocking : This setting prevents third-party cookies from being stored and accessed by websites. Third-party cookies are cookies that are set by a domain other than the one you are currently visiting.

  • Default legacy SameSite cookie behavior : This setting determines the default behavior for legacy SameSite cookies, which are used to protect against cross-site request forgery attacks.

  • Per-site legacy SameSite cookie behavior : This setting allows you to customize the behavior of legacy SameSite cookies for specific websites

  • Images : Controls whether websites can display images on the Chrome browser.

  • Show images on these sites : This setting allows images to be displayed on specific websites that you specify.

  • Block images on these sites : This setting prevents images from being displayed on specific websites that you specify.

  • JavaScript : Controls whether websites can run JavaScript on the Chrome browser.

  • Allow these sites to run JavaScript : This setting allows JavaScript code to be executed on specific websites that you specify.

  • Block JavaScript on these sites : This setting prevents JavaScript code from being executed on specific websites that you specify.

  • JavaScript Intensive WakeUp Throttling : This setting controls the throttling of JavaScript wakeups that interrupt the device's standby mode, helping to optimize battery usage.

  • Notifications : Allows websites to display desktop notifications.

  • Allow these sites to show notifications : This setting allows websites to show notifications on your device for specific websites that you specify.

  • Block notifications on these sites : This setting prevents websites from showing notifications on your device for specific websites that you specify.

  • Autoplay video : Specifies websites that can automatically play videos with sound.

  • Auto open downloaded files : Specifies file types that can automatically open after download.

  • Pop-ups : Controls whether websites can open pop-up windows.

  • Auto open URLs : Specifies a list of approved websites and domains that have permission to automatically open file types specified in the "Auto open downloaded files" policy.

  • Allow popup on these sites : This setting allows popups to be displayed on specific websites that you specify.

  • Block popup on these sites : This setting prevents popups from being displayed on specific websites that you specify.

  • Cross-origin JavaScript dialogs : This setting controls the display of JavaScript dialogs initiated by cross-origin websites.

  • URL blocking : Blocks specific URLs on the Chromebook.

  • Blocked URL exceptions : This setting allows you to specify exceptions for websites that are currently blocked, allowing them to be accessed.

  • Google Drive syncing : Controls syncing with Google Drive on the Chromebook.

  • Google Drive syncing over cellular : This setting determines whether Google Drive can sync files over a cellular network, or if it is restricted to Wi-Fi connections only.

  • Cast : Allows users to use a Chromecast device to cast from a Chrome tab.

  • Allow insecure content on these sites : This setting allows insecure content to be loaded on specific websites that you specify.

  • Block insecure content on these sites : This setting prevents insecure content from being loaded on specific websites that you specify.

  • Insecure forms : This setting determines how the browser handles insecure forms that are submitted to an insecure website.

  • Insecure content : Controls whether websites can display mixed content (HTTP on HTTPS sites).

  • Network file shares : Controls network file sharing on the Chromebook.

  • Preconfigured network file shares : This setting allows you to configure network file shares that are pre-set and accessible by the browser.

  • Scroll to text fragment : Allows links to scroll to specific text on a webpage.

  • Enable URL-keyed anonymized data collection : Toggles anonymous data collection for URLs visited.

  • AppCache : Allows websites to use the deprecated application cache technology.

  • Web Bluetooth API : Specifies whether websites can access Bluetooth devices.

  • PDF Annotations : Allows annotations on the PDF viewer.

Printing

  • Printing : Enables or disables the printing function.

  • Deprecated Privet Printing : Controls the display of Privet cloud printers in the print preview dialog.

  • Printer management : Allows users to add local printers and manage printer settings.

  • Default Color Printing Mode : Determines whether to print in color or black and white as the default setting. Users can still choose the color mode for individual print jobs.

  • Restrict Color Printing Mode : Forces printing in either color or black and white, restricting the user from changing the mode.

  • Default Page Sides : Sets the default number of paper sides to print on. Users can choose between one-sided or two-sided printing for each print job.

  • Restrict Page Sides : Enforces either one-sided or two-sided printing, preventing users from choosing the other option. Only applicable to duplex printers.

  • Background Graphics Printing Default : Controls whether to print background graphics by default. Users still have the option to include or exclude background graphics for each print job.

  • Background Graphics Printing Restriction : Forces whether to print background graphics, removing the user's choice.

  • CUPS Print Job Information : Enables or disables tracking user account and file name in print jobs sent using IPP over HTTPS.

  • Print Job History Retention Period : Determines how long completed print job metadata is stored on the Chromebook.

  • Print Job History Deletion : Allows users to delete their print job history either through the print management app or by clearing their browser history.

  • Restrict PIN Printing Mode : Requires PIN authentication for print jobs on PIN-compatible printers.

  • Default PIN Printing Mode : Sets whether print jobs on PIN-compatible printers require PIN authentication by default.

