Both Chromium and Google Chrome have groups of policies that depend on each other to provide control over a feature. These sets are represented by the policy groups below; in the table, each group row is followed by the policies that belong to it. Because policies can have multiple sources, only values coming from the highest-priority source are applied, and values coming from a lower-priority source in the same group are ignored. The order of priority is defined in https://support.google.com/chrome/a/?p=policy_order.
| Policy Name | Description |
| --- | --- |
| ActiveDirectoryManagement | Microsoft® Active Directory® management settings |
| DeviceMachinePasswordChangeRate | Machine password change rate |
| DeviceUserPolicyLoopbackProcessingMode | User policy loopback processing mode |
| DeviceKerberosEncryptionTypes | Allowed Kerberos encryption types |
| DeviceGpoCacheLifetime | GPO cache lifetime |
| DeviceAuthDataCacheLifetime | Authentication data cache lifetime |
| ChromadToCloudMigrationEnabled | Enable the migration of Chromad devices into cloud management |
| Attestation | Attestation |
| AttestationEnabledForDevice | Enable remote attestation for the device |
| AttestationEnabledForUser | Enable remote attestation for the user |
| AttestationExtensionAllowlist | Extensions allowed to use the remote attestation API |
| AttestationForContentProtectionEnabled | Enable the use of remote attestation for content protection for the device |
| BrowserEventReporting | Browser Event Reporting |
| ReportingEndpoints | Reporting Endpoints |
| BrowserIdle | Idle Browser Actions |
| IdleTimeout | Delay before running idle actions |
| IdleTimeoutActions | Actions to run when the computer is idle |
| BrowserSwitcher | Legacy Browser Support |
| AlternativeBrowserPath | Alternative browser to launch for configured websites. |
| AlternativeBrowserParameters | Command-line parameters for the alternative browser. |
| BrowserSwitcherChromePath | Path to Chrome for switching from the alternative browser. |
| BrowserSwitcherChromeParameters | Command-line parameters for switching from the alternative browser. |
| BrowserSwitcherDelay | Delay before launching alternative browser (milliseconds) |
| BrowserSwitcherEnabled | Enable the Legacy Browser Support feature. |
| BrowserSwitcherExternalSitelistUrl | URL of an XML file that contains URLs to load in an alternative browser. |
| BrowserSwitcherExternalGreylistUrl | URL of an XML file that contains URLs that should never trigger a browser switch. |
| BrowserSwitcherKeepLastChromeTab | Keep last tab open in Chrome. |
| BrowserSwitcherUrlList | Websites to open in alternative browser |
| BrowserSwitcherUrlGreylist | Websites that should never trigger a browser switch. |
| BrowserSwitcherUseIeSitelist | Use Internet Explorer's SiteList policy for Legacy Browser Support. |
| CloudReporting | Cloud Reporting |
| ReportVersionData | Report OS and Google Chrome Version Information |
| ReportPolicyData | Report Google Chrome Policy Information |
| ReportMachineIDData | Report Machine Identification information |
| ReportUserIDData | Report User Identification information |
| ReportExtensionsAndPluginsData | Report Extensions and Plugins information |
| CloudExtensionRequestEnabled | Enables Google Chrome extension installation requests |
| CloudReportingEnabled | Enables Google Chrome cloud reporting |
| CloudProfileReportingEnabled | Enable Google Chrome cloud reporting for managed profile |
| CloudReportingUploadFrequency | Frequency of cloud reporting in hours |
| CookiesSettings | Cookies settings |
| DefaultCookiesSetting | Default cookies setting |
| CookiesAllowedForUrls | Allow cookies on these sites |
| CookiesBlockedForUrls | Block cookies on these sites |
| CookiesSessionOnlyForUrls | Limit cookies from matching URLs to the current session |
| DateAndTime | Date and time |
| CalendarIntegrationEnabled | Enable Google Calendar Integration |
| SystemTimezone | Timezone |
