• Chromium OS (Chromium OS) since version 27

If this policy is set to true, Accessibility options always appear in system tray menu.

If this policy is set to false, Accessibility options never appear in system tray menu.

If you set this policy, users cannot change or override it.

If this policy is left unset, Accessibility options will not appear in the system tray menu, but the user can cause the Accessibility options to appear via the Settings page.

• Chromium OS (Chromium OS) since version 29

Enable the large cursor accessibility feature.

If this policy is set to true, the large cursor will always be enabled.

If this policy is set to false, the large cursor will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the large cursor is disabled initially but can be enabled by the user anytime.

• Chromium OS (Chromium OS) since version 29

Enable the spoken feedback accessibility feature.

If this policy is set to true, spoken feedback will always be enabled.

If this policy is set to false, spoken feedback will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, spoken feedback is disabled initially but can be enabled by the user anytime.

• Chromium OS (Chromium OS) since version 29

Enable the high contrast mode accessibility feature.

If this policy is set to true, high contrast mode will always be enabled.

If this policy is set to false, high contrast mode will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, high contrast mode is disabled initially but can be enabled by the user anytime.

• Chromium OS (Chromium OS) since version 34

Enable the on-screen keyboard accessibility feature.

If this policy is set to true, the on-screen keyboard will always be enabled.

If this policy is set to false, the on-screen keyboard will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the on-screen keyboard is disabled initially but can be enabled by the user anytime.

• Chromium OS (Chromium OS) since version 35

Changes the default behaviour of the top row keys to function keys.

If this policy is set to true, the keyboard's top row of keys will produce function key commands per default. The search key has to be pressed to revert their behavior back to media keys.

If this policy is set to false or left unset, the keyboard will produce media key commands per default and function key commands when the search key is held.

• Chromium OS (Chromium OS) since version 29

If this policy is set, it controls the type of screen magnifier that is enabled. Setting the policy to "None" disables the screen magnifier.

If you set this policy, users cannot change or override it.

If this policy is left unset, the screen magnifier is disabled initially but can be enabled by the user anytime.

• 0 = Screen magnifier disabled
• 1 = Full-screen magnifier enabled

• Chromium OS (Chromium OS) since version 29

Set the default state of the large cursor accessibility feature on the login screen.

If this policy is set to true, the large cursor will be enabled when the login screen is shown.

If this policy is set to false, the large cursor will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling the large cursor. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the large cursor is disabled when the login screen is first shown. Users can enable or disable the large cursor anytime and its status on the login screen is persisted between users.

• Chromium OS (Chromium OS) since version 29

Set the default state of the spoken feedback accessibility feature on the login screen.

If this policy is set to true, spoken feedback will be enabled when the login screen is shown.

If this policy is set to false, spoken feedback will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling spoken feedback. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, spoken feedback is disabled when the login screen is first shown. Users can enable or disable spoken feedback anytime and its status on the login screen is persisted between users.

• Chromium OS (Chromium OS) since version 29

Set the default state of the high contrast mode accessibility feature on the login screen.

If this policy is set to true, high contrast mode will be enabled when the login screen is shown.

If this policy is set to false, high contrast mode will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling high contrast mode. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, high contrast mode is disabled when the login screen is first shown. Users can enable or disable high contrast mode anytime and its status on the login screen is persisted between users.

• Chromium OS (Chromium OS) since version 34

Set the default state of the on-screen keyboard accessibility feature on the login screen.

If this policy is set to true, the on-screen keyboard will be enabled when the login screen is shown.

If this policy is set to false, the on-screen keyboard will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling the on-screen keyboard. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the on-screen keyboard is disabled when the login screen is first shown. Users can enable or disable the on-screen keyboard anytime and its status on the login screen is persisted between users.

• Chromium OS (Chromium OS) since version 29

Set the default type of screen magnifier that is enabled on the login screen.

If this policy is set, it controls the type of screen magnifier that is enabled when the login screen is shown. Setting the policy to "None" disables the screen magnifier.

If you set this policy, users can temporarily override it by enabling or disabling the screen magnifier. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the screen magnifier is disabled when the login screen is first shown. Users can enable or disable the screen magnifier anytime and its status on the login screen is persisted between users.

• 0 = Screen magnifier disabled
• 1 = Full-screen magnifier enabled

• Chromium (Linux, Mac, Windows) since version 70

This policy controls whether to report version information, such as OS version, OS platform, OS architecture, Chromium version and Chromium channel.

When this policy is left unset or set to True, version information is gathered. When this policy is set to False, version information is not gathered.

This policy is only effective when the Chrome Reporting Extension is enabled, and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.

• Chromium (Linux, Mac, Windows) since version 70

This policy controls whether to report policy data and time of policy fetch.

When this policy is left unset or set to True, policy data and time of policy fetch are gathered. When this policy is set to False, policy data and time of policy fetch are not gathered.

This policy is only effective when the Chrome Reporting Extension is enabled, and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.

• Chromium (Linux, Mac, Windows) since version 70

This policy controls whether to report information that can be used to identify machines, such as machine name and network addresses.

When this policy is left unset or set to True, information that can be used to identify machines is gathered. When this policy is set to False, information that can be used to identify machines is not gathered.

This policy is only effective when the Chrome Reporting Extension is enabled, and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.

• Chromium (Linux, Mac, Windows) since version 70

This policy controls whether to report information that can be used to identify users, such as OS login, Chromium Profile login, Chromium Profile name, Chromium Profile path and Chromium executable path.

When this policy is left unset or set to True, information that can be used to identify users is gathered. When this policy is set to False, information that can be used to identify users is not gathered.

This policy is only effective when the Chrome Reporting Extension is enabled, and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.

• Chromium OS (Chromium OS) since version 19

Disables Google Drive syncing in the Chromium OS Files app when set to True. In that case, no data is uploaded to Google Drive.

If not set or set to False, then users will be able to transfer files to Google Drive.

This policy does not prevent the user from using the Android Google Drive app. If you want to prevent access to Google Drive, you should disallow installation of the Android Google Drive app as well.

• Chromium OS (Chromium OS) since version 19

Disables Google Drive syncing in the Chromium OS Files app when using a cellular connection when set to True. In that case, data is only synced to Google Drive when connected via WiFi or Ethernet.

If not set or set to False, then users will be able to transfer files to Google Drive via cellular connections.

This policy has no effect on the Android Google Drive app. If you want to prevent use of Google Drive over cellular connections, you should disallow installation of the Android Google Drive app.

• Chromium (Linux, Mac, Windows) since version 22
• Chromium OS (Chromium OS) since version 41

This policy is deprecated. Please use RemoteAccessHostClientDomainList instead.

• Chromium (Linux, Mac, Windows) since version 60
• Chromium OS (Chromium OS) since version 60

Configures the required client domain names that will be imposed on remote access clients and prevents users from changing it.

If this setting is enabled, then only clients from one of the specified domains can connect to the host.

If this setting is disabled or not set, then the default policy for the connection type is applied. For remote assistance, this allows clients from any domain to connect to the host; for anytime remote access, only the host owner can connect.

This setting will override RemoteAccessHostClientDomain, if present.

See also RemoteAccessHostDomainList.

Windows (Windows clients):

Software\Policies\Chromium\RemoteAccessHostClientDomainList\1 = "my-awesome-domain.com" Software\Policies\Chromium\RemoteAccessHostClientDomainList\2 = "my-auxiliary-domain.com"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\RemoteAccessHostClientDomainList\1 = "my-awesome-domain.com" Software\Policies\ChromiumOS\RemoteAccessHostClientDomainList\2 = "my-auxiliary-domain.com"

Android/Linux:

["my-awesome-domain.com", "my-auxiliary-domain.com"]

Mac:

<array> <string>my-awesome-domain.com</string> <string>my-auxiliary-domain.com</string> </array>

• Chromium (Linux, Mac, Windows) since version 14
• Chromium OS (Chromium OS) since version 41

Enables usage of STUN servers when remote clients are trying to establish a connection to this machine.

If this setting is enabled, then remote clients can discover and connect to this machines even if they are separated by a firewall.

If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network.

If this policy is left not set the setting will be enabled.

• Chromium (Linux, Mac, Windows) since version 22
• Chromium OS (Chromium OS) since version 41

This policy is deprecated. Please use RemoteAccessHostDomainList instead.

• Chromium (Linux, Mac, Windows) since version 60
• Chromium OS (Chromium OS) since version 60

Configures the required host domain names that will be imposed on remote access hosts and prevents users from changing it.

If this setting is enabled, then hosts can be shared only using accounts registered on one of the specified domain names.

If this setting is disabled or not set, then hosts can be shared using any account.

This setting will override RemoteAccessHostDomain, if present.

See also RemoteAccessHostClientDomainList.

Windows (Windows clients):

Software\Policies\Chromium\RemoteAccessHostDomainList\1 = "my-awesome-domain.com" Software\Policies\Chromium\RemoteAccessHostDomainList\2 = "my-auxiliary-domain.com"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\RemoteAccessHostDomainList\1 = "my-awesome-domain.com" Software\Policies\ChromiumOS\RemoteAccessHostDomainList\2 = "my-auxiliary-domain.com"

Android/Linux:

["my-awesome-domain.com", "my-auxiliary-domain.com"]

Mac:

<array> <string>my-awesome-domain.com</string> <string>my-auxiliary-domain.com</string> </array>

• Chromium (Linux, Mac, Windows) since version 22
• Chromium OS (Chromium OS) since version 41

Configures the TalkGadget prefix that will be used by remote access hosts and prevents users from changing it.

If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.

If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.

If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used for all hosts.

Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.

• Chromium (Linux, Mac, Windows) since version 23
• Chromium OS (Chromium OS) since version 41

Enables curtaining of remote access hosts while a connection is in progress.

If this setting is enabled, then hosts' physical input and output devices are disabled while a remote connection is in progress.

If this setting is disabled or not set, then both local and remote users can interact with the host when it is being shared.

• Chromium (Linux, Mac, Windows) since version 30
• Chromium OS (Chromium OS) since version 41

If this setting is enabled or not configured, then users can opt to pair clients and hosts at connection time, eliminating the need to enter a PIN every time.

If this setting is disabled, then this feature will not be available.

• Chromium (Linux, Mac, Windows) since version 35
• Chromium OS (Chromium OS) since version 41

If this setting is enabled, then gnubby authentication requests will be proxied across a remote host connection.

If this setting is disabled or not configured, gnubby authentication requests will not be proxied.

• Chromium (Linux, Mac, Windows) since version 36
• Chromium OS (Chromium OS) since version 41

Enables usage of relay servers when remote clients are trying to establish a connection to this machine.

If this setting is enabled, then remote clients can use relay servers to connect to this machine when a direct connection is not available (e.g. due to firewall restrictions).

Note that if the policy RemoteAccessHostFirewallTraversal is disabled, this policy will be ignored.

If this policy is left not set the setting will be enabled.

• Chromium (Linux, Mac, Windows) since version 36
• Chromium OS (Chromium OS) since version 41

Restricts the UDP port range used by the remote access host in this machine.

If this policy is left not set, or if it is set to an empty string, the remote access host will be allowed to use any available port, unless the policy RemoteAccessHostFirewallTraversal is disabled, in which case the remote access host will use UDP ports in the 12400-12409 range.

• Chromium (Linux) since version 25
• Chromium (Mac) since version 25
• Chromium OS (Chromium OS) since version 42

If this setting is enabled, then the remote access host compares the name of the local user (that the host is associated with) and the name of the Google account registered as the host owner (i.e. "johndoe" if the host is owned by "johndoe@example.com" Google account). The remote access host will not start if the name of the host owner is different from the name of the local user that the host is associated with. RemoteAccessHostMatchUsername policy should be used together with RemoteAccessHostDomain to also enforce that the Google account of the host owner is associated with a specific domain (i.e. "example.com").

If this setting is disabled or not set, then the remote access host can be associated with any local user.

• Chromium (Linux, Mac, Windows) since version 28
• Chromium OS (Chromium OS) since version 42

If this policy is set, the remote access host will require authenticating clients to obtain an authentication token from this URL in order to connect. Must be used in conjunction with RemoteAccessHostTokenValidationUrl.

