• Google Chrome (Linux, Mac, Windows) since version 22
• Google Chrome OS (Google Chrome OS) since version 22

Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.

If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.

• 2 = Do not allow any site to access the camera and microphone
• 3 = Ask every time a site wants to access the camera and/or microphone

• Google Chrome OS (Google Chrome OS) since version 26

Specifies the length of time without user input after which the screen is dimmed when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS dims the screen.

When this policy is set to zero, Google Chrome OS does not dim the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.

• Google Chrome OS (Google Chrome OS) since version 26

Specifies the length of time without user input after which the screen is turned off when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS turns off the screen.

When this policy is set to zero, Google Chrome OS does not turn off the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

• Google Chrome OS (Google Chrome OS) since version 26

Specifies the length of time without user input after which the screen is locked when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS locks the screen.

When this policy is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

• Google Chrome OS (Google Chrome OS) since version 27

Specifies the length of time without user input after which a warning dialog is shown when running on AC power.

When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS shows a warning dialog telling the user that the idle action is about to be taken.

When this policy is unset, no warning dialog is shown.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

The warning message is only shown if the idle action is to logout or shut down.

• Google Chrome OS (Google Chrome OS) since version 26

Specifies the length of time without user input after which the idle action is taken when running on AC power.

When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS takes the idle action, which can be configured separately.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds.

• Google Chrome OS (Google Chrome OS) since version 26

Specifies the length of time without user input after which the screen is dimmed when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS dims the screen.

When this policy is set to zero, Google Chrome OS does not dim the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.

• Google Chrome OS (Google Chrome OS) since version 26

Specifies the length of time without user input after which the screen is turned off when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS turns off the screen.

When this policy is set to zero, Google Chrome OS does not turn off the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

• Google Chrome OS (Google Chrome OS) since version 26

Specifies the length of time without user input after which the screen is locked when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS locks the screen.

When this policy is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

• Google Chrome OS (Google Chrome OS) since version 27

Specifies the length of time without user input after which a warning dialog is shown when running on battery power.

When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS shows a warning dialog telling the user that the idle action is about to be taken.

When this policy is unset, no warning dialog is shown.

The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.

The warning message is only shown if the idle action is to logout or shut down.

• Google Chrome OS (Google Chrome OS) since version 26

Specifies the length of time without user input after which the idle action is taken when running on battery power.

When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS takes the idle action, which can be configured separately.

When this policy is unset, a default length of time is used.

The policy value should be specified in milliseconds.

• Google Chrome OS (Google Chrome OS) since version 26

Note that this policy is deprecated and will be removed in the future.

This policy provides a fallback value for the more-specific IdleActionAC and IdleActionBattery policies. If this policy is set, its value gets used if the respective more-specific policy is not set.

When this policy is unset, behavior of the more-specific policies remains unaffected.

• 0 = Suspend
• 1 = Log the user out
• 2 = Shut down
• 3 = Do nothing

• Google Chrome OS (Google Chrome OS) since version 30

When this policy is set, it specifies the action that Google Chrome OS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.

When this policy is unset, the default action is taken, which is suspend.

If the action is suspend, Google Chrome OS can separately be configured to either lock or not lock the screen before suspending.

• 0 = Suspend
• 1 = Log the user out
• 2 = Shut down
• 3 = Do nothing

• Google Chrome OS (Google Chrome OS) since version 30

When this policy is set, it specifies the action that Google Chrome OS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.

When this policy is unset, the default action is taken, which is suspend.

If the action is suspend, Google Chrome OS can separately be configured to either lock or not lock the screen before suspending.

• 0 = Suspend
• 1 = Log the user out
• 2 = Shut down
• 3 = Do nothing

• Google Chrome (Linux, Mac, Windows) since version 8
• Google Chrome OS (Google Chrome OS) since version 11
• Google Chrome (Android) since version 30

This policy is deprecated, use ProxyMode instead.

Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.

This policy only takes effect if the ProxySettings policy has not been specified.

If you choose to never use a proxy server and always connect directly, all other options are ignored.

If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.

