blob: 89fd395a9c1865bd786a2b405a3a0d278dc84047 [file] [log] [blame]
{
# policy_templates.json - Metafile for policy templates
#
# The content of this file is evaluated as a Python expression.
#
# This file is used as input to generate the following policy templates:
# ADM, ADMX+ADML, MCX/plist and html documentation.
#
# Policy templates are user interface definitions or documents about the
# policies that can be used to configure Chrome. Each policy is a name-value
# pair where the value has a given type. Chrome looks up the values using the
# names of the policies. In the user interface where the values can be set,
# related policies might appear together in policy groups. The grouping is not
# visible to Chrome.
#
# This file contains a list of policies and groups. Each group contains a list
# of policies under the key 'policies'. All the policies and groups must have
# unique names. Group names are not exposed to Chrome at all.
#
# Each policy has a type. The currently implemented types:
# 'group': - not a real policy, contains a list of policies
# NOTE: Currently nesting groups inside other groups is not supported.
# 'string' - a string value
# 'int' - an integer value
# 'int-enum' - the user can select an integer value from a collection of
# items
# 'string-enum' - the user can select a string value from a collection of
# items
# 'string-enum-list' - the user can select a set of string values from a
# collection of items
# 'main' - a boolean value
# 'list' - a list of string values. Using this for a list of JSON strings
# is now discouraged, because the 'dict' is better for JSON.
# 'dict' - perhaps should be named JSON. An arbitrarily complex object or
# array, nested objects/arrays, etc. The user defines the value with JSON.
# 'external' - a policy that references external data.
# NOTE: This type is currently supported on Chrome OS only.
#
# NOTE to 'dict' vs 'list' - in the past, 'list' has been used for a policy
# that is an array of objects. The user supplied a list of strings, and each
# of those strings was parsed as JSON, resulting in an array of objects.
# However, there are a couple of reasons why 'dict' is better for these sorts
# of policies. Some interfaces (eg the GPO editor) only allow each list item
# to be a single-line string, which is not great for inputting a complex JSON
# object. It also means any example values shown in the documentation will
# have a hybrid syntax, with both commas and new-lines being used to delimit
# array elements - and these examples will be harder to copy and paste.
# To conclude, prefer 'dict' to 'list' if JSON is involved.
#
# Each policy is tagged with risk tags that indicate potential privacy or
# security risks. They are defined at the beginning of this file (tag
# 'risk_tag_definitions').
# Each risk tag contains the following information:
# - name: The name of the risk tag. May not contain spaces.
# - description: Description for developers so they know which tags apply to
# newly added policies.
# - user-description: A text that helps users understand what a policy with
# this tag means for their privacy and/or security.
# TODO(fhorschig|tnagel): Revisit policy tags after reviews.
#
# Policy group descriptions, policy captions and similar texts are localized
# strings taken from the <message> nodes of the .grd file. Their name attributes
# are generated from the JSON keys.
# Each item (policy or group) may have the following messages:
# - description:
# Describes the item it applies to.
# - caption
# A short, one-line summary of the item it applies to. This can appear
# both in policy or group listings or on title bars of policy-setting
# windows. (The caption should not end with a punctuation mark.)
# - label (Optional, defaults to caption if not specified.)
# A short, one-line summary of the item it applies to. The difference
# from caption is that label always appears next to the entry field
# where the value of the policy can be entered. 'main' policies on
# Windows ignore this. Policies on Mac are using this instead of caption.
#
# As a reference for translators, non-translatable strings must be tagged using
# <ph name="..."></ph> as described in [1]. As these tags are pruned before
# generating the comments for .proto files, paragraphs containing such tags
# should not be line-wrapped (use one long line per paragraph instead) to allow
# for correct re-flowing of the text.
# [1] https://www.chromium.org/developers/tools-we-use-in-chromium/grit/grit-users-guide.
#
# See documentation in docs/enterprise/components/policy/resources/description_guidelines.md
# for how product names should appear in <ph> tags to ensure consistency.
#
#
# Generated grd names:
# Each name has two parts: the second part is either CAPTION, DESC or LABEL,
# and the first part identifies the item the text applies to:
# -For policies and groups:
# IDS_POLICY_<NAME OF THE POLICY OR GROUP>
# e.g. the name of the caption of policy HomepageLocation:
# IDS_POLICY_HOMEPAGELOCATION_CAPTION
# or other messages of the policy HomepageLocation:
# IDS_POLICY_HOMEPAGELOCATION_LABEL
# IDS_POLICY_HOMEPAGELOCATION_DESC
# -For enum items:
# IDS_POLICY_ENUM_<NAME OF THE ITEM>
# e.g. the name of the caption of ProxyServerDisabled:
# IDS_POLICY_ENUM_PROXYSERVERDISABLED_CAPTION
#
# Each policy has the list of platforms where it is supported under the key
# 'supported_on' or 'future_on'. The 'supported_on' lists all released
# platforms while the 'future_on' is used to enumerate platforms where the
# feature is not yet ready for use in production environments. Any unreleased
# platforms is hidden from policy templates and documentation. The policy
# definition in the source code is generated for platforms in both lists.
#
# The format of the 'supported_on' is '<platform>:<since_version>-<until_version>'.
# It means the policy is officially released on the |platform| from
# |since_version| and is removed after |until_version|. |until_version|
# is optional.
#
# The format of the 'future_on' list entries is '<platform>'.
# There is no version range attached to it and the policy is available in the
# Dev and Canary channel only unless it's listed in the
# EnableExperimentalPolicies policy.
#
# Currently supported platforms:
# 'chrome.win', 'chrome.win7', 'chrome.mac', 'chrome.linux', 'chrome.*'
# 'chrome_os', 'android', 'webview_android', 'ios', 'chrome_frame'
# Note that 'chrome_frame' has been deprecated.
#
# Annotations:
# 'example_value' is used in the generated documentation and example policy
# configuration files. Examples must cover the entire schema, i.e. use every
# defined property at least once.
#
# 'default' is used to provide a machine readable way of indicating the
# behavior of the controlled setting/feature when the policy is not set. For
# example, if 'default' is set to True, it documents that when the policy is
# not set, the feature controlled by the policy will behave in the same way
# it would behave if the policy was set to True.
# This field is only used for policies of type 'int', 'main', 'string-enum',
# or 'int-enum'. Other policy types are assumed to have a default equal to
# an empty string or empty list. If the default value can't be expressed with
# the given type and is equivalent to unset, it should be represent with None.
# For example, this would be used for a boolean policy where unset means the
# user can turn the feature on and off, while a set policy will force the
# feature to always be on or off.
# Note that this is different from 'default_for_enterprise_users', as that
# flag sets a policy value for managed users if the policy is not set by some
# other policy source (such as cloud policy). It is also different from
# 'default_for_managed_devices_doc_only', which documents an explicitly
# implemented default policy value for managed devices.
#
# Additional information is specified under the 'features' key:
# 'dynamic_refresh' controls if the generated documentation should state that
# the policy supports dynamic refresh or not. Supporting dynamic refresh means
# that Chrome respects the changes to the policy immediately, without the need
# for restart.
# 'can_be_mandatory' Set to False to suppress the policy in the generated
# mandatory policy templates. The generated documentation for the policy
# will contain a suitable hint for administrators.
# 'can_be_recommended' Set to True to include the policy in the generated
# recommended policy templates. The generated documentation for the policy
# will contain a suitable hint for administrators.
# Policies settings in the mandatory template override user preferences, while
# recommended policies provide a default setting that may be overridden by the
# user. By default, each policy is mandatory and not recommended.
# 'per_profile' controls whether a user policy applies to every user logging
# into the browser or only one profile.
# 'cloud_only' Set to True if the policy is forced or recommended to set from
# Admin console only. This hides the policy from policy templates and Chrome
# documentation in policy_templates.zip. The documentation will NOT be hidden
# from the https://cloud.google.com/docs/chrome-enterprise/policies/.
# 'platform_only' Set to True if the policy can only be set from platform
# policy but do not support Admin console. This is only used as a hint for
# Admin console.
# 'internal_only' Set to True if the policy is used for internal development
# or testing purposes and will never be used by any external administrator.
# 'unlisted' Set to True if the policy is controlled by Admin Console
# without any user interface for administrator. It can only be used for
# policies with the 'cloud_only' tag. Policy with the 'unlisted' tag will be
# hidden from all documentations, policy templates and Admin Console UI.
#
# The 'max_size' key is used to specify the maximal size of the external data
# that a policy can reference, in bytes. This annotation is compulsory for
# policies of type 'external'. It is ignored for all other policy types.
#
# The 'future' key has been deprecated, please use 'future_on' instead for
# unreleased policies.
#
# Schemas:
# All policies have a key 'schema' which describes the schema of the policy.
# This schema supports a subset of the JSON Schema standard
# (https://json-schema.org/understanding-json-schema/index.html). For more
# information see //components/policy/tools/schema_validator.py. This
# validator is also used during presubmit to validate all schemas,
# validation_schemas and the example_values. On the client-side we use
# //components/policy/core/common/schema.h to validate policy values against
# the provided schemas in this file. This validator supports the same subset
# of features supported by the python schema validator used during presubmit.
#
# For many policies this is simply a type eg 'boolean' or 'string', but for
# 'dict' policies this describes the types of not only the root object, but
# also all of its descendants. This schema data is used to validate 'dict'
# policies, if a SchemaValidatingPolicyHandler is configured appropriately in
# configuration_policy_handler_list_factory.cc
#
# Some policies at first seem to have simple schema e.g. a string or a list of
# strings, but those strings are actually JSON strings, and this JSON has
# another schema. This type of policy is deprecated. When adding new policies,
# make sure the entire schema is described by the 'schema' field and that
# there are no strings which contain JSON.
# The legacy policies which contain JSON strings have an extra field, the
# 'validation_schema' which is used to validate not only the schema of the
# policy itself, but also the content of the JSON strings inside the policy.
# Do not use this field when adding new policies.
#
# In order to hide sensitive policy values from the user, you can use
# 'sensitiveValue': True (default 'False') in the associated schema. Those
# values will be masked with '********' in the chrome://policy UI and policy
# exports. 'sensitiveValue' can be applied to all schema types.
#
# For some policies which have complicated schema we add either
# 'description_schema' which describes some but not necessarily all properties
# of the policy or 'url_schema' which contains the link to the expanded
# documentation.
# Note that 'description_schema' is used for documentation purposes only, but
# not for schema validation. It can be used in cases where validation is not
# desired, e.g. if the schema does not describe all properties (see
# ArcPolicy).
#
# TODO(crbug.com/960274): Add translations of the schemas.
#
# IDs:
# Since a Protocol Buffer definition is generated from this file, unique and
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
# For your editing convenience:
# The highest ID currently used is always set in the
# 'highest_id_currently_used' value at the end of this file.
# And don't forget to also update the EnterprisePolicies enum of
# histograms.xml (run 'python tools/metrics/histograms/update_policies.py').
# A policy can be deleted from this file if and only if it is never launched;
# in which case its id must be added to the 'deleted_policy_ids' list to
# prevent reuse.
#
# Ownership:
# Each policy has an 'owners' field. This field is a list of strings which
# describe the group of people responsible for maintaining the policy and can
# help answer questions or solve issues with the policy. The entries can be
# either emails of committers or file:// references to OWNERS files in the
# Chromium repository.
#
# Placeholders:
# The following placeholder strings are automatically substituted:
# $1 -> Google Chrome / Chromium
# $2 -> Google Chrome OS / Chromium OS
# $3 -> Google Chrome Frame / Chromium Frame
# $6 is reserved for doc_writer
#
# Device Policy:
# An additional flag 'device_only' (optional, defaults to False) indicates
# that this policy is only supported as a device-level Cloud Policy. In that
# case no entry in the UserPolicy Protobuf is generated and it is assumed that
# it will be added to the DevicePolicy Protobuf manually. Device policy only
# exists on Chrome OS.
#
# Management Type:
# Chrome OS devices can either be managed through the Google cloud or through
# Active Directory. Most policies are supported for both management types, but
# some are not. To indicate supported management types, use
# 'supported_chrome_os_management': ['google_cloud', 'active_directory'],
# where
# 'google_cloud' = Policy is supported for Google cloud management.
# 'active_directory' = Policy is supported for Active Directory management.
# This setting applies to Chrome OS only. If the setting is missing, both
# types are assumed. The array must not be empty.
#
# Enterprise defaults for user policy:
# For managed users on Chrome OS (i.e. users receiving user policy from the
# cloud), if the optional key 'default_for_enterprise_users' is set, its value
# is applied as mandatory policy unless a different setting is received from
# the cloud. This default value handling is automatically enforced by the
# policy stack when filling the PolicyMap (specifically, by the generated
# function SetEnterpriseUsersDefaults).
#
# Enterprise defaults for device policy:
# The optional key 'default_for_managed_devices_doc_only' can be used to
# document a differing default value for devices enrolled into enterprise
# management. This is for documentation only - the enrollment-dependent
# handling must be manually implemented.
#
# Atomic Policy Group:
# An atomic policy group is a group of policies that logically belong together and influence
# a certain aspect of the browser only when considered together and should be treated as a single policy
# when merging policies from multiple sources. They all have to be set in the same
# source to take effect. In case members of a policy group are set at different sources,
# only the policies from the source with the highest priority will be used.
#
'risk_tag_definitions' : [
# All following tags are ordered by severity of their impact.
# TODO(fhorschig|tnagel): Revisit user-descriptions after reviews.
{
'name': 'full-admin-access',
'description': '''Policies with this tag enable an administrator to
execute arbitrary code or configure a machine in a way that a
man-in-the-middle situation can occur.''',
'user-description': '''Your administrator has set up certificates or applications that could potentially access all of your data.
This could possibly allow inspecting and modifying all data sent and received by Chrome.'''
},
{
'name': 'system-security',
'description': '''Policies with this tag can make the user vulnerable
against attacks which are not possible when the policies are unset.
This includes execution of deprecated code or unsafe configuration of
network settings and proxies.''',
'user-description': '''Policy set by your administrator could enable functionality that is outdated or that could reduce the security of the system in other ways.'''
},
{
'name': 'website-sharing',
'description': '''Setting Policies with this tag will allow sharing
information with a server that would normally not be allowed.
Those information can include geolocation, audio/video device inputs or
data that can be used to identify the user.''',
'user-description': '''Policy set by your administrator could enable sharing of data with websites.
Some of these data might suffice to identify you or could be used to record private information.'''
},
{
'name': 'admin-sharing',
'description': '''Policies with this tag enable an administrator to log
the user's activity or traffic.''',
'user-description': '''Policy configured by your administrator might allow them to gather general information about your device and your activity.'''
},
{
'name': 'filtering',
'description': '''Policies with this tag can restrict the information a
user can query from the world-wide web. This includes blocked websites,
enforced search settings and partly data synchronization.''',
'user-description': '''Your administrator has set up policy that may restrict your access to websites, services or search results.'''
},
{
'name': 'local-data-access',
'description': '''Policies with this tag can cause storing data to or
reading data from a local file system without the user's knowledge. This
includes import of existing settings to the cloud or avoiding clean-up of
local history data.''',
'user-description': '''Your administrator has set up policy that could cause private data to be imported from your system or could cause private data to be written to an admin-specified place.'''
},
{
'name': 'google-sharing',
'description': '''Set policies might enforce sharing data with google,
like crash reports or history.''',
'user-description': '''There are policies set by your administrator which can affect the communication with Google services.
Therefore, some services could either be unreachable or you might not be able to restrict sent data.'''
}
],
'policy_definitions': [
{
'name': 'Startup',
'type': 'group',
'caption': '''Startup, Home page and New Tab page''',
'desc': '''Configure the pages to load on startup, the default home page and the default new tab page in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing them.
The user's home page settings are only completely locked down if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'.
The policy 'URLs to open on startup' is ignored unless you select 'Open a list of URLs' in 'Action on startup'.''',
'policies': [
'ShowHomeButton',
'HomepageLocation',
'HomepageIsNewTabPage',
'NewTabPageLocation',
'RestoreOnStartup',
'RestoreOnStartupURLs',
],
},
{
'name': 'RemoteAccess',
'type': 'group',
'caption': '''Remote access''',
'desc': '''Configure remote access options in Chrome Remote Desktop host.
Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using Chrome Remote Desktop application. The native service is packaged and executed separately from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> browser.
These policies are ignored unless the
Chrome Remote Desktop host is installed.''',
'policies': [
'RemoteAccessClientFirewallTraversal',
'RemoteAccessHostClientDomain',
'RemoteAccessHostClientDomainList',
'RemoteAccessHostFirewallTraversal',
'RemoteAccessHostDomain',
'RemoteAccessHostDomainList',
'RemoteAccessHostRequireTwoFactor',
'RemoteAccessHostTalkGadgetPrefix',
'RemoteAccessHostRequireCurtain',
'RemoteAccessHostAllowClientPairing',
'RemoteAccessHostAllowGnubbyAuth',
'RemoteAccessHostAllowRelayedConnection',
'RemoteAccessHostUdpPortRange',
'RemoteAccessHostMatchUsername',
'RemoteAccessHostTokenUrl',
'RemoteAccessHostTokenValidationUrl',
'RemoteAccessHostTokenValidationCertificateIssuer',
'RemoteAccessHostDebugOverridePolicies',
'RemoteAccessHostAllowUiAccessForRemoteAssistance',
'RemoteAccessHostAllowFileTransfer',
'RemoteAccessHostEnableUserInterface',
'RemoteAccessHostAllowRemoteAccessConnections',
],
},
{
'name': 'PasswordManager',
'type': 'group',
'caption': '''Password manager''',
'desc': '''Configures the password manager.''',
'policies': [
'PasswordManagerEnabled',
'PasswordManagerAllowShowPasswords',
'PasswordLeakDetectionEnabled',
],
},
{
'name': 'Proxy',
'type': 'group',
'caption': '''Proxy server''',
'desc': '''Allows you to specify the proxy server used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing proxy settings.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to auto detect the proxy server, all other options are ignored.
For detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and ARC-apps ignore all proxy-related options specified from the command line.
Leaving these policies not set will allow the users to choose the proxy settings on their own.''',
'policies': [
'ProxyMode',
'ProxyServerMode',
'ProxyServer',
'ProxyPacUrl',
'ProxyBypassList',
],
},
{
'name': 'HTTPAuthentication',
'type': 'group',
'caption': '''HTTP authentication''',
'desc': '''Policies related to integrated HTTP authentication.''',
'policies': [
'AuthSchemes',
'DisableAuthNegotiateCnameLookup',
'EnableAuthNegotiatePort',
'BasicAuthOverHttpEnabled',
'AuthServerAllowlist',
'AuthServerWhitelist',
'AuthNegotiateDelegateAllowlist',
'AuthNegotiateDelegateWhitelist',
'AuthNegotiateDelegateByKdcPolicy',
'GSSAPILibraryName',
'AuthAndroidNegotiateAccountType',
'AllowCrossOriginAuthPrompt',
'NtlmV2Enabled',
'IntegratedWebAuthenticationAllowed',
],
},
{
'name': 'Kerberos',
'type': 'group',
'caption': '''Kerberos''',
'desc': '''Policies related to Kerberos authentication.''',
'policies': [
'KerberosEnabled',
'KerberosRememberPasswordEnabled',
'KerberosAddAccountsAllowed',
'KerberosAccounts',
],
},
{
'name': 'Extensions',
'type': 'group',
'caption': '''Extensions''',
'desc': '''Configures extension-related policies. The user is not allowed to install blacklisted extensions unless they are whitelisted. You can also force <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to automatically install extensions by specifying them in <ph name="EXTENSION_INSTALL_FORCELIST_POLICY_NAME">ExtensionInstallForcelist</ph>. Force-installed extensions are installed regardless whether they are present in the blacklist.''',
'policies': [
'ExtensionInstallAllowlist',
'ExtensionInstallBlocklist',
'ExtensionInstallBlacklist',
'ExtensionInstallWhitelist',
'ExtensionInstallForcelist',
'ExtensionInstallSources',
'ExtensionAllowedTypes',
'ExtensionAllowInsecureUpdates',
'ExtensionSettings',
'BlockExternalExtensions',
],
},
{
# TODO(joaodasilva): Flag these policies with 'can_be_recommended'
# after fixing https://crbug.com/106683
'name': 'DefaultSearchProvider',
'type': 'group',
'caption': '''Default search provider''',
'desc': '''Configures the default search provider. You can specify the default search provider that the user will use or choose to disable default search.''',
'policies': [
'DefaultSearchProviderEnabled',
'DefaultSearchProviderName',
'DefaultSearchProviderKeyword',
'DefaultSearchProviderSearchURL',
'DefaultSearchProviderSuggestURL',
'DefaultSearchProviderInstantURL',
'DefaultSearchProviderIconURL',
'DefaultSearchProviderEncodings',
'DefaultSearchProviderAlternateURLs',
'DefaultSearchProviderSearchTermsReplacementKey',
'DefaultSearchProviderImageURL',
'DefaultSearchProviderNewTabURL',
'DefaultSearchProviderSearchURLPostParams',
'DefaultSearchProviderSuggestURLPostParams',
'DefaultSearchProviderInstantURLPostParams',
'DefaultSearchProviderImageURLPostParams',
],
},
{
# TODO(joaodasilva): Flag these policies with 'can_be_recommended'
# after fixing https://crbug.com/106682
'name': 'ContentSettings',
'type': 'group',
'caption': '''Content settings''',
'desc': '''Content settings allow you to specify how contents of a specific type (for example Cookies, Images or JavaScript) is handled.''',
'policies': [
'DefaultCookiesSetting',
'DefaultFileSystemReadGuardSetting',
'DefaultFileSystemWriteGuardSetting',
'DefaultImagesSetting',
'DefaultInsecureContentSetting',
'DefaultJavaScriptSetting',
'DefaultPluginsSetting',
'DefaultPopupsSetting',
'DefaultNotificationsSetting',
'DefaultGeolocationSetting',
'DefaultMediaStreamSetting',
'DefaultSensorsSetting',
'DefaultWebBluetoothGuardSetting',
'DefaultKeygenSetting',
'DefaultWebUsbGuardSetting',
'DefaultSerialGuardSetting',
'AutoSelectCertificateForUrls',
'CookiesAllowedForUrls',
'CookiesBlockedForUrls',
'CookiesSessionOnlyForUrls',
'FileSystemReadAskForUrls',
'FileSystemReadBlockedForUrls',
'FileSystemWriteAskForUrls',
'FileSystemWriteBlockedForUrls',
'ImagesAllowedForUrls',
'ImagesBlockedForUrls',
'InsecureContentAllowedForUrls',
'InsecureContentBlockedForUrls',
'JavaScriptAllowedForUrls',
'JavaScriptBlockedForUrls',
'KeygenAllowedForUrls',
'KeygenBlockedForUrls',
'LegacySameSiteCookieBehaviorEnabled',
'LegacySameSiteCookieBehaviorEnabledForDomainList',
'PluginsAllowedForUrls',
'PluginsBlockedForUrls',
'PopupsAllowedForUrls',
'RegisteredProtocolHandlers',
'PopupsBlockedForUrls',
'NotificationsAllowedForUrls',
'NotificationsBlockedForUrls',
'SensorsAllowedForUrls',
'SensorsBlockedForUrls',
"WebUsbAllowDevicesForUrls",
'WebUsbAskForUrls',
'WebUsbBlockedForUrls',
'SerialAskForUrls',
'SerialBlockedForUrls',
],
},
{
'name': 'NativeMessaging',
'type': 'group',
'caption': '''Native Messaging''',
'desc': '''Configures policies for Native Messaging. Blacklisted native messaging hosts won't be allowed unless they are whitelisted.''',
'policies': [
'NativeMessagingBlacklist',
'NativeMessagingBlocklist',
'NativeMessagingAllowlist',
'NativeMessagingWhitelist',
'NativeMessagingUserLevelHosts',
],
},
{
'name': 'ChromeFrameRendererSettings',
'owners': ['tommi@chromium.org'],
'type': 'group',
'caption': '''Default HTML renderer for <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'desc': '''Allows you to configure the default HTML renderer when <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> is installed.