| SystemTimezoneAutomaticDetection | Configure the automatic timezone detection method |
| DefaultSearchProvider | Default search provider |
| DefaultSearchProviderEnabled | Enable the default search provider |
| DefaultSearchProviderName | Default search provider name |
| DefaultSearchProviderKeyword | Default search provider keyword |
| DefaultSearchProviderSearchURL | Default search provider search URL |
| DefaultSearchProviderSuggestURL | Default search provider suggest URL |
| DefaultSearchProviderInstantURL | Default search provider instant URL |
| DefaultSearchProviderIconURL | Default search provider icon |
| DefaultSearchProviderEncodings | Default search provider encodings |
| DefaultSearchProviderAlternateURLs | List of alternate URLs for the default search provider |
| DefaultSearchProviderSearchTermsReplacementKey | Parameter controlling search term placement for the default search provider |
| DefaultSearchProviderImageURL | Parameter providing search-by-image feature for the default search provider |
| DefaultSearchProviderNewTabURL | Default search provider new tab page URL |
| DefaultSearchProviderSearchURLPostParams | Parameters for search URL which uses POST |
| DefaultSearchProviderSuggestURLPostParams | Parameters for suggest URL which uses POST |
| DefaultSearchProviderInstantURLPostParams | Parameters for instant URL which uses POST |
| DefaultSearchProviderImageURLPostParams | Parameters for image URL which uses POST |
| DirectSocketsSettings | Direct Sockets settings |
| DefaultDirectSocketsSetting | Control use of the Direct Sockets API |
| DirectSocketsAllowedForUrls | Allow Direct Sockets API on these sites |
| DirectSocketsBlockedForUrls | Block Direct Sockets API on these sites |
| DefaultDirectSocketsPrivateNetworkAccessSetting | Control access to private network in the Direct Sockets API |
| DirectSocketsPrivateNetworkAccessAllowedForUrls | Allow private network access in the Direct Sockets API on these sites |
| DirectSocketsPrivateNetworkAccessBlockedForUrls | Block private network access in the Direct Sockets API on these sites |
| Display | Display |
| DeviceDisplayResolution | Set display resolution and scale factor |
| DisplayRotationDefault | Set default display rotation, reapplied on every reboot |
| Drive | Drive |
| DriveDisabled | Disable Drive in the Google ChromeOS Files app |
| DriveDisabledOverCellular | Disable Google Drive over cellular connections in the Google ChromeOS Files app |
| DriveFileSyncAvailable | Google ChromeOS file sync |
| Extensions | Extensions |
| ExtensionInstallAllowlist | Configure extension installation allow list |
| ExtensionInstallBlocklist | Configure extension installation blocklist |
| ExtensionInstallForcelist | Configure the list of force-installed apps and extensions |
| ExtensionInstallSources | Configure extension, app, and user script install sources |
| ExtensionAllowedTypes | Configure allowed app/extension types |
| ExtensionAllowInsecureUpdates | Allow insecure algorithms in integrity checks on extension updates and installs |
| ExtensionSettings | Extension management settings |
| ExtensionManifestV2Availability | Control Manifest v2 extension availability |
| ExtensionUnpublishedAvailability | Control availability of extensions unpublished on the Chrome Web Store. |
| ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls | Configure a list of origins that grant extended background lifetime to the connecting extensions. |
| FloatingSso | Floating SSO Service settings |
| FloatingSsoEnabled | Enable Floating SSO Service |
| FloatingSsoDomainBlocklist | Floating SSO Service blocked domain list |
| FloatingSsoDomainBlocklistExceptions | Floating SSO Service domain blocklist exception list |
| GoogleCast | Google Cast |
| CastReceiverEnabled | Enable casting content to the device |
| CastReceiverName | Name of the Google Cast destination |
| Homepage | Homepage |
| HomepageLocation | Configure the home page URL |
| HomepageIsNewTabPage | Use New Tab Page as homepage |
| NewTabPageLocation | Configure the New Tab page URL |