If you choose manual proxy settings, you can specify further options in 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.

For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

If you enable this setting, Google Chrome ignores all proxy-related options specified from the command line.

Leaving this policy not set will allow the users to choose the proxy settings on their own.

• 0 = Never use a proxy
• 1 = Auto detect proxy settings
• 2 = Manually specify proxy settings
• 3 = Use system proxy settings

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

• Google Chrome (Linux, Mac, Windows) since version 22
• Google Chrome OS (Google Chrome OS) since version 41

This policy is deprecated. Please use RemoteAccessHostClientDomainList instead.

• Google Chrome (Linux, Mac, Windows) since version 22
• Google Chrome OS (Google Chrome OS) since version 41

This policy is deprecated. Please use RemoteAccessHostDomainList instead.

• Google Chrome (Linux, Mac, Windows) since version 44
• Google Chrome OS (Google Chrome OS) since version 44

This setting is deprecated, use SafeBrowsingExtendedReportingEnabled instead. Enabling or disabling SafeBrowsingExtendedReportingEnabled is equivalent to setting SafeBrowsingExtendedReportingOptInAllowed to False.

Setting this policy to false stops users from choosing to send some system information and page content to Google servers. If this setting is true or not configured, then users will be allowed to send some system information and page content to Safe Browsing to help detect dangerous apps and sites.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

• Google Chrome (Linux, Mac, Windows) since version 8
• Google Chrome OS (Google Chrome OS) since version 11
• Google Chrome (Android) since version 30

This policy is deprecated in M70, please use AutofillAddressEnabled and AutofillCreditCardEnabled instead.

Enables Google Chrome's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information.

If you disable this setting, AutoFill will be inaccessible to users.

If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.

• Google Chrome (Linux, Mac, Windows) since version 9
• Google Chrome OS (Google Chrome OS) since version 11

This policy is deprecated in M68, please use DeveloperToolsAvailability instead.

Disables the Developer Tools and the JavaScript console.

If you enable this setting, the Developer Tools can not be accessed and web-site elements can not be inspected anymore. Any keyboard shortcuts and any menu or context menu entries to open the Developer Tools or the JavaScript Console will be disabled.

Setting this option to disabled or leaving it not set allows the user to use the Developer Tools and the JavaScript console.

If the policy DeveloperToolsAvailability is set, the value of the policy DeveloperToolsDisabled is ignored.

This policy also controls access to Android Developer Options. If you set this policy to true, users cannot access Developer Options. If you set this policy to false or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.

• Google Chrome (Linux, Mac, Windows) since version 8
• Google Chrome OS (Google Chrome OS) since version 11

This policy is deprecated. Please use the DefaultPluginsSetting to control the avalability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.

Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting.

The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.

If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in 'about:plugins' and users cannot enable them.

Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions.

If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.

Windows (Windows clients):

Software\Policies\Google\Chrome\DisabledPlugins\1 = "Java" Software\Policies\Google\Chrome\DisabledPlugins\2 = "Shockwave Flash" Software\Policies\Google\Chrome\DisabledPlugins\3 = "Chrome PDF Viewer"

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\DisabledPlugins\1 = "Java" Software\Policies\Google\ChromeOS\DisabledPlugins\2 = "Shockwave Flash" Software\Policies\Google\ChromeOS\DisabledPlugins\3 = "Chrome PDF Viewer"

Android/Linux:

[ "Java", "Shockwave Flash", "Chrome PDF Viewer" ]

Mac:

<array> <string>Java</string> <string>Shockwave Flash</string> <string>Chrome PDF Viewer</string> </array>

• Google Chrome (Linux, Mac, Windows) since version 11
• Google Chrome OS (Google Chrome OS) since version 11

This policy is deprecated. Please use the DefaultPluginsSetting to control the avalability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.

Specifies a list of plugins that user can enable or disable in Google Chrome.

The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.

If you enable this setting, the specified list of plugins can be used in Google Chrome. Users can enable or disable them in 'about:plugins', even if the plugin also matches a pattern in DisabledPlugins. Users can also enable and disable plugins that don't match any patterns in DisabledPlugins, DisabledPluginsExceptions and EnabledPlugins.