The default setting is to allow the host browser do the rendering, but you can optionally override this and have <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> render HTML pages by default.''',
'policies': [
'ChromeFrameRendererSettings',
'RenderInChromeFrameList',
'RenderInHostList',
'AdditionalLaunchParameters',
'SkipMetadataCheck',
],
},
{
'name': 'ChromeFrameContentTypes',
'owners': ['tommi@chromium.org'],
'type': 'group',
'caption': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the following content types''',
'desc': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the following content types.''',
'policies': [
'ChromeFrameContentTypes',
],
},
{
'name': 'Drive',
'type': 'group',
'caption': '''Google Drive''',
'desc': '''Configure Google Drive in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
'DriveDisabled',
'DriveDisabledOverCellular',
],
},
{
'name': 'PowerManagement',
'type': 'group',
'caption': '''Power management''',
'desc': '''Configure power management in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
These policies let you configure how <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> behaves when the user remains idle for some amount of time.''',
'policies': [
'ScreenDimDelayAC',
'ScreenOffDelayAC',
'ScreenLockDelayAC',
'IdleWarningDelayAC',
'IdleDelayAC',
'ScreenDimDelayBattery',
'ScreenOffDelayBattery',
'ScreenLockDelayBattery',
'IdleWarningDelayBattery',
'IdleDelayBattery',
'IdleAction',
'IdleActionAC',
'IdleActionBattery',
'LidCloseAction',
'PowerManagementUsesAudioActivity',
'PowerManagementUsesVideoActivity',
'PresentationIdleDelayScale',
'PresentationScreenDimDelayScale',
'AllowWakeLocks',
'AllowScreenWakeLocks',
'UserActivityScreenDimDelayScale',
'WaitForInitialUserActivity',
'PowerManagementIdleSettings',
'ScreenLockDelays',
'PowerSmartDimEnabled',
'ScreenBrightnessPercent',
'DevicePowerPeakShiftBatteryThreshold',
'DevicePowerPeakShiftDayConfig',
'DevicePowerPeakShiftEnabled',
'DeviceBootOnAcEnabled',
'DeviceAdvancedBatteryChargeModeEnabled',
'DeviceAdvancedBatteryChargeModeDayConfig',
'DeviceBatteryChargeMode',
'DeviceBatteryChargeCustomStartCharging',
'DeviceBatteryChargeCustomStopCharging',
'DeviceUsbPowerShareEnabled'
],
},
{
'name': 'Accessibility',
'type': 'group',
'caption': '''Accessibility settings''',
'desc': '''Configure <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> accessibility features.''',
'policies': [
'ShowAccessibilityOptionsInSystemTrayMenu',
'LargeCursorEnabled',
'SpokenFeedbackEnabled',
'HighContrastEnabled',
'VirtualKeyboardEnabled',
'VirtualKeyboardFeatures',
'StickyKeysEnabled',
'KeyboardDefaultToFunctionKeys',
'ScreenMagnifierType',
'DictationEnabled',
'SelectToSpeakEnabled',
'KeyboardFocusHighlightEnabled',
'CursorHighlightEnabled',
'CaretHighlightEnabled',
'MonoAudioEnabled',
'AccessibilityShortcutsEnabled',
'AutoclickEnabled',
'DeviceLoginScreenDefaultLargeCursorEnabled',
'DeviceLoginScreenDefaultSpokenFeedbackEnabled',
'DeviceLoginScreenDefaultHighContrastEnabled',
'DeviceLoginScreenDefaultVirtualKeyboardEnabled',
'DeviceLoginScreenDefaultScreenMagnifierType',
'DeviceLoginScreenLargeCursorEnabled',
'DeviceLoginScreenSpokenFeedbackEnabled',
'DeviceLoginScreenHighContrastEnabled',
'DeviceLoginScreenVirtualKeyboardEnabled',
'DeviceLoginScreenDictationEnabled',
'DeviceLoginScreenSelectToSpeakEnabled',
'DeviceLoginScreenCursorHighlightEnabled',
'DeviceLoginScreenCaretHighlightEnabled',
'DeviceLoginScreenMonoAudioEnabled',
'DeviceLoginScreenAutoclickEnabled',
'DeviceLoginScreenStickyKeysEnabled',
'DeviceLoginScreenKeyboardFocusHighlightEnabled',
'DeviceLoginScreenScreenMagnifierType',
'DeviceLoginScreenShowOptionsInSystemTrayMenu',
'DeviceLoginScreenAccessibilityShortcutsEnabled',
'FloatingAccessibilityMenuEnabled',
],
},
{
'name': 'Attestation',
'type': 'group',
'caption': 'Remote attestation',
'desc': 'Configure the remote attestation with TPM mechanism.',
'policies': [
'AttestationEnabledForDevice',
'AttestationEnabledForUser',
'AttestationExtensionAllowlist',
'AttestationExtensionWhitelist',
'AttestationForContentProtectionEnabled',
'DeviceWebBasedAttestationAllowedUrls',
],
},
{
'name': 'LocallyManagedUsers',
'type': 'group',
'caption': '''Locally managed users settings''',
'desc': '''Configure settings for managed users.''',
'policies': [
'SupervisedUsersEnabled',
'SupervisedUserCreationEnabled',
'SupervisedUserContentProviderEnabled',
],
},
{
'name': 'GoogleCast',
'type': 'group',
'caption': '''<ph name="PRODUCT_NAME">Google Cast</ph>''',
'desc': '''Configure policies for <ph name="PRODUCT_NAME">Google Cast</ph>, a feature that allows users to send the contents of tabs, sites or the desktop from the browser to remote displays and sound systems.''',
'policies': [
'EnableMediaRouter',
'ShowCastIconInToolbar',
],
},
{
'name': 'QuickUnlock',
'type': 'group',
'caption': '''Quick unlock''',
'desc': '''Configures quick unlock related policies.''',
'policies': [
'QuickUnlockModeAllowlist',
'QuickUnlockModeWhitelist',
'QuickUnlockTimeout',
'PinUnlockMinimumLength',
'PinUnlockMaximumLength',
'PinUnlockWeakPinsAllowed',
'PinUnlockAutosubmitEnabled',
],
},
{
'name': 'CastReceiver',
'type': 'group',
'caption': '''Cast Receiver''',
'desc': '''Configure the Cast Receiver in <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
'CastReceiverEnabled',
'CastReceiverName',
]
},
{
'name': 'SafeBrowsing',
'type': 'group',
'caption': '''Safe Browsing settings''',
'desc': '''Configure Safe Browsing related policies.''',
'policies': [
'SafeBrowsingEnabled',
'SafeBrowsingExtendedReportingEnabled',
'SafeBrowsingProtectionLevel',
'SafeBrowsingWhitelistDomains',
'SafeBrowsingAllowlistDomains',
'PasswordProtectionWarningTrigger',
'PasswordProtectionLoginURLs',
'PasswordProtectionChangePasswordURL',
],
},
{
'name': 'NetworkFileShares',
'type': 'group',
'caption': '''Network File Shares settings''',
'desc': '''Configure Network File Share related policies.''',
'policies': [
'NetworkFileSharesAllowed',
'NetBiosShareDiscoveryEnabled',
'NTLMShareAuthenticationEnabled',
'NetworkFileSharesPreconfiguredShares',
],
},
{
'name': 'CloudReporting',
'type': 'group',
'caption': '''Cloud Reporting''',
'desc': '''Configure cloud reporting policies.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, these policies will be ignored.
These policies are only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
These policies are always effective for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
'ReportVersionData',
'ReportPolicyData',
'ReportMachineIDData',
'ReportUserIDData',
'ReportExtensionsAndPluginsData',
'ReportSafeBrowsingData',
'CloudExtensionRequestEnabled',
'CloudReportingEnabled',
],
},
{
'name': 'BrowserSwitcher',
'type': 'group',
'caption': '''<ph name="LBS_PRODUCT_NAME">Legacy Browser Support</ph>''',
'desc': '''Configure policies to switch between browsers.
Configured websites will automatically open in another browser than <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'policies': [
'AlternativeBrowserPath',
'AlternativeBrowserParameters',
'BrowserSwitcherChromePath',
'BrowserSwitcherChromeParameters',
'BrowserSwitcherDelay',
'BrowserSwitcherEnabled',
'BrowserSwitcherExternalSitelistUrl',
'BrowserSwitcherExternalGreylistUrl',
'BrowserSwitcherKeepLastChromeTab',
'BrowserSwitcherUrlList',
'BrowserSwitcherUrlGreylist',
'BrowserSwitcherUseIeSitelist',
],
},
{
'name': 'PluginVm',
'type': 'group',
'caption': '''PluginVm''',
'policies': [
'PluginVmAllowed',
'PluginVmDataCollectionAllowed',
'PluginVmImage',
'PluginVmLicenseKey',
'PluginVmRequiredFreeDiskSpace',
'PluginVmUserId',
'UserPluginVmAllowed',
],
'desc': '''Configure <ph name="PLUGIN_VM_NAME">PluginVm</ph> related policies.''',
},
{
'name': 'Signin',
'type': 'group',
'caption': '''Sign-in settings''',
'desc': '''Controls the behavior of the sign-in screen, where users log into their accounts. Settings include who can log in, what type of accounts are allowed, what authentication methods should be used, as well as general accessibility, input method and locale settings.''',
'policies': [
'DeviceGuestModeEnabled',
'DeviceUserWhitelist',
'DeviceUserAllowlist',
'DeviceAllowNewUsers',
'DeviceLoginScreenDomainAutoComplete',
'DeviceShowUserNamesOnSignin',
'DeviceWallpaperImage',
'DeviceEphemeralUsersEnabled',
'LoginAuthenticationBehavior',
'DeviceSamlLoginAuthenticationType',
'DeviceTransferSAMLCookies',
'LoginVideoCaptureAllowedUrls',
'DeviceStartUpFlags',
'DeviceLoginScreenExtensions',
'DeviceLoginScreenLocales',
'DeviceLoginScreenInputMethods',
'DeviceLoginScreenSystemInfoEnforced',
'DeviceSecondFactorAuthentication',
'DeviceLoginScreenIsolateOrigins',
'DeviceLoginScreenSitePerProcess',
'DeviceLoginScreenAutoSelectCertificateForUrls',
'DeviceShowNumericKeyboardForPassword',
'DeviceFamilyLinkAccountsAllowed'
],
},
{
'name': 'UserAndDeviceReporting',
'type': 'group',
'caption': '''User and device reporting''',
'desc': '''Controls what kind of user and device information is reported.''',
'policies': [
'ReportDeviceVersionInfo',
'ReportDeviceBootMode',
'ReportDeviceUsers',
'ReportDeviceActivityTimes',
'ReportDeviceLocation',
'ReportDeviceNetworkInterfaces',
'ReportDeviceHardwareStatus',
'ReportDeviceSessionStatus',
'ReportDeviceGraphicsStatus',
'ReportDeviceCrashReportInfo',
'ReportDeviceOsUpdateStatus',
'ReportDeviceBoardStatus',
'ReportDeviceCpuInfo',
'ReportDeviceTimezoneInfo',
'ReportDeviceMemoryInfo',
'ReportDeviceBacklightInfo',
'ReportDevicePowerStatus',
'ReportDeviceStorageStatus',
'ReportDeviceAppInfo',
'ReportDeviceBluetoothInfo',
'ReportDeviceFanInfo',
'ReportDeviceVpdInfo',
'ReportDeviceSystemInfo',
'ReportUploadFrequency',
'ReportArcStatusEnabled',
'HeartbeatEnabled',
'HeartbeatFrequency',
'LogUploadEnabled',
'DeviceMetricsReportingEnabled',
],
},
{
'name': 'Network',
'type': 'group',
'caption': '''Network settings''',
'desc': '''Controls device-wide network configuration.''',
'policies': [
'DeviceOpenNetworkConfiguration',
'DeviceDataRoamingEnabled',
'NetworkThrottlingEnabled',
'DeviceHostnameTemplate',
'DeviceWiFiFastTransitionEnabled',
'DeviceWiFiAllowed',
'DeviceDockMacAddressSource',
],
},
{
'name': 'DeviceUpdate',
'type': 'group',
'caption': '''Device update settings''',
'desc': '''Controls how and when Chrome OS updates are applied.''',
'policies': [
'ChromeOsReleaseChannel',
'ChromeOsReleaseChannelDelegated',
'DeviceAutoUpdateDisabled',
'DeviceAutoUpdateP2PEnabled',
'DeviceAutoUpdateTimeRestrictions',
'DeviceTargetVersionPrefix',
'DeviceUpdateStagingSchedule',
'DeviceUpdateScatterFactor',
'DeviceUpdateAllowedConnectionTypes',
'DeviceUpdateHttpDownloadsEnabled',
'RebootAfterUpdate',
'MinimumRequiredChromeVersion',
'DeviceRollbackToTargetVersion',
'DeviceRollbackAllowedMilestones',
'DeviceQuickFixBuildToken',
'DeviceMinimumVersion',
'DeviceMinimumVersionAueMessage',
'DeviceChannelDowngradeBehavior',
],
},
{
'name': 'PowerAndShutdown',
'type': 'group',
'caption': '''Power and shutdown''',
'desc': '''Controls settings related to power management and rebooting.''',
'policies': [
'DeviceLoginScreenPowerManagement',
'UptimeLimit',
'DeviceRebootOnShutdown',
],
},
{
'name': 'Kiosk',
'type': 'group',
'caption': '''Kiosk settings''',
'desc': '''Controls public session and kiosk account types.''',
'policies': [
'DeviceLocalAccounts',
'DeviceLocalAccountAutoLoginId',
'DeviceLocalAccountAutoLoginDelay',
'DeviceLocalAccountAutoLoginBailoutEnabled',
'DeviceLocalAccountPromptForNetworkWhenOffline',
'AllowKioskAppControlChromeVersion',
],
},
{
'name': 'Other',
'type': 'group',
'caption': '''Other''',
'desc': '''Controls miscellaneous settings including USB, bluetooth, policy refresh, developer mode and others.''',
'policies': [
'UsbDetachableWhitelist',
'UsbDetachableAllowlist',
'DeviceAllowBluetooth',
'TPMFirmwareUpdateSettings',
'DeviceEcryptfsMigrationStrategy',
'DevicePolicyRefreshRate',
'DeviceBlockDevmode',
'DeviceAllowRedeemChromeOsRegistrationOffers',
'DeviceQuirksDownloadEnabled',
'ExtensionCacheSize',
'DeviceOffHours',
'SuggestedContentEnabled',
'DeviceShowLowDiskSpaceNotification',
],
},
{
'name': 'DateAndTime',
'type': 'group',
'caption': '''Date and time''',
'desc': '''Controls clock and time zone settings.''',
'policies': [
'SystemTimezone',
'SystemTimezoneAutomaticDetection',
'SystemUse24HourClock',
]
},
{
'name': 'Display',
'type': 'group',
'caption': '''Display''',
'desc': '''Controls display settings.''',
'policies': [
'DeviceDisplayResolution',
'DisplayRotationDefault',
]
},
{
'name': 'Printing',
'type': 'group',
'caption': '''Printing''',
'desc': '''Controls printing settings.''',
'policies': [
'PrintingEnabled',
'CloudPrintProxyEnabled',
'PrintingAllowedColorModes',
'PrintingAllowedDuplexModes',
'PrintingAllowedPinModes',
'PrintingAllowedBackgroundGraphicsModes',
'PrintingColorDefault',
'PrintingDuplexDefault',
'PrintingPinDefault',
'PrintingBackgroundGraphicsDefault',
'PrintingPaperSizeDefault',
'PrintingSendUsernameAndFilenameEnabled',
'PrintingMaxSheetsAllowed',
'PrintJobHistoryExpirationPeriod',
'PrintingAPIExtensionsWhitelist',
'PrintingAPIExtensionsAllowlist',
'CloudPrintSubmitEnabled',
'DisablePrintPreview',
'PrintHeaderFooter',
'DefaultPrinterSelection',
'NativePrinters',
'NativePrintersBulkConfiguration',
'NativePrintersBulkAccessMode',
'NativePrintersBulkBlacklist',
'NativePrintersBulkWhitelist',
'Printers',
'PrintersBulkConfiguration',
'PrintersBulkAccessMode',
'PrintersBulkBlocklist',
'PrintersBulkAllowlist',
'DeviceNativePrinters',
'DeviceNativePrintersAccessMode',
'DeviceNativePrintersBlacklist',
'DeviceNativePrintersWhitelist',
'DevicePrinters',
'DevicePrintersAccessMode',
'DevicePrintersBlocklist',
'DevicePrintersAllowlist',
'PrintPreviewUseSystemDefaultPrinter',
'UserNativePrintersAllowed',
'UserPrintersAllowed',
'ExternalPrintServers',
'ExternalPrintServersWhitelist',
'ExternalPrintServersAllowlist',
'DeviceExternalPrintServers',
'DeviceExternalPrintServersAllowlist',
'PrinterTypeDenyList',
'PrintRasterizationMode',
'DeletePrintJobHistoryAllowed',
'CloudPrintWarningsSuppressed',
]
},
{
'name': 'ActiveDirectoryManagement',
'type': 'group',
'caption': '''<ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> management settings''',
'desc': '''Controls settings specific to <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> managed <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices.''',
'policies': [
'DeviceMachinePasswordChangeRate',
'DeviceUserPolicyLoopbackProcessingMode',
'DeviceKerberosEncryptionTypes',
'DeviceGpoCacheLifetime',
'DeviceAuthDataCacheLifetime',
]
},
{
'name': 'Arc',
'type': 'group',
'caption': '''Android settings''',
'desc': '''Controls settings for the Android container (ARC) and Android apps.''',
'policies': [
'ArcEnabled',
'UnaffiliatedArcAllowed',
'ArcPolicy',
'ArcAppInstallEventLoggingEnabled',
'ArcBackupRestoreServiceEnabled',
'ArcGoogleLocationServicesEnabled',
'ArcCertificatesSyncMode',
'ArcBackupRestoreEnabled',
'ArcLocationServiceEnabled',
'AppRecommendationZeroStateEnabled',
'DeviceArcDataSnapshotHours',
]
},
{
'name': 'Crostini',
'type': 'group',
'caption': '''Linux container''',
'desc': '''Controls settings for the Linux container (Crostini).''',
'policies': [
'VirtualMachinesAllowed',
'CrostiniAllowed',
'DeviceUnaffiliatedCrostiniAllowed',
'CrostiniExportImportUIAllowed',
'CrostiniRootAccessAllowed',
'CrostiniAnsiblePlaybook',
'CrostiniArcAdbSideloadingAllowed',
'DeviceCrostiniArcAdbSideloadingAllowed',
'CrostiniPortForwardingAllowed',
]
},
{
'name': 'GoogleAssistant',
'type': 'group',
'caption': '''Google Assistant''',
'desc': '''Controls settings for Google Assistant.''',
'policies': [
'AssistantOnboardingMode',
'VoiceInteractionContextEnabled',
'VoiceInteractionHotwordEnabled',
'VoiceInteractionQuickAnswersEnabled',
]
},
{
'name': 'WilcoDtc',
'type': 'group',
'caption': '''Wilco DTC''',
'desc': '''Controls wilco diagnostics and telemetry controller settings.''',
'policies': [
'DeviceWilcoDtcAllowed',
'DeviceWilcoDtcConfiguration',
],
},
{
'name': 'ParentalSupervision',
'type': 'group',
'caption': '''Parental supervision settings''',
'desc': '''Controls parental supervision policies, that are applied to child accounts only.
These policies are not set in the admin console, but configured directly by Kids API Server.''',
'policies': [
'ParentAccessCodeConfig',
'PerAppTimeLimits',
'PerAppTimeLimitsWhitelist',
'PerAppTimeLimitsAllowlist',
'UsageTimeLimit',
'EduCoexistenceToSVersion',
],
},
{
'name': 'PrivacyScreen',
'type': 'group',
'caption': '''Privacy screen settings''',
'desc': '''Controls user and device policies for the privacy screen feature.''',
'policies': [
'DeviceLoginScreenPrivacyScreenEnabled',
'PrivacyScreenEnabled',
],
},
{
'name': 'CertificateManagement',
'type': 'group',
'caption': '''Certificate management settings''',
'desc': '''Controls user and device policies for certificate management.''',
'policies': [
'RequiredClientCertificateForDevice',
'RequiredClientCertificateForUser',
],
},
{
'name': 'SAML',
'type': 'group',
'caption': '''Saml user identity management settings''',
'desc': '''Controls settings for users authenticated via SAML with an extaernal IdP''',
'policies': [
'SamlInSessionPasswordChangeEnabled',
'SamlPasswordExpirationAdvanceWarningDays',
'SamlLockScreenReauthenticationEnabled',
'SAMLOfflineSigninTimeLimit',
],
},
{
'name': 'HomepageLocation',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:81-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://www.chromium.org',
'id': 1,
'caption': '''Configure the home page URL''',
'tags': [],
'desc': '''Setting the policy sets the default homepage URL in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. You open the homepage using the Home button. On desktop, the <ph name="RESTORE_ON_STARTUP_POLICY_NAME">RestoreOnStartup</ph> policies control the pages that open on startup.
