• Google ChromeOS (Google ChromeOS) since version 81

Enable accessibility features shortcuts.

If this policy is set to true, accessibility features shortcuts will always be enabled.

If this policy is set to false, accessibility features shortcuts will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, accessibility features shortcuts will be enabled by default.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the autoclick accessibility feature.

This feature is responsible to click without physically pressing your mouse or touchpad, hover over the object you'd like to click.

If this policy is set to enabled, the autoclick will always be enabled.

If this policy is set to disabled, the autoclick will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the autoclick is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the caret highlight accessibility feature.

This feature is responsible for highlighting the area that surrounds the caret while editing.

If this policy is set to enabled, the caret highlight will always be enabled.

If this policy is set to disabled, the caret highlight will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the caret highlight is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 117

Enable the color correction accessibility feature.

This feature enables users to adjust the color correction settings on their managed Google ChromeOS devices, which may make it easier for users with color vision deficiency to perceive colors on their screen.

If this policy is set to enabled, color correction will always be enabled; users will need to go into Settings to pick their specific color correction options (e.g. Deuteranomaly/Protanomaly/Tritanamaly/Greyscale filter and intensity). Color correction settings are displayed to the user on first use.

If this policy is set to disabled, color correction will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the color correction feature is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the cursor highlight accessibility feature.

This feature is responsible for highlighting the area that surrounds the mouse cursor while moving it.

If this policy is set to enabled, the cursor highlight will always be enabled.

If this policy is set to disabled, the cursor highlight will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the cursor highlight is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 81

Enable accessibility features shortcuts on the login screen.

If this policy is set to true, accessibility features shortcuts will always be enabled on the login screen.

If this policy is set to false, accessibility features shortcuts will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, accessibility features shortcuts will be enabled by default on the login screen.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the autoclick accessibility feature on the login screen.

This feature allows to automatically click when the mouse cursor stops, without requiring the user to physically press the mouse or touchpad buttons.

If this policy is set to true, the autoclick will always be enabled on the login screen.

If this policy is set to false, the autoclick will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the autoclick is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the caret highlight accessibility feature on the login screen.

If this policy is set to true, the caret highlight will always be enabled on the login screen.

If this policy is set to false, the caret highlight will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the caret highlight is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the cursor highlight accessibility feature on the login screen.

If this policy is set to true, the cursor highlight will always be enabled on the login screen.

If this policy is set to false, the cursor highlight will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the cursor highlight is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True turns High-contrast mode on at the sign-in screen. Setting the policy to False turns High-contrast mode off at the screen.

If you set the policy, users can temporarily change High-contrast mode, turning it on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, High-contrast mode is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenHighContrastEnabled overrides this policy if the former is specified.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True turns the large cursor on at the sign-in screen. Setting the policy to False turns the large cursor off at the sign-in screen.

If you set the policy, users can temporarily turn the large cursor on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the large cursor is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenLargeCursorEnabled overrides this policy if the former is specified.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to None turns screen magnification off at the sign-in screen.

If you set the policy, users can temporarily turn the screen magnifier on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the screen magnifier is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Valid values: • 0 = Off • 1 = On • 2 = Docked magnifier on

Note: DeviceLoginScreenScreenMagnifierType overrides this policy if the former is specified.

• 0 = Screen magnifier disabled
• 1 = Full-screen magnifier enabled
• 2 = Docked magnifier enabled

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True turns spoken feedback on at the sign-in screen. Setting the policy to False turns spoken feedback off at the screen.

If you set the policy, users can temporarily turn spoken feedback on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, spoken feedback is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenSpokenFeedbackEnabled overrides this policy if the former is specified.

• Google ChromeOS (Google ChromeOS) since version 34

This policy is deprecated, please use the DeviceLoginScreenVirtualKeyboardEnabled policy instead.

Setting the policy to True turns the on-screen keyboard on at sign-in. Setting the policy to False turns the on-screen keyboard off at sign-in.