This feature is currently disabled server-side.

• Chromium (Linux, Mac, Windows) since version 28
• Chromium OS (Chromium OS) since version 42

If this policy is set, the remote access host will use this URL to validate authentication tokens from remote access clients, in order to accept connections. Must be used in conjunction with RemoteAccessHostTokenUrl.

This feature is currently disabled server-side.

• Chromium (Linux, Mac, Windows) since version 28
• Chromium OS (Chromium OS) since version 42

If this policy is set, the host will use a client certificate with the given issuer CN to authenticate to RemoteAccessHostTokenValidationUrl. Set it to "*" to use any available client certificate.

This feature is currently disabled server-side.

• Chromium (Windows) since version 55

If this setting is enabled, the remote assistance host will be run in a process with uiAccess permissions. This will allow remote users to interact with elevated windows on the local user's desktop.

If this setting is disabled or not configured, the remote assistance host will run in the user's context and remote users cannot interact with elevated windows on the desktop.

• Chromium (Linux, Mac, Windows) since version 10
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Allows you to set whether websites are allowed to set local data. Setting local data can be either allowed for all websites or denied for all websites.

If this policy is set to 'Keep cookies for the duration of the session' then cookies will be cleared when the session closes. Note that if Chromium is running in 'background mode', the session may not close when the last window is closed. Please see the 'BackgroundModeEnabled' policy for more information about configuring this behavior.

If this policy is left not set, 'AllowCookies' will be used and the user will be able to change it.

• 1 = Allow all sites to set local data
• 2 = Do not allow any site to set local data
• 4 = Keep cookies for the duration of the session

• Chromium (Linux, Mac, Windows) since version 10
• Chromium OS (Chromium OS) since version 11

Allows you to set whether websites are allowed to display images. Displaying images can be either allowed for all websites or denied for all websites.

If this policy is left not set, 'AllowImages' will be used and the user will be able to change it.

Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

• 1 = Allow all sites to show all images
• 2 = Do not allow any site to show images

• Chromium (Linux, Mac, Windows) since version 10
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Allows you to set whether websites are allowed to run JavaScript. Running JavaScript can be either allowed for all websites or denied for all websites.

If this policy is left not set, 'AllowJavaScript' will be used and the user will be able to change it.

• 1 = Allow all sites to run JavaScript
• 2 = Do not allow any site to run JavaScript

• Chromium (Linux, Mac, Windows) since version 10
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 33

Allows you to set whether websites are allowed to show pop-ups. Showing popups can be either allowed for all websites or denied for all websites.

If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.

• 1 = Allow all sites to show pop-ups
• 2 = Do not allow any site to show popups

• Chromium (Linux, Mac, Windows) since version 10
• Chromium OS (Chromium OS) since version 11

Allows you to set whether websites are allowed to display desktop notifications. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications.

If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.

• 1 = Allow sites to show desktop notifications
• 2 = Do not allow any site to show desktop notifications
• 3 = Ask every time a site wants to show desktop notifications

• Chromium (Linux, Mac, Windows) since version 10
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.

If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.

• 1 = Allow sites to track the users' physical location
• 2 = Do not allow any site to track the users' physical location
• 3 = Ask whenever a site wants to track the users' physical location

If this policy is set to BlockGeolocation, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.

• Chromium (Linux, Mac, Windows) since version 22
• Chromium OS (Chromium OS) since version 22

Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.

If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.

• 2 = Do not allow any site to access the camera and microphone
• 3 = Ask every time a site wants to access the camera and/or microphone

• Chromium OS (Chromium OS) since version 50
• Chromium (Android) since version 50
• Chromium (Linux, Mac, Windows) since version 50

Allows you to set whether websites are allowed to get access to nearby Bluetooth devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to nearby Bluetooth devices.

If this policy is left not set, '3' will be used, and the user will be able to change it.

• 2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API
• 3 = Allow sites to ask the user to grant access to a nearby Bluetooth device

• Chromium OS (Chromium OS) since version 67
• Chromium (Android) since version 67
• Chromium (Linux, Mac, Windows) since version 67

Allows you to set whether websites are allowed to get access to connected USB devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to connected USB devices.

This policy can be overridden for specific URL patterns using the 'WebUsbAskForUrls' and 'WebUsbBlockedForUrls' policies.

If this policy is left not set, '3' will be used, and the user will be able to change it.

• 2 = Do not allow any site to request access to USB devices via the WebUSB API
• 3 = Allow sites to ask the user to grant access to a connected USB device

• Chromium (Linux, Mac, Windows) since version 15
• Chromium OS (Chromium OS) since version 15

Allows you to specify a list of url patterns that specify sites for which Chromium should automatically select a client certificate, if the site requests a certificate.

The value must be an array of stringified JSON dictionaries. Each dictionary must have the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts from which client certificates the browser will automatically select. Independent of the filter, only certificates will be selected that match the server's certificate request. If $FILTER has the form { "ISSUER": { "CN": "$ISSUER_CN" } }, additionally only client certificates are selected that are issued by a certificate with the CommonName $ISSUER_CN. If $FILTER is the empty dictionary {}, the selection of client certificates is not additionally restricted.

If this policy is left not set, no auto-selection will be done for any site.

Windows (Windows clients):

Software\Policies\Chromium\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}"

Android/Linux:

["{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}"]

Mac:

<array> <string>{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Allows you to set a list of url patterns that specify sites which are allowed to set cookies.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise.

See also policies 'CookiesBlockedForUrls' and 'CookiesSessionOnlyForUrls'. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.

Windows (Windows clients):

Software\Policies\Chromium\CookiesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\CookiesAllowedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\CookiesAllowedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\CookiesAllowedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Allows you to set a list of url patterns that specify sites which are not allowed to set cookies.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise.

See also policies 'CookiesAllowedForUrls' and 'CookiesSessionOnlyForUrls'. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.

Windows (Windows clients):

Software\Policies\Chromium\CookiesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\CookiesBlockedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\CookiesBlockedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\CookiesBlockedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Cookies set by pages matching these URL patterns will be limited to the current session, i.e. they will be deleted when the browser exits.

For URLs not covered by the patterns specified here, or for all URLs if this policy is not set, the global default value will be used either from the 'DefaultCookiesSetting' policy, if it is set, or the user's personal configuration otherwise.

Note that if Chromium is running in 'background mode', the session may not be closed when the last browser window is closed, but will instead stay active until the browser exits. Please see the 'BackgroundModeEnabled' policy for more information about configuring this behavior.

See also policies 'CookiesAllowedForUrls' and 'CookiesBlockedForUrls'. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.

If the "RestoreOnStartup" policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.

Windows (Windows clients):

Software\Policies\Chromium\CookiesSessionOnlyForUrls\1 = "https://www.example.com" Software\Policies\Chromium\CookiesSessionOnlyForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\CookiesSessionOnlyForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\CookiesSessionOnlyForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11

Allows you to set a list of url patterns that specify sites which are allowed to display images.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultImagesSetting' policy if it is set, or the user's personal configuration otherwise.

Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

Windows (Windows clients):

Software\Policies\Chromium\ImagesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\ImagesAllowedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ImagesAllowedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\ImagesAllowedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11

Allows you to set a list of url patterns that specify sites which are not allowed to display images.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultImagesSetting' policy if it is set, or the user's personal configuration otherwise.

Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

Windows (Windows clients):

Software\Policies\Chromium\ImagesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\ImagesBlockedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ImagesBlockedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\ImagesBlockedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Allows you to set a list of url patterns that specify sites which are allowed to run JavaScript.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.

Windows (Windows clients):

Software\Policies\Chromium\JavaScriptAllowedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\JavaScriptAllowedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\JavaScriptAllowedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\JavaScriptAllowedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Allows you to set a list of url patterns that specify sites which are not allowed to run JavaScript.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.

Windows (Windows clients):

Software\Policies\Chromium\JavaScriptBlockedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\JavaScriptBlockedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\JavaScriptBlockedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\JavaScriptBlockedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11

Allows you to set a list of url patterns that specify sites which are allowed to run the Flash plugin.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.

Windows (Windows clients):

Software\Policies\Chromium\PluginsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\PluginsAllowedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\PluginsAllowedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\PluginsAllowedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11

Allows you to set a list of url patterns that specify sites which are not allowed to run the Flash plugin.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.

Windows (Windows clients):

Software\Policies\Chromium\PluginsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\PluginsBlockedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\PluginsBlockedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\PluginsBlockedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 34

Allows you to set a list of url patterns that specify sites which are allowed to open popups.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultPopupsSetting' policy if it is set, or the user's personal configuration otherwise.

Windows (Windows clients):

Software\Policies\Chromium\PopupsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\PopupsAllowedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\PopupsAllowedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\PopupsAllowedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 37
• Chromium OS (Chromium OS) since version 37

Allows you to register a list of protocol handlers. This can only be a recommended policy. The property |protocol| should be set to the scheme such as 'mailto' and the property |url| should be set to the URL pattern of the application that handles the scheme. The pattern can include a '%s', which if present will be replaced by the handled URL.

The protocol handlers registered by policy are merged with the ones registered by the user and both are available for use. The user can override the protocol handlers installed by policy by installing a new default handler, but cannot remove a protocol handler registered by policy.

The protocol handlers set via this policy are not used when handling Android intents.

Windows (Windows clients):

Software\Policies\Chromium\Recommended\RegisteredProtocolHandlers = [{"url": "https://mail.google.com/mail/?extsrc=mailto&url=%s", "default": true, "protocol": "mailto"}]

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\Recommended\RegisteredProtocolHandlers = [{"url": "https://mail.google.com/mail/?extsrc=mailto&url=%s", "default": true, "protocol": "mailto"}]

Android/Linux:

RegisteredProtocolHandlers: [{"url": "https://mail.google.com/mail/?extsrc=mailto&url=%s", "default": true, "protocol": "mailto"}]

Mac:

<key>RegisteredProtocolHandlers</key> <array> <dict> <key>default</key> <true/> <key>protocol</key> <string>mailto</string> <key>url</key> <string>https://mail.google.com/mail/?extsrc=mailto&amp;url=%s</string> </dict> </array>

• Chromium (Linux, Mac, Windows) since version 11
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 34

Allows you to set a list of url patterns that specify sites which are not allowed to open popups.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultPopupsSetting' policy if it is set, or the user's personal configuration otherwise.

Windows (Windows clients):

Software\Policies\Chromium\PopupsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\PopupsBlockedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\PopupsBlockedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\PopupsBlockedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 16
• Chromium OS (Chromium OS) since version 16

Allows you to set a list of url patterns that specify sites which are allowed to display notifications.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultNotificationsSetting' policy if it is set, or the user's personal configuration otherwise.

Windows (Windows clients):

Software\Policies\Chromium\NotificationsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\NotificationsAllowedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\NotificationsAllowedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\NotificationsAllowedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 16
• Chromium OS (Chromium OS) since version 16

Allows you to set a list of url patterns that specify sites which are not allowed to display notifications.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultNotificationsSetting' policy if it is set, or the user's personal configuration otherwise.

Windows (Windows clients):

Software\Policies\Chromium\NotificationsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\NotificationsBlockedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\NotificationsBlockedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\NotificationsBlockedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium OS (Chromium OS) since version 68
• Chromium (Android) since version 68
• Chromium (Linux, Mac, Windows) since version 68

Allows you to set a list of url patterns that specify sites which are allowed to ask the user to grant them access to a USB device.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the user's personal configuration otherwise.

URL patterns in this policy should not clash with ones configured via WebUsbBlockedForUrls. It is unspecified which of the two policies takes precedence if a URL matches with both.

Windows (Windows clients):

Software\Policies\Chromium\WebUsbAskForUrls\1 = "https://www.example.com" Software\Policies\Chromium\WebUsbAskForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\WebUsbAskForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\WebUsbAskForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium OS (Chromium OS) since version 68
• Chromium (Android) since version 68
• Chromium (Linux, Mac, Windows) since version 68

Allows you to set a list of url patterns that specify sites which are prevented from asking the user to grant them access to a USB device.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the user's personal configuration otherwise.

URL patterns in this policy should not clash with ones configured via WebUsbAskForUrls. It is unspecified which of the two policies takes precedence if a URL matches with both.

