Chrome Insider: Managing Chrome browser in a controlled environment
Fletcher Oliver
Chrome Enterprise Customer Engineer
Learn more about Chrome Enterprise Core
Powerful and flexible management capabilities both in the cloud and on premises, at no additional cost.
Learn moreIT teams often require a range of controls to support different groups and users. In some cases, users need more permissions and access based on their role. Other situations might call for more restrictive measures, with limited access or heightened security measures. These tighter controls can be driven by security requirements or even compliance needs. As an IT admin, you can use the wide range of configuration options provided by Chrome to manage users’ browsing experience, no matter how lax or strict. Particularly under current conditions, IT teams might need to support workers that require tighter controls while they are working remotely.
To help admins, I’d like to share a few examples of policies that can be used to limit access, restrict settings, or reduce auditing headaches. This list isn’t exhaustive, and every enterprise should weigh how much control to enforce over their users’ browsers. But as IT teams are supporting increasingly complex working conditions, it might be a good time to explore which of these policies make sense to implement for your user base.
Access controls
- Block access to a list of URLs / Allow Access to a list of URLs - Grants or blocks user access to specific sites. You can use an * on the block list and add allowed sites on the allow list (remember to test this first to ensure that subpages can still function).
- Managed bookmarks - Adds a list of bookmarks of the sites that your users can access. This policy is set via JSON in GPO. Consider a JSON validator/formatter to verify and format to a single line (compact). There is a sample JSON in the policy link.
Extension controls
- Hide web store from new tab page (Currently GPO only) - Prevents the web store icon from appearing on new tabs to deter users from installing Chrome extensions.
- Configure extension installation blacklist - Specifies which Chrome Extensions you will block from installation. Extensions on this list that are already installed will be disabled and future installations will be blocked. Wildcards of * are allowed to block all extensions except those that are included on your “allow” list.
- Configure extension installation whitelist (located in the Extension subfolder in GPO) - These are the extensions that you will allow to be installed on users’ machines. This whitelist overrides the block list. You can force install the extensions via this policy.
- Force Google SafeSearch - Turns on Google SafeSearch to prevent explicit content from showing up in search results. Read more about SafeSearch here.
Privacy controls
- Incognito mode availability / Enable guest mode / Enable “add person” in user manager (Guest mode available in GPO only) - Disabling each of these prevents users from browsing in incognito mode or guest mode, or from adding user accounts to Chrome (such as their personal Google accounts).
- Enable deleting browser and download history - Set this to “false” prevents the deletion of browser history. This may be useful for security investigation or auditing purposes.
User controls
- Allow download restrictions - Enables the blocking of dangerous or potentially dangerous downloads; it can also block all downloads from Chrome.
- Control where developer tools can be used - Disables developer tools. Developer tools could be used by tech-savvy users to augment or circumvent installed extensions or other tools.
- Disable taking screenshots - Blocks screenshots from being taken using keyboard shortcuts or extension APIs. This can be useful for protecting sensitive company content from being shared.
- Disable proceeding from the safe browser warning page - The Safe Browsing service shows a warning page when users navigate to sites that are potentially malicious, and is on by default. Enabling this setting prevents users from bypassing the warning and visiting malicious sites.
You can review the various settings in the template or in the full policy list to see what level of management is needed for your users. Keep in mind that turning off one thing might affect another, so employ these policies carefully, and test well before rolling them out in production. If you’re using Group Policy Objects (GPO), download the Google ADM(X) template here; most policies are present under Administrative templates>Google>Google Chrome (these policies are available in both GPO and Chrome Browser Cloud Management, unless otherwise noted).