If you set the policy, users can temporarily turn the on-screen keyboard on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the on-screen keyboard is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenVirtualKeyboardEnabled overrides this policy if the former is specified.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the dictation accessibility feature on the login screen.

If this policy is set to true, the dictation will always be enabled on the login screen.

If this policy is set to false, the dictation will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the high contrast accessibility feature on the login screen.

If this policy is set to true, the high contrast will always be enabled on the login screen.

If this policy is set to false, the high contrast will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the high contrast is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the keyboard focus highlighting accessibility feature on the login screen.

This feature is responsible for highlighting the object that is focused by the keyboard.

If this policy is set to enabled, the keyboard focus highlighting will always be enabled.

If this policy is set to disabled, the keyboard focus highlighting will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the large cursor accessibility feature on the login screen.

If this policy is set to true, the large cursor will always be enabled on the login screen.

If this policy is set to false, the large cursor will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the large cursor is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the mono audio accessibility feature on the login screen.

This feature allows to switch the device mode from the default stereo audio to the mono audio.

If this policy is set to true, the mono audio will always be enabled on the login screen.

If this policy is set to false, the mono audio will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the mono audio is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

If this policy is set, it controls the type of screen magnifier that is enabled.

If this policy is set to "Full-screen", the screen magnifier will always be enabled in full-screen magnifier mode on the login screen.

If this policy is set to "Docked", the screen magnifier will always be enabled in docked magnifier mode on the login screen.

If this policy is set to "None", the screen magnifier will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the screen magnifier is disabled on the login screen initially but can be enabled by the user anytime.

• 0 = Screen magnifier disabled
• 1 = Full-screen magnifier enabled
• 2 = Docked magnifier enabled

• Google ChromeOS (Google ChromeOS) since version 79

Enable the select to speak accessibility feature on the login screen.

If this policy is set to true, the select to speak will always be enabled on the login screen.

If this policy is set to false, the select to speak will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the select to speak is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 80

Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.

If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.

If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the spoken feedback accessibility feature on the login screen.

If this policy is set to true, the spoken feedback will always be enabled on the login screen.

If this policy is set to false, the spoken feedback will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the spoken feedback is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the sticky keys accessibility feature on the login screen.

If this policy is set to true, the sticky keys will always be enabled on the login screen.

If this policy is set to false, the sticky keys will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the sticky keys is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the virtual keyboard accessibility feature on the login screen.

If this policy is set to true, the accessibility virtual keyboard will always be enabled on the login screen.

If this policy is set to false, the accessibility virtual keyboard will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the accessibility virtual keyboard is disabled on the login screen initially but can be enabled by the user anytime via accessibility settings.

This policy does not affect whether the touch virtual keyboard is enabled. For example, the touch virtual keyboard will still show up on a tablet device even if this policy is set to false.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the dictation accessibility feature.

If this policy is set to enabled, the dictation will always be enabled.

If this policy is set to disabled, the dictation will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the dictation is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 94

Allow the enhanced network text-to-speech voices in Select-to-speak accessibility feature. These voices send text to Google's servers to synthesize natural-sounding speech.

If this policy is set to false, the enhanced network text-to-speech voices feature in Select-to-speak will always be disabled.

If this policy is set to true or unset, the enhanced network text-to-speech voices feature in Select-to-speak can be enabled or disabled by the user.

• Google ChromeOS (Google ChromeOS) since version 84

In kiosk mode, controls whether the floating accessibility menu is being shown.

If this policy is set to enabled, the floating accessibility menu will be always shown.

If this policy is set to disabled or left unset, the floating accessibility menu will never be shown.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True keeps High-contrast mode on. Setting the policy to False keeps High-contrast mode off.

If you set the policy, users can't change it. If not set, High-contrast mode is off, but users can turn it on any time.