If the homepage is set to the New Tab Page, by the user or <ph name="HOMEPAGE_IS_NEW_TAB_PAGE_POLICY_NAME">HomepageIsNewTabPage</ph>, this policy has no effect.
The URL needs a standard scheme, such as http://example.com or https://example.com. When this policy is set, users can't change their homepage URL in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Leaving both <ph name="HOMEPAGE_LOCATION_POLICY_NAME">HomepageLocation</ph> and <ph name="HOMEPAGE_IS_NEW_TAB_PAGE_POLICY_NAME">HomepageIsNewTabPage</ph> unset lets users choose their homepage.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
'label': '''Home page URL''',
},
{
'name': 'HomepageIsNewTabPage',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 2,
'caption': '''Use New Tab Page as homepage''',
'tags': [],
'desc': '''Setting the policy to Enabled makes the New Tab page the user's homepage, ignoring any homepage URL location. Setting the policy to Disabled means that their homepage is never the New Tab page, unless the user's homepage URL is set to chrome://newtab.
If you set the policy, users can't change their homepage type in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, the user decides whether or not the New Tab page is their homepage.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'NewTabPageLocation',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:58-', 'chrome_os:58-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://www.chromium.org',
'id': 360,
'caption': '''Configure the New Tab page URL''',
'tags': [],
'desc': '''Setting the policy configures the default New Tab page URL and prevents users from changing it.
The New Tab page opens with new tabs and windows.
This policy doesn't decide which pages open on start up. Those are controlled by the <ph name="RESTORE_ON_STARTUP_POLICY_NAME">RestoreOnStartup</ph> policies. This policy does affect the homepage, if that's set to open the New Tab page, as well as the startup page if it's set to open the New Tab page.
It is a best practice to provide fully canonicalized URL, if the URL is not fully canonicalized <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will default to https://.
Leaving the policy unset or empty puts the default New Tab page in use.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
'label': '''New Tab page URL''',
},
{
'name': 'DefaultBrowserSettingEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win7:11-', 'chrome.mac:11-', 'chrome.linux:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 3,
'caption': '''Set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as Default Browser''',
'tags': [],
'desc': '''Setting the policy to True has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> always check whether it's the default browser on startup and, if possible, automatically register itself. Setting the policy to False stops <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> from ever checking if it's the default and turns user controls off for this option.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> lets users control whether it's the default and, if not, whether user notifications should appear.
Note: For <ph name="MS_WIN_NAME">Microsoft®Windows®</ph> administrators, turning this setting on only works for machines running Windows 7. For later versions, you must deploy a "default application associations" file that makes <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> the handler for the <ph name="HTTPS_PROTOCOL">https</ph> and <ph name="HTTP_PROTOCOL">http</ph> protocols (and, optionally, the <ph name="FTP_PROTOCOL">ftp</ph> protocol and other file formats). See Chrome Help ( https://support.google.com/chrome?p=make_chrome_default_win ).''',
'label': '''Set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as Default Browser''',
},
{
'name': 'ApplicationLocaleValue',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:8-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'en',
'id': 4,
'caption': '''Application locale''',
'tags': [],
'desc': '''Setting the policy specifies the locale <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses.
Turning it off or leaving it unset means the locale will be the first valid locale from:
1) The user specified locale (if configured).
2) The system locale.
3) The fallback locale (en-US).''',
'label': '''Application locale''',
},
{
'name': 'AlternateErrorPagesEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 5,
'caption': '''Enable alternate error pages''',
'tags': [],
'desc': '''Setting the policy to True means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses alternate error pages built into (such as "page not found"). Setting the policy to False means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> never uses alternate error pages.
If you set the policy, users can't change it. If not set, the policy is on, but users can change this setting.''',
},
{
'name': 'SearchSuggestEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 6,
'caption': '''Enable search suggestions''',
'tags': [],
'desc': '''Setting the policy to True turns on search suggestions in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s address bar. Setting the policy to False turns off these search suggestions.
If you set the policy, users can't change it. If not set, search suggestions are on at first, but users can turn them off any time.''',
},
{
'name': 'NativeWindowOcclusionEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.win:84-',
],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 675,
'caption': '''Enable Native Window Occlusion''',
'tags': [],
'desc': '''Enables native window occlusion in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you enable this setting, to reduce CPU and power consumption <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will detect when a window is covered by other windows, and will suspend work painting pixels.
If you disable this setting <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not detect when a window is covered by other windows.
If this policy is left not set, occlusion detection will be enabled.''',
},
{
'name': 'DnsPrefetchingEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-53', 'chrome_os:11-53', 'android:30-53'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 7,
'caption': '''Enable network prediction''',
'tags': [],
'desc': '''This policy is deprecated in M48 in favor of <ph name="NETWORK_PREDICTION_OPTIONS_POLICY_NAME">NetworkPredictionOptions</ph>, and removed in M54.
Enables network prediction in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages. The policy name refers to DNS prefetching for historical reasons.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'NetworkPredictionOptions',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'NetworkPredictionAlways',
'value': 0,
'caption': '''Predict network actions on any network connection''',
},
{
'name': 'NetworkPredictionWifiOnly',
'value': 1,
'caption': '''Predict network actions on any network that is not cellular.
(Deprecated in 50, removed in 52. After 52, if value 1 is set, it will be treated as 0 - predict network actions on any network connection.)''',
},
{
'name': 'NetworkPredictionNever',
'value': 2,
'caption': '''Do not predict network actions on any network connection''',
},
],
'supported_on': ['chrome.*:38-', 'chrome_os:38-', 'android:38-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 273,
'caption': '''Enable network prediction''',
'tags': [],
'desc': '''This policy controls network prediction in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. It controls DNS prefetching, TCP, and SSL preconnection and prerendering of webpages.
If you set the policy, users can't change it. Leaving it unset turns on network prediction, but the user can change it.''',
},
{
'name': 'WPADQuickCheckEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [ 'chrome.*:35-', 'chrome_os:35-' ],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Enable Web Proxy Auto-Discovery (WPAD) optimizations',
},
{
'value': False,
'caption': 'Disable Web Proxy Auto-Discovery (WPAD) optimization',
},
],
'example_value': True,
'default': True,
'id': 261,
'caption': '''Enable WPAD optimization''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled or leaving it unset turns on WPAD (Web Proxy Auto-Discovery) optimization in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting the policy to Disabled turns off WPAD optimization, causing <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to wait longer for DNS-based WPAD servers.
Whether or not this policy is set, users can't change the WPAD optimization setting.''',
},
{
'name': 'DisableSpdy',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-53', 'chrome_os:11-53', 'android:30-53'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 8,
'caption': '''Disable SPDY protocol''',
'tags': [],
'desc': '''This policy is deprecated in M53 and removed in M54, because SPDY/3.1 support is removed.
Disables use of the SPDY protocol in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is enabled the SPDY protocol will not be available in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting this policy to disabled will allow the usage of SPDY.
If this policy is left not set, SPDY will be available.''',
},
{
'name': 'DisabledSchemes',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:12-', 'chrome_os:12-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['file', 'https'],
'id': 85,
'caption': '''Disable URL protocol schemes''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph> instead.
Disables the listed protocol schemes in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
URLs using a scheme from this list will not load and can not be navigated to.
If this policy is left not set or the list is empty all schemes will be accessible in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'label': '''List of disabled protocol schemes''',
},
{
'name': 'GloballyScopeHTTPAuthCacheEnabled',
'owners': ['file://net/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-', 'chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 643,
'caption': '''Enable globally scoped HTTP auth cache''',
'tags': [],
'desc': '''This policy configures a single global per profile cache with HTTP server authentication credentials.
If this policy is unset or disabled, the browser will use the default behavior of cross-site auth, which as of version 80, will be to scope HTTP server authentication credentials by top-level site, so if two sites use resources from the same authenticating domain, credentials will need to be provided independently in the context of both sites. Cached proxy credentials will be reused across sites.
If the policy is enabled, HTTP auth credentials entered in the context of one site will automatically be used in the context of another.
Enabling this policy leaves sites open to some types of cross-site attacks, and allows users to be tracked across sites even without cookies by adding entries to the HTTP auth cache using credentials embedded in URLs.
This policy is intended to give enterprises depending on the legacy behavior a chance to update their login procedures, and will be removed in the future.'''
},
{
'name': 'DNSInterceptionChecksEnabled',
'owners': ['krb@chromium.org', 'jdonnelly@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-', 'chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'items': [
{
'value': True,
'caption': 'Perform DNS interception checks',
},
{
'value': False,
'caption': 'Do not perform DNS interception checks',
},
],
'example_value': True,
'default': True,
'id': 654,
'caption': '''DNS interception checks enabled''',
'tags': [],
'desc': '''This policy configures a local switch that can be used to disable DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
This detection may not be necessary in an enterprise environment where the network configuration is known, since it causes some amount of DNS and HTTP traffic on start-up and each DNS configuration change.
When this policy is not set, or is enabled, the DNS interception checks are performed. When explicitly disabled, they're not.'''
},
{
'name': 'IntranetRedirectBehavior',
'owners': ['jdonnelly@chromium.org', 'tommycli@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'Default',
'value': 0,
'caption': '''Use default browser behavior.''',
},
{
'name': 'DisableInterceptionChecksDisableInfobar',
'value': 1,
'caption': '''Disable DNS interception checks and did-you-mean "http://intranetsite/" infobars.''',
},
{
'name': 'DisableInterceptionChecksEnableInfobar',
'value': 2,
'caption': '''Disable DNS interception checks; allow did-you-mean "http://intranetsite/" infobars.''',
},
{
'name': 'EnableInterceptionChecksEnableInfobar',
'value': 3,
'caption': '''Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.''',
}
],
'supported_on': ['chrome.*:88-', 'chrome_os:88-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'default': 0,
'id': 792,
'caption': '''Intranet Redirection Behavior''',
'tags': [],
'desc': '''This policy configures behavior for intranet redirection via DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
If this policy is not set, the browser will use the default behavior of DNS interception checks and intranet redirect suggestions. In M88, they are enabled by default but will be disabled by default in the future release.
<ph name="DNS_INTERCEPTION_CHECKS_ENABLED_POLICY_NAME">DNSInterceptionChecksEnabled</ph> is a related policy that may also disable DNS interception checks; this policy is a more flexible version which may separately control intranet redirection infobars and may be expanded in the future.
If either <ph name="DNS_INTERCEPTION_CHECKS_ENABLED_POLICY_NAME">DNSInterceptionChecksEnabled</ph> or this policy requests to disable interception checks, the checks will be disabled.'''
},
{
'name': 'Http09OnNonDefaultPortsEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:54-77', 'chrome_os:54-77'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 345,
'caption': '''Enable HTTP/0.9 support on non-default ports''',
'tags': [],
'desc': '''This policy is deprecated, and slated for removal in Chrome 78, with no replacement.
This policy enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS.
This policy is disabled by default, and if enabled, leaves users open to the security issue https://crbug.com/600352.
This policy is intended to give enterprises a chance to migrate exising servers off of HTTP/0.9, and will be removed in the future.
If this policy is not set, HTTP/0.9 will be disabled on non-default ports.''',
},
{
'name': 'JavascriptEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 9,
'caption': '''Enable JavaScript''',
'tags': [],
'desc': '''This policy is deprecated, please use DefaultJavaScriptSetting instead.
Can be used to disabled JavaScript in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is disabled, web pages cannot use JavaScript and the user cannot change that setting.
If this setting is enabled or not set, web pages can use JavaScript but the user can change that setting.''',
},
{
'name': 'IncognitoEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 10,
'caption': '''Enable Incognito mode''',
'tags': [],
'desc': '''This policy is deprecated. Please, use IncognitoModeAvailability instead.
Enables Incognito mode in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is enabled or not configured, users can open web pages in incognito mode.
If this setting is disabled, users cannot open web pages in incognito mode.
If this policy is left not set, this will be enabled and the user will be able to use incognito mode.''',
},
{
'name': 'IncognitoModeAvailability',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Enabled',
'value': 0,
'caption': '''Incognito mode available''',
},
{
'name': 'Disabled',
'value': 1,
'caption': '''Incognito mode disabled''',
},
{
'name': 'Forced',
'value': 2,
'caption': '''Incognito mode forced''',
'supported_on': [
'chrome.*:14-',
'chrome_os:14-',
],
},
],
'supported_on': [
'chrome.*:14-',
'chrome_os:14-',
'android:30-',
],
'future_on': [ 'ios' ],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 93,
'caption': '''Incognito mode availability''',
'tags': ['filtering'],
'desc': '''Specifies whether the user may open pages in Incognito mode in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.
If 'Disabled' is selected, pages may not be opened in Incognito mode.
If 'Forced' is selected, pages may be opened ONLY in Incognito mode. Note that 'Forced' does not work for Android-on-Chrome''',
},
{
'name': 'SavingBrowserHistoryDisabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 11,
'caption': '''Disable saving browser history''',
'tags': [],
'desc': '''Setting the policy to Enabled means browsing history is not saved, tab syncing is off and users can't change this setting.
Setting the policy to Disabled or leaving it unset saves browsing history.''',
},
{
'name': 'AllowDeletingBrowserHistory',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:57-', 'chrome_os:57-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 187,
'caption': '''Enable deleting browser and download history''',
'tags': ['local-data-access', 'admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset means browser history and download history can be deleted in Chrome, and users can't change this setting.
Setting the policy to Disabled means browser history and download history can't be deleted. Even with this policy off, the browsing and download history are not guaranteed to be retained. Users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.''',
},
{
'name': 'AllowDinosaurEasterEgg',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:48-', 'chrome.*:48-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'id': 309,
'default_for_enterprise_users': False,
'caption': '''Allow Dinosaur Easter Egg Game''',
'tags': [],
'desc': '''Setting the policy to True allows users to play the dinosaur game. Setting the policy to False means users can't play the dinosaur easter egg game when device is offline.
Leaving the policy unset means users can't play the game on enrolled <ph name="PRODUCT_OS_NAME">$2<ex>GoogleChromeOS</ex></ph>, but can under other circumstances.''',
},
{
'name': 'ForceLegacyDefaultReferrerPolicy',
'owners': ['davidvc@chromium.org', 'chrome-network-stack@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-87', 'chrome_os:80-87'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 648,
'caption': '''Use a default referrer policy of no-referrer-when-downgrade.''',
'tags': [],
'desc': '''This enterprise policy is for short-term adaptation and will be removed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 88.
Chrome's default referrer policy is being strengthened from its current value of no-referrer-when-downgrade to the more secure strict-origin-when-cross-origin through a gradual rollout targeting Chrome 85 stable.
Before the rollout, this enterprise policy will have no effect. After the rollout, when this enterprise policy is enabled, Chrome's default referrer policy will be set to its previous value of no-referrer-when-downgrade.
This enterprise policy is disabled by default.''',
},
{
'name': 'RemoteAccessClientFirewallTraversal',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:14-16', 'chrome_os:14-16'],
'features': {
'dynamic_refresh': True,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
# Mark this 'removed' when https://crbug.com/100216 is resolved.
'deprecated': True,
'example_value': False,
'id': 94,
'caption': '''Enable firewall traversal from remote access client''',
'tags': [],
'desc': '''This policy is no longer supported.
Enables usage of STUN and relay servers when connecting to a remote client.
If this setting is enabled, then this machine can discover and connect to remote host machines even if they are separated by a firewall.
If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine can only connect to host machines within the local network.''',
},
{
'name': 'RemoteAccessHostClientDomain',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'deprecated': True,
'example_value': 'my-awesome-domain.com',
'id': 316,
'caption': '''Configure the required domain name for remote access clients''',
'tags': [],
'desc': '''This policy is deprecated. Please use <ph name="REMOTE_ACCESS_HOST_CLIENT_DOMAIN_LIST_POLICY_NAME">RemoteAccessHostClientDomainList</ph> instead.''',
},
{
'name': 'RemoteAccessHostClientDomainList',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:60-', 'chrome_os:60-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'example_value': ['my-awesome-domain.com', 'my-auxiliary-domain.com'],
'id': 369,
'caption': '''Configure the required domain names for remote access clients''',
'tags': [],
'desc': '''Setting the policy specifies the client domain names that are imposed on remote access clients, and users can't change them. Only clients from one of the specified domains can connect to the host.
Setting the policy to an empty list or leaving it unset applies the default policy for the connection type. For remote assistance, this allows clients from any domain to connect to the host. For anytime remote access, only the host owner can connect.
See also <ph name="REMOTE_ACCESS_HOST_DOMAIN_LIST_POLICY_NAME">RemoteAccessHostDomainList</ph>.
Note: This setting overrides <ph name="REMOTE_ACCESS_HOST_CLIENT_DOMAIN_POLICY_NAME">RemoteAccessHostClientDomain</ph>, if present.''',
},
{
'name': 'RemoteAccessHostFirewallTraversal',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:14-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'example_value': False,
'id': 95,
'caption': '''Enable firewall traversal from remote access host''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset allows the usage of STUN servers, letting remote clients discover and connect to this machine, even if separated by a firewall.
Setting the policy to Disabled when outgoing UDP connections are filtered by the firewall means the machine only allows connections from client machines within the local network.''',
},
{
'name': 'RemoteAccessHostDomain',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'deprecated': True,
'example_value': 'my-awesome-domain.com',
'id': 154,
'caption': '''Configure the required domain name for remote access hosts''',
'tags': [],
'desc': '''This policy is deprecated. Please use <ph name="REMOTE_ACCESS_HOST_DOMAIN_LIST_POLICY_NAME">RemoteAccessHostDomainList</ph> instead.''',
},
{
'name': 'RemoteAccessHostDomainList',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {'type': 'string' },
},
'supported_on': ['chrome.*:60-', 'chrome_os:60-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'example_value': ['my-awesome-domain.com', 'my-auxiliary-domain.com'],
'id': 368,
'caption': '''Configure the required domain names for remote access hosts''',
'tags': [],
'desc': '''Setting the policy specifies the host domain names that are imposed on remote access hosts, and users can't change them. Hosts can be shared only using accounts registered on one of the specified domain names.
Setting the policy to an empty list or leaving it unset means hosts can be shared using any account.
See also <ph name="REMOTE_ACCESS_HOST_CLIENT_DOMAIN_LIST_POLICY_NAME">RemoteAccessHostClientDomainList</ph>.
Note: This setting will override <ph name="REMOTE_ACCESS_HOST_DOMAIN_POLICY_NAME">RemoteAccessHostDomain</ph>, if present.''',
},
{
'name': 'RemoteAccessHostRequireTwoFactor',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:22-22'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
# Mark this 'removed' when https://crbug.com/100216 is resolved.
'deprecated': True,
'example_value': False,
'id': 155,
'caption': '''Enable two-factor authentication for remote access hosts''',
'tags': [],
'desc': '''Enables two-factor authentication for remote access hosts instead of a user-specified PIN.
If this setting is enabled, then users must provide a valid two-factor code when accessing a host.
If this setting is disabled or not set, then two-factor will not be enabled and the default behavior of having a user-defined PIN will be used.''',
},
{
'name': 'RemoteAccessHostTalkGadgetPrefix',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-75', 'chrome_os:41-75'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'deprecated': True,
'example_value': 'chromoting-host',
'id': 156,
'caption': '''Configure the TalkGadget prefix for remote access hosts''',
'tags': [],
'desc': '''Configures the TalkGadget prefix that will be used by remote access hosts and prevents users from changing it.
If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.
If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.
If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used for all hosts.
Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.''',
},
{
'name': 'RemoteAccessHostRequireCurtain',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:23-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': False,
'id': 157,
'caption': '''Enable curtaining of remote access hosts''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled turns off remote access hosts' physical input and output devices during a remote connection.
Setting the policy to Disabled or leaving it unset lets both local and remote users interact with the host while it's shared.''',
},
{
'name': 'RemoteAccessHostAllowClientPairing',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': False,
'id': 234,
'caption': '''Enable or disable PIN-less authentication for remote access hosts''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets users pair clients and hosts at connection time, eliminating the need to enter a PIN every time.
Setting the policy to Disabled makes this feature unavailable.''',
},
{
'name': 'RemoteAccessHostAllowGnubbyAuth',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:35-'],
'features': {
'dynamic_refresh': True,
'internal_only': True, # Not available outside of Google.
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': True,
'id': 257,
'caption': '''Allow gnubby authentication for remote access hosts''',
'tags': [],
'desc': '''Setting the policy to Enabled means gnubby authentication requests will be proxied across a remote host connection.
Setting the policy to Disabled or leaving it unset means gnubby authentication requests won't be proxied.
Note that this feature requires additional components which are not available outside of the Google network environment in order to work properly.''',
},
{
'name': 'RemoteAccessHostAllowRelayedConnection',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:36-', 'chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'example_value': False,
'id': 263,
'caption': '''Enable the use of relay servers by the remote access host''',
'tags': [],
'desc': '''If <ph name="REMOTE_ACCESS_HOST_FIREWALL_TRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is set to Enabled, setting <ph name="REMOTE_ACCESS_HOST_ALLOW_RELAYED_CONNECTION_POLICY_NAME">RemoteAccessHostAllowRelayedConnection</ph>to Enabled or leaving it unset allows the use of remote clients to use relay servers to connect to this machine when a direct connection is not available, for example, because of firewall restrictions.
Setting the policy to Disabled doesn't turn remote access off, but only allows connections from the same network (not NAT traversal or relay).''',
},
{
'name': 'RemoteAccessHostUdpPortRange',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:36-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'example_value': '12400-12409',
'id': 264,
'caption': '''Restrict the UDP port range used by the remote access host''',
'tags': [],
'desc': '''Setting the policy restricts the UDP port range used by the remote access host in this machine.
Leaving the policy unset or set to an empty string means the remote access host can use any available port.
Note: If <ph name="REMOTE_ACCESS_HOST_FIREWALL_TRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is Disabled, the remote access host will use UDP ports in the 12400-12409 range.''',
},
{
'name': 'RemoteAccessHostMatchUsername',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.linux:25-', 'chrome.mac:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': False,
'id': 285,
'caption': '''Require that the name of the local user and the remote access host owner match''',
'tags': [],
'desc': '''Setting the policy to Enabled has the remote access host compare the name of the local user the host is associated with and the name of the Google Account registered as the host owner ("johndoe," if the host is owned by "johndoe@example.com"). This host won't start if the host owner's name differs from the name of the local user that the host is associated with. To enforce that the owner's Google Account is associated with a specific domain, use the policy with <ph name="REMOTE_ACCESS_HOST_DOMAIN_POLICY_NAME">RemoteAccessHostDomain</ph>.