| ShowHomeButton | Show Home button on toolbar |
| ImageSettings | Image settings |
| DefaultImagesSetting | Default images setting |
| ImagesAllowedForUrls | Allow images on these sites |
| ImagesBlockedForUrls | Block images on these sites |
| JavascriptSettings | Javascript settings |
| DefaultJavaScriptSetting | Default JavaScript setting |
| JavaScriptAllowedForUrls | Allow JavaScript on these sites |
| JavaScriptBlockedForUrls | Block JavaScript on these sites |
| KerberosPrefilledConfig | Kerberos prefilled configuration |
| KerberosCustomPrefilledConfig | Prefilled configuration for Kerberos tickets |
| KerberosUseCustomPrefilledConfig | Change the prefilled configuration for Kerberos tickets |
| KeygenSettings | Keygen settings |
| DefaultKeygenSetting | Default key generation setting |
| KeygenAllowedForUrls | Allow key generation on these sites |
| KeygenBlockedForUrls | Block key generation on these sites |
| Kiosk | Kiosk settings |
| DeviceLocalAccounts | Device-local accounts |
| DeviceLocalAccountAutoLoginId | Device-local account for auto-login |
| DeviceLocalAccountAutoLoginDelay | Device-local account auto-login timer |
| DeviceLocalAccountAutoLoginBailoutEnabled | Enable bailout keyboard shortcut for auto-login |
| DeviceLocalAccountPromptForNetworkWhenOffline | Enable network configuration prompt when offline |
| KioskTroubleshootingToolsEnabled | Enable Kiosk troubleshooting tools |
| LegacySameSiteCookieBehaviorSettings | Legacy SameSite cookie behavior settings |
| LegacySameSiteCookieBehaviorEnabled | Default legacy SameSite cookie behavior setting |
| LegacySameSiteCookieBehaviorEnabledForDomainList | Revert to legacy SameSite behavior for cookies on these sites |
| LocalFontsSettings | Local Fonts settings |
| DefaultLocalFontsSetting | Default Local Fonts permission setting |
| LocalFontsAllowedForUrls | Allow Local Fonts permission on these sites |
| LocalFontsBlockedForUrls | Block Local Fonts permission on these sites |
| LoginScreenOrigins | Login and screen origins |
| DeviceLoginScreenIsolateOrigins | Enable Site Isolation for specified origins |
| DeviceLoginScreenSitePerProcess | Enable Site Isolation for every site |
| NativeMessaging | Native messaging |
| NativeMessagingBlocklist | Configure native messaging blocklist |
| NativeMessagingAllowlist | Configure native messaging allowlist |
| NativeMessagingUserLevelHosts | Allow user-level Native Messaging hosts (installed without admin permissions) |
| NetworkFileShares | Network File Shares settings |
| NetworkFileSharesAllowed | Controls Network File Shares for ChromeOS availability |
| NetBiosShareDiscoveryEnabled | Controls Network File Share discovery via NetBIOS |
| NTLMShareAuthenticationEnabled | Controls enabling NTLM as an authentication protocol for SMB mounts |
| NetworkFileSharesPreconfiguredShares | List of preconfigured network file shares. |
| NotificationsSettings | Notification settings |
| DefaultNotificationsSetting | Default notification setting |
| NotificationsAllowedForUrls | Allow notifications on these sites |
| NotificationsBlockedForUrls | Block notifications on these sites |
| PasswordManager | Password manager |
| DeletingUndecryptablePasswordsEnabled | Enable deleting undecryptable passwords |
| PasswordManagerEnabled | Enable saving passwords to the password manager |
| PasswordManagerAllowShowPasswords | Allow users to show passwords in Password Manager (deprecated) |
| PasswordSharingEnabled | Enable sharing user credentials with other users |
| ThirdPartyPasswordManagersAllowed | Allow using Third-Party Password Managers in Google Chrome on Android |
| PasswordProtection | Password protection |
| PasswordProtectionWarningTrigger | Password protection warning trigger |
| PasswordProtectionLoginURLs | Configure the list of enterprise login URLs where password protection service should capture salted hashes of passwords. |
| PasswordProtectionChangePasswordURL | Configure the change password URL. |
| PinUnlock | Pin unlock |
