Skip to main content
A set of browser configurations manageable via the Google Workspace Admin Console or Group Policy.
“Shortcodes” referenced below are the actual policy Preference Names used in the Admin Console.

Browser Reporting

Enable this for any managed Google Workspace tenancy — it routes browser events to the audit and investigation log tool. Three hours is the minimum supported upload frequency.
PolicySettingShortcodeURL
Managed browser reportingEnabled managed browser cloud reportingCloudReportingEnabledLink
Managed browser reporting upload frequency3 hoursCloudReportingUploadFrequencyLink
Event ReportingEnable event reportingOnSecurityEventEnterpriseConnectorLink

Chrome Enterprise Connectors

  • Hashes are generated for uploaded and downloaded files.
  • Large text pastes are analysed for potential PII exfiltration.
  • Visits to malicious URLs are logged and graded by severity; advisory bypasses are also logged.
PolicySettingShortcodeURL
Upload content analysisTODOOnFileAttachedEnterpriseConnectorLink
Download content analysisTODOOnFileDownloadedEnterpriseConnectorLink
Bulk text content analysisTODOOnBulkDataEntryEnterpriseConnectorLink
Print content analysisTODOOnPrintEnterpriseConnectorLink
Real time URL checkChrome Enterprise PremiumEnterpriseRealTimeUrlCheckModeLink

Chrome Updates

Goals:
  • Update browsers within 48 hours of a release.
  • Poll for updates every 300 minutes.
  • Use cacheable update URLs where possible.
  • Use the extended stable channel — the latest channel can receive multiple releases per day, which increases operational noise.
PolicySettingShortcodeURL
Relaunch notification: ConfigurationShow notification recommending relaunch???Link
Relaunch notification: Time Period (hours)48RelaunchHeadsUpPeriodLink
Relaunch notification: Initial quiet period (hours)4RelaunchNotificationLink
Relaunch notification: Relaunch window start time00:00RelaunchNotificationPeriodLink
Relaunch notification: Relaunch window duration (minutes)1440RelaunchWindowLink
Auto-update check period (minutes)300???Link
Cacheable URLsAttempt to provide cache-friendly download URLs???Link
Google updater policy precedenceCloud Google Updater policy override platform policy???Link
Suppress auto-update check: Start Time08:30???Link
Suppress auto-update check: Duration (minutes)120???Link
Chrome browser updates: ConfigurationAllow updates???Link
Chrome browser updates: ChannelExtended stable channel???Link

Content

Improves the user experience for common browser interactions.
PolicySettingShortcodeURL
Show “Always Open” checkbox in external protocol dialogUser may select “Always allow” to skip all future confirmation promptsExternalProtocolDialogShowAlwaysOpenCheckboxLink

Enrollment Controls

Captures asset metadata during device enrollment.
PolicySettingShortcodeURL
Asset identifier during enrollmentUsers in this organization can provide asset ID and location during enrollment???Link

Import Settings

Disables password import — redundant once the built-in password manager is disabled (see Security below), but worth setting explicitly.
PolicySettingShortcodeURL
Import saved passwordsDisable import of saved passwordsImportSavedPasswordsLink

Remote Access

Locks down Chrome’s built-in remote access features. Establish a standard remote support tool for your org so this restriction doesn’t create operational gaps.
PolicySettingShortcodeURL
Firewall TraversalDisable firewall traversalRemoteAccessHostFirewallTraversalLink
Remote support connectionsPrevent remote support connectionsRemoteAccessHostAllowRemoteSupportConnectionsLink
Enterprise remote support connectionsPrevent remote support connections from enterprise adminsRemoteAccessHostAllowEnterpriseRemoteSupportConnectionsLink

Security

Disables the built-in password manager in favour of a centralised password solution (Bitwarden, 1Password, etc.), preventing credentials from being scattered across browser profiles.
PolicySettingShortcodeURL
Password ManagerNever allow the use of password managerPasswordManagerEnabledLink

Sign-in settings

Prevents users from syncing history, bookmarks, or passwords to a personal Google account via the managed browser.
PolicySettingShortcodeURL
Browser sign-in settingsEnable browser sign-inBrowserSigninLink
Separate profile for managed Google IdentityForce separate profile and forbid secondary managed accountsManagedAccountsSigninRestrictionLink
Enterprise profile separationEnforce profile separationProfileSeparationSettingsLink
Profile separation data migrationSuggest to users to bring their existing data in the managed profile and give them a choice not toProfileSeparationDataMigrationSettingsLink

Other settings

  • Metrics reporting — anonymised crash and usage data sent to Google; useful for Chromium issue resolution.
  • Policy fetch delay — set to 300 seconds so a bad config can be rolled back before it propagates to clients.
  • Chrome data backup — disabled; browser data should not be included in local system backups.
PolicySettingShortcodeURL
Metrics ReportingSend anonymous reports of usage and crash-related data to GoogleMetricsReportingEnabledLink
Policy fetch delay300 secondsMaxInvalidationFetchDelayLink
Backup of Google Chrome dataPrevent Google Chrome data from being included in backupsAllowChromeDataInBackupsLink

URL Blocking

Configurable here or via shortcode URLBlocklist.
This section is unique — it’s a list of URLs rather than a single configurable option.
URLReason
https://remotedesktop.google.comChrome’s Remote Desktop service (needed to get chromeRemoteDesktopAppBlocked to equal true in the device trust connector at chrome://connectors-internals/)
https://remotedesktop.corp.google.comGoogle Internal Chrome Remote Desktop service (also needed to get chromeRemoteDesktopAppBlocked to equal true in the device trust connector at chrome://connectors-internals/)