• Google ChromeOS (Google ChromeOS) since version 35

Setting the policy to True makes the top row of keys on the keyboard act as function key commands. Pressing the Search key changes their behavior back to media keys.

If set to False or not set, the keyboard defaults to producing media key commands. Pressing the Search key changes them to function keys.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the keyboard focus highlighting accessibility feature.

This feature is responsible for highlighting the object that has the focus by the keyboard.

If this policy is set to enabled, the keyboard focus highlighting will always be enabled.

If this policy is set to disabled, the keyboard focus highlighting will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True keeps the large cursor on. Setting the policy to False keeps the large cursor off.

If you set the policy, users can't change the feature. If not set, the large cursor is off at first, but users can turn it on any time.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the mono audio accessibility feature.

This feature is responsible for outputing stereo audio which includes different left and right channels, so different ears get different sounds.

If this policy is set to enabled, the mono audio will always be enabled.

If this policy is set to disabled, the mono audio will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the mono audio is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to None turns the screen magnifier off.

If you set the policy, users can't change it. If not set, the screen magnifier is off at first, but users can turn it on any time.

• 0 = Screen magnifier disabled
• 1 = Full-screen magnifier enabled
• 2 = Docked magnifier enabled

• Google ChromeOS (Google ChromeOS) since version 77

Enable the select to speak accessibility feature.

If this policy is set to true, the select to speak will always be enabled.

If this policy is set to false, the select to speak will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the select to speak is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 27

Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.

If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.

If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True keeps spoken feedback on. Setting the policy to False keeps spoken feedback off.

If you set the policy, users can't change it. If not set, spoken feedback is off at first, but users can turn it on any time.

• Google ChromeOS (Google ChromeOS) since version 76

Setting the policy to True keeps sticky keys on. Setting the policy to False keeps sticky keys off.

If you set the policy, users can't change it. If not set, sticky keys is off at first, but users can turn it on any time.

• Google Chrome (Windows) since version 125

Enables the UI Automation accessibility framework provider in Google Chrome for use by accessibility tools.

This policy is supported in Google Chrome for a one-year transition period to allow enterprise administrators to control the deployment of the browser's UI Automation accessibility framework provider. Accessibility and other tools that use the UI Automation accessibility framework to interoperate with the browser may require updates to function properly with the browser's UI Automation provider. Administrators can use this policy to temporarily disable the browser's UI Automation provider (thereby reverting to the old behavior) while they work with vendors to provide updates to impacted tools.

When set to false, Google Chrome only enables its Microsoft Active Accessibility provider. Accessibility and other tools that use the newer UI Automation accessibility framework to interoperate with the browser will communicate with it by way of a compatibility shim in Microsoft® Windows®.

When set to true, Google Chrome enables its UI Automation provider in addition to its Microsoft Active Accessibility provider. Accessibility and other tools that use the newer UI Automation accessibility framework to interoperate with the browser will communicate directly with it.

When left unset, the variations framework in Google Chrome is used to enable or disable the provider.

Support for this policy setting will end in Google Chrome 136.

Windows (Intune):

<disabled/>

• Google ChromeOS (Google ChromeOS) since version 34

Enable the virtual keyboard accessibility feature.

If this policy is set to true, the accessibility virtual keyboard will always be enabled.

If this policy is set to false, the accessibility virtual keyboard will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the accessibility virtual keyboard is disabled initially but can be enabled by the user at any time by using the accessibility settings.

This policy does not affect whether the touch virtual keyboard is enabled. For example, the touch virtual keyboard will still show up on a tablet device even if this policy is set to false. Use the TouchVirtualKeyboardEnabled policy to control the behavior of the touch virtual keyboard.

• Google ChromeOS (Google ChromeOS) since version 94

Enable or disable various features on the on-screen keyboard. This policy takes effect only when "VirtualKeyboardEnabled" policy is enabled.

If one feature in this policy is set to True, it will be enabled on the on-screen keyboard.