Setting the policy to Disabled or leaving it unset means the remote access host can be associated with any local user.''',
},
{
'name': 'RemoteAccessHostTokenUrl',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-'],
'features': {
'dynamic_refresh': True,
'internal_only': True, # Not available outside of Google.
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': 'https://example.com/issue',
'id': 286,
'caption': '''URL where remote access clients should obtain their authentication token''',
'tags': ['website-sharing'],
'desc': '''Setting the policy means the remote access host requires authenticating clients to get an authentication token from this URL to connect.
This feature is disabled if empty or not set.
Note: This policy must be used with <ph name="REMOTE_ACCESS_HOST_TOKEN_VALIDATION_URL_POLICY_NAME">RemoteAccessHostTokenValidationUrl</ph>.''',
},
{
'name': 'RemoteAccessHostTokenValidationUrl',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-'],
'features': {
'dynamic_refresh': True,
'internal_only': True, # Not available outside of Google.
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': 'https://example.com/validate',
'id': 287,
'caption': '''URL for validating remote access client authentication token''',
'tags': ['website-sharing'],
'desc': '''Setting the policy means the remote access host uses this URL to validate authentication tokens from remote access clients to accept connections. This feature is disabled if empty or not set.
Note: Use the policy with <ph name="REMOTE_ACCESS_HOST_TOKEN_URL_POLICY_NAME">RemoteAccessHostTokenUrl</ph>.''',
},
{
'name': 'RemoteAccessHostTokenValidationCertificateIssuer',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-'],
'features': {
'dynamic_refresh': True,
'internal_only': True, # Not available outside of Google.
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': 'Example Certificate Authority',
'id': 288,
'caption': '''Client certificate for connecting to RemoteAccessHostTokenValidationUrl''',
'tags': [],
'desc': '''Setting the policy means the remote access host uses a client certificate with the given issuer CN to authenticate to <ph name="REMOTE_ACCESS_HOST_TOKEN_VALIDATION_URL_POLICY_NAME">RemoteAccessHostTokenValidationUrl</ph>. To use any available client certificate, set it to <ph name="WILDCARD_VALUE">*</ph>. This feature is disabled if empty or not set.''',
},
{
'name': 'RemoteAccessHostDebugOverridePolicies',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:25-47','chrome_os:42-47'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'deprecated': True,
'example_value': '{ "RemoteAccessHostMatchUsername": true }',
'id': 289,
'caption': '''Policy overrides for Debug builds of the remote access host''',
'tags': [],
'desc': '''Overrides policies on Debug builds of the remote access host.
The value is parsed as a JSON dictionary of policy name to policy value mappings.''',
},
{
'name': 'RemoteAccessHostAllowUiAccessForRemoteAssistance',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:55-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'default': False,
'example_value': True,
'id': 344,
'caption': '''Allow remote users to interact with elevated windows in remote assistance sessions''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled means the remote assistance host runs in a process with <ph name="UIACCESS_PERMISSION_NAME">uiAccess</ph> permissions. This lets remote users interact with elevated windows on the local user's desktop.
Setting the policy to Disabled or leaving it unset means the remote assistance host runs in the user's context, and remote users can't interact with elevated windows on the desktop.''',
},
{
'name': 'RemoteAccessHostAllowFileTransfer',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:74-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'default': True,
'example_value': False,
'id': 534,
'caption': '''Allow remote access users to transfer files to/from the host''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset allows users connected to a remote access host to transfer files between the client and the host. This doesn't apply to remote assistance connections, which don't support file transfer.
Setting the policy to Disabled disallows file transfer.''',
},
{
'name': 'RemoteAccessHostEnableUserInterface',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:88-'],
'features': {
'dynamic_refresh': True,
'internal_only': True, # Not available outside of Google.
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'default': True,
'example_value': False,
'id': 803,
'caption': '''Enable connection-related UI on the host desktop when a connection is active''',
'tags': [],
'desc': '''If this policy is disabled, connection related UI (e.g. the disconnect window) will not be shown for non-curtained remote access connections. Curtained remote access sessions and remote support sessions are not affected by this policy.
This policy has no effect if it is set to true, left empty, or is not set.''',
},
{
'name': 'RemoteAccessHostAllowRemoteAccessConnections',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:89-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'items': [
{
'value': True,
'caption': 'Allow remote access connections to this machine',
},
{
'value': False,
'caption': 'Prevent remote access connections to this machine',
},
],
'default': True,
'example_value': False,
'id': 812,
'caption': '''Allow remote access connections to this machine''',
'tags': [],
'desc': '''If this policy is disabled, the remote access host service cannot be started or configured to accept incoming connections. This policy does not affect remote support scenarios.
This policy has no effect if it is set to true, left empty, or is not set.''',
},
{
'name': 'PrintingEnabled',
'owners': ['file://printing/OWNERS', 'thestig@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:39-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 12,
'caption': '''Enable printing''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets users print in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, and users can't change this setting.
Setting the policy to Disabled means users can't print from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Printing is off in the three dots menu, extensions, and JavaScript applications.''',
'arc_support': 'This policy has no effect on Android apps.',
},
{
'name': 'CloudPrintProxyEnabled',
'owners': ['file://printing/OWNERS', 'rbpotter@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 13,
'caption': '''Enable <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> proxy''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> act as a proxy between <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>and legacy printers connected to the machine. Using their Google Account, users may turn on the cloud print proxy by authentication.
Setting the policy to Disabled means users can't turn on the proxy, and the machine can't share its printers with <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>.''',
},
{
'name': 'PrintingAllowedColorModes',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'any',
'color',
'monochrome',
],
},
'items': [
{
'name': 'any',
'value': 'any',
'caption': '''Allow all color modes''',
},
{
'name': 'color',
'value': 'color',
'caption': '''Color printing only''',
},
{
'name': 'monochrome',
'value': 'monochrome',
'caption': '''Monochrome printing only''',
},
],
'supported_on': ['chrome_os:71-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'monochrome',
'id': 474,
'caption': '''Restrict printing color mode''',
'tags': [],
'desc': '''Setting the policy sets printing to color only, monochrome only, or no color mode restriction. Leaving the policy unset results in no restriction.''',
},
{
'name': 'PrintingAllowedDuplexModes',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'any',
'simplex',
'duplex',
],
},
'items': [
{
'name': 'any',
'value': 'any',
'caption': '''Allow all duplex modes''',
},
{
'name': 'simplex',
'value': 'simplex',
'caption': '''Simplex printing only''',
},
{
'name': 'duplex',
'value': 'duplex',
'caption': '''Duplex printing only''',
},
],
'supported_on': ['chrome_os:71-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'duplex',
'id': 475,
'caption': '''Restrict printing duplex mode''',
'tags': [],
'desc': '''Setting the policy restricts printing duplex mode.
Leaving the policy unset or empty results in no restriction.''',
},
{
'name': 'PrintingAllowedPinModes',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'any',
'pin',
'no_pin',
],
},
'items': [
{
'name': 'any',
'value': 'any',
'caption': '''Allow printing both with and without PIN''',
},
{
'name': 'pin',
'value': 'pin',
'caption': '''Allow printing only with PIN''',
},
{
'name': 'no_pin',
'value': 'no_pin',
'caption': '''Allow printing only without PIN''',
},
],
'supported_on': ['chrome_os:75-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'pin',
'id': 525,
'caption': '''Restrict PIN printing mode''',
'tags': [],
'desc': '''Restricts PIN printing mode. Unset policy is treated as no restriction. If the mode is unavailable this policy is ignored. Note that PIN printing feature is enabled only for printers that use one of IPPS, HTTPS, USB or IPP-over-USB protocols.''',
},
{
'name': 'PrintingAllowedBackgroundGraphicsModes',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'any',
'enabled',
'disabled',
],
},
'items': [
{
'name': 'any',
'value': 'any',
'caption': '''Allow printing both with and without background graphcis''',
},
{
'name': 'enabled',
'value': 'enabled',
'caption': '''Allow printing only with background graphics''',
},
{
'name': 'disabled',
'value': 'disabled',
'caption': '''Allow printing only without background graphics''',
},
],
'supported_on': ['chrome_os:79-', 'chrome.*:80-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'enabled',
'id': 621,
'caption': '''Restrict background graphics printing mode''',
'tags': [],
'desc': '''Restricts background graphics printing mode. Unset policy is treated as no restriction.''',
},
{
'name': 'PrintingColorDefault',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'color',
'monochrome',
],
},
'items': [
{
'name': 'color',
'value': 'color',
'caption': '''Enable color printing''',
},
{
'name': 'monochrome',
'value': 'monochrome',
'caption': '''Enable monochrome printing''',
},
],
'supported_on': ['chrome_os:72-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'monochrome',
'id': 477,
'caption': '''Default printing color mode''',
'tags': [],
'desc': '''Setting the policy overrides the default printing color mode. If the mode is unavailable, this policy is ignored.''',
},
{
'name': 'PrintingDuplexDefault',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'simplex',
'short-edge',
'long-edge',
],
},
'items': [
{
'name': 'simplex',
'value': 'simplex',
'caption': '''Enable simplex printing''',
},
{
'name': 'short-edge',
'value': 'short-edge',
'caption': '''Enable short edge duplex printing''',
},
{
'name': 'long-edge',
'value': 'long-edge',
'caption': '''Enable long edge duplex printing''',
},
],
'supported_on': ['chrome_os:72-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'long-edge',
'id': 478,
'caption': '''Default printing duplex mode''',
'tags': [],
'desc': '''Setting the policy overrides the default printing duplex mode. If the mode is unavailable, this policy is ignored.''',
},
{
'name': 'PrintingPinDefault',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'pin',
'no_pin',
],
},
'items': [
{
'name': 'pin',
'value': 'pin',
'caption': '''Enable PIN printing by default''',
},
{
'name': 'no_pin',
'value': 'no_pin',
'caption': '''Disable PIN printing by default''',
},
],
'supported_on': ['chrome_os:75-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'pin',
'id': 526,
'caption': '''Default PIN printing mode''',
'tags': [],
'desc': '''Overrides default PIN printing mode. If the mode is unavailable this policy is ignored.''',
},
{
'name': 'PrintingBackgroundGraphicsDefault',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'enabled',
'disabled',
],
},
'items': [
{
'name': 'enabled',
'value': 'enabled',
'caption': '''Enable background graphics printing mode by default''',
},
{
'name': 'disabled',
'value': 'disabled',
'caption': '''Disable background graphics printing mode by default''',
},
],
'supported_on': ['chrome_os:79-', 'chrome.*:80-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'enabled',
'id': 622,
'caption': '''Default background graphics printing mode''',
'tags': [],
'desc': '''Overrides default background graphics printing mode.''',
},
{
'name': 'PrintingPaperSizeDefault',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'name' : {
'type': 'string',
'enum': [
'custom',
'asme_f_28x40in',
'iso_2a0_1189x1682mm',
'iso_a0_841x1189mm',
'iso_a10_26x37mm',
'iso_a1_594x841mm',
'iso_a2_420x594mm',
'iso_a3_297x420mm',
'iso_a4-extra_235.5x322.3mm',
'iso_a4-tab_225x297mm',
'iso_a4_210x297mm',
'iso_a5-extra_174x235mm',
'iso_a5_148x210mm',
'iso_a6_105x148mm',
'iso_a7_74x105mm',
'iso_a8_52x74mm',
'iso_a9_37x52mm',
'iso_b0_1000x1414mm',
'iso_b10_31x44mm',
'iso_b1_707x1000mm',
'iso_b2_500x707mm',
'iso_b3_353x500mm',
'iso_b4_250x353mm',
'iso_b5-extra_201x276mm',
'iso_b5_176x250mm',
'iso_b6_125x176mm',
'iso_b6c4_125x324mm',
'iso_b7_88x125mm',
'iso_b8_62x88mm',
'iso_b9_44x62mm',
'iso_c0_917x1297mm',
'iso_c10_28x40mm',
'iso_c1_648x917mm',
'iso_c2_458x648mm',
'iso_c3_324x458mm',
'iso_c4_229x324mm',
'iso_c5_162x229mm',
'iso_c6_114x162mm',
'iso_c6c5_114x229mm',
'iso_c7_81x114mm',
'iso_c7c6_81x162mm',
'iso_c8_57x81mm',
'iso_c9_40x57mm',
'iso_dl_110x220mm',
'jis_exec_216x330mm',
'jpn_chou2_111.1x146mm',
'jpn_chou3_120x235mm',
'jpn_chou4_90x205mm',
'jpn_hagaki_100x148mm',
'jpn_kahu_240x322.1mm',
'jpn_kaku2_240x332mm',
'jpn_oufuku_148x200mm',
'jpn_you4_105x235mm',
'na_10x11_10x11in',
'na_10x13_10x13in',
'na_10x14_10x14in',
'na_10x15_10x15in',
'na_11x12_11x12in',
'na_11x15_11x15in',
'na_12x19_12x19in',
'na_5x7_5x7in',
'na_6x9_6x9in',
'na_7x9_7x9in',
'na_9x11_9x11in',
'na_a2_4.375x5.75in',
'na_arch-a_9x12in',
'na_arch-b_12x18in',
'na_arch-c_18x24in',
'na_arch-d_24x36in',
'na_arch-e_36x48in',
'na_b-plus_12x19.17in',
'na_c5_6.5x9.5in',
'na_c_17x22in',
'na_d_22x34in',
'na_e_34x44in',
'na_edp_11x14in',
'na_eur-edp_12x14in',
'na_f_44x68in',
'na_fanfold-eur_8.5x12in',
'na_fanfold-us_11x14.875in',
'na_foolscap_8.5x13in',
'na_govt-legal_8x13in',
'na_govt-letter_8x10in',
'na_index-3x5_3x5in',
'na_index-4x6-ext_6x8in',
'na_index-4x6_4x6in',
'na_index-5x8_5x8in',
'na_invoice_5.5x8.5in',
'na_ledger_11x17in',
'na_legal-extra_9.5x15in',
'na_legal_8.5x14in',
'na_letter-extra_9.5x12in',
'na_letter-plus_8.5x12.69in',
'na_letter_8.5x11in',
'na_number-10_4.125x9.5in',
'na_number-11_4.5x10.375in',
'na_number-12_4.75x11in',
'na_number-14_5x11.5in',
'na_personal_3.625x6.5in',
'na_super-a_8.94x14in',
'na_super-b_13x19in',
'na_wide-format_30x42in',
'om_dai-pa-kai_275x395mm',
'om_folio-sp_215x315mm',
'om_invite_220x220mm',
'om_italian_110x230mm',
'om_juuro-ku-kai_198x275mm',
'om_large-photo_200x300',
'om_pa-kai_267x389mm',
'om_postfix_114x229mm',
'om_small-photo_100x150mm',
'prc_10_324x458mm',
'prc_16k_146x215mm',
'prc_1_102x165mm',
'prc_2_102x176mm',
'prc_32k_97x151mm',
'prc_3_125x176mm',
'prc_4_110x208mm',
'prc_5_110x220mm',
'prc_6_120x320mm',
'prc_7_160x230mm',
'prc_8_120x309mm',
'roc_16k_7.75x10.75in',
'roc_8k_10.75x15.5in',
'jis_b0_1030x1456mm',
'jis_b1_728x1030mm',
'jis_b2_515x728mm',
'jis_b3_364x515mm',
'jis_b4_257x364mm',
'jis_b5_182x257mm',
'jis_b6_128x182mm',
'jis_b7_91x128mm',
'jis_b8_64x91mm',
'jis_b9_45x64mm',
'jis_b10_32x45mm',
]
},
'custom_size': {
'type': 'object',
'properties': {
'width': {
'description': 'Width of the page in micrometers',
'type': 'integer',
},
'height': {
'description': 'Height of the page in micrometers',
'type': 'integer',
}
},
'required': ['width', 'height']
}
},
'required': ['name']
},
'supported_on': ['chrome.*:84-', 'chrome_os:84-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {
'name': 'custom',
'custom_size': {
'width': 210000,
'height': 297000
}
},
'id': 479,
'caption': '''Default printing page size''',
'tags': [],
'desc': '''Overrides default printing page size.
<ph name="PAGE_SIZE_NAME">name</ph> should contain one of the listed formats or 'custom' if required paper size is not in the list. If 'custom' value is provided <ph name="PAGE_SIZE_CUSTOM_SIZE">custom_size</ph> property should be specified. It describes the desired height and width in micrometers. Otherwise <ph name="PAGE_SIZE_CUSTOM_SIZE">custom_size</ph> property shouldn't be specified. Policy that violates these rules is ignored.
If the page size is unavailable on the printer chosen by the user this policy is ignored.''',
},
{
'name': 'PrintingSendUsernameAndFilenameEnabled',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:72-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 506,
'caption': '''Send username and filename to native printers''',
'tags': [],
'desc': '''Send username and filename to native printers server with every print job. The default is not to send.
Setting this policy to true also disables printers that use protocols other than IPPS, USB, or IPP-over-USB since username and filename shouldn't be sent over the network openly.''',
},
{
'name': 'PrintingMaxSheetsAllowed',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 1 },
'supported_on': ['chrome_os:84-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 10,
'id': 692,
'caption': '''Maximal number of sheets allowed to use for a single print job''',
'tags': [],
'desc': '''Specifies the maximal number of sheets user is allowed to print for a single print job.
If not set, no limitations are applied and user can print any documents.''',
},
{
'name': 'AppCacheForceEnabled',
'owners': ['enne@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:84-', 'chrome_os:84-', 'android:84-', 'webview_android:84-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 704,
'caption': '''Allows the AppCache feature to be re-enabled even if it is off by default.''',
'tags': [],
'desc': '''If set to true, this will force AppCache to be enabled, even when AppCache in Chrome is not available by default.
If unset or set to false, AppCache will follow Chrome's defaults.''',
},
{
'name': 'PrintJobHistoryExpirationPeriod',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': -1 },
'supported_on': ['chrome_os:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 90,
'id': 625,
'caption': '''Set the time period in days for storing print jobs metadata''',
'tags': [],
'desc': '''This policy controls how long print jobs metadata is stored on the device, in days.
When this policy is set to a value of -1, the print jobs metadata is stored indefinitely. When this policy is set to a value of 0, the print jobs metadata is not stored at all. When this policy is set to any other value, it specifies the period of time during which the metadata of completed print jobs is stored on the device.
If not set, the default period of 90 days is used for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices.
The policy value should be specified in days.''',
},
{
'name': 'PrintingAPIExtensionsWhitelist',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:81-'],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'deprecated': True,
'example_value': ['abcdefghabcdefghabcdefghabcdefgh'],
'id': 664,
'caption': '''Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API''',
'tags': [],
'desc': '''This policy specifies the allowed extensions to skip print job confirmation dialog when they use the <ph name="PRINTING_API">Printing API</ph> function <ph name="SUBMIT_JOB_FUNCTION">chrome.printing.submitJob()</ph> for sending a print job.
If an extension is not in the list, or the list is not set, the print job confirmation dialog will be shown to the user for every <ph name="SUBMIT_JOB_FUNCTION">chrome.printing.submitJob()</ph> function call.
This policy is deprecated, please use <ph name="PRINTING_API_EXTENSIONS_ALLOWLIST_POLICY_NAME">PrintingAPIExtensionsAllowlist</ph> instead.'''
},
{
'name': 'PrintingAPIExtensionsAllowlist',
'owners': ['bmalcolm@chromium.org', 'skau@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:87-'],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': ['abcdefghabcdefghabcdefghabcdefgh'],
'id': 783,
'caption': '''Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API''',
'tags': [],
'desc': '''This policy specifies the allowed extensions to skip print job confirmation dialog when they use the <ph name="PRINTING_API">Printing API</ph> function <ph name="SUBMIT_JOB_FUNCTION">chrome.printing.submitJob()</ph> for sending a print job.
If an extension is not in the list, or the list is not set, the print job confirmation dialog will be shown to the user for every <ph name="SUBMIT_JOB_FUNCTION">chrome.printing.submitJob()</ph> function call.'''
},
{
'name': 'ForceSafeSearch',
'owners': ['sergiu@chromium.org', 'igorcov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:25-', 'chrome_os:25-', 'android:30-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 162,
'caption': '''Force SafeSearch''',
'tags': ['filtering'],
'desc': '''This policy is deprecated, please use <ph name="FORCE_GOOGLE_SAFE_SEARCH_POLICY_NAME">ForceGoogleSafeSearch</ph> and <ph name="FORCE_YOUTUBE_RESTRICT_POLICY_NAME">ForceYouTubeRestrict</ph> instead. This policy is ignored if either the <ph name="FORCE_GOOGLE_SAFE_SEARCH_POLICY_NAME">ForceGoogleSafeSearch</ph>, the <ph name="FORCE_YOUTUBE_RESTRICT_POLICY_NAME">ForceYouTubeRestrict</ph> or the (deprecated) <ph name="FORCE_YOUTUBE_SAFETY_MODE_POLICY_NAME">ForceYouTubeSafetyMode</ph> policies are set.
Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting. This setting also forces Moderate Restricted Mode on YouTube.
If you enable this setting, SafeSearch in Google Search and Moderate Restricted Mode YouTube is always active.
If you disable this setting or do not set a value, SafeSearch in Google Search and Restricted Mode in YouTube is not enforced.''',
},
{
'name': 'ForceGoogleSafeSearch',
'owners': ['treib@chromium.org', 'igorcov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:41-', 'chrome_os:41-', 'android:41-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 282,
'caption': '''Force Google SafeSearch''',
'tags': ['filtering'],
'desc': '''Setting the policy to Enabled means SafeSearch in Google Search is always active, and users can't change this setting.
Setting the policy to Disabled or leaving it unset means SafeSearch in Google Search is not enforced.''',
},
{
'name': 'ForceYouTubeSafetyMode',
'owners': ['treib@chromium.org', 'igorcov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:41-', 'chrome_os:41-', 'android:41-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 283,
'caption': '''Force YouTube Safety Mode''',
'tags': ['filtering'],
'desc': '''This policy is deprecated. Consider using <ph name="FORCE_YOUTUBE_RESTRICT_POLICY_NAME">ForceYouTubeRestrict</ph>, which overrides this policy and allows more fine-grained tuning.
Forces YouTube Moderate Restricted Mode and prevents users from changing this setting.