  • Maximum Sheets : Sets the maximum number of paper sheets that can be used in a single print job.

  • Default printing page size : Sets the default page size for printing. If the selected printer does not support the defined size, the policy is ignored.

  • Print headers and footers : Mandatory printing of headers and footers on all printouts.

User Experience

  • Managed bookmarks : Specifies the position and behavior of the bookmarks bar on the Chrome browser.

  • Shelf auto-hiding : Toggles the automatic hiding of the shelf on the Chrome browser.

  • Bookmark editing : Allows the user to add, edit, or remove items from the bookmarks bar on the Chrome browser.

  • Download location : Specifies the default location for downloaded files on the Chrome browser.

  • Download location prompt : Specifies whether to prompt the user for the download location on the Chrome browser.

  • Spell check : Toggles spell check on the Chrome browser.

  • Disabled spellcheck languages : Allows to disable spellcheck.

  • Spell check service : Toggles Google's online spell-checking service on the Chrome browser.

  • Google Translate : Toggle Google Translate on the Chrome browser for translating different languages.

  • Alternate error pages : Allows the user to set the use of alternate error pages or allows the user to decide.

  • Developer tools : The allows access to developer tools on the Chrome browser.

  • Payment methods : This allows websites to check if the user has stored payment methods on the Chrome browser.

  • Emoji suggestions : Toggle emoji suggestions as the user types on the Chrome browser.

  • Multiple sign-in access : Allows multiple user accounts to sign in simultaneously on a Chromebook. This setting allows device users to switch between multiple accounts on the Chromebook without having to sign out.

  • Sign-in to secondary accounts : Allows switching between accounts in Chrome browser and Google Play.

  • Allowed domains : Specifies a list of allowed Google Workspace domains for user accounts.

  • Unified Desktop (BETA): Allows spanning an app across multiple displays.

  • WebRTC event log collection : Allows collecting WebRTC events for troubleshooting audio and video meetings in Google services for opt-in users.

  • Dinosaur game : Toggles the dinosaur game easter egg.

  • Previously installed app recommendations : Toggles app recommendations in the launcher for apps installed on other devices.

  • Suggested content : Toggles online content recommendations in the launcher.

  • URLs in the address bar : Toggles displaying the full URL in the address bar on Chrome browser.

  • Shared clipboard : Allows copying and pasting text between devices with Chrome sync enabled.

  • Fullscreen mode : Allows full screen mode for user accounts, apps, and extensions.

  • Show cards on the New Tab Page : Toggle content cards on the New Tab Page for recent searches.

  • Maximize window on first run : Toggles whether Chrome browser maximizes its first window on launch.

  • Allow user feedback : Allows sending feedback to Google on Chrome browser.

  • Media recommendations : Toggle personalized media recommendations based on browsing and search behavior on Chrome browser.

Connected Device

  • Smart Lock : Allows users to sign in or unlock a Chromebook using a paired Android device with one click.

  • Instant Tethering : Automatically connects a Chromebook to a paired Android device's mobile data connection via Wi-Fi hotspot when no nearby Wi-Fi access points are available.

  • Messages : Syncs SMS messages between a phone and a Chromebook.

  • Click to Call : Enables phone numbers from the Chromebook to be shared with and dialled on an Android device.

  • Phone Hub : Allows users to control and receive select features and notifications on an Android phone from a Chromebook.

Accessibility

  • Spoken feedback : Enables the screen reader feature known as ChromeVox.

  • Select to speak : Allows selective screen reading, including text selections and sections of the screen.

  • High contrast : Changes the font and background color scheme to improve readability.

  • Screen magnifier : Zooms in on the screen by up to 20x.

  • Sticky keys : This allows key combinations to be inputted separately and in sequence instead of simultaneously.

  • On-screen keyboard : Enables the use of an on-screen keyboard.

  • Dictation : Converts speech-to-text input.

  • Keyboard focus highlighting : Enhances object highlighting during keyboard navigation.

  • Caret highlight : Adds a ring around the typing cursor during typing.

  • Auto-click enabled : Enables mouse clicking when the cursor stops moving.

  • Large cursor : Increases the size of the mouse cursor.

  • Cursor highlight : Adds a ring around the mouse cursor during movement.

  • Primary mouse button : Specifies the primary mouse button for interactions.

  • Mono audio : Enables single-channel audio.

  • Accessibility shortcuts : Toggles built-in accessibility shortcuts.

  • Accessibility options in the system tray menu : Toggles the accessibility options entry in the system tray menu.

  • Image descriptions : Toggles automatically generated text descriptions for online images that lack descriptions.

Power and Shutdown

  • Wake Locks : This allows the Chromebook to prevent the screen from turning off or going into sleep mode.

Search Provider

  • Search suggest : Toggle the feature that enables predictive search queries and suggestions in the address bar of the Chrome browser.