| PinUnlockMinimumLength | Set the minimum length of the lock screen PIN |
| PinUnlockMaximumLength | Set the maximum length of the lock screen PIN |
| PinUnlockWeakPinsAllowed | Enable users to set weak PINs for the lock screen PIN |
| PinUnlockAutosubmitEnabled | Enable PIN auto-submit feature on the lock and login screen. |
| PluginVm | PluginVm |
| PluginVmAllowed | Allow devices to use a PluginVm on Google ChromeOS |
| PluginVmDataCollectionAllowed | Allow PluginVm Product Analytics |
| PluginVmImage | PluginVm image |
| PluginVmLicenseKey | PluginVm license key |
| PluginVmRequiredFreeDiskSpace | Required free disk space for PluginVm |
| PluginVmUserId | PluginVm user id |
| UserPluginVmAllowed | Allow users to use a PluginVm on Google ChromeOS |
| PluginsSettings | Plugins settings |
| DefaultPluginsSetting | Default Flash setting |
| PluginsAllowedForUrls | Allow the Flash plugin on these sites |
| PluginsBlockedForUrls | Block the Flash plugin on these sites |
| PopupsSettings | Pop-ups settings |
| DefaultPopupsSetting | Default pop-ups setting |
| PopupsAllowedForUrls | Allow pop-ups on these sites |
| PopupsBlockedForUrls | Block pop-ups on these sites |
| PrivacySandbox | Privacy sandbox settings controls |
| PrivacySandboxPromptEnabled | Choose whether the Privacy Sandbox prompt can be shown to your users |
| PrivacySandboxAdTopicsEnabled | Choose whether the Privacy Sandbox Ad topics setting can be disabled |
| PrivacySandboxSiteEnabledAdsEnabled | Choose whether the Privacy Sandbox Site-suggested ads setting can be disabled |
| PrivacySandboxAdMeasurementEnabled | Choose whether the Privacy Sandbox ad measurement setting can be disabled |
| PrivateNetworkRequestSettings | Private network request settings |
| InsecurePrivateNetworkRequestsAllowed | Specifies whether to allow websites to make requests to more-private network endpoints in an insecure manner |
| InsecurePrivateNetworkRequestsAllowedForUrls | Allow the listed sites to make requests to more-private network endpoints in an insecure manner. |
| ProfileSeparation | Profile Separation |
| ProfileSeparationSettings | Enterprise profile separation settings |
| ProfileSeparationDataMigrationSettings | Profile separation data migration settings |
| ProfileSeparationDomainExceptionList | Enterprise profile separation secondary domain allowlist |
| Proxy | Proxy |
| ProxyMode | Choose how to specify proxy server settings |
| ProxyServerMode | Choose how to specify proxy server settings |
| ProxyServer | Address or URL of proxy server |
| ProxyPacUrl | URL to a proxy .pac file |
| ProxyBypassList | Proxy bypass rules |
| ProxySettings | Proxy settings |
| QuickUnlock | Quick unlock |
| QuickUnlockModeAllowlist | Configure allowed quick unlock modes |
| QuickUnlockTimeout | Set how often user has to enter password to use quick unlock |
| RemoteAccess | Remote access |
| RemoteAccessClientFirewallTraversal | Enable firewall traversal from remote access client |
| RemoteAccessHostClientDomain | Configure the required domain name for remote access clients |
| RemoteAccessHostClientDomainList | Configure the required domain names for remote access clients |
| RemoteAccessHostFirewallTraversal | Enable firewall traversal from remote access host |
| RemoteAccessHostDomain | Configure the required domain name for remote access hosts |
| RemoteAccessHostDomainList | Configure the required domain names for remote access hosts |
| RemoteAccessHostRequireTwoFactor | Enable two-factor authentication for remote access hosts |
| RemoteAccessHostTalkGadgetPrefix | Configure the TalkGadget prefix for remote access hosts |
| RemoteAccessHostRequireCurtain | Enable curtaining of remote access hosts |
| RemoteAccessHostAllowClientPairing | Enable or disable PIN-less authentication for remote access hosts |
| RemoteAccessHostAllowGnubbyAuth | Allow gnubby authentication for remote access hosts |
| RemoteAccessHostAllowRelayedConnection | Enable the use of relay servers by the remote access host |