If this setting is enabled, Restricted Mode on YouTube is always enforced to be at least Moderate.
If this setting is disabled or no value is set, Restricted Mode on YouTube is not enforced by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. External policies such as YouTube policies might still enforce Restricted Mode, though.''',
'arc_support': 'This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.',
},
{
'name': 'ForceYouTubeRestrict',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Off',
'value': 0,
'caption': '''Do not enforce Restricted Mode on YouTube''',
},
{
'name': 'Moderate',
'value': 1,
'caption': '''Enforce at least Moderate Restricted Mode on YouTube''',
},
{
'name': 'Strict',
'value': 2,
'caption': '''Enforce Strict Restricted Mode for YouTube''',
},
],
'supported_on': ['chrome.*:55-', 'chrome_os:55-', 'android:55-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 0,
'id': 348,
'caption': '''Force minimum YouTube Restricted Mode''',
'tags': ['filtering'],
'desc': '''Setting the policy enforces a minimum Restricted mode on YouTube and prevents users from picking a less restricted mode. If you set it to:
* Strict, Strict Restricted mode on YouTube is always active.
* Moderate, the user may only pick Moderate Restricted mode and Strict Restricted mode on YouTube, but can't turn off Restricted mode.
* Off or if no value is set, Restricted mode on YouTube isn't enforced by Chrome. External policies such as YouTube policies might still enforce Restricted mode.''',
'arc_support': 'This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.',
},
{
'name': 'SafeBrowsingEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 14,
'caption': '''Enable Safe Browsing''',
'tags': ['system-security'],
'desc': '''This policy is deprecated in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 83, please use <ph name="SAFE_BROWSING_PROTECTION_LEVEL_POLICY_NAME">SafeBrowsingProtectionLevel</ph> instead.
Setting the policy to Enabled keeps Chrome's Safe Browsing feature on. Setting the policy to Disabled keeps Safe Browsing off.
If you set this policy, users can't change it or override the "Enable phishing and malware protection" setting in Chrome. If not set, "Enable phishing and malware protection" is set to True, but the user can change it.
See more about Safe Browsing ( https://developers.google.com/safe-browsing ).
If the policy <ph name="SAFE_BROWSING_PROTECTION_LEVEL_POLICY_NAME">SafeBrowsingProtectionLevel</ph> is set, the value of the policy <ph name="SAFE_BROWSING_ENABLED_POLICY_NAME">SafeBrowsingEnabled</ph> is ignored.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'SafeBrowsingProtectionLevel',
'owners': ['vakh@chromium.org', 'file://components/safe_browsing/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'NoProtection',
'value': 0,
'caption': '''Safe Browsing is never active.''',
},
{
'name': 'StandardProtection',
'value': 1,
'caption': '''Safe Browsing is active in the standard mode.''',
},
{
'name': 'EnhancedProtection',
'value': 2,
'caption': '''Safe Browsing is active in the enhanced mode. This mode provides better security, but requires sharing more browsing information with Google.''',
},
],
'supported_on': [
'chrome.*:83-',
'chrome_os:83-',
'android:87-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'id': 684,
'caption': '''Safe Browsing Protection Level''',
'tags': ['system-security'],
'desc': '''Allows you to control whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s Safe Browsing feature is enabled and the mode it operates in.
If this policy is set to 'NoProtection' (value 0), Safe Browsing is never active.
If this policy is set to 'StandardProtection' (value 1, which is the default), Safe Browsing is always active in the standard mode.
If this policy is set to 'EnhancedProtection' (value 2), Safe Browsing is always active in the enhanced mode, which provides better security, but requires sharing more browsing information with Google.
If you set this policy as mandatory, users cannot change or override the Safe Browsing setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, Safe Browsing will operate in Standard Protection mode but users can change this setting.
See https://developers.google.com/safe-browsing for more info on Safe Browsing.''',
'arc_support': 'This policy is not supported within Arc.',
},
{
'name': 'MetricsReportingEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 15,
'caption': '''Enable reporting of usage and crash-related data''',
'tags': ['google-sharing'],
'desc': '''Setting the policy to Enabled turns on anonymous reporting of usage and crash-related data about Chrome to Google and prevents users from changing this setting. Setting the policy to Disabled means this information is not sent to Google.
If you set the policy, users can't change it. If not set, users choose the behavior at installation or first run.
This policy is available only on Windows instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain. or Windows 10 Pro or Enterprise instances that enrolled for device management and macOS instances that are that are managed via MDM or joined to a domain via MCX.
(For Chrome OS, see DeviceMetricsReportingEnabled.)''',
},
{
'name': 'PasswordManagerEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 16,
'caption': '''Enable saving passwords to the password manager''',
'tags': [],
'desc': '''Setting the policy to Enabled means users have <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> remember passwords and provide them the next time they sign in to a site.
Setting the policy to Disabled means users can't save new passwords, but previously saved passwords will still work.
If the policy is set, users can't change it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, the user can turn off password saving.''',
'arc_support': 'This policy has no effect on Android apps.',
},
{
'name': 'PasswordManagerAllowShowPasswords',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-50', 'chrome_os:11-50'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 17,
'caption': '''Allow users to show passwords in Password Manager (deprecated)''',
'tags': [],
'desc': '''The associated setting was used before reauthentication on viewing passwords was introduced. Since then, the setting and hence this policy had no effect on the behavior of Chrome. The current behavior of Chrome is now the same as if the policy was set to disable showing passwords in clear text in the password manager settings page. That means that the settings page contains just a placeholder, and only upon the user clicking "Show" (and reauthenticating, if applicable) Chrome shows the password. Original description of the policy follows below.
Controls whether the user may show passwords in clear text in the password manager.
If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window.
If you enable or do not set this policy, users can view their passwords in clear text in the password manager.''',
},
{
'name': 'PasswordLeakDetectionEnabled',
'owners': ['file://components/password_manager/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:79-',
'chrome_os:79-',
'android:79-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 580,
'caption': '''Enable leak detection for entered credentials''',
'tags': ['google-sharing'],
'desc': '''Setting the policy to Enabled lets users have <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> check whether usernames and passwords entered were part of a leak.
If the policy is set, users can't change it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, credential leak checking is allowed, but the user can turn it off
This behavior will not trigger if Safe Browsing is disabled (either by policy or by the user). In order to force Safe Browsing on, use the <ph name="SAFE_BROWSING_ENABLED_POLICY_NAME">SafeBrowsingEnabled</ph> policy or the <ph name="SAFE_BROWSING_PROTETION_LEVEL_POLICY_NAME">SafeBrowsingProtectionLevel</ph> policy.''',
},
{
'name': 'AutoFillEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 18,
'caption': '''Enable AutoFill''',
'tags': [],
'desc': '''This policy is deprecated in M70, please use AutofillAddressEnabled and AutofillCreditCardEnabled instead.
Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information.
If you disable this setting, AutoFill will be inaccessible to users.
If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.''',
},
{
'name': 'AutofillAddressEnabled',
'owners': ['file://components/autofill/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:69-',
'chrome_os:69-',
'android:69-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 459,
'caption': '''Enable AutoFill for addresses''',
'tags': [],
'desc': '''Setting the policy to True or leaving it unset gives users control of Autofill for addresses in the UI.
Setting the policy to False means Autofill never suggests or fills address information, nor does it save additional address information that users submit while browsing the web.''',
},
{
'name': 'AutofillCreditCardEnabled',
'owners': ['caitkp@chromium.org', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:63-',
'chrome_os:63-',
'android:63-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 392,
'caption': '''Enable AutoFill for credit cards''',
'tags': [],
'desc': '''Setting the policy to True or leaving it unset means users can control autofill suggestions for credit cards in the UI.
Setting the policy to False means autofill never suggests or fills credit card information, nor will it save additional credit card information that users might submit while browsing the web.''',
},
{
'name': 'DisabledPlugins',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-87', 'chrome_os:11-87'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 19,
'caption': '''Specify a list of disabled plugins''',
'tags': [],
'desc': '''This policy is deprecated. Please use the <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph> to control the availability of the Flash plugin and <ph name="ALWAYS_OPEN_PDF_EXTERNALLY_POLICY_NAME">AlwaysOpenPdfExternally</ph> to control whether the integrated PDF viewer should be used for opening PDF files.
Specifies a list of plugins that are disabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
If you enable this setting, the specified list of plugins is never used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. The plugins are marked as disabled in 'about:plugins' and users cannot enable them.
Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions.
If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.''',
'label': '''List of disabled plugins''',
},
{
'name': 'EnabledPlugins',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-87', 'chrome_os:11-87'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 78,
'caption': '''Specify a list of enabled plugins''',
'tags': ['system-security'],
'desc': '''This policy is deprecated. Please use the <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph> to control the availability of the Flash plugin and <ph name="ALWAYS_OPEN_PDF_EXTERNALLY_POLICY_NAME">AlwaysOpenPdfExternally</ph> to control whether the integrated PDF viewer should be used for opening PDF files.
Specifies a list of plugins that are enabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
The specified list of plugins is always used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them.
Note that this policy overrides both DisabledPlugins and DisabledPluginsExceptions.
If this policy is left not set the user can disable any plugin installed on the system.''',
'label': '''List of enabled plugins''',
},
{
'name': 'DisabledPluginsExceptions',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-87', 'chrome_os:11-87'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 79,
'caption': '''Specify a list of plugins that the user can enable or disable''',
'tags': [],
'desc': '''This policy is deprecated. Please use the <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph> to control the availability of the Flash plugin and <ph name="ALWAYS_OPEN_PDF_EXTERNALLY_POLICY_NAME">AlwaysOpenPdfExternally</ph> to control whether the integrated PDF viewer should be used for opening PDF files.
Specifies a list of plugins that user can enable or disable in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
If you enable this setting, the specified list of plugins can be used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Users can enable or disable them in 'about:plugins', even if the plugin also matches a pattern in DisabledPlugins. Users can also enable and disable plugins that don't match any patterns in DisabledPlugins, DisabledPluginsExceptions and EnabledPlugins.
This policy is meant to allow for strict plugin blacklisting where the 'DisabledPlugins' list contains wildcarded entries like disable all plugins '*' or disable all Java plugins '*Java*' but the administrator wishes to enable some particular version like 'IcedTea Java 2.3'. This particular versions can be specified in this policy.
Note that both the plugin name and the plugin's group name have to be exempted. Each plugin group is shown in a separate section in about:plugins; each section may have one or more plugins. For example, the "Shockwave Flash" plugin belongs to the "Adobe Flash Player" group, and both names have to have a match in the exceptions list if that plugin is to be exempted from the blacklist.
If this policy is left not set any plugin that matches the patterns in the 'DisabledPlugins' will be locked disabled and the user won't be able to enable them.''',
'label': '''List of exceptions to the list of disabled plugins''',
},
{
'name': 'AlwaysOpenPdfExternally',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:55-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 347,
'caption': '''Always Open PDF files externally''',
'tags': [],
'desc': '''Setting the policy to True turns the internal PDF viewer off in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, treats PDF files as a download, and lets users open PDFs with the default application.
Setting the policy to False or leaving it unset means that unless users turns off the PDF plugin, it will open PDF files.''',
},
{
'name': 'DisablePluginFinder',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-64', 'chrome_os:11-64'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 66,
'caption': '''Specify whether the plugin finder should be disabled (deprecated)''',
'tags': [],
'desc': '''This policy has been removed as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 64.
Automatic search and installation of missing plugins is no longer supported.''',
'label': '''Disable plugin finder (deprecated)''',
},
{
'name': 'SyncDisabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'future_on': ['android'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 20,
'caption': '''Disable synchronization of data with Google''',
'tags': ['filtering', 'google-sharing'],
'desc': '''Disables data synchronization in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> using Google-hosted synchronization services and prevents users from changing this setting.
If you enable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set Google Sync will be available for the user to choose whether to use it or not.
To fully disable Google Sync, it is recommended that you disable the Google Sync service in the Google Admin console.''',
'arc_support': 'Disabling Google Sync will cause Android Backup and Restore to not function properly.',
},
{
'name': 'SyncTypesListDisabled',
'owners': ['pastarmovj@chromium.org', 'mastiz@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {'type': 'string'},
},
'supported_on': ['chrome.*:79-','android:79-','chrome_os:79-'],
'features': {
'per_profile': True,
'dynamic_refresh': False,
},
'example_value': ['bookmarks'],
'id': 649,
'caption': '''List of types that should be excluded from synchronization''',
'tags': ['system-security'],
'desc': '''If this policy is set all specified data types will be excluded from synchronization both for Google Sync as well as for roaming profile synchronization. This can be beneficial to reduce the size of the roaming profile or limit the type of data uploaded to the Google Sync Servers.
The current data types for this policy are: "bookmarks", "preferences", "passwords", "autofill", "themes", "typedUrls", "extensions", "apps", "tabs", "wifiConfigurations". Those names are case sensitive!''',
},
{
'name': 'RoamingProfileSupportEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:57-', 'chrome.mac:88-', 'chrome.linux:88-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 358,
'caption': '''Enable the creation of roaming copies for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profile data''',
'tags': ['local-data-access'],
'desc': '''If you enable this setting, the settings stored in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profiles like bookmarks, autofill data, passwords, etc. will also be written to a file stored in the Roaming user profile folder or a location specified by the Administrator through the <ph name="ROAMING_PROFILE_LOCATION_POLICY_NAME">RoamingProfileLocation</ph> policy. Enabling this policy disables cloud sync.
If this policy is disabled or left not set only the regular local profiles will be used.''',
'label': '''Enable the creation of roaming copies for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profile data.''',
},
{
'name': 'RoamingProfileLocation',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:57-', 'chrome.mac:88-', 'chrome.linux:88-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '${roaming_app_data}\\chrome-profile',
'id': 359,
'caption': '''Set the roaming profile directory''',
'tags': ['local-data-access'],
'desc': '''Configures the directory that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing the roaming copy of the profiles.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided directory to store the roaming copy of the profiles if the <ph name="ROAMING_PROFILE_SUPPORT_ENABLED_POLICY_NAME">RoamingProfileSupportEnabled</ph> policy has been enabled. If the <ph name="ROAMING_PROFILE_SUPPORT_ENABLED_POLICY_NAME">RoamingProfileSupportEnabled</ph> policy is disabled or left unset the value stored in this policy is not used.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
On non-Windows platforms, this policy must be set for roaming profiles to work.
On Windows, if this policy is left unset, the default roaming profile path will be used.''',
'label': '''Set the roaming profile directory''',
},
{
'name': 'SigninAllowed',
'owners': ['akuegel@chromium.org', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:27-', 'android:38-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 190,
'caption': '''Allow sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''This policy is deprecated, consider using BrowserSignin instead.
Allows the user to sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you set this policy, you can configure whether a user is allowed to sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Setting this policy to 'False' will prevent apps and extensions that use the chrome.identity API from functioning, so you may want to use SyncDisabled instead.''',
},
{
'name': 'EnableDeprecatedWebBasedSignin',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:35-42'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 265,
'caption': '''Enable the old web-based signin flow''',
'tags': [],
'desc': '''This setting was named EnableWebBasedSignin prior to Chrome 42, and support for it will be removed entirely in Chrome 43.
This setting is useful for enterprise customers who are using SSO solutions that are not compatible with the new inline signin flow yet.
If you enable this setting, the old web-based signin flow would be used.
If you disable this setting or leave it not set, the new inline signin flow would be used by default. Users may still enable the old web-based signin flow through the command line flag --enable-web-based-signin.
The experimental setting will be removed in the future when the inline signin fully supports all SSO signin flows.''',
},
{
'name': 'UserDataDir',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:11-', 'chrome.mac:11-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
# TODO(crbug.com/1149118): Query cloud policies before using
# UserDataDir so this policy won't need to be platform_only anymore.
'platform_only': True,
},
'example_value': '${users}/${user_name}/Chrome',
'id': 63,
'caption': '''Set user data directory''',
'tags': ['local-data-access'],
'desc': '''Configures the directory that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing user data.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a directory used for other purposes, because <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> manages its contents.
See https://support.google.com/chrome/a?p=Supported_directory_variables for a list of variables that can be used.
If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.''',
'label': '''Set user data directory''',
},
{
'name': 'DiskCacheDir',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:13-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '${user_home}/Chrome_cache',
'id': 88,
'caption': '''Set disk cache directory''',
'tags': [],
'desc': '''Setting the policy has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> use the directory you provide for storing cached files on the diskwhether or not users specify the --disk-cache-dir flag.
If not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the default cache directory, but users can change that setting with the --disk-cache-dir command line flag.
<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> manages the contents of a volume's root directory. So to avoid data loss or other errors, do not set this policy to the root directory or any directory used for other purposes. See the variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).''',
'label': '''Set disk cache directory''',
},
{
'name': 'DiskCacheSize',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 104857600,
'id': 110,
'caption': '''Set disk cache size in bytes''',
'tags': [],
'desc': '''Setting the policy to None has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> use the default cache size for storing cached files on the disk. Users can't change it.
If you set the policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the cache size you providewhether or not users specify the --disk-cache-size flag. (Values below a few megabytes are rounded up.)
If not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the default size. Users can change that setting using the --disk-cache-size flag.''',
'label': '''Set disk cache size''',
},
{
'name': 'MediaCacheSize',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome.*:17-71'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': 104857600,
'id': 111,
'caption': '''Set media disk cache size in bytes''',
'tags': [],
'desc': '''Setting the policy configures the cache size that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses for storing cached media files on the disk, regardless of whether or not users specify the --media-cache-size flag. The value specified in this policy isn't a hard boundary, but a suggestion to the caching system. Any value below a few megabytes is rounded up.
Setting the value of the policy to 0 uses the default cache size, and users can't change it.
Leaving the policy unset uses the default cache size and users can change it with the --media-cache-size flag.''',
'label': '''Set media disk cache size''',
},
{
'name': 'DownloadRestrictions',
'owners': ['mad@chromium.org', 'zmin@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3, 4 ],
},
'items': [
{
'name': 'DefaultDownloadSecurity',
'value': 0,
'caption': '''No special restrictions''',
},
{
'name': 'BlockDangerousDownloads',
'value': 1,
'caption': '''Block dangerous downloads''',
},
{
'name': 'BlockPotentiallyDangerousDownloads',
'value': 2,
'caption': '''Block potentially dangerous downloads''',
},
{
'name': 'BlockAllDownloads',
'value': 3,
'caption': '''Block all downloads''',
},
{
'name': 'BlockMaliciousDownloads',
'value': 4,
'caption': '''Block malicious downloads''',
},
],
'supported_on': ['chrome.*:61-', 'chrome_os:61-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'id': 371,
'caption': '''Allow download restrictions''',
'tags': ['local-data-access'],
'desc': '''Setting the policy means users can't bypass download security decisions.
Setting the policy to:
* Block dangerous downloads means all downloads are allowed, except for those that carry safety warnings.
* Block potentially dangerous downloads means all downloads allowed, except for those that carry safety warnings of potentially dangerous downloads.
* Block all downloads means all downloads are blocked.
* Block malicious downloads means all downloads are allowed, except for those assessed to be malware with high confidence. Unlike with dangerous downloads, this does not take into account file type, but does take into account the host.
* No special restrictions means the downloads go through the usual security restrictions based on safety analysis results.
Note: These restrictions apply to downloads triggered from webpage content, as well as the Download link... menu option. They don't apply to the download of the currently displayed page or to saving as PDF from the printing options. Read more about Safe Browsing ( https://developers.google.com/safe-browsing ).''',
'label': '''Download restrictions''',
},
{
'name': 'DownloadDirectory',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:11-', 'chrome_os:35-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '/home/${user_name}/Downloads',
'id': 64,
'caption': '''Set download directory''',
'tags': ['local-data-access'],
'desc': '''Setting the policy sets up the directory Chrome uses for downloading files. It uses the provided directory, whether or not users specify one or turned on the flag to be prompted for download location every time.
Leaving the policy unset means Chrome uses the default download directory, and users can change it.
Note: See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).''',
'label': '''Set download directory''',
'arc_support': 'This policy has no effect on Android apps. Android apps always use the default downloads directory and cannot access any files downloaded by <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> into a non-default downloads directory.',
},
{
'name': 'AutoOpenFileTypes',
'owners': ['csharp@chromium.org', 'qinmin@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
},
},
'example_value': ['exe', 'txt'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'id': 700,
'supported_on' : ['chrome.*:84-', 'chrome_os:84-'],
'caption': '''List of file types that should be automatically opened on download''',
'tags': [],
'desc': '''List of file types that should be automatically opened on download. The leading separator should not be included when listing the file type, so list "txt" instead of ".txt".
Files with types that should be automatically opened will still be subject to the enabled safe browsing checks and won't be opened if they fail those checks.
If this policy isn't set, only file types that a user has already specified to automatically be opened will do so when downloaded.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'AutoOpenAllowedForURLs',
'owners': ['csharp@chromium.org', 'qinmin@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
},
},
'example_value': ['example.com', 'https://ssl.server.com', 'hosting.com/good_path', 'https://server:8080/path', '.exact.hostname.com'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'id': 707,
'supported_on' : ['chrome.*:84-', 'chrome_os:84-'],
'caption': '''URLs where AutoOpenFileTypes can apply''',
'tags': [],
'desc': '''List of URLs specifying which urls <ph name="AUTO_OPEN_FILE_TYPES_POLICY_NAME">AutoOpenFileTypes</ph> will apply to. This policy has no impact on automatically open values set by users.
If this policy is set, files will only automatically open by policy if the url is part of this set and the file type is listed in <ph name="AUTO_OPEN_FILE_TYPES_POLICY_NAME">AutoOpenFileTypes</ph>. If either condition is false the download won't automatically open by policy.
If this policy isn't set, all downloads where the file type is in <ph name="AUTO_OPEN_FILE_TYPES_POLICY_NAME">AutoOpenFileTypes</ph> will automatically open.
A URL pattern has to be formatted according to https://www.chromium.org/administrators/url-blacklist-filter-format.''',
},
{
'name': 'AutoLaunchProtocolsFromOrigins',
'owners': ['csharp@chromium.org', 'engedy@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'protocol': { 'type': 'string' },
'allowed_origins': {
'type': 'array',
'items': { 'type': 'string' }
}
},
'required': ['protocol', 'allowed_origins']
}
},
'supported_on': ['chrome.*:85-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [{"protocol": "spotify", "allowed_origins":["example.com", "http://www.example.com:8080"]},
{"protocol": "teams", "allowed_origins":["https://example.com", "https://.mail.example.com"]},
{"protocol": "outlook", "allowed_origins":["*"]}],
'id': 722,
'caption': '''Define a list of protocols that can launch an external application from listed origins without prompting the user''',
'tags': [],
'desc': '''Allows you to set a list of protocols, and for each protocol an associated list of allowed origin patterns, that can launch an external application without prompting the user. The trailing separator should not be included when listing the protocol, so list "skype" instead of "skype:" or "skype://".