If one feature in this policy is set to False or left unset, it will be disabled on the on-screen keyboard.

NOTE: this policy is only supported in PWA Kiosk mode.

• Google ChromeOS (Google ChromeOS) since version 130

The getAllScreensMedia API allows isolated web applications (identified by their origin) to capture multiple surfaces at once without additional user permission. If the policy is not set, getAllScreensMedia is not available for any web application. In order to improve privacy, this policy will not support mid-session updates of the policy value and therefore changes will only apply after the user logged out and logged in again. The user can be sure that no additional apps will be able to capture the screens after login if it were not allowed at session start already.

• Google ChromeOS (Google ChromeOS) since version 67

Setting the policy to True sends reports of key, policy-triggered Android app installation events to Google.

Setting the policy to False or leaving it unset means no events are captured.

• Google ChromeOS (Google ChromeOS) since version 94

Setting the policy to True enables sharing text/files from Android apps to supported Web Apps, using the built-in Android sharing system. When enabled, this will send metadata for installed Web Apps to Google to generate and install a shim Android app. Setting the policy to False disables this functionality.

• Google ChromeOS (Google ChromeOS) since version 68

Setting the policy to BackupAndRestoreEnabled means Android backup and restore is initially on. Setting the policy to BackupAndRestoreDisabled or leaving it unset keeps backup and restore off during setup.

Setting the policy to BackupAndRestoreUnderUserControl means users see prompts to use backup and restore. If they turn on backup and restore, Android app data is uploaded to Android backup servers and restored during reinstallations of compatible apps.

After initial setup, users can turn backup and restore on or off.

• 0 = Backup and restore disabled
• 1 = User decides whether to enable backup and restore
• 2 = Backup and restore enabled

• Google ChromeOS (Google ChromeOS) since version 52

Setting the policy to CopyCaCerts makes all ONC-installed CA certificates with Web TrustBit available for ARC-apps.

Setting to None or leaving it unset makes Google ChromeOS certificates unavailable for ARC-apps.

• 0 = Disable usage of Google ChromeOS certificates to ARC-apps
• 1 = Enable Google ChromeOS CA certificates to ARC-apps

• Google ChromeOS (Google ChromeOS) since version 50

Unless Ephemeral mode or multiple sign-in is on during the user's session, setting ArcEnabled to True turns ARC on for the user. Setting the policy to False or leaving it unset means enterprise users can't use ARC.

• Google ChromeOS (Google ChromeOS) since version 68

Warning! This policy is deprecated, please use GoogleLocationServicesEnabled instead. Google ChromeOS now has a system location toggle, which governs the entire system including Android. The Android toggle is now read-only and reflects the Google ChromeOS location state.

Unless the DefaultGeolocationSetting policy is set to BlockGeolocation, then setting GoogleLocationServicesEnabled turns Google location services on during initial setup. Setting the policy to GoogleLocationServicesDisabled or leaving it unset keeps location services off during setup.

Setting policy to GoogleLocationServicesUnderUserControl prompts users about whether or not to use Google location services. If they turn it on, Android apps, Google ChromeOS apps, websites, and system services use the services to search the device location and send anonymous location data to Google.

After initial setup, users can turn Google location services on or off.

• 0 = Google location services disabled
• 1 = User decides whether to enable Google location services
• 2 = Google location services enabled

• Google ChromeOS (Google ChromeOS) since version 50

Setting the policy specifies a set of policies to hand over to the ARC runtime. Admins can use it to select the Android apps that autoinstall. Enter value in valid JSON format.

To pin apps to the launcher, see PinnedLauncherApps.

• Google ChromeOS (Google ChromeOS) since version 64

Unless ARC is turned off by other means, then setting the policy to True or leaving it unset lets users use ARC. Setting the policy to False means unaffiliated users may not use ARC.

Changes to the policy only apply while ARC isn't running, for example, while starting ChromeOS.