| RemoteAccessHostUdpPortRange | Restrict the UDP port range used by the remote access host |
| RemoteAccessHostMatchUsername | Require that the name of the local user and the remote access host owner match |
| RemoteAccessHostTokenUrl | URL where remote access clients should obtain their authentication token |
| RemoteAccessHostTokenValidationUrl | URL for validating remote access client authentication token |
| RemoteAccessHostTokenValidationCertificateIssuer | Client certificate for connecting to RemoteAccessHostTokenValidationUrl |
| RemoteAccessHostDebugOverridePolicies | Policy overrides for Debug builds of the remote access host |
| RemoteAccessHostAllowUiAccessForRemoteAssistance | Allow remote users to interact with elevated windows in remote assistance sessions |
| RemoteAccessHostAllowFileTransfer | Allow remote access users to transfer files to/from the host |
| RemoteAccessHostEnableUserInterface | Enable connection-related UI on the host desktop when a connection is active |
| RemoteAccessHostAllowRemoteAccessConnections | Allow remote access connections to this machine |
| RemoteAccessHostMaximumSessionDurationMinutes | Maximum session duration allowed for remote access connections |
| RemoteAccessHostClipboardSizeBytes | The maximum size, in bytes, that can be transferred between client and host via clipboard synchronization |
| RemoteAccessHostAllowRemoteSupportConnections | Allow remote support connections to this machine |
| RemoteAccessHostAllowEnterpriseRemoteSupportConnections | Allow enterprise remote support connections to this machine |
| RemoteAccessHostAllowEnterpriseFileTransfer | Enable file transfer capability in enterprise remote support sessions |
| RemoteAccessHostAllowUrlForwarding | Allow remote access users to open host-side URLs in their local client browser |
| RemoteAccessHostAllowPinAuthentication | Allow PIN and pairing authentication methods for remote access hosts |
| RestoreOnStartup | Action on startup |
| RestoreOnStartup | Action on startup |
| RestoreOnStartupURLs | URLs to open on startup |
| SAML | SAML |
| DeviceTransferSAMLCookies | Transfer SAML IdP cookies during login |
| SafeBrowsing | Safe Browsing settings |
| SafeBrowsingEnabled | Enable Safe Browsing |
| SafeBrowsingExtendedReportingEnabled | Enable Safe Browsing Extended Reporting |
| SafeBrowsingProtectionLevel | Safe Browsing Protection Level |
| SafeBrowsingAllowlistDomains | Configure the list of domains on which Safe Browsing will not trigger warnings. |
| SafeBrowsingProxiedRealTimeChecksAllowed | Allow Safe Browsing Proxied Real Time Checks |
| SafeBrowsingSurveysEnabled | Allow Safe Browsing Surveys |
| SafeBrowsingDeepScanningEnabled | Allow download deep scanning for Safe Browsing-enabled users |
| DisableSafeBrowsingProceedAnyway | Disable proceeding from the Safe Browsing warning page |
| ScreenCaptureSettings | Screen Capture settings |
| ScreenCaptureAllowed | Allow or deny screen capture |
| ScreenCaptureAllowedByOrigins | Allow Desktop, Window, and Tab capture by these origins |
| WindowCaptureAllowedByOrigins | Allow Window and Tab capture by these origins |
| TabCaptureAllowedByOrigins | Allow Tab capture by these origins |
| SameOriginTabCaptureAllowedByOrigins | Allow Same Origin Tab capture by these origins |
| SensorsSettings | Sensors settings |
| DefaultSensorsSetting | Default sensors setting |
| SensorsAllowedForUrls | Allow access to sensors on these sites |
| SensorsBlockedForUrls | Block access to sensors on these sites |
| SkyVaultSettings | SkyVault (all data in cloud) settings |
| LocalUserFilesAllowed | Enable local user files |
| LocalUserFilesMigrationDestination | Local user files migration destination |
| SupervisedUsers | Supervised users |
| SupervisedUsersEnabled | Enable supervised users |
| SupervisedUserCreationEnabled | Enable creation of supervised users |
| SupervisedUserContentProviderEnabled | Enable the supervised user content provider |
| ThirdPartyStoragePartitioningSettings | Third-party storage partitioning settings |