If this policy is set, a protocol will only be permitted to launch an external application without prompting by policy if the protocol is listed, and the origin of the site trying to launch the protocol matches one of the origin patterns in that protocol's allowed_origins list. If either condition is false the external protocol launch prompt will not be omitted by policy.
If this policy is not set, no protocols can launch without a prompt by default. Users may opt out of prompts on a per-protocol/per-site basis unless the <ph name="EXTERNAL_PROTOCOL_DIALOG_SHOW_ALWAYS_OPEN_CHECKBOX_POLICY_NAME">ExternalProtocolDialogShowAlwaysOpenCheckbox</ph> policy is set to Disabled. This policy has no impact on per-protocol/per-site prompt exemptions set by users.
The origin matching patterns use a similar format to those for the '<ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph>' policy, which are documented at http://www.chromium.org/administrators/url-blacklist-filter-format.
However, origin matching patterns for this policy cannot contain "/path" or "@query" elements. Any pattern that does contain a "/path" or "@query" element will be ignored.''',
},
{
'name': 'SafeBrowsingForTrustedSourcesEnabled',
'owners': ['mad@chromium.org', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:61-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Perform Safe Browsing checks on all downloaded files',
},
{
'value': False,
'caption': 'Skip Safe Browsing checks for files download from trusted sources',
},
],
'example_value': False,
'default': True,
'id': 375,
'caption': '''Enable Safe Browsing for trusted sources''',
'tags': ['local-data-access'],
'desc': '''Setting the policy to Enabled or leaving it unset means downloaded files are sent to be analyzed by Safe Browsing, even when it's from a trusted source.
Setting the policy to Disabled means downloaded files won't be sent to be analyzed by Safe Browsing when it's from a trusted source.
These restrictions apply to downloads triggered from webpage content, as well as the Download link menu option. These restrictions don't apply to the save or download of the currently displayed page or to saving as PDF from the printing options.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
'label': '''Safe Browsing enable state for trusted sources''',
},
{
'name': 'ClearSiteDataOnExit',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-28', 'chrome_os:11-28'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 65,
'caption': '''Clear site data on browser shutdown (deprecated)''',
'tags': [],
'desc': '''This policy has been retired as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 29.''',
'label': '''Clear site data on browser shutdown (deprecated)''',
},
{
'name': 'CaptivePortalAuthenticationIgnoresProxy',
'owners': ['ultrotter@google.com', 'rsorokin@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:41-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 295,
'caption': '''Captive portal authentication ignores proxy''',
'tags': [],
'desc': '''Setting the policy to Enabled lets <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> bypass any proxy for captive portal authentication. These authentication webpages, starting from the captive portal sign-in page until Chrome detects a successful internet connection, open in a separate window, ignoring all policy settings and restrictions for the current user. This policy only takes effect if a proxy is set up (by policy, extension, or the user in chrome://settings).
Setting the policy to Disabled or leaving it unset means any captive portal authentication pages are shown in a (regular) new browser tab, using the current user's proxy settings.''',
},
{
'name': 'ProxyMode',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'direct',
'auto_detect',
'pac_script',
'fixed_servers',
'system'
],
},
'items': [
{
'name': 'ProxyDisabled',
'value': 'direct',
'caption': '''Never use a proxy''',
},
{
'name': 'ProxyAutoDetect',
'value': 'auto_detect',
'caption': '''Auto detect proxy settings''',
},
{
'name': 'ProxyPacScript',
'value': 'pac_script',
'caption': '''Use a .pac proxy script''',
},
{
'name': 'ProxyFixedServers',
'value': 'fixed_servers',
'caption': '''Use fixed proxy servers''',
},
{
'name': 'ProxyUseSystem',
'value': 'system',
'caption': '''Use system proxy settings''',
},
],
'supported_on': [
'chrome.*:10-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 'direct',
'id': 21,
'caption': '''Choose how to specify proxy server settings''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> instead.
Setting the policy to Enabled lets you specify the proxy server Chrome uses and prevents users from changing proxy settings. Chrome and ARC-apps ignore all proxy-related options specified from the command line. The policy only takes effect if the <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> policy isn't specified.
Other options are ignored if you choose:
* <ph name="PROXY_MODE_ENUM_DIRECT">direct</ph> = Never use a proxy server and always connect directly
* <ph name="PROXY_MODE_ENUM_SYSTEM">system</ph> = Use system proxy settings
* <ph name="PROXY_MODE_ENUM_AUTO_DETECT">auto_detect</ph> = Auto detect the proxy server
If you choose to use:
* <ph name="PROXY_MODE_ENUM_FIXED_SERVERS">fixed_servers</ph> = Fixed proxy servers. You can specify further options with <ph name="PROXY_SERVER_POLICY_NAME">ProxyServer</ph> and <ph name="PROXY_BYPASS_LIST_POLICY_NAME">ProxyBypassList</ph>. Only the HTTP proxy server with the highest priority is available for ARC-apps.
* <ph name="PROXY_MODE_ENUM_PAC_SCRIPT">pac_script</ph> = A .pac proxy script. Use <ph name="PROXY_PAC_URL_POLICY_NAME">ProxyPacUrl</ph> to set the URL to a proxy .pac file.
Leaving the policy unset lets users choose the proxy settings.
Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).''',
},
{
'name': 'ProxyServerMode',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
'id': 'ProxyServerMode',
},
'items': [
{
'name': 'ProxyServerDisabled',
'value': 0,
'caption': '''Never use a proxy''',
},
{
'name': 'ProxyServerAutoDetect',
'value': 1,
'caption': '''Auto detect proxy settings''',
},
{
'name': 'ProxyServerManual',
'value': 2,
'caption': '''Manually specify proxy settings''',
},
{
'name': 'ProxyServerUseSystem',
'value': 3,
'caption': '''Use system proxy settings''',
},
],
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 2,
'id': 22,
'caption': '''Choose how to specify proxy server settings''',
'tags': [],
'desc': '''This policy is deprecated, use ProxyMode instead.
Allows you to specify the proxy server used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing proxy settings.
This policy only takes effect if the <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> policy has not been specified.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.
If you choose manual proxy settings, you can specify further options in 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.
For detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> ignores all proxy-related options specified from the command line.
Leaving this policy not set will allow the users to choose the proxy settings on their own.''',
'arc_support': 'You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the <ph name="PROXY_MODE_POLICY_NAME">ProxyMode</ph> policy for more details.',
},
{
'name': 'ProxyServer',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': '123.123.123.123:8080',
'id': 23,
'caption': '''Address or URL of proxy server''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> instead.
Setting the policy lets you specify the URL of the proxy server. This policy only takes effect if the <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> policy isn't specified and you selected <ph name="PROXY_MODE_ENUM_FIXED_SERVERS">fixed_servers</ph> with <ph name="PROXY_MODE_POLICY_NAME">ProxyMode</ph>.
Leave this policy unset if you selected any other mode for setting proxy policies.
Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).''',
'arc_support': 'You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the <ph name="PROXY_MODE_POLICY_NAME">ProxyMode</ph> policy for more details.',
},
{
'name': 'ProxyPacUrl',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 'https://internal.site/example.pac',
'id': 24,
'caption': '''URL to a proxy .pac file''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> instead.
Setting the policy lets you specify a URL to a proxy .pac file. This policy only takes effect if the <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> policy isn't specified and you selected <ph name="PROXY_MODE_ENUM_PAC_SCRIPT">pac_script</ph> with <ph name="PROXY_MODE_POLICY_NAME">ProxyMode</ph>.
Leave this policy unset if you selected any other mode for setting proxy policies.
Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).''',
'arc_support': 'You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the <ph name="PROXY_MODE_POLICY_NAME">ProxyMode</ph> policy for more details.',
},
{
'name': 'ProxyBypassList',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 'https://www.example1.com,https://www.example2.com,https://internalsite/',
'id': 25,
'caption': '''Proxy bypass rules''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> instead.
Setting the policy means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> bypasses any proxy for the list of hosts given here. This policy only takes effect if the <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> policy isn't specified and you selected a <ph name="PROXY_MODE_ENUM_FIXED_SERVERS">fixed_servers</ph> with <ph name="PROXY_MODE_POLICY_NAME">ProxyMode</ph>.
Leave this policy unset if you selected any other mode for setting proxy policies.
Note: For more detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).''',
'label': '''Comma-separated list of proxy bypass rules''',
'arc_support': 'You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the <ph name="PROXY_MODE_POLICY_NAME">ProxyMode</ph> policy for more details.',
},
{
'name': 'ProxySettings',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'ProxyMode': {
'type': 'string',
'enum': ['direct', 'auto_detect', 'pac_script', 'fixed_servers', 'system'],
},
'ProxyPacUrl': { 'type': 'string' },
'ProxyServer': { 'type': 'string' },
'ProxyBypassList': { 'type': 'string' },
'ProxyServerMode': { '$ref': 'ProxyServerMode' },
},
},
'supported_on': [
'chrome.*:18-',
'chrome_os:18-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': { "ProxyMode": "direct", "ProxyPacUrl": "https://internal.site/example.pac", "ProxyServer": "123.123.123.123:8080", "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/", "ProxyServerMode": 2 },
'id': 116,
'caption': '''Proxy settings''',
'tags': ['system-security'],
'desc': '''Setting the policy configures the proxy settings for Chrome and ARC-apps, which ignore all proxy-related options specified from the command line.
Leaving the policy unset lets users choose their proxy settings.
Setting the <ph name="PROXY_SETTINGS_POLICY_NAME">ProxySettings</ph> policy accepts the following fields:
* <ph name="PROXY_MODE_PROXY_SETTINGS_FIELD">ProxyMode</ph>, which lets you specify the proxy server Chrome uses and prevents users from changing proxy settings
* <ph name="PROXY_PAC_URL_PROXY_SETTINGS_FIELD">ProxyPacUrl</ph>, a URL to a proxy .pac file
* <ph name="PROXY_SERVER_PROXY_SETTINGS_FIELD">ProxyServer</ph>, a URL of the proxy server
* <ph name="PROXY_BYPASS_LIST_PROXY_SETTINGS_FIELD">ProxyBypassList</ph>, a list of proxy hosts that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> bypasses
The <ph name="PROXY_SERVER_MODE_PROXY_SETTINGS_FIELD">ProxyServerMode</ph> field is deprecated in favor of the <ph name="PROXY_MODE_PROXY_SETTINGS_FIELD">ProxyMode</ph> field, which lets you specify the proxy server Chrome uses and prevents users from changing proxy settings.
For <ph name="PROXY_MODE_PROXY_SETTINGS_FIELD">ProxyMode</ph>, if you choose the value:
* <ph name="PROXY_MODE_ENUM_DIRECT">direct</ph>, a proxy is never used and all other fields are ignored.
* <ph name="PROXY_MODE_ENUM_SYSTEM">system</ph>, the systems's proxy is used and all other fields are ignored.
* <ph name="PROXY_MODE_ENUM_AUTO_DETECT">auto_detect</ph>, all other fields are ignored.
* <ph name="PROXY_MODE_ENUM_FIXED_SERVER">fixed_server</ph>, the <ph name="PROXY_SERVER_PROXY_SETTINGS_FIELD">ProxyServer</ph> and <ph name="PROXY_BYPASS_LIST_PROXY_SETTINGS_FIELD">ProxyBypassList</ph> fields are used.
* <ph name="PROXY_MODE_ENUM_PAC_SCRIPT">pac_script</ph>, the <ph name="PROXY_BYPASS_LIST_PROXY_PAC_URL">ProxyPacUrl</ph> and <ph name="PROXY_BYPASS_LIST_PROXY_SETTINGS_FIELD">ProxyBypassList</ph> fields are used.
Note: For more detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).''',
'arc_support': 'Only a subset of proxy configuration options are made available to Android apps. Android apps may voluntarily choose to use the proxy. You cannot force them to use a proxy.',
},
{
'name': 'AuthSchemes',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:9-','android:46-','chrome_os:62-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'basic,digest,ntlm,negotiate',
'id': 26,
'caption': '''Supported authentication schemes''',
'tags': [],
'desc': '''Setting the policy specifies which HTTP authentication schemes <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> supports.
Leaving the policy unset employs all 4 schemes.
Valid values:
* basic
* digest
* ntlm
* negotiate
Note: Separate multiple values with commas.''',
},
{
'name': 'DisableAuthNegotiateCnameLookup',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:9-','android:46-','chrome_os:62-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 27,
'caption': '''Disable CNAME lookup when negotiating Kerberos authentication''',
'tags': [],
'desc': '''Setting the policy to Enabled skips CNAME lookup. The server name is used as entered when generating the Kerberos SPN.
Setting the policy to Disabled or leaving it unset means CNAME lookup determines the canonical name of the server when generating the Kerberos SPN.''',
},
{
'name': 'EnableAuthNegotiatePort',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:9-','chrome_os:62-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 28,
'caption': '''Include non-standard port in Kerberos SPN''',
'tags': [],
'desc': '''Setting the policy to Enabled and entering a nonstandard port (in other words, a port other than 80 or 443) includes it in the generated Kerberos SPN.
Setting the policy to Disabled or leaving it unset means the generated Kerberos SPN won't include a port.''',
},
{
'name': 'BasicAuthOverHttpEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:88-','chrome_os:88-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': '<ph name="BASIC_AUTH">Basic</ph> authentication is allowed on HTTP connections',
},
{
'value': False,
'caption': 'Non-secure HTTP connections are not permitted to use <ph name="BASIC_AUTH">Basic</ph> authentication; HTTPS is required',
},
],
'default': True,
'example_value': False,
'id': 806,
'caption': '''Allow <ph name="BASIC_AUTH">Basic</ph> authentication for HTTP''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset will allow <ph name="BASIC_AUTH">Basic</ph> authentication challenges received over non-secure HTTP.
Setting the policy to Disabled forbids non-secure HTTP requests from using the <ph name="BASIC_AUTH">Basic</ph> authentication scheme; only secure HTTPS is allowed.''',
},
{
'name': 'AuthServerWhitelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:9-','android:46-','webview_android:49-','chrome_os:62-'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '*.example.com,example.com',
'id': 29,
'caption': '''Authentication server whitelist''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="AUTH_SERVER_ALLOWLIST_POLICY_NAME">AuthServerAllowlist</ph>' policy instead.
Setting the policy specifies which servers should be allowed for integrated authentication. Integrated authentication is only on when <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> gets an authentication challenge from a proxy or from a server in this permitted list.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> tries to detect if a server is on the intranet. Only then will it respond to IWA requests. If a server is detected as internet, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> ignores IWA requests from it.
Note: Separate multiple server names with commas. Wildcards, <ph name="WILDCARD_VALUE">*</ph>, are allowed.''',
},
{
'name': 'AuthServerAllowlist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:86-','android:86-','webview_android:86-','chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '*.example.com,example.com',
'id': 747,
'caption': '''Authentication server allowlist''',
'tags': [],
'desc': '''Setting the policy specifies which servers should be allowed for integrated authentication. Integrated authentication is only on when <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> gets an authentication challenge from a proxy or from a server in this permitted list.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> tries to detect if a server is on the intranet. Only then will it respond to IWA requests. If a server is detected as internet, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> ignores IWA requests from it.
Note: Separate multiple server names with commas. Wildcards, <ph name="WILDCARD_VALUE">*</ph>, are allowed.''',
},
{
'name': 'AuthNegotiateDelegateWhitelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:9-','android:46-','chrome_os:62-'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'foobar.example.com',
'id': 30,
'caption': '''Kerberos delegation server whitelist''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="AUTH_NEGOCIATE_DELEGATE_ALLOWLIST_POLICY_NAME">AuthNegotiateDelegateAllowlist</ph>' policy instead.
Setting the policy assigns servers that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> may delegate to. Separate multiple server names with commas. Wildcards, <ph name="WILDCARD_VALUE">*</ph>, are allowed.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> won't delegate user credentials, even if a server is detected as intranet.''',
},
{
'name': 'AuthNegotiateDelegateAllowlist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:86-','android:86-','chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'foobar.example.com',
'id': 746,
'caption': '''Kerberos delegation server allowlist''',
'tags': [],
'desc': '''Setting the policy assigns servers that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> may delegate to. Separate multiple server names with commas. Wildcards, <ph name="WILDCARD_VALUE">*</ph>, are allowed.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> won't delegate user credentials, even if a server is detected as intranet.''',
},
{
'name': 'AuthNegotiateDelegateByKdcPolicy',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.linux:74-','chrome.mac:74-','chrome_os:74-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 528,
'caption': '''Use KDC policy to delegate credentials.''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to Enabled means HTTP authentication respects approval by KDC policy. In other words, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> delegates user credentials to the service being accessed if the KDC sets <ph name="OK_AS_DELEGATE">OK-AS-DELEGATE</ph> on the service ticket. See RFC 5896 ( https://tools.ietf.org/html/rfc5896.html ). The service should also be allowed by <ph name="AUTH_NEGOTIATE_DELEGATE_ALLOWLIST_POLICY_NAME">AuthNegotiateDelegateAllowlist</ph>.
Setting the policy to Disabled or leaving it unset means KDC policy is ignored on supported platforms and only <ph name="AUTH_NEGOTIATE_DELEGATE_ALLOWLIST_POLICY_NAME">AuthNegotiateDelegateAllowlist</ph> is respected.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, KDC policy is always respected.''',
},
{
'name': 'GSSAPILibraryName',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.linux:9-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'libgssapi_krb5.so.2',
'id': 31,
'caption': '''GSSAPI library name''',
'tags': [],
'desc': '''Setting the policy specifies which GSSAPI library to use for HTTP authentication. Set the policy to either a library name or a full path.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses a default library name.''',
},
{
'name': 'AuthAndroidNegotiateAccountType',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['android:46-','webview_android:49-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'com.example.spnego',
'id': 305,
'caption': '''Account type for <ph name="HTTP_NEGOTIATE">HTTP Negotiate</ph> authentication''',
'tags': [],
'desc': '''Setting the policy specifies the type of accounts provided by the Android authentication app that supports <ph name="HTTP_NEGOTIATE">HTTP Negotiate</ph> authentication (such as Kerberos authentication). This information should be available from the supplier of the authentication app. For details, see The Chromium Projects ( https://goo.gl/hajyfN )
Leaving the policy unset turns off <ph name="HTTP_NEGOTIATE">HTTP Negotiate</ph> authentication on Android.''',
},
{
'name': 'AllowCrossOriginAuthPrompt',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:13-','chrome_os:62-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 89,
'caption': '''Cross-origin HTTP Authentication prompts''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to Enabled allows third-party images on a page to show an authentication prompt.
Setting the policy to Disabled or leaving it unset renders third-party images unable to show an authentication prompt.
Typically, this policy is Disabled as a phishing defense.''',
},
{
'name': 'NtlmV2Enabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.linux:63-','chrome.mac:63-','chrome_os:63-','android:63-','webview_android:63-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Turn NTLMv2 on',
},
{
'value': False,
'caption': 'Turn NTLMv2 off',
},
],
'example_value': True,
'default': True,
'id': 393,
'caption': '''Enable NTLMv2 authentication.''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset turns NTLMv2 on.
Setting the policy to Disabled turns NTLMv2 off.
All recent versions of Samba and <ph name="MS_WIN_NAME">Microsoft® Windows®</ph> servers support NTLMv2. This should only be turned off for backward compatibility as it reduces the security of authentication.''',
},
{
'name': 'ExtensionInstallBlacklist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['extension_id1', 'extension_id2'],
'id': 32,
'deprecated': True,
'caption': '''Configure extension installation blacklist''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="EXTENSION_INSTALL_BLOCKLIST_POLICY_NAME">ExtensionInstallBlocklist</ph>' policy instead.
Setting the policy specifies which extensions users can't install. Extensions already installed are turned off, if prohibited, without a way for users to turn them on. If a prohibited extension gets removed from the blocked list, it's automatically re-enabled. Use a value of <ph name="ALL_EXTENSIONS">*</ph> to prohibit all extensions, except those explicitly allowed.
If the policy is unset, users can install any extension in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'label': '''Extension IDs the user should be prevented from installing (or * for all)''',
},
{
'name': 'ExtensionInstallBlocklist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:86-', 'chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['extension_id1', 'extension_id2'],
'id': 740,
'caption': '''Configure extension installation blocklist''',
'tags': [],
'desc': '''Allows you to specify which extensions the users can NOT install. Extensions already installed will be disabled if blocked, without a way for the user to enable them. Once an extension disabled due to the blocklist is removed from it, it will automatically get re-enabled.
A blocklist value of '*' means all extensions are blocked unless they are explicitly listed in the allowlist.
If this policy is left not set the user can install any extension in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'label': '''Extension IDs the user should be prevented from installing (or * for all)''',
},
{
'name': 'ExtensionInstallAllowlist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:86-', 'chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['extension_id1', 'extension_id2'],
'id': 738,
'caption': '''Configure extension installation allow list''',
'tags': [],
'desc': '''Setting the policy specifies which extensions are not subject to the blocklist.
A blocklist value of <ph name="ALL_EXTENSIONS">*</ph> means all extensions are blocked and users can only install extensions listed in the allow list.
By default, all extensions are allowed. But, if you prohibited extensions by policy, use the list of allowed extensions to change that policy.''',
'label': '''Extension IDs to exempt from the blocklist''',
},
{
'name': 'ExtensionInstallWhitelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['extension_id1', 'extension_id2'],
'id': 33,
'deprecated': True,
'caption': '''Configure extension installation whitelist''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="EXTENSION_INSTALL_ALLOWLIST_POLICY_NAME">ExtensionInstallAllowlist</ph>' policy instead.
Setting the policy specifies which extensions are exempt from the list of prohibited extensions. Use a value of <ph name="ALL_EXTENSIONS">*</ph> for <ph name="EXTENSION_INSTALL_BLACKLIST_POLICY_NAME">ExtensionInstallBlacklist</ph> to prohibit all extensions, and users can only install explicitly allowed extensions. By default, all extensions are allowed. But, if you prohibited extensions by policy, use the list of allowed extensions to change that policy.''',
'label': '''Extension IDs to exempt from the blacklist''',
},
{
'name': 'ExtensionInstallForcelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:9-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx', 'abcdefghijklmnopabcdefghijklmnop'],
'id': 34,
'caption': '''Configure the list of force-installed apps and extensions''',
'tags': ['full-admin-access'],
'desc': '''Setting the policy specifies a list of apps and extensions that install silently, without user interaction, and which users can't uninstall or turn off. Permissions are granted implicitly, including for the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. (These 2 APIs aren't available to apps and extensions that aren't force-installed.)