Windows (Windows clients):

Software\Policies\Chromium\WebUsbBlockedForUrls\1 = "https://www.example.com" Software\Policies\Chromium\WebUsbBlockedForUrls\2 = "[*.]example.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\WebUsbBlockedForUrls\1 = "https://www.example.com" Software\Policies\ChromiumOS\WebUsbBlockedForUrls\2 = "[*.]example.edu"

Android/Linux:

["https://www.example.com", "[*.]example.edu"]

Mac:

<array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Enables the use of a default search provider.

If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL.

You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider.

If you disable this setting, no search is performed when the user enters non-URL text in the omnibox.

If you enable or disable this setting, users cannot change or override this setting in Chromium.

If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Specifies the name of the default search provider. If left empty or not set, the host name specified by the search URL will be used.

This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Specifies the keyword, which is the shortcut used in the omnibox to trigger the search for this provider.

This policy is optional. If not set, no keyword will activate the search provider.

This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for.

Google's search URL can be specified as: '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'.

This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Specifies the URL of the search engine used to provide search suggestions. The URL should contain the string '{searchTerms}', which will be replaced at query time by the text the user has entered so far.

This policy is optional. If not set, no suggest URL will be used.

Google's suggest URL can be specified as: '{google:baseURL}complete/search?output=chrome&q={searchTerms}'.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Specifies the favorite icon URL of the default search provider.

This policy is optional. If not set, no icon will be present for the search provider.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Specifies the character encodings supported by the search provider. Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided.

This policy is optional. If not set, the default will be used which is UTF-8.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Windows (Windows clients):

Software\Policies\Chromium\DefaultSearchProviderEncodings\1 = "UTF-8" Software\Policies\Chromium\DefaultSearchProviderEncodings\2 = "UTF-16" Software\Policies\Chromium\DefaultSearchProviderEncodings\3 = "GB2312" Software\Policies\Chromium\DefaultSearchProviderEncodings\4 = "ISO-8859-1"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\DefaultSearchProviderEncodings\1 = "UTF-8" Software\Policies\ChromiumOS\DefaultSearchProviderEncodings\2 = "UTF-16" Software\Policies\ChromiumOS\DefaultSearchProviderEncodings\3 = "GB2312" Software\Policies\ChromiumOS\DefaultSearchProviderEncodings\4 = "ISO-8859-1"

Android/Linux:

["UTF-8", "UTF-16", "GB2312", "ISO-8859-1"]

Mac:

<array> <string>UTF-8</string> <string>UTF-16</string> <string>GB2312</string> <string>ISO-8859-1</string> </array>

• Chromium (Linux, Mac, Windows) since version 24
• Chromium OS (Chromium OS) since version 24
• Chromium (Android) since version 30

Specifies a list of alternate URLs that can be used to extract search terms from the search engine. The URLs should contain the string '{searchTerms}', which will be used to extract the search terms.

This policy is optional. If not set, no alternate urls will be used to extract search terms.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Windows (Windows clients):

Software\Policies\Chromium\DefaultSearchProviderAlternateURLs\1 = "https://search.my.company/suggest#q={searchTerms}" Software\Policies\Chromium\DefaultSearchProviderAlternateURLs\2 = "https://search.my.company/suggest/search#q={searchTerms}"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\DefaultSearchProviderAlternateURLs\1 = "https://search.my.company/suggest#q={searchTerms}" Software\Policies\ChromiumOS\DefaultSearchProviderAlternateURLs\2 = "https://search.my.company/suggest/search#q={searchTerms}"

Android/Linux:

["https://search.my.company/suggest#q={searchTerms}", "https://search.my.company/suggest/search#q={searchTerms}"]

Mac:

<array> <string>https://search.my.company/suggest#q={searchTerms}</string> <string>https://search.my.company/suggest/search#q={searchTerms}</string> </array>

• Chromium (Linux, Mac, Windows) since version 29
• Chromium OS (Chromium OS) since version 29
• Chromium (Android) since version 30

Specifies the URL of the search engine used to provide image search. Search requests will be sent using the GET method. If the DefaultSearchProviderImageURLPostParams policy is set then image search requests will use the POST method instead.

This policy is optional. If not set, no image search will be used.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 30
• Chromium OS (Chromium OS) since version 30
• Chromium (Android) since version 30

Specifies the URL that a search engine uses to provide a new tab page.

This policy is optional. If not set, no new tab page will be provided.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 29
• Chromium OS (Chromium OS) since version 29
• Chromium (Android) since version 30

Specifies the parameters used when searching a URL with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.

This policy is optional. If not set, search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 29
• Chromium OS (Chromium OS) since version 29
• Chromium (Android) since version 30

Specifies the parameters used when doing suggestion search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.

This policy is optional. If not set, suggest search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 29
• Chromium OS (Chromium OS) since version 29
• Chromium (Android) since version 30

Specifies the parameters used when doing image search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {imageThumbnail} in above example, it will be replaced with real image thumbnail data.

This policy is optional. If not set, image search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11

Allows you to specify which extensions the users can NOT install. Extensions already installed will be disabled if blacklisted, without a way for the user to enable them. Once an extension disabled due to the blacklist is removed from it, it will automatically get re-enabled.

A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist.

If this policy is left not set the user can install any extension in Chromium.

Windows (Windows clients):

Software\Policies\Chromium\ExtensionInstallBlacklist\1 = "extension_id1" Software\Policies\Chromium\ExtensionInstallBlacklist\2 = "extension_id2"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ExtensionInstallBlacklist\1 = "extension_id1" Software\Policies\ChromiumOS\ExtensionInstallBlacklist\2 = "extension_id2"

Android/Linux:

["extension_id1", "extension_id2"]

Mac:

<array> <string>extension_id1</string> <string>extension_id2</string> </array>

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11

Allows you to specify which extensions are not subject to the blacklist.

A blacklist value of * means all extensions are blacklisted and users can only install extensions listed in the whitelist.

By default, all extensions are whitelisted, but if all extensions have been blacklisted by policy, the whitelist can be used to override that policy.

Windows (Windows clients):

Software\Policies\Chromium\ExtensionInstallWhitelist\1 = "extension_id1" Software\Policies\Chromium\ExtensionInstallWhitelist\2 = "extension_id2"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ExtensionInstallWhitelist\1 = "extension_id1" Software\Policies\ChromiumOS\ExtensionInstallWhitelist\2 = "extension_id2"

Android/Linux:

["extension_id1", "extension_id2"]

Mac:

<array> <string>extension_id1</string> <string>extension_id2</string> </array>

• Chromium (Linux, Mac, Windows) since version 9
• Chromium OS (Chromium OS) since version 11

Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user. All permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension. Furthermore, permissions are granted for the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. (These two APIs are not available to apps/extensions that are not force-installed.)

This policy takes precedence over a potentially conflicting ExtensionInstallBlacklist policy. If an app or extension that previously had been force-installed is removed from this list, it is automatically uninstalled by Chromium.

For Windows instances that are not joined to a Microsoft® Active Directory® domain, forced installation is limited to apps and extensions listed in the Chrome Web Store.

Note that the source code of any extension may be altered by users via Developer Tools (potentially rendering the extension dysfunctional). If this is a concern, the DeveloperToolsDisabled policy should be set.

Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in developer mode. The "update" URL, if specified, should point to an Update Manifest XML document as described at https://developer.chrome.com/extensions/autoupdate. By default, the Chrome Web Store's update URL is used (which currently is "https://clients2.google.com/service/update2/crx"). Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest. Note also that specifying the "update" URL explicitly was mandatory in Chromium versions up to and including 67.

For example, gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx installs the Chrome Remote Desktop app from the standard Chrome Web Store "update" URL. For more information about hosting extensions, see: https://developer.chrome.com/extensions/hosting.

If this policy is left not set, no apps or extensions are installed automatically and the user can uninstall any app or extension in Chromium.

Android apps can be force-installed from the Google Admin console using Google Play. They do not use this policy.

Windows (Windows clients):

Software\Policies\Chromium\ExtensionInstallForcelist\1 = "gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx" Software\Policies\Chromium\ExtensionInstallForcelist\2 = "abcdefghijklmnopabcdefghijklmnop"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ExtensionInstallForcelist\1 = "gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx" Software\Policies\ChromiumOS\ExtensionInstallForcelist\2 = "abcdefghijklmnopabcdefghijklmnop"

Android/Linux:

["gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx", "abcdefghijklmnopabcdefghijklmnop"]

Mac:

<array> <string>gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx</string> <string>abcdefghijklmnopabcdefghijklmnop</string> </array>

• Chromium (Linux, Mac, Windows) since version 21
• Chromium OS (Chromium OS) since version 21

Allows you to specify which URLs are allowed to install extensions, apps, and themes.

Starting in Chromium 21, it is more difficult to install extensions, apps, and user scripts from outside the Chrome Web Store. Previously, users could click on a link to a *.crx file, and Chromium would offer to install the file after a few warnings. After Chromium 21, such files must be downloaded and dragged onto the Chromium settings page. This setting allows specific URLs to have the old, easier installation flow.

Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users will be able to easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (i.e. the referrer) must be allowed by these patterns.

ExtensionInstallBlacklist takes precedence over this policy. That is, an extension on the blacklist won't be installed, even if it happens from a site on this list.

Windows (Windows clients):

Software\Policies\Chromium\ExtensionInstallSources\1 = "https://corp.mycompany.com/*"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ExtensionInstallSources\1 = "https://corp.mycompany.com/*"

Android/Linux:

["https://corp.mycompany.com/*"]

Mac:

<array> <string>https://corp.mycompany.com/*</string> </array>

• Chromium (Linux, Mac, Windows) since version 25
• Chromium OS (Chromium OS) since version 25

Controls which app/extension types are allowed to be installed and limits runtime access.

This setting white-lists the allowed types of extension/apps that can be installed in Chromium and which hosts they can interact with. The value is a list of strings, each of which should be one of the following: "extension", "theme", "user_script", "hosted_app", "legacy_packaged_app", "platform_app". See the Chromium extensions documentation for more information on these types.

Note that this policy also affects extensions and apps to be force-installed via ExtensionInstallForcelist.

If this setting is configured, extensions/apps which have a type that is not on the list will not be installed.

If this settings is left not-configured, no restrictions on the acceptable extension/app types are enforced.

Windows (Windows clients):

Software\Policies\Chromium\ExtensionAllowedTypes\1 = "hosted_app"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ExtensionAllowedTypes\1 = "hosted_app"

Android/Linux:

["hosted_app"]

Mac:

<array> <string>hosted_app</string> </array>

• Chromium (Linux, Mac, Windows) since version 62
• Chromium OS (Chromium OS) since version 62

Configures extension management settings for Chromium.

This policy controls multiple settings, including settings controlled by any existing extension-related policies. This policy will override any legacy policies if both are set.

This policy maps an extension ID or an update URL to its configuration. With an extension ID, configuration will be applied to the specified extension only. A default configuration can be set for the special ID "*", which will apply to all extensions that don't have a custom configuration set in this policy. With an update URL, configuration will be applied to all extensions with the exact update URL stated in manifest of this extension, as described at https://developer.chrome.com/extensions/autoupdate.