| DefaultThirdPartyStoragePartitioningSetting | Default third-party storage partitioning setting |
| ThirdPartyStoragePartitioningBlockedForOrigins | Disable third-party storage partitioning for specific top-level origins |
| UserAndDeviceReporting | User and device reporting |
| EnableDeviceGranularReporting | Enable granular reporting controls |
| ReportDeviceVersionInfo | Report OS and firmware version |
| ReportDeviceBootMode | Report device boot mode |
| ReportDeviceUsers | Report device users |
| ReportDeviceActivityTimes | Report device activity times |
| ReportDeviceAudioStatus | Report device audio status |
| ReportDeviceLocation | Report device location |
| ReportDeviceNetworkConfiguration | Report network configuration |
| ReportDeviceNetworkInterfaces | Report device network interfaces |
| ReportDeviceNetworkStatus | Report network status |
| ReportDeviceHardwareStatus | Report hardware status |
| ReportDeviceSessionStatus | Report information about active kiosk sessions |
| ReportDeviceGraphicsStatus | Report display and graphics statuses |
| ReportDeviceCrashReportInfo | Report information about crash reports. |
| ReportDeviceOsUpdateStatus | Report OS update status |
| ReportDeviceBoardStatus | Report board status |
| ReportDeviceCpuInfo | Report CPU info |
| ReportDeviceTimezoneInfo | Report Timezone info |
| ReportDeviceMemoryInfo | Report memory info |
| ReportDeviceBacklightInfo | Report backlight info |
| ReportDevicePeripherals | Report peripheral details |
| ReportDevicePowerStatus | Report power status |
| ReportDeviceSecurityStatus | Report device security status |
| ReportDeviceStorageStatus | Report storage status |
| ReportDeviceAppInfo | Report applications information |
| ReportDeviceBluetoothInfo | Report Bluetooth info |
| ReportDeviceFanInfo | Report fan info |
| ReportDeviceVpdInfo | Report VPD info |
| ReportDeviceSystemInfo | Report system info |
| ReportDevicePrintJobs | Report print jobs |
| ReportDeviceLoginLogout | Report login/logout |
| DeviceReportRuntimeCounters | Report device runtime counters |
| ReportUploadFrequency | Frequency of device status report uploads |
| ReportArcStatusEnabled | Report information about status of Android |
| HeartbeatEnabled | Send network packets to the management server to monitor online status |
| HeartbeatFrequency | Frequency of monitoring network packets |
| LogUploadEnabled | Send system logs to the management server |
| DeviceMetricsReportingEnabled | Enable metrics reporting |
| DeviceReportXDREvents | Report extended detection and response (XDR) events |
| DeviceExtensionsSystemLogEnabled | Enable extensions system logging |
| WebPrintingSettings | Web Printing settings |
| DefaultWebPrintingSetting | Control use of the WebPrinting API |
| WebPrintingAllowedForUrls | Allow WebPrinting API on these sites |
| WebPrintingBlockedForUrls | Block WebPrinting API on these sites |
| WebUsbSettings | Web USB settings |
| DefaultWebUsbGuardSetting | Control use of the WebUSB API |
| DeviceLoginScreenWebUsbAllowDevicesForUrls | Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen. |
| WebUsbAllowDevicesForUrls | Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs. |
| WebUsbAskForUrls | Allow WebUSB on these sites |
| WebUsbBlockedForUrls | Block WebUSB on these sites |
| WiFi | WiFi |
| DeviceWiFiFastTransitionEnabled | Enable 802.11r Fast Transition |
| DeviceWiFiAllowed | Enable WiFi |
| WindowManagementSettings | Window Management settings |
| DefaultWindowManagementSetting | Default Window Management permission setting |
| WindowManagementAllowedForUrls | Allow Window Management permission on these sites |
| WindowManagementBlockedForUrls | Block Window Management permission on these sites |
| DefaultWindowPlacementSetting | Default Window Placement permission setting |
| WindowPlacementAllowedForUrls | Allow Window Placement permission on these sites |
| WindowPlacementBlockedForUrls | Block Window Placement permission on these sites |