Managing Chrome Policies for Users and Browsers: A Comprehensive Guide for Admins

As an administrator, effectively managing Chrome policies is crucial for maintaining a secure and productive environment. This article provides a detailed overview of how to set Chrome policies for users and browsers, ensuring consistent settings and security across your organization.

Understanding Chrome Policy Enforcement

The enforcement of Chrome policies depends on whether you configure settings for user accounts or enrolled browsers.

Policies Set for Users

• Availability: Google Workspace, Chrome Browser Enterprise Support, Chrome Enterprise Upgrade, ChromeOS devices bundled with Chrome Enterprise Upgrade, and Cloud Identity.
• Application: These policies apply when users sign in with their managed Google Account on any device, including:
  • Chrome browser on Windows, Mac, Linux, Android, or iOS devices
  • Chromebooks or other ChromeOS devices
  • Android apps running on supported ChromeOS devices (requires enabling Android apps)
• Limitations: These policies do not apply when users:
  • Sign in to a personal Gmail account or other Google Account outside your organization
  • Sign in to a Chromebook as a guest
• Best Use: Ideal for work settings and preferences that should synchronize across devices, such as work apps, home tabs, and themes.
• Getting Started: Learn how to set up Chrome browser user-level management.

Policies Set for Enrolled Browsers

• Application: These policies apply when users open Chrome browser on an enrolled computer (Windows, Mac, or Linux), regardless of whether they are signed in.
• Best Use: Suitable for policies that you want to enforce at the device level, such as security settings and blocked apps.
• Getting Started: Set up Chrome Enterprise Core.

Configuring Settings in the Google Admin Console

Follow these steps to configure Chrome settings in your Admin console:

1. Sign in: Access the Google Admin console using an administrator account.
2. Navigate:
   • For Google Workspace users, go to Devices > Chrome > Settings.
   • For Chrome Enterprise Core users, go to Chrome browser > Settings.
3. (Optional) Organizational Units: To apply settings to specific users or enrolled browsers, select an organizational unit or configuration group.
4. Select a Setting: Click the setting you want to configure. Use the search box to quickly find a specific setting.
5. Configure: Adjust the setting as needed. Many settings allow you to enforce a policy or set a default that users can change.
6. Save: Click "Save" to apply the changes. For organizational units, you might need to click "Override."

Key Chrome Policy Settings

Here's a breakdown of some key Chrome policy settings available in the Admin console:

General Settings

• Maximum User Session Length: (ChromeOS) Control how long user sessions last before automatic sign-out.
• Custom Terms of Service: (ChromeOS) Upload a custom Terms of Service agreement that users must accept before signing in.
• Custom Avatar/Wallpaper: (ChromeOS) Replace the default avatar and wallpaper with custom images.
• Custom Theme Color: (Windows, Mac, Linux) Specify a custom theme color for Chrome browser.
• QR Code Generator: Enable or disable the QR Code Generator in Chrome.

Sign-In Settings

• Browser Sign-In Settings: Specify whether users can sign in to Chrome and sync browser information. Options include disabling sign-in, enabling sign-in, or forcing users to sign in.
• Restrict Sign-In to Pattern: Restrict which Google Accounts can be used as browser primary accounts using a regular expression.
• Separate Profile for Managed Google Identity: Require users to create a separate profile when signing in with their managed Google Account.
• Managed Account as Secondary Account: (ChromeOS, Not Education Domains) Control whether users can add a managed account as a secondary account.

Mobile Settings

• Chrome on Android/iOS: Specifies whether supported policies are applied to Chrome browser on Android/iOS devices. Need to turn on Chrome browser management using the Chrome management for signed-in users setting.

Enrollment Controls

• Device Enrollment: (ChromeOS) Control where ChromeOS devices are placed in the organizational unit upon enrollment.
• Asset Identifier During Enrollment: (ChromeOS) Allow users to add an asset ID and location during device enrollment.
• Enrollment Permissions: (ChromeOS) Control which users can enroll new or re-enroll deprovisioned devices.

Apps and Extensions

• Allow and Block Apps: Manage which apps and extensions users can install.
• Force-Install Apps: Automatically install specific apps and extensions for users.
• Pin Apps to the Taskbar: Pin frequently-used apps to the taskbar for easy access.
• Task Manager: (ChromeOS, Windows, Mac, Linux) Allow or block users from ending processes with the Chrome task manager.
• Manifest V2 Extension Availability: (ChromeOS, Windows, Mac, Linux) Specifies if users can access Manifest v2 extensions on their Chrome browser.

Security Settings

• Password Manager: Allow or disallow the use of the password manager.
• Account Recovery: (ChromeOS) Specify how local data recovery is managed on ChromeOS devices.
• Incognito Mode Availability: Control whether incognito mode is available to users.
• Saving Browser History Disabled: Prevent users from saving their browsing history.
• Default Geolocation Setting: Set the default geolocation setting for websites.

By understanding these settings and how to configure them, administrators can create a secure, manageable, and productive Chrome environment for their users.