Leaving the policy unset means no apps or extensions are autoinstalled, and users can uninstall any app or extension in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy superseeds <ph name="EXTENSION_INSTALL_BLOCKLIST_POLICY_NAME">ExtensionInstallBlocklist</ph> policy. If a previously force-installed app or extension is removed from this list, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> automatically uninstalls it.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph> instances, apps and extensions from outside the Chrome Web Store can only be forced installed if the instance is joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.
On <ph name="MAC_OS_NAME">macOS</ph> instances, apps and extensions from outside the Chrome Web Store can only be force installed if the instance is managed via MDM, or joined to a domain via MCX.
The source code of any extension may be altered by users through developer tools, potentially rendering the extension dysfunctional. If this is a concern, set the <ph name="DEVELOPER_TOOLS_DISABLED_POLICY_NAME">DeveloperToolsDisabled</ph> policy.
Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found, for example, on chrome://extensions when in Developer mode. If specified, the "update" URL should point to an Update Manifest XML document ( https://developer.chrome.com/extensions/autoupdate ). By default, the Chrome Web Store's update URL is used. The "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest.
Note: This policy doesn't apply to Incognito mode. Read about hosting extensions ( https://developer.chrome.com/extensions/hosting ).''',
'label': '''Extension/App IDs and update URLs to be silently installed''',
'arc_support': 'Android apps can be force-installed from the Google Admin console using Google Play. They do not use this policy.',
},
{
'name': 'ExtensionInstallSources',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
'id': 'ExtensionInstallSources',
},
'supported_on': ['chrome.*:21-', 'chrome_os:21-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://corp.mycompany.com/*'],
'id': 148,
'caption': '''Configure extension, app, and user script install sources''',
'tags': ['full-admin-access', 'system-security'],
'desc': '''Setting the policy specifies which URLs may install extensions, apps, and themes. Before <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 21, users could click on a link to a *.crx file, and <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> would offer to install the file after a few warnings. Afterwards, such files must be downloaded and dragged to the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> settings page. This setting allows specific URLs to have the old, easier installation flow.
Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users can easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (the referrer) must be allowed by these patterns.
<ph name="EXTENSION_INSTALL_BLOCKLIST_POLICY_NAME">ExtensionInstallBlocklist</ph> takes precedence over this policy. That is, an extension on the blocklist won't be installed, even if it happens from a site on this list.''',
'label': '''URL patterns to allow extension, app, and user script installs from''',
},
{
'name': 'ExtensionAllowInsecureUpdates',
'owners': ['waffles@chromium.org', 'rdevlin.cronin@chromium.org'],
'type': 'main',
'deprecated': True,
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:73-77', 'chrome_os:73-77'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 516,
'caption': '''Allow insecure algorithms in integrity checks on extension updates and installs''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> permits installation and updates for extensions hosted outside the Chrome Web Store, the content of which might only be minimally protected.
Setting the policy to Disabled means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> won't permit fresh installation of (and updates to) such extensions. The policy has no effect in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 78 and later.
Leaving this policy unset means it is Enabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 73 to 75, and Disabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 76 and 77.''',
},
{
'name': 'ExtensionAllowedTypes',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'extension',
'theme',
'user_script',
'hosted_app',
'legacy_packaged_app',
'platform_app'
],
},
'id': 'ExtensionAllowedTypes',
},
'supported_on': ['chrome.*:25-', 'chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['hosted_app'],
'id': 168,
'caption': '''Configure allowed app/extension types''',
'tags': [],
'desc': '''Setting the policy controls which apps and extensions may be installed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, which hosts they can interact with, and limits runtime access.
Leaving the policy unset results in no restrictions on the acceptable extension and app types.
Extensions and apps which have a type that's not on the list won't be installed. Each value should be one of these strings:
* "extension"
* "theme"
* "user_script"
* "hosted_app"
* "legacy_packaged_app"
* "platform_app"
See the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> extensions documentation for more information on these types.
Versions earlier than 75 that use multiple comma separated extension IDs aren't supported and are skipped. The rest of the policy applies.
Note: This policy also affects extensions and apps to be force-installed using <ph name="EXTENSION_INSTALL_FORCELIST_POLICY_NAME">ExtensionInstallForcelist</ph>.''',
'label': '''Types of extensions/apps that are allowed to be installed''',
},
{
'name': 'ExtensionSettings',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'patternProperties': {
'^[a-p]{32}(?:,[a-p]{32})*,?$': {
'type': 'object',
'properties': {
'installation_mode': {
'type': 'string',
'enum': ['blocked', 'allowed', 'force_installed', 'normal_installed', 'removed']
},
'update_url': { 'type': 'string' },
'update_url_enforced': {'type': 'boolean' },
'blocked_permissions': {
'type': 'array',
'items': {
'type': 'string',
'pattern': '^[a-z][a-zA-Z0-9.]*$',
},
'id': 'ListOfPermissions',
},
'allowed_permissions': {
'$ref': 'ListOfPermissions',
},
'minimum_version_required': {
'type': 'string',
'pattern': '^[0-9]+([.][0-9]+)*$',
},
'runtime_blocked_hosts': {
'type': 'array',
'items': {
'type': 'string'
},
'id': 'ListOfUrlPatterns'
},
'runtime_allowed_hosts': {
'$ref': 'ListOfUrlPatterns'
},
'blocked_install_message': {
'type': 'string',
'description': '''text that will be displayed to the user in the chrome webstore if installation is blocked.''',
},
'toolbar_pin': {
'type': 'string',
'enum': ['force_pinned', 'default_unpinned'],
}
},
},
'^update_url:': {
'type': 'object',
'properties': {
'installation_mode': {
'type': 'string',
'enum': ['blocked', 'allowed', 'removed']
},
'blocked_permissions': {
'$ref': 'ListOfPermissions',
},
'allowed_permissions': {
'$ref': 'ListOfPermissions',
},
},
},
},
'properties': {
'*': {
'type': 'object',
'properties': {
'installation_mode': {
'type': 'string',
'enum': ['blocked', 'allowed', 'removed']
},
'blocked_permissions': {
'$ref': 'ListOfPermissions',
},
'install_sources': {
'$ref': 'ExtensionInstallSources',
},
'allowed_types': {
'$ref': 'ExtensionAllowedTypes',
},
'runtime_blocked_hosts': {
'$ref': 'ListOfUrlPatterns'
},
'runtime_allowed_hosts': {
'$ref': 'ListOfUrlPatterns'
},
'blocked_install_message': {
'type': 'string'
}
},
},
},
},
'url_schema': 'https://www.chromium.org/administrators/policy-list-3/extension-settings-full',
'supported_on': ['chrome.*:62-', 'chrome_os:62-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {
'abcdefghijklmnopabcdefghijklmnop' : {
'installation_mode': 'allowed',
'blocked_permissions': ['history'],
'minimum_version_required': '1.0.1',
'toolbar_pin': 'force_pinned',
},
'bcdefghijklmnopabcdefghijklmnopa' : {
'installation_mode': 'force_installed',
'update_url': 'https://example.com/update_url',
'allowed_permissions': ['downloads'],
'runtime_blocked_hosts': ['*://*.example.com'],
'runtime_allowed_hosts': ['*://good.example.com'],
},
'cdefghijklmnopabcdefghijklmnopab' : {
'installation_mode': 'blocked',
'blocked_install_message': 'Custom error message.',
},
'defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd' : {
'installation_mode': 'blocked',
'blocked_install_message': 'Custom error message.',
},
'update_url:https://www.example.com/update.xml': {
'blocked_permissions': ['wallpaper'],
'allowed_permissions': ['downloads'],
'installation_mode': 'allowed',
},
'fghijklmnopabcdefghijklmnopabcde' : {
'installation_mode': 'removed',
'blocked_install_message': 'Custom removal message.',
},
'ghijklmnopabcdefghijklmnopabcdef' : {
'installation_mode': 'force_installed',
'update_url': 'https://example.com/update_url',
'update_url_enforced': True,
},
'*': {
'installation_mode': 'blocked',
'blocked_permissions': ['downloads', 'bookmarks'],
'install_sources': ['https://company-intranet/chromeapps'],
'allowed_types': ['hosted_app'],
'runtime_blocked_hosts': ['*://*.example.com'],
'runtime_allowed_hosts': ['*://good.example.com'],
'blocked_install_message': 'Custom error message.',
},
},
'id': 278,
'caption': 'Extension management settings',
'tags': [],
'desc': '''Setting the policy controls extension management settings for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, including any controlled by existing extension-related policies. The policy supersedes any legacy policies that might be set.
This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID <ph name="DEFAULT_SCOPE">"*"</ph>, which applies to all extensions without a custom configuration in this policy. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest ( http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy ). If the 'override_update_url' flag is set to true, the extension is installed and updated using the "update" URL specified in the <ph name="EXTENSION_INSTALL_FORCELIST_POLICY_NAME">ExtensionInstallForcelist</ph> policy or in 'update_url' field in this policy. The flag 'override_update_url' is ignored if the 'update_url' is a Chrome Web Store url.
Note: For Windows® instances not joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, forced installation is limited to apps and extensions listed in the Chrome Web Store.''',
},
{
'name': 'BlockExternalExtensions',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': True,
'id': 637,
'caption': '''Blocks external extensions from being installed''',
'tags': [],
'desc': '''Controls external extensions installation.
Enabling this setting blocks external extensions from being installed.
Disabling this setting or leaving it unset allows external extensions to be installed.
External extensions and their installation are documented at https://developer.chrome.com/apps/external_extensions.
''',
},
{
'name': 'ShowHomeButton',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 35,
'caption': '''Show Home button on toolbar''',
'tags': [],
'desc': '''Setting the policy to Enabled shows the Home button on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s toolbar. Setting the policy to Disabled keeps the Home button from appearing.
If you set the policy, users can't change it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, users chooses whether to show the Home button.''',
},
{
'name': 'DeveloperToolsDisabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:9-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 36,
'caption': '''Disable Developer Tools''',
'tags': [],
'desc': '''This policy is deprecated in M68, please use DeveloperToolsAvailability instead.
Disables the Developer Tools and the JavaScript console.
If you enable this setting, the Developer Tools can not be accessed and web-site elements can not be inspected anymore. Any keyboard shortcuts and any menu or context menu entries to open the Developer Tools or the JavaScript Console will be disabled.
Setting this option to disabled or leaving it not set allows the user to use the Developer Tools and the JavaScript console.
If the policy DeveloperToolsAvailability is set, the value of the policy DeveloperToolsDisabled is ignored.''',
'arc_support': 'This policy also controls access to Android Developer Options. If you set this policy to true, users cannot access Developer Options. If you set this policy to false or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.',
},
{
'name': 'DeveloperToolsAvailability',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [0, 1, 2],
},
'items': [
{
'name': 'DeveloperToolsDisallowedForForceInstalledExtensions',
'value': 0,
'caption': '''Disallow usage of the Developer Tools on extensions installed by enterprise policy, allow usage of the Developer Tools in other contexts''',
},
{
'name': 'DeveloperToolsAllowed',
'value': 1,
'caption': '''Allow usage of the Developer Tools''',
},
{
'name': 'DeveloperToolsDisallowed',
'value': 2,
'caption': '''Disallow usage of the Developer Tools''',
},
],
'supported_on': ['chrome.*:68-', 'chrome_os:68-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'id': 443,
'caption': '''Control where Developer Tools can be used''',
'tags': [],
'desc': '''Setting the policy to 0 (the default) means you can access the developer tools and the JavaScript console, but not in the context of extensions installed by enterprise policy. Setting the policy to 1 means you can access the developer tools and the JavaScript console in all contexts, including that of extensions installed by enterprise policy. Setting the policy to 2 means you can't acess developer tools, and you can't inspect website elements.
This setting also turns off keyboard shortcuts and menu or context menu entries to open developer tools or the JavaScript console.''',
'arc_support': '''This policy also controls access to Android Developer Options. If you set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access Developer Options. If you set this policy to another value or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.''',
},
{
'name': 'RestoreOnStartup',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 4, 5 ],
},
'items': [
{
'name': 'RestoreOnStartupIsNewTabPage',
'value': 5,
'caption': '''Open New Tab Page''',
},
{
'name': 'RestoreOnStartupIsLastSession',
'value': 1,
'caption': '''Restore the last session''',
},
{
'name': 'RestoreOnStartupIsURLs',
'value': 4,
'caption': '''Open a list of URLs''',
},
],
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 4,
'id': 37,
'caption': '''Action on startup''',
'tags': [],
'desc': '''Setting the policy lets you specify system behavior on startup. Turning this setting off amounts to leaving it unset as <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> must have specified start up behavior.
If you set the policy, users can't change it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, users can change it.
Setting this policy to <ph name="POLICY_ENUM_RESTOREONSTARTUP_RESTOREONSTARTUPISLASTSESSION">RestoreOnStartupIsLastSession</ph> turns off some settings that rely on sessions or that perform actions on exit, such as clearing browsing data on exit or session-only cookies.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'RestoreOnStartupURLs',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://example.com', 'https://www.chromium.org'],
'id': 38,
'caption': '''URLs to open on startup''',
'tags': [],
'desc': '''If <ph name="RESTORE_ON_STARTUP_POLICY_NAME">RestoreOnStartup</ph> is set to RestoreOnStartupIsURLs, then setting <ph name="RESTORE_ON_STARTUP_URLS_POLICY_NAME">RestoreOnStartupURLs</ph> to a list of URLs specify which URLs open.
If not set, the New Tab page opens on start up.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'BlockThirdPartyCookies',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:10-', 'chrome_os:11-', 'android:83-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Block 3rd party cookies',
},
{
'value': False,
'caption': 'Allow 3rd party cookies',
},
{
'value': None,
'caption': 'Allow 3rd party cookies, but allow the user to change this setting',
},
],
'example_value': False,
'default': None,
'id': 39,
'caption': '''Block third party cookies''',
'tags': [],
'desc': '''Setting the policy to Enabled prevents webpage elements that aren't from the domain that's in the browser's address bar from setting cookies. Setting the policy to Disabled lets those elements set cookies and prevents users from changing this setting.
Leaving it unset turns third-party cookies on, but users can change this setting.''',
},
{
'name': 'DefaultSearchProviderEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 40,
'caption': '''Enable the default search provider''',
'tags': [],
'desc': '''Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar.
If you set the policy, users can't change it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, the default search provider is on, and users can set the search provider list.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'DefaultSearchProviderContextMenuAccessAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:85-', 'chrome_os:85-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 715,
'caption': '''Allow default search provider context menu search access''',
'tags': [],
'desc': '''Enables the use of a default search provider on the context menu.
If you set this policy to disabled the search context menu item that relies on your default search provider will not be available.
If this policy is set to enabled or not set, the context menu item for your default search provider will be available.
The policy value is only appled when the <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> policy is enabled, and is not applicable otherwise.''',
},
{
'name': 'DefaultSearchProviderName',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'My Intranet Search',
'id': 41,
'caption': '''Default search provider name''',
'tags': ['website-sharing'],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_NAME_POLICY_NAME">DefaultSearchProviderName</ph> specifies the default search provider's name.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_NAME_POLICY_NAME">DefaultSearchProviderName</ph> unset means the hostname specified by the search URL is used.''',
},
{
'name': 'DefaultSearchProviderKeyword',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'mis',
'id': 42,
'caption': '''Default search provider keyword''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_KEYWORD_POLICY_NAME">DefaultSearchProviderKeyword</ph> specifies the keyword or shortcut used in the address bar to trigger the search for this provider.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_KEYWORD_POLICY_NAME">DefaultSearchProviderKeyword</ph> unset means no keyword activates the search provider.''',
},
{
'name': 'DefaultSearchProviderSearchURL',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/search?q={searchTerms}',
'id': 43,
'caption': '''Default search provider search URL''',
'tags': ['website-sharing'],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_SEARCH_URL_POLICY_NAME">DefaultSearchProviderSearchURL</ph> specifies the URL of the search engine used during a default search. The URL should include the string <ph name="SEARCH_TERM_MARKER">'{searchTerms}'</ph>, replaced in the query by the user's search terms.
You can specify Google's search URL as: <ph name="GOOGLE_SEARCH_URL">'{google:baseURL}search?q={searchTerms}&amp;{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'</ph>.''',
},
{
'name': 'DefaultSearchProviderSuggestURL',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/suggest?q={searchTerms}',
'id': 44,
'caption': '''Default search provider suggest URL''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_SUGGEST_URL_POLICY_NAME">DefaultSearchProviderSuggestURL</ph> specifies the URL of the search engine to provide search suggestions. The URL should include the string <ph name="SEARCH_TERM_MARKER">'{searchTerms}'</ph>, replaced in the query by the user's search terms.
You can specify Google's search URL as: <ph name="GOOGLE_SUGGEST_SEARCH_URL">'{google:baseURL}complete/search?output=chrome&amp;q={searchTerms}'</ph>.''',
},
{
'name': 'DefaultSearchProviderInstantURL',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:10-63', 'chrome_os:11-63', 'android:30-63'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/suggest?q={searchTerms}',
'id': 45,
'caption': '''Default search provider instant URL''',
'tags': [],
'desc': '''Specifies the URL of the search engine used to provide instant results. The URL should contain the string <ph name="SEARCH_TERM_MARKER">'{searchTerms}'</ph>, which will be replaced at query time by the text the user has entered so far.
This policy is optional. If not set, no instant search results will be provided.
Google's instant results URL can be specified as: <ph name="GOOGLE_INSTANT_SEARCH_URL">'{google:baseURL}suggest?q={searchTerms}'</ph>.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderIconURL',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/favicon.ico',
'id': 46,
'caption': '''Default search provider icon''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_ICON_URL_POLICY_NAME">DefaultSearchProviderIconURL</ph> specifies the default search provider's favorite icon URL.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_ICON_URL_POLICY_NAME">DefaultSearchProviderIconURL</ph> unset means there's no icon for the search provider.''',
},
{
'name': 'DefaultSearchProviderEncodings',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['UTF-8', 'UTF-16', 'GB2312', 'ISO-8859-1'],
'id': 47,
'caption': '''Default search provider encodings''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, setting <ph name="DEFAULT_SEARCH_PROVIDER_ENCODINGS_POLICY_NAME">DefaultSearchProviderEncodings</ph> specifies the character encodings supported by the search provider. Encodings are code page names such as UTF-8, GB2312, and ISO-8859-1. They're tried in the order provided.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_ENCODINGS_POLICY_NAME">DefaultSearchProviderEncodings</ph> unset puts UTF-8 in use.''',
},
{
'name': 'DefaultSearchProviderAlternateURLs',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:24-',
'chrome_os:24-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://search.my.company/suggest#q={searchTerms}', 'https://search.my.company/suggest/search#q={searchTerms}'],
'id': 161,
'caption': '''List of alternate URLs for the default search provider''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_ALTERNATE_URLS_POLICY_NAME">DefaultSearchProviderAlternateURLs</ph> specifies a list of alternate URLs for extracting search terms from the search engine. The URLs should include the string <ph name="SEARCH_TERM_MARKER">'{searchTerms}'</ph>.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_ALTERNATE_URLS_POLICY_NAME">DefaultSearchProviderAlternateURLs</ph> unset means no alternate URLs are used to extract search terms.''',
},
{
'name': 'DefaultSearchProviderSearchTermsReplacementKey',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:25-63', 'chrome_os:25-63', 'android:30-63'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'espv',
'id': 171,
'caption': '''Parameter controlling search term placement for the default search provider''',
'tags': [],
'desc': '''If this policy is set and a search URL suggested from the omnibox contains this parameter in the query string or in the fragment identifier, then the suggestion will show the search terms and search provider instead of the raw search URL.
This policy is optional. If not set, no search term replacement will be performed.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderImageURL',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:29-',
'chrome_os:29-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/searchbyimage/upload',
'id': 229,
'caption': '''Parameter providing search-by-image feature for the default search provider''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_IMAGE_URL_POLICY_NAME">DefaultSearchProviderImageURL</ph> specifies the URL of the search engine used for image search. (If <ph name="DEFAULT_SEARCH_PROVIDER_IMAGE_URL_POST_PARMS_POLICY_NAME">DefaultSearchProviderImageURLPostParams</ph> is set, then image search requests use the POST method instead.)
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_IMAGE_URL_POLICY_NAME">DefaultSearchProviderImageURL</ph> unset means no image search is used.''',
},
{
'name': 'DefaultSearchProviderNewTabURL',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:30-',
'chrome_os:30-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/newtab',
'id': 237,
'caption': '''Default search provider new tab page URL''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_NEW_TAB_URL_POLICY_NAME">DefaultSearchProviderNewTabURL</ph> specifies the URL of the search engine used to provide a New Tab page.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_NEW_TAB_URL_POLICY_NAME">DefaultSearchProviderNewTabURL</ph> unset means no new tab page is provided.''',
},
{
'name': 'DefaultSearchProviderSearchURLPostParams',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:29-',
'chrome_os:29-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'q={searchTerms},ie=utf-8,oe=utf-8',
'id': 230,
'caption': '''Parameters for search URL which uses POST''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_SEARCH_URL_POST_PARAMS_POLICY_NAME">DefaultSearchProviderSearchURLPostParams</ph> specifies the parameters when searching a URL with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as <ph name="SEARCH_TERM_MARKER">'{searchTerms}'</ph>, real search terms data replaces it.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_SEARCH_URL_POST_PARAMS_POLICY_NAME">DefaultSearchProviderSearchURLPostParams</ph> unset means search requests are sent using the GET method.''',
},
{
'name': 'DefaultSearchProviderSuggestURLPostParams',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:29-',
'chrome_os:29-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'q={searchTerms},ie=utf-8,oe=utf-8',
'id': 231,
'caption': '''Parameters for suggest URL which uses POST''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_SUGGEST_URL_POST_PARAMS_POLICY_NAME">DefaultSearchProviderSuggestURLPostParams</ph> specifies the parameters during suggestion search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as <ph name="SEARCH_TERM_MARKER">'{searchTerms}'</ph>, real search terms data replaces it.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_SUGGEST_URL_POST_PARAMS_POLICY_NAME">DefaultSearchProviderSuggestURLPostParams</ph> unset unset means suggest search requests are sent using the GET method.''',
},
{
'name': 'DefaultSearchProviderInstantURLPostParams',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:29-63', 'chrome_os:29-63', 'android:30-63'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'q={searchTerms},ie=utf-8,oe=utf-8',
'id': 232,
'caption': '''Parameters for instant URL which uses POST''',
'tags': [],
'desc': '''Specifies the parameters used when doing instant search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.