For a full description of possible settings and structure of this policy please visit https://www.chromium.org/administrators/policy-list-3/extension-settings-full

Windows (Windows clients):

Software\Policies\Chromium\ExtensionSettings = {"abcdefghijklmnopabcdefghijklmnop": {"blocked_permissions": ["history"], "installation_mode": "allowed", "minimum_version_required": "1.0.1"}, "bcdefghijklmnopabcdefghijklmnopa": {"runtime_blocked_hosts": ["*://*.example.com"], "allowed_permissions": ["downloads"], "update_url": "https://example.com/update_url", "runtime_allowed_hosts": ["*://good.example.com"], "installation_mode": "force_installed"}, "*": {"blocked_permissions": ["downloads", "bookmarks"], "installation_mode": "blocked", "runtime_blocked_hosts": ["*://*.example.com"], "blocked_install_message": "Custom error message.", "allowed_types": ["hosted_app"], "runtime_allowed_hosts": ["*://good.example.com"], "install_sources": ["https://company-intranet/chromeapps"]}, "update_url:https://www.example.com/update.xml": {"blocked_permissions": ["wallpaper"], "allowed_permissions": ["downloads"], "installation_mode": "allowed"}, "cdefghijklmnopabcdefghijklmnopab": {"blocked_install_message": "Custom error message.", "installation_mode": "blocked"}}

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ExtensionSettings = {"abcdefghijklmnopabcdefghijklmnop": {"blocked_permissions": ["history"], "installation_mode": "allowed", "minimum_version_required": "1.0.1"}, "bcdefghijklmnopabcdefghijklmnopa": {"runtime_blocked_hosts": ["*://*.example.com"], "allowed_permissions": ["downloads"], "update_url": "https://example.com/update_url", "runtime_allowed_hosts": ["*://good.example.com"], "installation_mode": "force_installed"}, "*": {"blocked_permissions": ["downloads", "bookmarks"], "installation_mode": "blocked", "runtime_blocked_hosts": ["*://*.example.com"], "blocked_install_message": "Custom error message.", "allowed_types": ["hosted_app"], "runtime_allowed_hosts": ["*://good.example.com"], "install_sources": ["https://company-intranet/chromeapps"]}, "update_url:https://www.example.com/update.xml": {"blocked_permissions": ["wallpaper"], "allowed_permissions": ["downloads"], "installation_mode": "allowed"}, "cdefghijklmnopabcdefghijklmnopab": {"blocked_install_message": "Custom error message.", "installation_mode": "blocked"}}

Android/Linux:

ExtensionSettings: {"abcdefghijklmnopabcdefghijklmnop": {"blocked_permissions": ["history"], "installation_mode": "allowed", "minimum_version_required": "1.0.1"}, "bcdefghijklmnopabcdefghijklmnopa": {"runtime_blocked_hosts": ["*://*.example.com"], "allowed_permissions": ["downloads"], "update_url": "https://example.com/update_url", "runtime_allowed_hosts": ["*://good.example.com"], "installation_mode": "force_installed"}, "*": {"blocked_permissions": ["downloads", "bookmarks"], "installation_mode": "blocked", "runtime_blocked_hosts": ["*://*.example.com"], "blocked_install_message": "Custom error message.", "allowed_types": ["hosted_app"], "runtime_allowed_hosts": ["*://good.example.com"], "install_sources": ["https://company-intranet/chromeapps"]}, "update_url:https://www.example.com/update.xml": {"blocked_permissions": ["wallpaper"], "allowed_permissions": ["downloads"], "installation_mode": "allowed"}, "cdefghijklmnopabcdefghijklmnopab": {"blocked_install_message": "Custom error message.", "installation_mode": "blocked"}}

Mac:

<key>ExtensionSettings</key> <dict> <key>*</key> <dict> <key>allowed_types</key> <array> <string>hosted_app</string> </array> <key>blocked_install_message</key> <string>Custom error message.</string> <key>blocked_permissions</key> <array> <string>downloads</string> <string>bookmarks</string> </array> <key>install_sources</key> <array> <string>https://company-intranet/chromeapps</string> </array> <key>installation_mode</key> <string>blocked</string> <key>runtime_allowed_hosts</key> <array> <string>*://good.example.com</string> </array> <key>runtime_blocked_hosts</key> <array> <string>*://*.example.com</string> </array> </dict> <key>abcdefghijklmnopabcdefghijklmnop</key> <dict> <key>blocked_permissions</key> <array> <string>history</string> </array> <key>installation_mode</key> <string>allowed</string> <key>minimum_version_required</key> <string>1.0.1</string> </dict> <key>bcdefghijklmnopabcdefghijklmnopa</key> <dict> <key>allowed_permissions</key> <array> <string>downloads</string> </array> <key>installation_mode</key> <string>force_installed</string> <key>runtime_allowed_hosts</key> <array> <string>*://good.example.com</string> </array> <key>runtime_blocked_hosts</key> <array> <string>*://*.example.com</string> </array> <key>update_url</key> <string>https://example.com/update_url</string> </dict> <key>cdefghijklmnopabcdefghijklmnopab</key> <dict> <key>blocked_install_message</key> <string>Custom error message.</string> <key>installation_mode</key> <string>blocked</string> </dict> <key>update_url:https://www.example.com/update.xml</key> <dict> <key>allowed_permissions</key> <array> <string>downloads</string> </array> <key>blocked_permissions</key> <array> <string>wallpaper</string> </array> <key>installation_mode</key> <string>allowed</string> </dict> </dict>

• Chromium (Linux, Mac, Windows) since version 52
• Chromium OS (Chromium OS) since version 52
• Chromium (Android) since version 52

If this policy is set to true or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.

If this policy set to false, Google Cast will be disabled.

• Chromium (Linux, Mac, Windows) since version 58
• Chromium OS (Chromium OS) since version 58

If this policy is set to true, the Cast toolbar icon will always be shown on the toolbar or the overflow menu, and users will not be able to remove it.

If this policy is set to false or is not set, users will be able to pin or remove the icon via its contextual menu.

If the policy "EnableMediaRouter" is set to false, then this policy's value would have no effect, and the toolbar icon would not be shown.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11

Configures the default home page URL in Chromium and prevents users from changing it.

The home page is the page opened by the Home button. The pages that open on startup are controlled by the RestoreOnStartup policies.

The home page type can either be set to a URL you specify here or set to the New Tab Page. If you select the New Tab Page, then this policy does not take effect.

If you enable this setting, users cannot change their home page URL in Chromium, but they can still choose the New Tab Page as their home page.

Leaving this policy not set will allow the user to choose their home page on their own if HomepageIsNewTabPage is not set too.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11

Configures the type of the default home page in Chromium and prevents users from changing home page preferences. The home page can either be set to a URL you specify or set to the New Tab Page.

If you enable this setting, the New Tab Page is always used for the home page, and the home page URL location is ignored.

If you disable this setting, the user's homepage will never be the New Tab Page, unless its URL is set to 'chrome://newtab'.

If you enable or disable this setting, users cannot change their homepage type in Chromium.

Leaving this policy not set will allow the user to choose whether the new tab page is their home page on their own.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• Chromium OS (Chromium OS) since version 29

If set to true, supervised users can be created and used.

If set to false or not configured, supervised-user creation and login will be disabled. All existing supervised users will be hidden.

NOTE: The default behavior for consumer and enterprise devices differs: on consumer devices supervised users are enabled by default, but on enterprise devices they are disabled by default.

• Chromium (Linux, Mac, Windows) since version 29

If set to false, supervised-user creation by this user will be disabled. Any existing supervised users will still be available.

If set to true or not configured, supervised users can be created and managed by this user.

• Chromium (Android) since version 49

If true and the user is a supervised user then other Android apps can query the user's web restrictions through a content provider.

If false or unset then the content provider returns no information.

• Chromium (Linux, Mac, Windows) since version 34

Allows you to specify which native messaging hosts that should not be loaded.

A blacklist value of '*' means all native messaging hosts are blacklisted unless they are explicitly listed in the whitelist.

If this policy is left not set Chromium will load all installed native messaging hosts.

Windows (Windows clients):

Software\Policies\Chromium\NativeMessagingBlacklist\1 = "com.native.messaging.host.name1" Software\Policies\Chromium\NativeMessagingBlacklist\2 = "com.native.messaging.host.name2"

Android/Linux:

["com.native.messaging.host.name1", "com.native.messaging.host.name2"]

Mac:

<array> <string>com.native.messaging.host.name1</string> <string>com.native.messaging.host.name2</string> </array>

• Chromium (Linux, Mac, Windows) since version 34

Allows you to specify which native messaging hosts are not subject to the blacklist.

A blacklist value of * means all native messaging hosts are blacklisted and only native messaging hosts listed in the whitelist will be loaded.

By default, all native messaging hosts are whitelisted, but if all native messaging hosts have been blacklisted by policy, the whitelist can be used to override that policy.

Windows (Windows clients):

Software\Policies\Chromium\NativeMessagingWhitelist\1 = "com.native.messaging.host.name1" Software\Policies\Chromium\NativeMessagingWhitelist\2 = "com.native.messaging.host.name2"

Android/Linux:

["com.native.messaging.host.name1", "com.native.messaging.host.name2"]

Mac:

<array> <string>com.native.messaging.host.name1</string> <string>com.native.messaging.host.name2</string> </array>

• Chromium (Linux, Mac, Windows) since version 34

Enables user-level installation of Native Messaging hosts.

If this setting is enabled then Chromium allows usage of Native Messaging hosts installed on user level.

If this setting is disabled then Chromium will only use Native Messaging hosts installed on system level.

If this setting is left not set Chromium will allow usage of user-level Native Messaging hosts.

• Chromium OS (Chromium OS) since version 70

This policy controls whether the Network File Shares feature for Chromium OS is allowed for a user.

When this policy is not configured or set to True, users will be able to use Network File Shares.

When this policy is set to False, users will be unable to use Network File Shares.

• Chromium OS (Chromium OS) since version 70

This policy controls whether the Network File Shares feature for Chromium OS should use the NetBIOS Name Query Request protocol to discover shares on the network. When this policy is set to True, share discovery will use the NetBIOS Name Query Request protocol protocol to discover shares on the network. When this policy is set to False, share discovery will not use the NetBIOS Name Query Request protocol protocol to discover shares. If the policy is left not set, the default is disabled for enterprise-managed users and enabled for non-managed users.

• Chromium (Linux, Mac, Windows) since version 58
• Chromium OS (Chromium OS) since version 58

Configures the default New Tab page URL and prevents users from changing it.

The New Tab page is the page opened when new tabs are created (including the one opened in new windows).

This policy does not decide which pages are to be opened on start up. Those are controlled by the RestoreOnStartup policies. Yet this policy does affect the Home Page if that is set to open the New Tab page, as well as the startup page if that is set to open the New Tab page.

If the policy is not set or left empty the default new tab page is used.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

If this setting is enabled, users can have Chromium memorize passwords and provide them automatically the next time they log in to a site.

If this settings is disabled, users cannot save new passwords but they may still use passwords that have been saved previously.

If this policy is enabled or disabled, users cannot change or override it in Chromium. If this policy is unset, password saving is allowed (but can be turned off by the user).

This policy has no effect on Android apps.

• Chromium (Linux, Mac, Windows) since version 9
• Chromium (Android) since version 46
• Chromium OS (Chromium OS) since version 62

Specifies which HTTP authentication schemes are supported by Chromium.

Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas.

If this policy is left not set, all four schemes will be used.

• Chromium (Linux, Mac, Windows) since version 9
• Chromium (Android) since version 46
• Chromium OS (Chromium OS) since version 62

Specifies whether the generated Kerberos SPN is based on the canonical DNS name or the original name entered.

If you enable this setting, CNAME lookup will be skipped and the server name will be used as entered.

If you disable this setting or leave it not set, the canonical name of the server will be determined via CNAME lookup.

• Chromium (Linux, Mac, Windows) since version 9
• Chromium OS (Chromium OS) since version 62

Specifies whether the generated Kerberos SPN should include a non-standard port.

If you enable this setting, and a non-standard port (i.e., a port other than 80 or 443) is entered, it will be included in the generated Kerberos SPN.

If you disable this setting or leave it not set, the generated Kerberos SPN will not include a port in any case.

• Chromium (Linux, Mac, Windows) since version 9
• Chromium (Android) since version 46
• Chromium WebView (Android) since version 49
• Chromium OS (Chromium OS) since version 62

Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Chromium receives an authentication challenge from a proxy or from a server which is in this permitted list.

Separate multiple server names with commas. Wildcards (*) are allowed.

If you leave this policy not set Chromium will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by Chromium.

• Chromium (Linux, Mac, Windows) since version 9
• Chromium (Android) since version 46
• Chromium OS (Chromium OS) since version 62

Servers that Chromium may delegate to.

Separate multiple server names with commas. Wildcards (*) are allowed.

If you leave this policy not set Chromium will not delegate user credentials even if a server is detected as Intranet.

• Chromium (Linux) since version 9

Specifies which GSSAPI library to use for HTTP authentication. You can set either just a library name, or a full path.

If no setting is provided, Chromium will fall back to using a default library name.