• Google ChromeOS (Google ChromeOS) since version 120

Unless ARC is turned off by other means, then setting the policy to True or leaving it unset lets managed users use ARC on unaffiliated devices. Setting the policy to False means managed users may not use ARC on unaffiliated devices.

Note that other restrictions, like those imposed by ArcEnabled and UnaffiliatedArcAllowed policies, continue to be respected, and ARC gets disabled if any of them specifies so.

• Google ChromeOS (Google ChromeOS) since version 91

Controls the availability of Borealis for this user.

If the policy is unset, or is set to false, Borealis will be unavailable. When the policy is set to true Borealis will be available if and only if no other policy or setting disables it.

• Google ChromeOS (Google ChromeOS) since version 78

Setting the policy to All (0) or leaving it unset lets users edit trust settings for all CA certificates, remove user-imported certificates, and import certificates using Certificate Manager. Setting the policy to UserOnly (1) lets users manage only user-imported certificates, but not change trust settings of built-in certificates. Setting it to None (2) lets users view (not manage) CA certificates.

• 0 = Allow users to manage all certificates
• 1 = Allow users to manage user certificates
• 2 = Disallow users from managing certificates

• Google Chrome (Linux) since version 131
• Google Chrome (Mac) since version 131
• Google Chrome (Windows) since version 131
• Google Chrome (Android) since version 131

If enabled(or not set), user-added TLS certificates from platform trust stores will be used in path-building for TLS server authentication.

If disabled, user-added TLS certificates from platform trust stores will not be used in path-building for TLS server authentication.

Windows (Intune):

<disabled/>

• Google ChromeOS (Google ChromeOS) since version 84

Specifies device-wide client certificates that should be enrolled using the device management protocol.

• Google ChromeOS (Google ChromeOS) since version 83

Specifies client certificates that should be enrolled using the device management protocol.

• Google ChromeOS (Google ChromeOS) since version 122

This policy allows the admins to configure the Cloud Upload flow for Google Drive and Google Workspace on Google ChromeOS.

Setting the policy to 'allowed' lets the user set up the Cloud Upload flow for Google Drive and Google Workspace if they wish to. After completing the setup process, files with matching file formats will by default be moved to Google Drive and handled by one of the Google Workspace apps when the user attempts to open them.

Setting the policy to 'disallowed' prohibits the user from setting up the Cloud Upload flow for Google Drive as described above and removes Google Workspace apps from the list of potential file handlers.

Setting the policy to 'automated' sets up the Cloud Upload flow for Google Drive and Google Workspace automatically, so that files with matching file formats will by default be moved to Google Drive and handled by one of the Google Workspace apps when the user attempts to open them.

Leaving the policy unset is functionally equivalent to setting it to 'allowed' for regular users; for enterprise users unset policy defaults to 'disallowed'.

• "allowed" = Allow the Cloud Upload flow for Google Drive and Google Workspace
• "disallowed" = Disallow the Cloud Upload flow for Google Drive and Google Workspace
• "automated" = Automate the Cloud Upload flow for Google Drive and Google Workspace

• Google ChromeOS (Google ChromeOS) since version 122

This policy allows the admins to configure the Cloud Upload flow for Microsoft OneDrive and Microsoft 365 on Google ChromeOS.

Setting the policy to 'allowed' lets the user set up the Cloud Upload flow for Microsoft OneDrive and Microsoft 365 if they wish to. After completing the setup process, files with matching file formats will by default be moved to Microsoft OneDrive and handled by the Microsoft 365 app when the user attempts to open them.

Setting the policy to 'disallowed' prohibits the user from setting up the Cloud Upload flow for Microsoft OneDrive and Microsoft 365 as described above and removes Microsoft 365 from the list of potential file handlers.

Setting the policy to 'automated' sets up the Cloud Upload flow for Microsoft OneDrive and Microsoft 365 automatically, so that files with matching file formats will by default be moved to Microsoft OneDrive and handled by the Microsoft 365 app when the user attempts to open them.