This policy is meant to allow for strict plugin blacklisting where the 'DisabledPlugins' list contains wildcarded entries like disable all plugins '*' or disable all Java plugins '*Java*' but the administrator wishes to enable some particular version like 'IcedTea Java 2.3'. This particular versions can be specified in this policy.

Note that both the plugin name and the plugin's group name have to be exempted. Each plugin group is shown in a separate section in about:plugins; each section may have one or more plugins. For example, the "Shockwave Flash" plugin belongs to the "Adobe Flash Player" group, and both names have to have a match in the exceptions list if that plugin is to be exempted from the blacklist.

If this policy is left not set any plugin that matches the patterns in the 'DisabledPlugins' will be locked disabled and the user won't be able to enable them.

Windows (Windows clients):

Software\Policies\Google\Chrome\DisabledPluginsExceptions\1 = "Java" Software\Policies\Google\Chrome\DisabledPluginsExceptions\2 = "Shockwave Flash" Software\Policies\Google\Chrome\DisabledPluginsExceptions\3 = "Chrome PDF Viewer"

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\DisabledPluginsExceptions\1 = "Java" Software\Policies\Google\ChromeOS\DisabledPluginsExceptions\2 = "Shockwave Flash" Software\Policies\Google\ChromeOS\DisabledPluginsExceptions\3 = "Chrome PDF Viewer"

Android/Linux:

[ "Java", "Shockwave Flash", "Chrome PDF Viewer" ]

Mac:

<array> <string>Java</string> <string>Shockwave Flash</string> <string>Chrome PDF Viewer</string> </array>

• Google Chrome (Linux, Mac, Windows) since version 12
• Google Chrome OS (Google Chrome OS) since version 12

This policy is deprecated, please use URLBlacklist instead.

Disables the listed protocol schemes in Google Chrome.

URLs using a scheme from this list will not load and can not be navigated to.

If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.

Windows (Windows clients):

Software\Policies\Google\Chrome\DisabledSchemes\1 = "file" Software\Policies\Google\Chrome\DisabledSchemes\2 = "https"

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\DisabledSchemes\1 = "file" Software\Policies\Google\ChromeOS\DisabledSchemes\2 = "https"

Android/Linux:

[ "file", "https" ]

Mac:

<array> <string>file</string> <string>https</string> </array>

• Google Chrome (Linux, Mac, Windows) since version 11
• Google Chrome OS (Google Chrome OS) since version 11

This policy is deprecated. Please use the DefaultPluginsSetting to control the avalability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.

Specifies a list of plugins that are enabled in Google Chrome and prevents users from changing this setting.

The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.

The specified list of plugins is always used in Google Chrome if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them.

Note that this policy overrides both DisabledPlugins and DisabledPluginsExceptions.

If this policy is left not set the user can disable any plugin installed on the system.

Windows (Windows clients):

Software\Policies\Google\Chrome\EnabledPlugins\1 = "Java" Software\Policies\Google\Chrome\EnabledPlugins\2 = "Shockwave Flash" Software\Policies\Google\Chrome\EnabledPlugins\3 = "Chrome PDF Viewer"

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\EnabledPlugins\1 = "Java" Software\Policies\Google\ChromeOS\EnabledPlugins\2 = "Shockwave Flash" Software\Policies\Google\ChromeOS\EnabledPlugins\3 = "Chrome PDF Viewer"

Android/Linux:

[ "Java", "Shockwave Flash", "Chrome PDF Viewer" ]

Mac:

<array> <string>Java</string> <string>Shockwave Flash</string> <string>Chrome PDF Viewer</string> </array>

• Google Chrome (Windows) since version 64
• Google Chrome (Mac) since version 66
• Google Chrome (Android) since version 65

This policy is deprecated, consider using BrowserSignin instead.

If this policy is set to true, user has to sign in to Google Chrome with their profile before using the browser. And the default value of BrowserGuestModeEnabled will be set to false. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article.