• Chromium (Android) since version 46
• Chromium WebView (Android) since version 49

Specifies the account type of the accounts provided by the Android authentication app that supports HTTP Negotiate authentication (e.g. Kerberos authentication). This information should be available from the supplier of the authentication app. For more details see https://goo.gl/hajyfN.

If no setting is provided, HTTP Negotiate authentication is disabled on Android.

• Chromium (Linux, Mac, Windows) since version 13
• Chromium OS (Chromium OS) since version 62

Controls whether third-party sub-content on a page is allowed to pop-up an HTTP Basic Auth dialog box.

Typically this is disabled as a phishing defense. If this policy is not set, this is disabled and third-party sub-content will not be allowed to pop up a HTTP Basic Auth dialog box.

• Chromium (Linux) since version 63
• Chromium (Mac) since version 63
• Chromium OS (Chromium OS) since version 63
• Chromium (Android) since version 63
• Chromium WebView (Android) since version 63

Controls whether NTLMv2 is enabled.

All recent versions of Samba and Windows servers support NTLMv2. This should only be disabled for backwards compatibility and reduces the security of authentication.

If this policy is not set, the default is true and NTLMv2 is enabled.

• Chromium OS (Chromium OS) since version 26

Specifies the length of time without user input after which the screen is dimmed when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Chromium OS dims the screen.

When this policy is set to zero, Chromium OS does not dim the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.

• Chromium OS (Chromium OS) since version 26

Specifies the length of time without user input after which the screen is turned off when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Chromium OS turns off the screen.

When this policy is set to zero, Chromium OS does not turn off the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

• Chromium OS (Chromium OS) since version 26

Specifies the length of time without user input after which the screen is locked when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Chromium OS locks the screen.

When this policy is set to zero, Chromium OS does not lock the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Chromium OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

• Chromium OS (Chromium OS) since version 27

Specifies the length of time without user input after which a warning dialog is shown when running on AC power.

When this policy is set, it specifies the length of time that the user must remain idle before Chromium OS shows a warning dialog telling the user that the idle action is about to be taken.

When this policy is unset, no warning dialog is shown.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

• Chromium OS (Chromium OS) since version 26

Specifies the length of time without user input after which the idle action is taken when running on AC power.

When this policy is set, it specifies the length of time that the user must remain idle before Chromium OS takes the idle action, which can be configured separately.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds.

• Chromium OS (Chromium OS) since version 26

Specifies the length of time without user input after which the screen is dimmed when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Chromium OS dims the screen.

When this policy is set to zero, Chromium OS does not dim the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.

• Chromium OS (Chromium OS) since version 26

Specifies the length of time without user input after which the screen is turned off when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Chromium OS turns off the screen.

When this policy is set to zero, Chromium OS does not turn off the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

• Chromium OS (Chromium OS) since version 26

Specifies the length of time without user input after which the screen is locked when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Chromium OS locks the screen.

When this policy is set to zero, Chromium OS does not lock the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Chromium OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

• Chromium OS (Chromium OS) since version 27

Specifies the length of time without user input after which a warning dialog is shown when running on battery power.

When this policy is set, it specifies the length of time that the user must remain idle before Chromium OS shows a warning dialog telling the user that the idle action is about to be taken.

When this policy is unset, no warning dialog is shown.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

• Chromium OS (Chromium OS) since version 26

Specifies the length of time without user input after which the idle action is taken when running on battery power.

When this policy is set, it specifies the length of time that the user must remain idle before Chromium OS takes the idle action, which can be configured separately.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds.

• Chromium OS (Chromium OS) since version 26

Note that this policy is deprecated and will be removed in the future.

This policy provides a fallback value for the more-specific IdleActionAC and IdleActionBattery policies. If this policy is set, its value gets used if the respective more-specific policy is not set.

When this policy is unset, behavior of the more-specific policies remains unaffected.

• 0 = Suspend
• 1 = Log the user out
• 2 = Shut down
• 3 = Do nothing

• Chromium OS (Chromium OS) since version 30

When this policy is set, it specifies the action that Chromium OS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.

When this policy is unset, the default action is taken, which is suspend.

If the action is suspend, Chromium OS can separately be configured to either lock or not lock the screen before suspending.

• 0 = Suspend
• 1 = Log the user out
• 2 = Shut down
• 3 = Do nothing

• Chromium OS (Chromium OS) since version 30

When this policy is set, it specifies the action that Chromium OS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.

When this policy is unset, the default action is taken, which is suspend.

If the action is suspend, Chromium OS can separately be configured to either lock or not lock the screen before suspending.

• 0 = Suspend
• 1 = Log the user out
• 2 = Shut down
• 3 = Do nothing

• Chromium OS (Chromium OS) since version 26

When this policy is set, it specifies the action that Chromium OS takes when the user closes the device's lid.

When this policy is unset, the default action is taken, which is suspend.

If the action is suspend, Chromium OS can separately be configured to either lock or not lock the screen before suspending.

• 0 = Suspend
• 1 = Log the user out
• 2 = Shut down
• 3 = Do nothing

• Chromium OS (Chromium OS) since version 26

If this policy is set to True or is unset, the user is not considered to be idle while audio is playing. This prevents the idle timeout from being reached and the idle action from being taken. However, screen dimming, screen off and screen lock will be performed after the configured timeouts, irrespective of audio activity.

If this policy is set to False, audio activity does not prevent the user from being considered idle.

• Chromium OS (Chromium OS) since version 26

If this policy is set to True or is unset, the user is not considered to be idle while video is playing. This prevents the idle delay, screen dim delay, screen off delay and screen lock delay from being reached and the corresponding actions from being taken.

If this policy is set to False, video activity does not prevent the user from being considered idle.

Video playing in Android apps is not taken into consideration, even if this policy is set to True.

• Chromium OS (Chromium OS) since version 29

Specifies the percentage by which the screen dim delay is scaled when the device is in presentation mode.

If this policy is set, it specifies the percentage by which the screen dim delay is scaled when the device is in presentation mode. When the screen dim delay is scaled, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured.

If this policy is unset, a default scale factor is used.

The scale factor must be 100% or more. Values that would make the screen dim delay in presentation mode shorter than the regular screen dim delay are not allowed.

• Chromium OS (Chromium OS) since version 28

Specifies whether screen wake locks are allowed. Screen wake locks can be requested by extensions via the power management extension API.

If this policy is set to true or left not set, screen wake locks will be honored for power management.

If this policy is set to false, screen wake lock requests will get ignored.

• Chromium OS (Chromium OS) since version 29

Specifies the percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off.

If this policy is set, it specifies the percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off. When the dim delay is scaled, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured.

If this policy is unset, a default scale factor is used.

The scale factor must be 100% or more.

• Chromium OS (Chromium OS) since version 32

Specifies whether power management delays and the session length limit should only start running after the first user activity has been observed in a session.

If this policy is set to True, power management delays and the session length limit do not start running until after the first user activity has been observed in a session.

If this policy is set to False or left unset, power management delays and the session length limit start running immediately on session start.

• Chromium OS (Chromium OS) since version 35

This policy controls multiple settings for the power management strategy when the user becomes idle.

There are four types of action: * The screen will be dimmed if the user remains idle for the time specified by |ScreenDim|. * The screen will be turned off if the user remains idle for the time specified by |ScreenOff|. * A warning dialog will be shown if the user remains idle for the time specified by |IdleWarning|, telling the user that the idle action is about to be taken. * The action specified by |IdleAction| will be taken if the user remains idle for the time specified by |Idle|.

For each of above actions, the delay should be specified in milliseconds, and needs to be set to a value greater than zero to trigger the corresponding action. In case the delay is set to zero, Chromium OS will not take the corresponding action.

For each of the above delays, when the length of time is unset, a default value will be used.

Note that |ScreenDim| values will be clamped to be less than or equal to |ScreenOff|, |ScreenOff| and |IdleWarning| will be clamped to be less than or equal to |Idle|.

|IdleAction| can be one of four possible actions: * |Suspend| * |Logout| * |Shutdown| * |DoNothing|

When the |IdleAction| is unset, the default action is taken, which is suspend.

There are also separate settings for AC power and battery.

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\PowerManagementIdleSettings = {"Battery": {"IdleAction": "DoNothing", "Delays": {"IdleWarning": 5000, "ScreenOff": 20000, "Idle": 30000, "ScreenDim": 10000}}, "AC": {"IdleAction": "DoNothing"}}

• Chromium OS (Chromium OS) since version 35

Specifies the length of time without user input after which the screen is locked when running on AC power or battery.

When the length of time is set to a value greater than zero, it represents the length of time that the user must remain idle before Chromium OS locks the screen.

When the length of time is set to zero, Chromium OS does not lock the screen when the user becomes idle.

When the length of time is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Chromium OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\ScreenLockDelays = {"Battery": 300000, "AC": 600000}

• Chromium OS (Chromium OS) since version 70

Specifies whether a smart dim model is allowed to extend the time until the screen is dimmed.

When the screen is about to be dimmed, the smart dim model evaluates if dimming the screen should be deferred. If the smart dim model defers dimming the screen, it effectively extends the time until the screen is dimmed. In this case, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured. If this policy is set to True or left not set, the smart dim model will be enabled and allowed to extend the time until the screen is dimmed. If this policy is set to False, the smart dim model will not influence screen dimming.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

This policy is deprecated, use ProxyMode instead.

Allows you to specify the proxy server used by Chromium and prevents users from changing proxy settings.

If you choose to never use a proxy server and always connect directly, all other options are ignored.

If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.

If you choose manual proxy settings, you can specify further options in 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.

For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

If you enable this setting, Chromium ignores all proxy-related options specified from the command line.

Leaving this policy not set will allow the users to choose the proxy settings on their own.

• 0 = Never use a proxy
• 1 = Auto detect proxy settings
• 2 = Manually specify proxy settings
• 3 = Use system proxy settings

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

You can specify the URL of the proxy server here.

This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings'.

You should leave this policy not set if you have selected any other mode for setting proxy policies.

For more options and detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

You can specify a URL to a proxy .pac file here.

This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings'.

You should leave this policy not set if you have selected any other mode for setting proxy policies.

For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Chromium will bypass any proxy for the list of hosts given here.

This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings'.

You should leave this policy not set if you have selected any other mode for setting proxy policies.

For more detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

• Chromium OS (Chromium OS) since version 56

A whitelist controlling which quick unlock modes the user can configure and use to unlock the lock screen.

This value is a list of strings; valid list entries are: "all", "PIN". Adding "all" to the list means that every quick unlock mode is available to the user, including ones implemented in the future. Otherwise, only the quick unlock modes present in the list will be available.

For example, to allow every quick unlock mode, use ["all"]. To allow only PIN unlock, use ["PIN"]. To disable all quick unlock modes, use [].

By default, no quick unlock modes are available for managed devices.

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\QuickUnlockModeWhitelist\1 = "PIN"

• Chromium OS (Chromium OS) since version 57

This setting controls how often the lock screen will request the password to be entered in order to continue using quick unlock. Each time the lock screen is entered, if the last password entry was more than this setting, the quick unlock will not be available on entering the lock screen. Should the user stay on the lock screen past this period of time, a password will be requested next time the user enters the wrong code, or re-enters the lock screen, whichever comes first.

If this setting is configured, users using quick unlock will be requested to enter their passwords on the lock screen depending on this setting.

If this setting is not configured, users using quick unlock will be requested to enter their password on the lock screen every day.

• 0 = Password entry is required every six hours
• 1 = Password entry is required every twelve hours
• 2 = Password entry is required every day (24 hours)
• 3 = Password entry is required every week (168 hours)

• Chromium OS (Chromium OS) since version 57

If the policy is set, the configured minimal PIN length is enforced. (The absolute minimum PIN length is 1; values less than 1 are treated as 1.)

If the policy is not set, a minimal PIN length of 6 digits is enforced. This is the recommended minimum.

• Chromium OS (Chromium OS) since version 57

If the policy is set, the configured maximal PIN length is enforced. A value of 0 or less means no maximum length; in that case the user may set a PIN as long as they want. If this setting is less than PinUnlockMinimumLength but greater than 0, the maximum length is the same as the minimum length.