Leaving the policy unset is functionally equivalent to setting it to 'allowed' for regular users; for enterprise users unset policy defaults to 'disallowed'.

• "allowed" = Allow the Cloud Upload flow for Microsoft OneDrive and Microsoft 365
• "disallowed" = Disallow the Cloud Upload flow for Microsoft OneDrive and Microsoft 365
• "automated" = Automate the Cloud Upload flow for Microsoft OneDrive and Microsoft 365

• Google Chrome (Linux) since version 15
• Google Chrome (Mac) since version 15
• Google Chrome (Windows) since version 15
• Google ChromeOS (Google ChromeOS) since version 15

Setting the policy lets you make a list of URL patterns that specify sites for which Chrome can automatically select a client certificate. The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.

Examples for the usage of the $FILTER section:

* When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.

* When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.

* When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.

* When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.

* When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.

Leaving the policy unset means there's no autoselection for any site.

Windows (Windows clients):

Software\Policies\Google\Chrome\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"

Android/Linux:

[ "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}" ]

Mac:

<array> <string>{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}</string> </array>

Windows (Intune):

<enabled/>

<data id="AutoSelectCertificateForUrlsDesc" value="1&#xF000;{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"/>

• Google Chrome (Linux) since version 120
• Google Chrome (Mac) since version 120
• Google Chrome (Windows) since version 120
• Google ChromeOS (Google ChromeOS) since version 120
• Google Chrome (Android) since version 120

This policy enables Data URL support for SVGUseElement, which will be disabled by default starting in M119. If this policy is set to Enabled, Data URLs will continue to work in SVGUseElement. If this policy is set to Disabled or not set, Data URLs won't work in SVGUseElement.

Windows (Intune):

<disabled/>

• Google Chrome (Linux) since version 103
• Google Chrome (Mac) since version 103
• Google Chrome (Windows) since version 103
• Google ChromeOS (Google ChromeOS) since version 103

Setting the policy to 2 blocks sites from using the clipboard site permission. Setting the policy to 3 or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use one.

This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.

This policy only affects clipboard operations controlled by the clipboard site permission, and does not affect sanitized clipboard writes or trusted copy and paste operations.

• 2 = Do not allow any site to use the clipboard site permission
• 3 = Allow sites to ask the user to grant the clipboard site permission

Windows (Intune):

<enabled/>

<data id="DefaultClipboardSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 86
• Google Chrome (Linux) since version 86
• Google Chrome (Mac) since version 86
• Google Chrome (Windows) since version 86

Setting the policy to 3 lets websites ask for read access to files and directories in the host operating system's file system via the File System API. Setting the policy to 2 denies access.

Leaving it unset lets websites ask for access, but users can change this setting.

• 2 = Do not allow any site to request read access to files and directories via the File System API
• 3 = Allow sites to ask the user to grant read access to files and directories via the File System API

Windows (Intune):

<enabled/>

<data id="DefaultFileSystemReadGuardSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 86
• Google Chrome (Linux) since version 86
• Google Chrome (Mac) since version 86
• Google Chrome (Windows) since version 86

Setting the policy to 3 lets websites ask for write access to files and directories in the host operating system's file system. Setting the policy to 2 denies access.

Leaving it unset lets websites ask for access, but users can change this setting.

• 2 = Do not allow any site to request write access to files and directories
• 3 = Allow sites to ask the user to grant write access to files and directories

Windows (Intune):

<enabled/>

<data id="DefaultFileSystemWriteGuardSetting" value="2"/>

• Google Chrome (Linux) since version 10
• Google Chrome (Mac) since version 10
• Google Chrome (Windows) since version 10
• Google ChromeOS (Google ChromeOS) since version 11
• Google Chrome (Android) since version 30

Setting the policy to 1 lets sites track the users' physical location as the default state. Setting the policy to 2 denies this tracking by default. You can set the policy to ask whenever a site wants to track the users' physical location.