If this policy is set to false or not configured, user can use the browser without sign in to Google Chrome.

• Google Chrome (Linux, Mac, Windows) since version 25
• Google Chrome OS (Google Chrome OS) since version 25
• Google Chrome (Android) since version 30

This policy is deprecated, please use ForceGoogleSafeSearch and ForceYouTubeRestrict instead. This policy is ignored if either the ForceGoogleSafeSearch, the ForceYouTubeRestrict or the (deprecated) ForceYouTubeSafetyMode policies are set.

Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting. This setting also forces Moderate Restricted Mode on YouTube.

If you enable this setting, SafeSearch in Google Search and Moderate Restricted Mode YouTube is always active.

If you disable this setting or do not set a value, SafeSearch in Google Search and Restricted Mode in YouTube is not enforced.

• Google Chrome (Linux, Mac, Windows) since version 41
• Google Chrome OS (Google Chrome OS) since version 41
• Google Chrome (Android) since version 41

This policy is deprecated. Consider using ForceYouTubeRestrict, which overrides this policy and allows more fine-grained tuning.

Forces YouTube Moderate Restricted Mode and prevents users from changing this setting.

If this setting is enabled, Restricted Mode on YouTube is always enforced to be at least Moderate.

If this setting is disabled or no value is set, Restricted Mode on YouTube is not enforced by Google Chrome. External policies such as YouTube policies might still enforce Restricted Mode, though.

This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.

• Google Chrome (Linux, Mac, Windows) since version 11
• Google Chrome OS (Google Chrome OS) since version 11
• Google Chrome (Android) since version 30

This policy is deprecated. Please, use IncognitoModeAvailability instead. Enables Incognito mode in Google Chrome.

If this setting is enabled or not configured, users can open web pages in incognito mode.

If this setting is disabled, users cannot open web pages in incognito mode.

If this policy is left not set, this will be enabled and the user will be able to use incognito mode.

• Google Chrome (Linux, Mac, Windows) since version 8
• Google Chrome OS (Google Chrome OS) since version 11
• Google Chrome (Android) since version 30

This policy is deprecated, please use DefaultJavaScriptSetting instead.

Can be used to disabled JavaScript in Google Chrome.

If this setting is disabled, web pages cannot use JavaScript and the user cannot change that setting.

If this setting is enabled or not set, web pages can use JavaScript but the user can change that setting.

• Google Chrome (Linux, Mac, Windows) since version 66

This policy is deprecated in M72. Please use CloudManagementEnrollmentToken instead.

• Google Chrome (Linux, Mac, Windows) since version 27
• Google Chrome (Android) since version 38

This policy is deprecated, consider using BrowserSignin instead.

Allows the user to sign in to Google Chrome.

If you set this policy, you can configure whether a user is allowed to sign in to Google Chrome. Setting this policy to 'False' will prevent apps and extensions that use the chrome.identity API from functioning, so you may want to use SyncDisabled instead.

• Google Chrome (Linux, Mac, Windows) since version 65

Deprecated in M69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.

The policy specifies a list of origins (URLs) or hostname patterns (such as "*.example.com") for which security restrictions on insecure origins will not apply.

The intent is to allow organizations to whitelist origins for legacy applications that cannot deploy TLS, or to set up a staging server for internal web development so that their developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy will also prevent the origin from being labeled "Not Secure" in the omnibox.

Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If the policy is set, it will override the command-line flag.

This policy is deprecated in M69 in favor of OverrideSecurityRestrictionsOnInsecureOrigin. If both policies are present, OverrideSecurityRestrictionsOnInsecureOrigin will override this policy.

For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/

Windows (Windows clients):

Software\Policies\Google\Chrome\UnsafelyTreatInsecureOriginAsSecure\1 = "http://testserver.example.com/" Software\Policies\Google\Chrome\UnsafelyTreatInsecureOriginAsSecure\2 = "*.example.org"

Android/Linux:

[ "http://testserver.example.com/", "*.example.org" ]

Mac:

<array> <string>http://testserver.example.com/</string> <string>*.example.org</string> </array>