If the policy is not set, no maximum length is enforced.

• Chromium OS (Chromium OS) since version 57

If false, users will be unable to set PINs which are weak and easy to guess.

Some example weak PINs: PINs containing only one digit (1111), PINs whose digits are increasing by 1 (1234), PINs whose digits are decreasing by 1 (4321), and PINs which are commonly used.

By default, users will get a warning, not error, if the PIN is considered weak.

• Chromium OS (Chromium OS) since version 28

If true, remote attestation is allowed for the device and a certificate will automatically be generated and uploaded to the Device Management Server.

If it is set to false, or if it is not set, no certificate will be generated and calls to the enterprise.platformKeys extension API will fail.

• Chromium OS (Chromium OS) since version 28

If true, the user can use the hardware on Chrome devices to remote attest its identity to the privacy CA via the Enterprise Platform Keys API using chrome.enterprise.platformKeys.challengeUserKey().

If it is set to false, or if it is not set, calls to the API will fail with an error code.

• Chromium OS (Chromium OS) since version 28

This policy specifies the allowed extensions to use the Enterprise Platform Keys API function chrome.enterprise.platformKeys.challengeUserKey() for remote attestation. Extensions must be added to this list to use the API.

If an extension is not in the list, or the list is not set, the call to the API will fail with an error code.

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\AttestationExtensionWhitelist\1 = "ghdilpkmfbfdnomkmaiogjhjnggaggoi"

• Chromium OS (Chromium OS) since version 31

Chrome OS devices can use remote attestation (Verified Access) to get a certificate issued by the Chrome OS CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the Chrome OS CA which uniquely identifies the device.

If this setting is false, the device will not use remote attestation for content protection and the device may be unable to play protected content.

If this setting is true, or if it is not set, remote attestation may be used for content protection.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Enables Chromium's Safe Browsing feature and prevents users from changing this setting.

If you enable this setting, Safe Browsing is always active.

If you disable this setting, Safe Browsing is never active.

If you enable or disable this setting, users cannot change or override the "Enable phishing and malware protection" setting in Chromium.

If this policy is left not set, this will be enabled but the user will be able to change it.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• Chromium (Linux, Mac, Windows) since version 66
• Chromium OS (Chromium OS) since version 66

Enables Chromium's Safe Browsing Extended Reporting and prevents users from changing this setting.

Extended Reporting sends some system information and page content to Google servers to help detect dangerous apps and sites.

If the setting is set to true, then reports will be created and sent whenever necessary (such as when a security interstitial is shown).

If the setting is set to false, reports will never be sent.

If this policy is set to true or false, the user will not be able to modify the setting.

If this policy is left unset, the user will be able to change the setting and decide whether to send reports or not.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

• Chromium (Linux, Mac, Windows) since version 44
• Chromium OS (Chromium OS) since version 44

This setting is deprecated, use SafeBrowsingExtendedReportingEnabled instead. Enabling or disabling SafeBrowsingExtendedReportingEnabled is equivalent to setting SafeBrowsingExtendedReportingOptInAllowed to False.

Setting this policy to false stops users from choosing to send some system information and page content to Google servers. If this setting is true or not configured, then users will be allowed to send some system information and page content to Safe Browsing to help detect dangerous apps and sites.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

• Chromium (Linux, Mac, Windows) since version 68
• Chromium OS (Chromium OS) since version 68

Configure the list of domains which Safe Browsing will trust. This means: Safe Browsing will not check for dangerous resources (e.g. phishing, malware, or unwanted software) if their URLs match these domains. Safe Browsing's download protection service will not check downloads hosted on these domains. Safe Browsing's password protection service will not check for password reuse if the page URL matches these domains.

If this setting is enabled, then Safe Browsing will trust these domains. If this setting is disabled or not set, then default Safe Browsing protection is applied to all resources. This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

Windows (Windows clients):

Software\Policies\Chromium\SafeBrowsingWhitelistDomains\1 = "mydomain.com" Software\Policies\Chromium\SafeBrowsingWhitelistDomains\2 = "myuniversity.edu"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\SafeBrowsingWhitelistDomains\1 = "mydomain.com" Software\Policies\ChromiumOS\SafeBrowsingWhitelistDomains\2 = "myuniversity.edu"

Android/Linux:

["mydomain.com", "myuniversity.edu"]

Mac:

<array> <string>mydomain.com</string> <string>myuniversity.edu</string> </array>

• Chromium (Linux, Mac, Windows) since version 69
• Chromium OS (Chromium OS) since version 69

Allows you to control the triggering of passwore protection warning. Password protection alerts users when they reuse their protected password on potentially suspicious sites.

You can use 'PasswordProtectionLoginURLs' and 'PasswordProtectionChangePasswordURL' policies to configure which password to protect.

If this policy is set to 'PasswordProtectionWarningOff', no password protection warning will be shown. If this policy is set to 'PasswordProtectionWarningOnPasswordReuse', password protection warning will be shown when the user reuses their protected password on a non-whitelisted site. If this policy is set to 'PasswordProtectionWarningOnPhishingReuse', password protection warning will be shown when the user reuses their protected password on a phishing site. If this policy is left unset, password protection service will only protect Google passwords but the user will be able to change this setting.

• 0 = Password protection warning is off
• 1 = Password protection warning is triggered by password reuse
• 2 = Password protection warning is triggered by password reuse on phishing page

• Chromium (Linux, Mac, Windows) since version 69
• Chromium OS (Chromium OS) since version 69

Configure the list of enterprise login URLs (HTTP and HTTPS schemes only). Fingerprint of password will be captured on these URLs and used for password reuse detection. In order for Chromium to correctly capture password fingerprints, please make sure your login pages follow the guidelines on https://www.chromium.org/developers/design-documents/create-amazing-password-forms.

If this setting is enabled, then password protection service will capture fingerprint of password on these URLs for password reuse detection purpose. If this setting is disabled or not set, then password protection service will only capture password fingerprint on https://accounts.google.com. This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

Windows (Windows clients):

Software\Policies\Chromium\PasswordProtectionLoginURLs\1 = "https://mydomain.com/login.html" Software\Policies\Chromium\PasswordProtectionLoginURLs\2 = "https://login.mydomain.com"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\PasswordProtectionLoginURLs\1 = "https://mydomain.com/login.html" Software\Policies\ChromiumOS\PasswordProtectionLoginURLs\2 = "https://login.mydomain.com"

Android/Linux:

["https://mydomain.com/login.html", "https://login.mydomain.com"]

Mac:

<array> <string>https://mydomain.com/login.html</string> <string>https://login.mydomain.com</string> </array>

• Chromium (Linux, Mac, Windows) since version 69
• Chromium OS (Chromium OS) since version 69

Configure the change password URL (HTTP and HTTPS schemes only). Password protection service will send users to this URL to change their password after seeing a warning in the browser. In order for Chromium to correctly capture the new password fingerprint on this change password page, please make sure your change password page follows the guidelines on https://www.chromium.org/developers/design-documents/create-amazing-password-forms.

If this setting is enabled, then password protection service will send users to this URL to change their password after seeing a warning in the browser. If this setting is disabled or not set, then password protection service will send users to https://myaccounts.google.com to change their password. This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11

Allows you to specify the behavior on startup.

If you choose 'Open New Tab Page' the New Tab Page will always be opened when you start Chromium.

If you choose 'Restore the last session', the URLs that were open last time Chromium was closed will be reopened and the browsing session will be restored as it was left. Choosing this option disables some settings that rely on sessions or that perform actions on exit (such as Clear browsing data on exit or session-only cookies).

If you choose 'Open a list of URLs', the list of 'URLs to open on startup' will be opened when a user starts Chromium.

If you enable this setting, users cannot change or override it in Chromium.

Disabling this setting is equivalent to leaving it not configured. The user will still be able to change it in Chromium.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• 5 = Open New Tab Page
• 1 = Restore the last session
• 4 = Open a list of URLs

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11

If 'Open a list of URLs' is selected as the startup action, this allows you to specify the list of URLs that are opened. If left not set no URL will be opened on start up.

This policy only works if the 'RestoreOnStartup' policy is set to 'RestoreOnStartupIsURLs'.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

Windows (Windows clients):

Software\Policies\Chromium\RestoreOnStartupURLs\1 = "https://example.com" Software\Policies\Chromium\RestoreOnStartupURLs\2 = "https://www.chromium.org"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\RestoreOnStartupURLs\1 = "https://example.com" Software\Policies\ChromiumOS\RestoreOnStartupURLs\2 = "https://www.chromium.org"

Android/Linux:

["https://example.com", "https://www.chromium.org"]

Mac:

<array> <string>https://example.com</string> <string>https://www.chromium.org</string> </array>

• Chromium (Linux, Mac, Windows) since version 65
• Chromium OS (Chromium OS) since version 65

Allows you to set whether sites with abusive experiences should be prevented from opening new windows or tabs.

If this policy is set to True, sites with abusive experiences will be prevented from opening new windows or tabs. However this behavior will not trigger if SafeBrowsingEnabled policy is set to False. If this policy is set to False, sites with abusive experiences will be allowed to open new windows or tabs. If this policy is left not set, True will be used.

• Chromium (Linux, Mac, Windows) since version 65
• Chromium OS (Chromium OS) since version 65

Allows you to set whether ads should be blocked on sites with intrusive ads.

If this policy is set to 2, ads will be blocked on sites with intrusive ads. However this behavior will not trigger if SafeBrowsingEnabled policy is set to False. If this policy is set to 1, ads will not be blocked on sites with intrusive ads. If this policy is left not set, 2 will be used.

• 1 = Allow ads on all sites
• 2 = Do not allow ads on sites with intrusive ads

• Chromium (Linux, Mac, Windows) since version 57
• Chromium OS (Chromium OS) since version 57

Enables deleting browser history and download history in Chromium and prevents users from changing this setting.

Note that even with this policy disabled, the browsing and download history are not guaranteed to be retained: users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.

If this setting is enabled or not set, browsing and download history can be deleted.

If this setting is disabled, browsing and download history cannot be deleted.

• Chromium OS (Chromium OS) since version 48
• Chromium (Linux, Mac, Windows) since version 48

Allow users to play dinosaur easter egg game when device is offline.

If this policy is set to False, users will not be able to play the dinosaur easter egg game when device is offline. If this setting is set to True, users are allowed to play the dinosaur game. If this policy is not set, users are not allowed to play the dinosaur easter egg game on enrolled Chrome OS, but are allowed to play it under other circumstances.

• Chromium (Linux, Mac, Windows) since version 12

Allows access to local files on the machine by allowing Chromium to display file selection dialogs.

If you enable this setting, users can open file selection dialogs as normal.

If you disable this setting, whenever the user performs an action which would provoke a file selection dialog (like importing bookmarks, uploading files, saving links, etc.) a message is displayed instead and the user is assumed to have clicked Cancel on the file selection dialog.

If this setting is not set, users can open file selection dialogs as normal.

• Chromium OS (Chromium OS) since version 51

Whether to allow the auto launched with zero delay kiosk app to control Chromium OS version.

This policy controls whether to allow the auto launched with zero delay kiosk app to control Chromium OS version by declaring a required_platform_version in its manifest and use it as the auto update target version prefix.

If the policy is set to true, the value of required_platform_version manifest key of the auto launched with zero delay kiosk app is used as auto update target version prefix.

If the policy is not configured or set to false, the required_platform_version manifest key is ignored and auto update proceeds as normal.

Warning: It is not recommended to delegate control of the Chromium OS version to a kiosk app as it may prevent the device from receiving software updates and critical security fixes. Delegating control of the Chromium OS version might leave users at risk.

If the kiosk app is an Android app, it will have no control over the Chromium OS version, even if this policy is set to True.

• Chromium (Linux, Mac, Windows) since version 12
• Chromium OS (Chromium OS) since version 12

If you enable this setting, outdated plugins are used as normal plugins.

If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them.

If this setting is not set, users will be asked for permission to run outdated plugins.

• Chromium OS (Chromium OS) since version 52

If this policy is set to false, users will not be able to lock the screen (only signing out from the user session will be possible). If this setting is set to true or not set, users who authenticated with a password can lock the screen.