Leaving the policy unset means the AskGeolocation policy applies, but users can change this setting.

• 1 = Allow sites to track the users' physical location
• 2 = Do not allow any site to track the users' physical location
• 3 = Ask whenever a site wants to track the users' physical location

(Warning! Soon this dependency will be dropped, please start using GoogleLocationServicesEnabled instead) If this policy is set to BlockGeolocation, Google ChromeOS system services and Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to allow when an Android app wants to access location information.

Windows (Intune):

<enabled/>

<data id="DefaultGeolocationSetting" value="1"/>

• Google Chrome (Linux) since version 79
• Google Chrome (Mac) since version 79
• Google Chrome (Windows) since version 79
• Google ChromeOS (Google ChromeOS) since version 79

Allows you to set whether users can add exceptions to allow mixed content for specific sites.

This policy can be overridden for specific URL patterns using the 'InsecureContentAllowedForUrls' and 'InsecureContentBlockedForUrls' policies.

If this policy is left not set, users will be allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.

• 2 = Do not allow any site to load mixed content
• 3 = Allow users to add exceptions to allow mixed content

Windows (Intune):

<enabled/>

<data id="DefaultInsecureContentSetting" value="2"/>

• Google Chrome (Linux) since version 93
• Google Chrome (Mac) since version 93
• Google Chrome (Windows) since version 93
• Google ChromeOS (Google ChromeOS) since version 93
• Google Chrome (Android) since version 93

Allows you to set whether Google Chrome will run the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.

Disabling the JavaScript JIT will mean that Google Chrome may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Google Chrome to render web content in a more secure configuration.

This policy can be overridden for specific URL patterns using the JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.

If this policy is left not set, JavaScript JIT is enabled.

• 1 = Allow any site to run JavaScript JIT
• 2 = Do not allow any site to run JavaScript JIT

Windows (Intune):

<enabled/>

<data id="DefaultJavaScriptJitSetting" value="1"/>

• Google Chrome (Linux) since version 22
• Google Chrome (Mac) since version 22
• Google Chrome (Windows) since version 22
• Google ChromeOS (Google ChromeOS) since version 22

Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.

If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.

• 2 = Do not allow any site to access the camera and microphone
• 3 = Ask every time a site wants to access the camera and/or microphone

Windows (Intune):

<enabled/>

<data id="DefaultMediaStreamSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 86
• Google Chrome (Linux) since version 86
• Google Chrome (Mac) since version 86
• Google Chrome (Windows) since version 86

Setting the policy to 3 lets websites ask for access to serial ports. Setting the policy to 2 denies access to serial ports.

Leaving it unset lets websites ask for access, but users can change this setting.

• 2 = Do not allow any site to request access to serial ports via the Serial API
• 3 = Allow sites to ask the user to grant access to a serial port

Windows (Intune):

<enabled/>

<data id="DefaultSerialGuardSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 50
• Google Chrome (Android) since version 50
• Google Chrome (Linux) since version 50
• Google Chrome (Mac) since version 50
• Google Chrome (Windows) since version 50

Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.

Leaving the policy unset lets sites ask for access, but users can change this setting.

• 2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API
• 3 = Allow sites to ask the user to grant access to a nearby Bluetooth device

Windows (Intune):

<enabled/>

<data id="DefaultWebBluetoothGuardSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 100
• Google Chrome (Linux) since version 100
• Google Chrome (Mac) since version 100
• Google Chrome (Windows) since version 100

Setting the policy to 3 lets websites ask for access to HID devices. Setting the policy to 2 denies access to HID devices.

Leaving it unset lets websites ask for access, but users can change this setting.

This policy can be overridden for specific url patterns using the WebHidAskForUrls and WebHidBlockedForUrls policies.