Hardware

  • External storage devices : This allows users to connect and use external storage devices with their Chromebook.

  • Controls which websites can ask for USB access : Determines whether websites on the Chrome browser can request access to USB devices connected to the Chromebook.

  • Allow these sites to ask for USB access : Specifies a list of websites and domains that are allowed to request access to connected USB devices without user consent.

  • Block these sites from asking for USB access : Specifies a list of websites and domains that are not allowed to request access to connected USB devices.

  • Audio input (microphone): Controls whether websites on the Chrome browser can request access to the Chromebook's microphone for audio input.

  • Audio input allowed URLs : Specifies a list of websites and domains that are allowed to access the Chromebook's microphone for audio input without user consent.

  • Audio output : Toggles the availability of all audio output devices on the Chromebook, including internal speakers and connected audio devices.

  • Built-in camera access : Controls whether websites and apps can access the Chromebook's integrated webcam or connected video devices for video input.

  • Video input allowed URLs : Specifies a list of websites, domains, and apps that are allowed to access video input devices on the Chromebook without user consent.

  • Keyboard : Defines the behavior of the top row of keys on the Chromebook's keyboard.

  • Web Serial API : Controls whether websites on the Chrome browser can access serial ports available through the Web Serial API.

  • Allow the Serial API on these sites : Specifies a list of websites and domains that are allowed to request access to serial ports on the Chromebook.

  • Block the Serial API on these sites : Specifies a list of websites and domains that are not allowed to request access to serial ports on the Chromebook.

  • Privacy screen : Enables or disables the integrated hardware privacy screen on compatible Chromebooks.

  • File system read access : Determines whether websites on the Chrome browser can request read access to the Chromebook's file system.

  • Allow file system read access on these sites : Specifies a list of websites and domains that are allowed to read files from the Chromebook's file system without user consent.

  • Block file system read access on these sites : Specifies a list of websites and domains that are not allowed to read files from the Chromebook's file system.

  • File system write access : Controls whether websites on the Chrome browser can request write access to the Chromebook's file system.

  • Allow write access to files and directories on these sites : Specifies a list of websites and domains that are allowed to write files to the Chromebook's file system without user consent.

  • Block write access to files and directories on these sites : Specifies a list of websites and domains that are not allowed to write files to the Chromebook's file system.

  • Sensors : Determines whether websites on the Chrome browser can access the built-in motion and light sensors on the Chromebook.

  • Allow access to sensors on these sites : Specifies a list of websites and domains that are allowed to access the Chromebook's sensors without user consent.

  • Block access to sensors on these sites : Specifies a list of websites and domains that are not allowed to access the Chromebook's sensors.

  • Enterprise Hardware Platform API : Enables extensions added by a managed profile to use the Enterprise Hardware Platform API for obtaining information about the Chromebook's manufacturer and model.

User Verification

  • Verified mode : Controls whether Verified Access can attest the Chromebook if it boots in developer mode.

  • Service accounts which are allowed to receive user data : Specifies an allowlist of email addresses of service accounts that have full access to the Google Verified Access API. These are the service accounts created in the Google API Console.

  • Services accounts which can verify users but do not receive user data : Specifies an allowlist of email addresses of service accounts that have limited access to the Google Verified Access API. These are the service accounts created in the Google API Console.

Chrome Safe Browsing

  • Help Improve Safe Browsing : Enable or disable sending extra information to help improve Safe Browsing.

  • Download restrictions : This prevents the downloading of dangerous files on the Chrome browser.

  • Disable Bypassing Safe Browsing warnings : Allows or prevents access to deceptive or dangerous websites and potentially harmful file downloads.

  • Password alert : Warns users when trying to save passwords on dangerous sites.

  • SafeSites URL filter : Filter top level sites (but not embedded iframes) for adult content.

  • Sites with Intrusive ads : Allows/block ads on websites known to have intrusive ads.

  • Abusive Experience intervention : Restricts websites flagged as containing abusive experiences from opening new windows or tabs.

Chrome updates

  • Component updates : Allows to enable or disable updates for all components

Virtual machines (VMs) and developers

  • Command line access : Controls command line tools on the virtual machine management console.

  • Linux virtual machines : Allow or block usage for virtual machines needed to support Linux apps for users.

  • Port forwarding : Allows configuring port forwarding into Linux containers.

  • Android apps from untrusted sources: Controls the installation of Android apps from untrusted sources.

The newly created profile will be listed in the Profiles section.

  1. Go back to the Home tab and select the required group(s).

  2. Click Apply to launch Apply Job/Profile To Device prompt.

  3. In the Apply Job/Profile To Device prompt, select the created policy and click Apply.

:::not Unlike other platforms, the ChromeOS policy cannot be assigned to individual devices; it can only be assigned to the ChromeOS group. :::