• Chromium (Linux, Mac, Windows) since version 51
• Chromium OS (Chromium OS) since version 51
• Chromium (Android) since version 51

Enables Chromium's restricted log in feature in G Suite and prevents users from changing this setting.

If you define this setting, the user will only be able to access Google Apps using accounts from the specified domains (note that this does not work for gmail.com/googlemail.com).

This setting will NOT prevent the user from loging in on a managed device that requires Google authentication. The user will still be allowed to sign in to accounts from other domains, but they will receive an error when trying to use G Suite with those accounts.

If you leave this setting empty/not-configured, the user will be able to access G Suite with any account.

This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in https://support.google.com/a/answer/1668854.

Users cannot change or override this setting.

• Chromium OS (Chromium OS) since version 69

Configures which keyboard layouts are allowed for Chromium OS user sessions.

If this policy is set, the user can only select one of the input methods specified by this policy. If this policy is not set or set to an empty list, the user can select all supported input methods. If the current input method is not allowed by this policy, the input method will be switched to the hardware keyboard layout (if allowed) or the first valid entry in this list. All invalid or unsupported input methods in this list will be ignored.

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\AllowedInputMethods\1 = "xkb:us::eng"

• Chromium OS (Chromium OS) since version 68

Configures the locales Chromium OS may be displayed in.

If this policy is set, the user can only configure Chromium OS to be displayed in one of the locales specified by this policy. If this policy is not set or set to an empty list, Chromium OS can be displayed in all supported UI locales. If this policy is set to a list with invalid values, all invalid values will be ignored. If a user previously configured Chromium OS to be displayed in a locale that is not allowed by this policy, the display locale will be switched to an allowed UI locale the next time the user signs in. If the user had configured preferred locales and one of the preferred locales is allowed by this policy, Chromium OS will switch to this locale. Otherwise, Chromium OS will switch to the first valid value specified by this policy, or to a fallback locale (currently en-US), if this policy only contains invalid entries.

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\AllowedUILocales\1 = "en-US"

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

Enables the use of alternate error pages that are built into Chromium (such as 'page not found') and prevents users from changing this setting.

If you enable this setting, alternate error pages are used.

If you disable this setting, alternate error pages are never used.

If you enable or disable this setting, users cannot change or override this setting in Chromium.

If this policy is left not set, this will be enabled but the user will be able to change it.

• Chromium (Linux, Mac, Windows) since version 55

Disables the internal PDF viewer in Chromium. Instead it treats it as download and allows the user to open PDF files with the default application.

If this policy is left not set or disabled the PDF plugin will be used to open PDF files unless the user disables it.

• Chromium (Windows) since version 8

Configures the application locale in Chromium and prevents users from changing the locale.

If you enable this setting, Chromium uses the specified locale. If the configured locale is not supported, 'en-US' is used instead.

If this setting is disabled or not set, Chromium uses either the user-specified preferred locale (if configured), the system locale or the fallback locale 'en-US'.

• Chromium OS (Chromium OS) since version 67

Enables reporting of key events during Android app installation to Google. Events are captured only for apps whose installation was triggered via policy.

If the policy is set to true, events will be logged. If the policy is set to false or unset, events will not be logged.

• Chromium OS (Chromium OS) since version 68

This policy controls the availability of Android backup and restore.

When this policy is not configured or set to BackupAndRestoreDisabled, Android backup and restore is disabled and cannot be enabled by the user.

When this policy is set to BackupAndRestoreUnderUserControl, the user is asked to choose whether to use Android backup and restore. If the user enables backup and restore, Android app data is uploaded to Android backup servers and restored from them upon app re-installations for compatible apps.

• 0 = Backup and restore disabled
• 1 = User decides whether to enable backup and restore

• Chromium OS (Chromium OS) since version 52

If set to SyncDisabled or not configured, Chromium OS certificates are not available for ARC-apps.

If set to CopyCaCerts, all ONC-installed CA certificates with Web TrustBit are available for ARC-apps.

• 0 = Disable usage of Chromium OS certificates to ARC-apps
• 1 = Enable Chromium OS CA certificates to ARC-apps

• Chromium OS (Chromium OS) since version 50

When this policy is set to true, ARC will be enabled for the user (subject to additional policy settings checks - ARC will still be unavailable if either ephemeral mode or multiple sign-in is enabled in the current user session).

If this setting is disabled or not configured then enterprise users are unable to use ARC.

• Chromium OS (Chromium OS) since version 68

This policy controls the availability of Google location services.

When this policy is not configured or set to GoogleLocationServicesDisabled, Google location services are disabled and cannot be enabled by the user.

When this policy is set to GoogleLocationServicesUnderUserControl, the user is asked to choose whether to use Google location services. This will allow Android apps to use the services to query the device location, and also will enable submitting of anonymous location data to Google.

Note that this policy is ignored and Google location services are always disabled when the DefaultGeolocationSetting policy is set to BlockGeolocation.

• 0 = Google location services disabled
• 1 = User decides whether to enable Google location services

• Chromium OS (Chromium OS) since version 50

Specifies a set of policies that will be handed over to the ARC runtime. The value must be valid JSON.

This policy can be used to configure which Android apps are automatically installed on the device:

{ "type": "object", "properties": { "applications": { "type": "array", "items": { "type": "object", "properties": { "packageName": { "description": "Android app identifier, e.g. "com.google.android.gm" for Gmail", "type": "string" }, "installType": { "description": "Specifies how an app is installed. OPTIONAL: The app is not installed automatically, but the user can install it. This is the default if this policy is not specified. PRELOAD: The app is installed automatically, but the user can uninstall it. FORCE_INSTALLED: The app is installed automatically and the user cannot uninstall it. BLOCKED: The app is blocked and cannot be installed. If the app was installed under a previous policy it will be uninstalled.", "type": "string", "enum": [ "OPTIONAL", "PRELOAD", "FORCE_INSTALLED", "BLOCKED" ] }, "defaultPermissionPolicy": { "description": "Policy for granting permission requests to apps. PERMISSION_POLICY_UNSPECIFIED: Policy not specified. If no policy is specified for a permission at any level, then the `PROMPT` behavior is used by default. PROMPT: Prompt the user to grant a permission. GRANT: Automatically grant a permission. DENY: Automatically deny a permission.", "type": "string", "enum": [ "PERMISSION_POLICY_UNSPECIFIED", "PROMPT", "GRANT", "DENY" ] }, "managedConfiguration": { "description": "App-specific JSON configuration object with a set of key-value pairs, e.g. '"managedConfiguration": { "key1": value1, "key2": value2 }'. The keys are defined in the app manifest.", "type": "object" } } } } } }

To pin apps to the launcher, see PinnedLauncherApps.

• Chromium (Linux, Mac, Windows) since version 25
• Chromium OS (Chromium OS) since version 23

If enabled or not configured (default), the user will be prompted for audio capture access except for URLs configured in the AudioCaptureAllowedUrls list which will be granted access without prompting.

When this policy is disabled, the user will never be prompted and audio capture only be available to URLs configured in AudioCaptureAllowedUrls.

This policy affects all types of audio inputs and not only the built-in microphone.

For Android apps, this policy affects the microphone only. When this policy is set to true, the microphone is muted for all Android apps, with no exceptions.

• Chromium (Linux, Mac, Windows) since version 29
• Chromium OS (Chromium OS) since version 29

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to audio capture devices will be granted without prompt.

NOTE: Until version 45, this policy was only supported in Kiosk mode.

Windows (Windows clients):

Software\Policies\Chromium\AudioCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Chromium\AudioCaptureAllowedUrls\2 = "https://[*.]example.edu/"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\AudioCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\ChromiumOS\AudioCaptureAllowedUrls\2 = "https://[*.]example.edu/"

Android/Linux:

["https://www.example.com/", "https://[*.]example.edu/"]

Mac:

<array> <string>https://www.example.com/</string> <string>https://[*.]example.edu/</string> </array>

• Chromium OS (Chromium OS) since version 23

When this policy is set to false, audio output will not be available on the device while the user is logged in.

This policy affects all types of audio output and not only the built-in speakers. Audio accessibility features are also inhibited by this policy. Do not enable this policy if a screen reader is required for the user.

If this setting is set to true or not configured then users can use all supported audio outputs on their device.

• Chromium (Linux, Mac, Windows) since version 8
• Chromium OS (Chromium OS) since version 11
• Chromium (Android) since version 30

This policy is deprecated in M70, please use AutofillAddressEnabled and AutofillCreditCardEnabled instead.

Enables Chromium's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information.

If you disable this setting, AutoFill will be inaccessible to users.

If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.

• Chromium (Linux, Mac, Windows) since version 69
• Chromium OS (Chromium OS) since version 69
• Chromium (Android) since version 69

Enables Chromium's AutoFill feature and allows users to auto complete address information in web forms using previously stored information.

If this setting is disabled, Autofill will never suggest, or fill address information, nor will it save additional address information that the user might submit while browsing the web.

If this setting is enabled or has no value, the user will be able to control Autofill for addresses in the UI.

• Chromium (Linux, Mac, Windows) since version 63
• Chromium OS (Chromium OS) since version 63
• Chromium (Android) since version 63

Enables Chromium's AutoFill feature and allows users to auto complete credit card information in web forms using previously stored information.

If this setting is disabled, Autofill will never suggest, or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web.

If this setting is enabled or has no value, the user will be able to control Autofill for credit cards in the UI.

• Chromium (Windows) since version 66
• Chromium (Linux) since version 66
• Chromium (Mac) since version 66
• Chromium OS (Chromium OS) since version 66

Allows you to control if videos can play automatically (without user consent) with audio content in Chromium.

If the policy is set to True, Chromium is allowed to autoplay media. If the policy is set to False, Chromium is not allowed to autoplay media. The AutoplayWhitelist policy can be used to override this for certain URL patterns. By default, Chromium is not allowed to autoplay media. The AutoplayWhitelist policy can be used to override this for certain URL patterns.

Note that if Chromium is running and this policy changes, it will be applied only to new opened tabs. Therefore some tabs might still observe the previous behavior.

• Chromium (Linux, Mac, Windows) since version 66
• Chromium OS (Chromium OS) since version 66

Controls the whitelist of URL patterns that autoplay will always be enabled on.

If autoplay is enabled then videos can play automatically (without user consent) with audio content in Chromium.

A URL pattern has to be formatted according to https://www.chromium.org/administrators/url-blacklist-filter-format.

If the AutoplayAllowed policy is set to True then this policy will have no effect.

If the AutoplayAllowed policy is set to False then any URL patterns set in this policy will still be allowed to play.

Note that if Chromium is running and this policy changes, it will be applied only to new opened tabs. Therefore some tabs might still observe the previous behavior.

Windows (Windows clients):

Software\Policies\Chromium\AutoplayWhitelist\1 = "https://example.com" Software\Policies\Chromium\AutoplayWhitelist\2 = "https://www.chromium.org"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\AutoplayWhitelist\1 = "https://example.com" Software\Policies\ChromiumOS\AutoplayWhitelist\2 = "https://www.chromium.org"

Android/Linux:

["https://example.com", "https://www.chromium.org"]

Mac:

<array> <string>https://example.com</string> <string>https://www.chromium.org</string> </array>

• Chromium (Windows) since version 19
• Chromium (Linux) since version 19

Determines whether a Chromium process is started on OS login and keeps running when the last browser window is closed, allowing background apps and the current browsing session to remain active, including any session cookies. The background process displays an icon in the system tray and can always be closed from there.

If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings.

If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings.

If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.

• Chromium (Linux, Mac, Windows) since version 10
• Chromium OS (Chromium OS) since version 11

Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar.

Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting.

If this policy is left not set, third party cookies will be enabled but the user will be able to change that.

• Chromium (Linux, Mac, Windows) since version 12
• Chromium OS (Chromium OS) since version 12

If you enable this setting, Chromium will show a bookmark bar.

If you disable this setting, users will never see the bookmark bar.

If you enable or disable this setting, users cannot change or override it in Chromium.

If this setting is left not set the user can decide to use this function or not.

• Chromium (Linux, Mac, Windows) since version 39

If this policy is set to true or not configured, Chromium will allow Add Person from the user manager.

If this policy is set to false, Chromium will not allow creation of new profiles from the user manager.