• 2 = Do not allow any site to request access to HID devices via the WebHID API
• 3 = Allow sites to ask the user to grant access to a HID device

Windows (Intune):

<enabled/>

<data id="DefaultWebHidGuardSetting" value="2"/>

• Google Chrome (Linux) since version 100
• Google Chrome (Mac) since version 100
• Google Chrome (Windows) since version 100
• Google ChromeOS (Google ChromeOS) since version 100

Setting the policy to BlockWindowPlacement (value 2) automatically denies the window placement permission to sites by default. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.

Setting the policy to AskWindowPlacement (value 3) will prompt the user when the window placement permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.

Leaving the policy unset means the AskWindowPlacement policy applies, but users can change this setting.

• 2 = Denies the Window Placement permission on all sites by default
• 3 = Ask every time a site wants obtain the Window Placement permission

Windows (Intune):

<enabled/>

<data id="DefaultWindowPlacementSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 102
• Google Chrome (Linux) since version 111 until version 123

The getDisplayMediaSet API allows web applications to capture multiple surfaces at once. This policy unlocks the autoSelectAllScreens property for web applications at defined origins. If the autoSelectAllScreens property is defined in a getDisplayMediaSet request, all screen surfaces are automatically captured without requiring explicit user permission. If the policy is not set, autoSelectAllScreens is not available for any web application. In order to improve privacy, starting with Google Chrome version 116, this policy will not support dynamic refresh anymore. Therefore, the user can be sure that no additional pages will be able to capture the screens after login if it were not allowed at session start already.

• Google Chrome (Linux) since version 110
• Google Chrome (Mac) since version 110
• Google Chrome (Windows) since version 110
• Google ChromeOS (Google ChromeOS) since version 110

Setting this policy allows the domains listed to access file:// URLs in the PDF Viewer. Adding to the policy allows the domain to access file:// URLs in the PDF Viewer. Removing from the policy disallows the domain from accessing file:// URLs in the PDF Viewer. Leaving the policy unset disallows all domains from accessing file:// URLs in the PDF Viewer.

Windows (Windows clients):

Software\Policies\Google\Chrome\PdfLocalFileAccessAllowedForDomains\1 = "example.com" Software\Policies\Google\Chrome\PdfLocalFileAccessAllowedForDomains\2 = "google.com"

Android/Linux:

[ "example.com", "google.com" ]

Mac:

<array> <string>example.com</string> <string>google.com</string> </array>

Windows (Intune):

<enabled/>

<data id="PdfLocalFileAccessAllowedForDomainsDesc" value="1&#xF000;example.com&#xF000;2&#xF000;google.com"/>

• Google Chrome (Linux) since version 37
• Google Chrome (Mac) since version 37
• Google Chrome (Windows) since version 37
• Google ChromeOS (Google ChromeOS) since version 37

Setting the policy (as recommended only) lets you register a list of protocol handlers, which merge with the ones that the user registers, putting both sets in use. Set the property "protocol" to the scheme, such as "mailto", and set the property "URL" to the URL pattern of the application that handles the scheme specified in the "protocol" field. The pattern can include a "%s" placeholder, which the handled URL replaces.

Users can't remove a protocol handler registered by policy. However, by installing a new default handler, they can change the protocol handlers installed by policy.

The protocol handlers set via this policy are not used when handling Android intents.

Windows (Windows clients):

Software\Policies\Google\Chrome\Recommended\RegisteredProtocolHandlers = [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]

Android/Linux:

RegisteredProtocolHandlers: [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]

Mac:

<key>RegisteredProtocolHandlers</key> <array> <dict> <key>default</key> <true/> <key>protocol</key> <string>mailto</string> <key>url</key> <string>https://mail.google.com/mail/?extsrc=mailto&amp;url=%s</string> </dict> </array>

Windows (Intune):

<enabled/>

<data id="RegisteredProtocolHandlers" value="{"default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s"}"/>