• Chromium (Linux, Mac, Windows) since version 38

If this policy is set to true or not configured, Chromium will enable guest logins. Guest logins are Chromium profiles where all windows are in incognito mode.

If this policy is set to false, Chromium will not allow guest profiles to be started.

• Chromium (Linux, Mac, Windows) since version 60

Setting this policy to false stops Chromium from occasionally sending queries to a Google server to retrieve an accurate timestamp. These queries will be enabled if this policy is set to True or is not set.

• Chromium (Linux, Mac, Windows) since version 70
• Chromium (Android) since version 70

This policy controls the sign-in behavior of the browser. It allows you to specify if the user can sign in to Chromium with their account and use account related services like Chrome sync.

If the policy is set to "Disable browser sign-in" then the user can not sign in to the browser and use account based services. In this case browser level features like Chrome sync can not be used and will be unavailable. If the user was signed in and the policy is set "Disabled" they will be signed out the next time they run Chrome but their local profile data like bookmarks, passwords etc. will stay preserved. The user will still be able to sign into and use Google web services like Gmail.

If the policy is set to "Enable browser sign-in," then the user is allowed to sign in to the browser and is automatically signed in to the browser when signed in to Google web services like Gmail. Being signed in to the browser means the user's account information will be kept by the browser. However, it does not mean that Chrome sync will be turned on per default; the user must separately opt-in to use this feature. Enabling this policy will prevent the user from turning off the setting that allows browser sign-in. To control the availability of Chrome sync, use the "SyncDisabled" policy.

If the policy is set to "Force browser sign-in" the user is presented with an account selection dialog and has to choose and sign in to an account to use the browser. This ensures that for managed accounts the policies associated with the account are applied and enforced. By default this turns on Chrome sync for the account, except for the case when sync was disabled by the domain admin or via the "SyncDisabled" policy. The default value of BrowserGuestModeEnabled will be set to false. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article: https://support.google.com/chrome/a/answer/7572556.

If this policy is not set then the user can decide if they want to enable the browser sign in option and use it as they see fit.

• 0 = Disable browser sign-in
• 1 = Enable browser sign-in
• 2 = Force users to sign-in to use the browser

• Chromium (Linux, Mac, Windows) since version 25

Controls whether the built-in DNS client is used in Chromium.

If this policy is set to true, the built-in DNS client will be used, if available.

If this policy is set to false, the built-in DNS client will never be used.

If this policy is left not set, the users will be able to change whether the built-in DNS client is used by editing chrome://flags or specifying a command-line flag.

• Chromium OS (Chromium OS) since version 41

This policy allows Chromium OS to bypass any proxy for captive portal authentication.

This policy only takes effect if a proxy is configured (for example through policy, by the user in chrome://settings, or by extensions).

If you enable this setting, any captive portal authentication pages (i.e. all web pages starting from captive portal signin page until Chromium detects successful internet connection) will be displayed in a separate window ignoring all policy settings and restrictions for the current user.

If you disable this setting or leave it unset, any captive portal authentication pages will be shown in a (regular) new browser tab, using the current user's proxy settings.

• Chromium (Linux, Mac, Windows) since version 67
• Chromium OS (Chromium OS) since version 67
• Chromium (Android) since version 67

Disables enforcing Certificate Transparency requirements for a list of subjectPublicKeyInfo hashes.

This policy allows disabling Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used for Enterprise hosts.

In order for Certificate Transparency enforcement to be disabled when this policy is set, one of the following conditions must be met: 1. The hash is of the server certificate's subjectPublicKeyInfo. 2. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, that CA certificate is constrained via the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName contains an organizationName attribute. 3. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate contains the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.

A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".

If this policy is not set, any certificate that is required to be disclosed via Certificate Transparency will be treated as untrusted if it is not disclosed according to the Certificate Transparency policy.

Windows (Windows clients):

Software\Policies\Chromium\CertificateTransparencyEnforcementDisabledForCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Chromium\CertificateTransparencyEnforcementDisabledForCas\2 = "sha256//////////////////////w=="

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\CertificateTransparencyEnforcementDisabledForCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\ChromiumOS\CertificateTransparencyEnforcementDisabledForCas\2 = "sha256//////////////////////w=="

Android/Linux:

["sha256/AAAAAAAAAAAAAAAAAAAAAA==", "sha256//////////////////////w=="]

Mac:

<array> <string>sha256/AAAAAAAAAAAAAAAAAAAAAA==</string> <string>sha256//////////////////////w==</string> </array>

• Chromium (Linux, Mac, Windows) since version 67
• Chromium OS (Chromium OS) since version 67
• Chromium (Android) since version 67

Disables enforcing Certificate Transparency requirements for a list of Legacy Certificate Authorities.

This policy allows disabling Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used for Enterprise hosts.

In order for Certificate Transparency enforcement to be disabled when this policy is set, the hash must be of a subjectPublicKeyInfo appearing in a CA certificate that is recognized as a Legacy Certificate Authority (CA). A Legacy CA is a CA that has been publicly trusted by default one or more operating systems supported by Chromium, but is not trusted by the Android Open Source Project or Chromium OS.

A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".

If this policy is not set, any certificate that is required to be disclosed via Certificate Transparency will be treated as untrusted if it is not disclosed according to the Certificate Transparency policy.

Windows (Windows clients):

Software\Policies\Chromium\CertificateTransparencyEnforcementDisabledForLegacyCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Chromium\CertificateTransparencyEnforcementDisabledForLegacyCas\2 = "sha256//////////////////////w=="

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\CertificateTransparencyEnforcementDisabledForLegacyCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\ChromiumOS\CertificateTransparencyEnforcementDisabledForLegacyCas\2 = "sha256//////////////////////w=="

Android/Linux:

["sha256/AAAAAAAAAAAAAAAAAAAAAA==", "sha256//////////////////////w=="]

Mac:

<array> <string>sha256/AAAAAAAAAAAAAAAAAAAAAA==</string> <string>sha256//////////////////////w==</string> </array>

• Chromium (Linux, Mac, Windows) since version 53
• Chromium OS (Chromium OS) since version 53
• Chromium (Android) since version 53

Disables enforcing Certificate Transparency requirements to the listed URLs.

This policy allows certificates for the hostnames in the specified URLs to not be disclosed via Certificate Transparency. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used, but makes it harder to detect misissued certificates for those hosts.

A URL pattern is formatted according to https://www.chromium.org/administrators/url-blacklist-filter-format. However, because certificates are valid for a given hostname independent of the scheme, port, or path, only the hostname portion of the URL is considered. Wildcard hosts are not supported.

If this policy is not set, any certificate that is required to be disclosed via Certificate Transparency will be treated as untrusted if it is not disclosed according to the Certificate Transparency policy.

Windows (Windows clients):

Software\Policies\Chromium\CertificateTransparencyEnforcementDisabledForUrls\1 = "example.com" Software\Policies\Chromium\CertificateTransparencyEnforcementDisabledForUrls\2 = ".example.com"

Windows (Chromium OS clients):

Software\Policies\ChromiumOS\CertificateTransparencyEnforcementDisabledForUrls\1 = "example.com" Software\Policies\ChromiumOS\CertificateTransparencyEnforcementDisabledForUrls\2 = ".example.com"

Android/Linux:

["example.com", ".example.com"]

Mac:

<array> <string>example.com</string> <string>.example.com</string> </array>

• Chromium (Windows) since version 68

If disabled, prevents Chrome Cleanup from scanning the system for unwanted software and performing cleanups. Manually triggering Chrome Cleanup from chrome://settings/cleanup is disabled.

If enabled or unset, Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is enabled.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• Chromium (Windows) since version 68

If unset, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will then ask the user if they wish to clean up the unwanted software. The user can choose to share results of the cleanup with Google to assist with future unwanted software detection. These results contain file metadata, automatically installed extensions and registry keys as described by the Chrome Privacy Whitepaper.

If disabled, should Chrome Cleanup detect unwanted software, it will not report metadata about the scan to Google, overriding any policy set by SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will not be reported to Google and the user will not have the option to do so.

If enabled, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will be reported to Google and the user will not have the option to prevent it.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

• Chromium OS (Chromium OS) since version 9

Enable lock when Chromium OS devices become idle or suspended.

If you enable this setting, users will be asked for a password to unlock the device from sleep.

If you disable this setting, users will not be asked for a password to unlock the device from sleep.

If you enable or disable this setting, users cannot change or override it.

If the policy is left not set the user can choose whether they want to be asked for password to unlock the device or not.

• Chromium OS (Chromium OS) since version 31

Control the user behavior in a multiprofile session on Chromium OS devices.

If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can be either primary or secondary user in a multiprofile session.

If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user can only be the primary user in a multiprofile session.

If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user cannot be part of a multiprofile session.

If you set this setting, users cannot change or override it.

If the setting is changed while the user is signed into a multiprofile session, all users in the session will be checked against their corresponding settings. The session will be closed if any one of the users is no longer allowed to be in the session.

If the policy is left not set, the default value 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed users.

• "unrestricted" = Allow enterprise user to be both primary and secondary (Default behavior for non-managed users)
• "primary-only" = Allow enterprise user to be primary multiprofile user only (Default behavior for enterprise-managed users)
• "not-allowed" = Do not allow enterprise user to be part of multiprofile (primary or secondary)

When multiple users are logged in, only the primary user can use Android apps.

• Chromium OS (Chromium OS) since version 11

Specifies the release channel that this device should be locked to.

• "stable-channel" = Stable channel
• "beta-channel" = Beta channel
• "dev-channel" = Dev channel (may be unstable)

• Chromium OS (Chromium OS) since version 19

If this policy is set to True and the ChromeOsReleaseChannel policy is not specified then users of the enrolling domain will be allowed to change the release channel of the device. If this policy is set to false the device will be locked in whatever channel it was last set.

The user selected channel will be overridden by the ChromeOsReleaseChannel policy, but if the policy channel is more stable than the one that was installed on the device, then the channel will only switch after the version of the more stable channel reaches a higher version number than the one installed on the device.

• Chromium (Linux, Mac, Windows) since version 17

Enables Chromium to act as a proxy between Google Cloud Print and legacy printers connected to the machine.

If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account.

If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it's printers with Google Cloud Print.

• Chromium (Linux, Mac, Windows) since version 17

Enables Chromium to submit documents to Google Cloud Print for printing. NOTE: This only affects Google Cloud Print support in Chromium. It does not prevent users from submitting print jobs on web sites.

If this setting is enabled or not configured, users can print to Google Cloud Print from the Chromium print dialog.

If this setting is disabled, users cannot print to Google Cloud Print from the Chromium print dialog

• Chromium (Linux, Mac, Windows) since version 54
• Chromium OS (Chromium OS) since version 54

Enables component updates for all components in Chromium when not set or set to True.

If set to False, updates to components are disabled. However, some components are exempt from this policy: updates to any component that does not contain executable code, or does not significantly alter the behavior of the browser, or is critical for its security will not be disabled. Examples of such components include the certificate revocation lists and Safe Browsing data. See https://developers.google.com/safe-browsing for more info on Safe Browsing.

• Chromium (Android) since version 40

Enables the availability of Tap to Search in Chromium's content view.

If you enable this setting, Tap to Search will be available to the user and they can choose to turn the feature on or off.

If you disable this setting, Tap to Search will be disabled completely.

If this policy is left not set, it is equivalent to being enabled, see description above.

• Chromium (Android) since version 69

If this is set to true or unset, Chromium will suggest pages related to the current page. These suggestions are fetched remotely from Google servers.

If this setting is set to false, suggestions will not be fetched or displayed.

• Chromium OS (Chromium OS) since version 70

Enable this user to run Crostini.

If the policy is set to false, Crostini is not enabled for the user. If set to true or left unset, Crostini is enabled for the user as long as other settings also allow it. All three policies, VirtualMachinesAllowed, CrostiniAllowed, and DeviceUnaffiliatedCrostiniAllowed need to be true when they apply for Crostini to be allowed to run. When this policy is changed to false, it applies to starting new Crostini containers but does not shut down containers which are already running.

• Chromium (Android) since version 31

Enable or disable the data compression proxy and prevents users from changing this setting.