This policy is optional. If not set, instant search request will be sent using the GET method.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderImageURLPostParams',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:29-',
'chrome_os:29-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'content={imageThumbnail},url={imageURL},sbisrc={SearchSource}',
'id': 233,
'caption': '''Parameters for image URL which uses POST''',
'tags': [],
'desc': '''If <ph name="DEFAULT_SEARCH_PROVIDER_ENABLED_POLICY_NAME">DefaultSearchProviderEnabled</ph> is on, then setting <ph name="DEFAULT_SEARCH_PROVIDER_IMAGE_URL_POST_PARMS_POLICY_NAME">DefaultSearchProviderImageURLPostParams</ph> specifies the parameters during image search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as {imageThumbnail}, real image thumbnail data replaces it.
Leaving <ph name="DEFAULT_SEARCH_PROVIDER_IMAGE_URL_POST_PARMS_POLICY_NAME">DefaultSearchProviderImageURLPostParams</ph> unset means image search request is sent using the GET method.''',
},
{
'name': 'DefaultCookiesSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 4 ],
},
'items': [
{
'name': 'AllowCookies',
'value': 1,
'caption': '''Allow all sites to set local data''',
},
{
'name': 'BlockCookies',
'value': 2,
'caption': '''Do not allow any site to set local data''',
},
{
'name': 'SessionOnly',
'value': 4,
'caption': '''Keep cookies for the duration of the session''',
},
],
'supported_on': [
'chrome.*:10-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 48,
'caption': '''Default cookies setting''',
'tags': [],
'desc': '''Unless the <ph name="RESTORE_ON_STARTUP_POLICY_NAME">RestoreOnStartup</ph> policy is set to permanently restore URLs from previous sessions, then setting <ph name="COOKIES_SESSION_ONLY_FOR_URLS_POLICY_NAME">CookiesSessionOnlyForUrls</ph> lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.
Leaving the policy unset results in the use of <ph name="DEFAULT_COOKIES_SETTINGS_POLICY_NAME">DefaultCookiesSetting</ph> for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.
If <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is running in Background mode, the session might stay active until the user exits the browser, not just closes the last window. See <ph name="BACKGROUND_MODE_ENABLED_POLICY_NAME">BackgroundModeEnabled</ph> for details about configuring this behavior.
While no specific policy takes precedence, see <ph name="COOKIES_BLOCKED_FOR_URLS_POLICY_NAME">CookiesBlockedForUrls</ph> and <ph name="COOKIES_ALLOWED_FOR_URLS_POLICY_NAME">CookiesAllowedForUrls</ph>. URL patterns among these 3 policies must not conflict.''',
},
{
'name': 'DefaultImagesSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowImages',
'value': 1,
'caption': '''Allow all sites to show all images''',
},
{
'name': 'BlockImages',
'value': 2,
'caption': '''Do not allow any site to show images''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 49,
'caption': '''Default images setting''',
'tags': [],
'desc': '''Setting the policy to 1 lets all websites display images. Setting the policy to 2 denies image display.
Leaving it unset allows images, but users can change this setting.''',
},
{
'name': 'DefaultJavaScriptSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowJavaScript',
'value': 1,
'caption': '''Allow all sites to run JavaScript''',
},
{
'name': 'BlockJavaScript',
'value': 2,
'caption': '''Do not allow any site to run JavaScript''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 50,
'caption': '''Default JavaScript setting''',
'tags': [],
'desc': '''Setting the policy to 1 lets websites run JavaScript. Setting the policy to 2 denies JavaScript.
Leaving it unset allows JavaScript, but users can change this setting.''',
},
{
'name': 'DefaultPluginsSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3 ],
},
'items': [
{
'name': 'AllowPlugins',
'value': 1,
'caption': '''Allow all sites to automatically run the <ph name="FLASH_PLUGIN_NAME">Flash</ph> plugin''',
},
{
'name': 'BlockPlugins',
'value': 2,
'caption': '''Block the <ph name="FLASH_PLUGIN_NAME">Flash</ph> plugin''',
},
{
'name': 'ClickToPlay',
'value': 3,
'caption': '''Click to play''',
},
],
'supported_on': ['chrome.*:10-87', 'chrome_os:11-87'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 51,
'caption': '''Default <ph name="FLASH_PLUGIN_NAME">Flash</ph> setting''',
'tags': [],
'deprecated': True,
'desc': '''This policy is deprecated in M88, Flash is no longer supported by Chrome. Setting the policy to 1 lets you set whether all websites can automatically run the <ph name="FLASH_PLUGIN_NAME">Flash</ph> plugin. Setting the policy to 2 denies this plugin for all websites. Click to play lets the <ph name="FLASH_PLUGIN_NAME">Flash</ph> plugin run, but users click on the placeholder to start it.
Leaving the policy unset uses <ph name="BLOCK_PLUGINS_POLICY_NAME">BlockPlugins</ph> and lets users change this setting.
Note: Automatic playback is only for domains explicitly listed in the <ph name="PLUGINS_ALLOWED_FOR_URLS_POLICY_NAME">PluginsAllowedForUrls</ph> policy. To turn automatic playback on for all sites, add http://* and https://* to this list.''',
},
{
'name': 'DefaultPopupsSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowPopups',
'value': 1,
'caption': '''Allow all sites to show pop-ups''',
},
{
'name': 'BlockPopups',
'value': 2,
'caption': '''Do not allow any site to show popups''',
},
],
'supported_on': [
'chrome.*:10-',
'chrome_os:11-',
'android:33-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 52,
'caption': '''Default popups setting''',
'tags': [],
'desc': '''Setting the policy to 1 lets websites display pop-ups. Setting the policy to 2 denies pop-ups.
Leaving it unset means <ph name="BLOCK_POPUPS_POLICY_NAME">BlockPopups</ph> applies, but users can change this setting.''',
},
{
'name': 'DefaultNotificationsSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3 ],
},
'items': [
{
'name': 'AllowNotifications',
'value': 1,
'caption': '''Allow sites to show desktop notifications''',
},
{
'name': 'BlockNotifications',
'value': 2,
'caption': '''Do not allow any site to show desktop notifications''',
},
{
'name': 'AskNotifications',
'value': 3,
'caption': '''Ask every time a site wants to show desktop notifications''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'id': 53,
'caption': '''Default notification setting''',
'tags': [],
'desc': '''Setting the policy to 1 lets websites display desktop notifications. Setting the policy to 2 denies desktop notifications.
Leaving it unset means <ph name="ASK_NOTIFICATIONS_POLICY_NAME">AskNotifications</ph> applies, but users can change this setting.''',
},
{
'name': 'DefaultGeolocationSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3 ],
},
'items': [
{
'name': 'AllowGeolocation',
'value': 1,
'caption': '''Allow sites to track the users' physical location''',
},
{
'name': 'BlockGeolocation',
'value': 2,
'caption': '''Do not allow any site to track the users' physical location''',
},
{
'name': 'AskGeolocation',
'value': 3,
'caption': '''Ask whenever a site wants to track the users' physical location''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 54,
'caption': '''Default geolocation setting''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to 1 lets sites track the users' physical location as the default state. Setting the policy to 2 denies this tracking by default. You can set the policy to ask whenever a site wants to track the users' physical location.
Leaving the policy unset means the <ph name="ASK_GEOLOCATION_POLICY_NAME">AskGeolocation</ph> policy applies, but users can change this setting.''',
'arc_support': 'If this policy is set to <ph name="BLOCK_GEOLOCATION_SETTING">BlockGeolocation</ph>, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.',
},
{
'name': 'DefaultMediaStreamSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 2, 3 ],
},
'items': [
{
'name': 'BlockAccess',
'value': 2,
'caption': '''Do not allow any site to access the camera and microphone''',
},
{
'name': 'PromptOnAccess',
'value': 3,
'caption': '''Ask every time a site wants to access the camera and/or microphone''',
},
],
'supported_on': ['chrome.*:22-', 'chrome_os:22-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 2,
'id': 149,
'caption': '''Default mediastream setting''',
'tags': ['website-sharing'],
'desc': '''Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.
If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultWebBluetoothGuardSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 2, 3 ],
},
'items': [
{
'name': 'BlockWebBluetooth',
'value': 2,
'caption': '''Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API''',
},
{
'name': 'AskWebBluetooth',
'value': 3,
'caption': '''Allow sites to ask the user to grant access to a nearby Bluetooth device''',
},
],
'supported_on': ['chrome_os:50-', 'android:50-', 'chrome.*:50-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'default': None,
'id': 320,
'caption': '''Control use of the Web Bluetooth API''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.
Leaving the policy unset lets sites ask for access, but users can change this setting.''',
},
{
'name': 'DefaultKeygenSetting',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowKeygen',
'value': 1,
'caption': '''Allow all sites to use key generation''',
},
{
'name': 'BlockKeygen',
'value': 2,
'caption': '''Do not allow any site to use key generation''',
},
],
'supported_on': ['chrome.*:49-56', 'chrome_os:49-56', 'android:49-56'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 2,
'id': 313,
'caption': '''Default key generation setting''',
'tags': ['system-security', 'website-sharing', 'local-data-access'],
'desc': '''Allows you to set whether websites are allowed to use key generation. Using key generation can be either allowed for all websites or denied for all websites.
If this policy is left not set, 'BlockKeygen' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultSensorsSetting',
'owners': ['file://third_party/blink/renderer/modules/sensor/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ]
},
'items': [
{
'name': 'AllowSensors',
'value': 1,
'caption': '''Allow sites to access sensors''',
},
{
'name': 'BlockSensors',
'value': 2,
'caption': '''Do not allow any site to access sensors''',
}
],
'supported_on': ['chrome.*:88-', 'chrome_os:88-', 'android:88-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'default': None,
'id': 754,
'caption': '''Default sensors setting''',
'tags': [],
'desc': '''Setting the policy to 1 lets websites access and use sensors such as motion and light. Setting the policy to 2 denies acess to sensors.
Leaving it unset means <ph name="ALLOW_SENSORS_POLICY_NAME">AllowSensors</ph> applies, but users can change this setting.''',
},
{
'name': 'DefaultWebUsbGuardSetting',
'owners': ['reillyg@chromium.org', 'odejesush@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 2, 3 ],
},
'items': [
{
'name': 'BlockWebUsb',
'value': 2,
'caption': '''Do not allow any site to request access to USB devices via the WebUSB API''',
},
{
'name': 'AskWebUsb',
'value': 3,
'caption': '''Allow sites to ask the user to grant access to a connected USB device''',
},
],
'supported_on': ['chrome_os:67-', 'android:67-', 'chrome.*:67-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'default': None,
'id': 434,
'caption': '''Control use of the WebUSB API''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to 3 lets websites ask for access to connected USB devices. Setting the policy to 2 denies access to connected USB devices.
Leaving it unset lets websites ask for access, but users can change this setting.''',
},
{
'name': 'WebUsbAllowDevicesForUrls',
'owners': ['reillyg@chromium.org', 'odejesush@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'devices': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'vendor_id': { 'type': 'integer' },
'product_id': { 'type': 'integer' }
}
}
},
'urls': {
'type': 'array',
'items': { 'type': 'string' }
}
},
'required': ['devices', 'urls']
}
},
'supported_on': ['android:75-', 'chrome_os:74-', 'chrome.*:74-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [{
'devices': [{'vendor_id': 1234, 'product_id': 5678}],
'urls': ['https://google.com', 'https://requesting.com,https://embedded.com'],
}],
'id': 486,
'caption': '''Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.''',
'tags': ['website-sharing'],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs. Each item in the list requires both <ph name="DEVICES_FIELD_NAME">devices</ph> and <ph name="URLS_FIELD_NAME">urls</ph> fields for the policy to be valid. Each item in the <ph name="DEVICES_FIELD_NAME">devices</ph> field can have a <ph name="VENDOR_ID_FIELD_NAME">vendor_id</ph> and <ph name="PRODUCT_ID_FIELD_NAME">product_id</ph> field. Omitting the <ph name="VENDOR_ID_FIELD_NAME">vendor_id</ph> field will create a policy matching any device. Omitting the <ph name="PRODUCT_ID_FIELD_NAME">product_id</ph> field will create a policy matching any device with the given vendor ID. A policy which has a <ph name="PRODUCT_ID_FIELD_NAME">product_id</ph> field without a <ph name="VENDOR_ID_FIELD_NAME">vendor_id</ph> field is invalid.
The USB permission model uses the requesting and embedding URLs to grant the requesting URL permission to access the USB device. The requesting URL can be different than the embedding URL when the requesting site is loaded in an iframe. So, the <ph name="URLS_FIELD_NAME">urls</ph> field can have up to 2 URL strings delimited by a comma to specify the requesting and embedding URL, respectively. If only one URL is specified, then access to the corresponding USB devices is granted when the requesting site's URL matches this URL, regardless of embedding status. The URLs must be valid, otherwise the policy is ignored.
Leaving the policy unset means <ph name="DEFAULT_WEB_USB_GUARD_SETTING_POLICY_NAME">DefaultWebUsbGuardSetting</ph> applies, if it's set. If not, the user's personal setting applies.
URL patterns in this policy shouldn't conflict with those configured through <ph name="WEB_USB_BLOCKED_FOR_URLS_POLICY_NAME">WebUsbBlockedForUrls</ph>. If they do, this policy takes precedence over <ph name="WEB_USB_BLOCKED_FOR_URLS_POLICY_NAME">WebUsbBlockedForUrls</ph> and <ph name="WEB_USB_ASK_FOR_URLS_POLICY_NAME">WebUsbAskForUrls</ph>.''',
},
{
'name': 'DeviceLoginScreenWebUsbAllowDevicesForUrls',
'owners': ['reillyg@chromium.org', 'odejesush@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'devices': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'vendor_id': { 'type': 'integer' },
'product_id': { 'type': 'integer' }
}
}
},
'urls': {
'type': 'array',
'items': { 'type': 'string' }
}
},
'required': ['devices', 'urls']
}
},
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': [{
'devices': [{'vendor_id': 1234, 'product_id': 5678}],
'urls': ['https://google.com', 'https://requesting.com,https://embedded.com'],
}],
'id': 603,
'caption': '''Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen.''',
'tags': ['website-sharing'],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs on the login screen. Each item in the list requires both <ph name="DEVICES_FIELD_NAME">devices</ph> and <ph name="URLS_FIELD_NAME">urls</ph> fields for the policy to be valid. Each item in the <ph name="DEVICES_FIELD_NAME">devices</ph> field can have a <ph name="VENDOR_ID_FIELD_NAME">vendor_id</ph> and <ph name="PRODUCT_ID_FIELD_NAME">product_id</ph> field. Omitting the <ph name="VENDOR_ID_FIELD_NAME">vendor_id</ph> field will create a policy matching any device. Omitting the <ph name="PRODUCT_ID_FIELD_NAME">product_id</ph> field will create a policy matching any device with the given vendor ID. A policy which has a <ph name="PRODUCT_ID_FIELD_NAME">product_id</ph> field without a <ph name="VENDOR_ID_FIELD_NAME">vendor_id</ph> field is invalid.
The USB permission model uses the requesting and embedding URLs to grant the requesting URL permission to access the USB device. The requesting URL can be different than the embedding URL when the requesting site is loaded in an iframe. So, the <ph name="URLS_FIELD_NAME">urls</ph> field can have up to 2 URL strings delimited by a comma to specify the requesting and embedding URL, respectively. If only one URL is specified, then access to the corresponding USB devices is granted when the requesting site's URL matches this URL, regardless of embedding status. The URLs must be valid, otherwise the policy is ignored.
Leaving the policy unset puts the global default value in use for all sites (no automatic access).''',
},
{
'name': 'WebUsbAskForUrls',
'owners': ['reillyg@chromium.org', 'odejesush@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:68-', 'android:68-', 'chrome.*:68-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 439,
'caption': '''Allow WebUSB on these sites''',
'tags': ['website-sharing'],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a USB device.
Leaving the policy unset means <ph name="DEFAULT_WEB_USB_GUARD_SETTING_POLICY_NAME">DefaultWebUsbGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with <ph name="WEB_USB_ASK_FOR_URLS_POLICY_NAME">WebUsbAskForUrls</ph>. Neither policy takes precedence if a URL matches with both.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'WebUsbBlockedForUrls',
'owners': ['reillyg@chromium.org', 'odejesush@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:68-', 'android:68-', 'chrome.*:68-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 440,
'caption': '''Block WebUSB on these sites''',
'tags': [],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a USB device.
Leaving the policy unset means <ph name="DEFAULT_WEB_USB_GUARD_SETTING_POLICY_NAME">DefaultWebUsbGuardSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
URL patterns can't conflict with <ph name="WEB_USB_ASK_FOR_URLS_POLICY_NAME">WebUsbAskForUrls</ph>. Neither policy takes precedence if a URL matches with both.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'DefaultSerialGuardSetting',
'owners': ['reillyg@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 2, 3 ],
},
'items': [
{
'name': 'BlockSerial',
'value': 2,
'caption': '''Do not allow any site to request access to serial ports via the Serial API''',
},
{
'name': 'AskSerial',
'value': 3,
'caption': '''Allow sites to ask the user to grant access to a serial port''',
},
],
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'default': None,
'id': 751,
'caption': '''Control use of the Serial API''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to 3 lets websites ask for access to serial ports. Setting the policy to 2 denies access to serial ports.
Leaving it unset lets websites ask for access, but users can change this setting.''',
},
{
'name': 'SerialAskForUrls',
'owners': ['reillyg@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 752,
'caption': '''Allow the Serial API on these sites''',
'tags': ['website-sharing'],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a serial port.
Leaving the policy unset means <ph name="DEFAULT_SERIAL_GUARD_SETTING_POLICY_NAME">DefaultSerialGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
For URL patterns which do not match the policy <ph name="SERIAL_BLOCKED_FOR_URLS_POLICY_NAME">SerialBlockedForUrls</ph> (if there is a match), <ph name="DEFAULT_SERIAL_GUARD_SETTING_POLICY_NAME">DefaultSerialGuardSetting</ph> (if set), or the users' personal settings take precedence, in that order.
URL patterns must not conflict with <ph name="SERIAL_BLOCKED_FOR_URLS_POLICY_NAME">SerialBlockedForUrls</ph>. Neither policy takes precedence if a URL matches with both.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'SerialBlockedForUrls',
'owners': ['reillyg@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 753,
'caption': '''Block the Serial API on these sites''',
'tags': [],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a serial port.
Leaving the policy unset means <ph name="DEFAULT_SERIAL_GUARD_SETTING_POLICY_NAME">DefaultSerialGuardSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For URL patterns which do not match the policy <ph name="SERIAL_ASK_FOR_URLS_POLICY_NAME">SerialAskForUrls</ph> (if there is a match), <ph name="DEFAULT_SERIAL_GUARD_SETTING_POLICY_NAME">DefaultSerialGuardSetting</ph> (if set), or the users' personal settings take precedence, in that order.
URL patterns can't conflict with <ph name="SERIAL_ASK_FOR_URLS_POLICY_NAME">SerialAskForUrls</ph>. Neither policy takes precedence if a URL matches with both.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'DefaultFileSystemReadGuardSetting',
'owners': ['mek@chromium.org', 'file://content/browser/file_system_access/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 2, 3 ],
},
'items': [
{
'name': 'BlockFileSystemRead',
'value': 2,
'caption': '''Do not allow any site to request read access to files and directories via the File System API''',
},
{
'name': 'AskFileSystemRead',
'value': 3,
'caption': '''Allow sites to ask the user to grant read access to files and directories via the File System API''',
},
],
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'default': None,
'id': 773,
'caption': '''Control use of the File System API for reading''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to 3 lets websites ask for read access to files and directories in the host operating system's file system via the File System API. Setting the policy to 2 denies access.
Leaving it unset lets websites ask for access, but users can change this setting.''',
},
{
'name': 'DefaultFileSystemWriteGuardSetting',
'owners': ['mek@chromium.org', 'file://content/browser/file_system_access/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 2, 3 ],
},
'items': [
{
'name': 'BlockFileSystemWrite',
'value': 2,
'caption': '''Do not allow any site to request write access to files and directories''',
},
{
'name': 'AskFileSystemWrite',
'value': 3,
'caption': '''Allow sites to ask the user to grant write access to files and directories''',
},
],
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'default': None,
'id': 774,
'caption': '''Control use of the File System API for writing''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to 3 lets websites ask for write access to files and directories in the host operating system's file system. Setting the policy to 2 denies access.
Leaving it unset lets websites ask for access, but users can change this setting.''',
},
{
'name': 'FileSystemReadAskForUrls',
'owners': ['mek@chromium.org', 'file://content/browser/file_system_access/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 775,
'caption': '''Allow read access via the File System API on these sites''',
'tags': ['website-sharing'],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
Leaving the policy unset means <ph name="DEFAULT_FILE_SYSTEM_READ_GUARD_SETTING_POLICY_NAME">DefaultFileSystemReadGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with <ph name="FILE_SYSTEM_READ_BLOCKED_FOR_URLS_POLICY_NAME">FileSystemReadBlockedForUrls</ph>. Neither policy takes precedence if a URL matches with both.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'FileSystemReadBlockedForUrls',
'owners': ['mek@chromium.org', 'file://content/browser/file_system_access/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 776,
'caption': '''Block read access via the File System API on these sites''',
'tags': [],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
Leaving the policy unset means <ph name="DEFAULT_FILE_SYSTEM_READ_GUARD_SETTING_POLICY_NAME">DefaultFileSystemReadGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns can't conflict with <ph name="FILE_SYSTEM_READ_ASK_FOR_URLS_POLICY_NAME">FileSystemReadAskForUrls</ph>. Neither policy takes precedence if a URL matches with both.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'FileSystemWriteAskForUrls',
'owners': ['mek@chromium.org', 'file://content/browser/file_system_access/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 777,
'caption': '''Allow write access to files and directories on these sites''',
'tags': ['website-sharing'],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them write access to files or directories in the host operating system's file system.
Leaving the policy unset means <ph name="DEFAULT_FILE_SYSTEM_WRITE_GUARD_SETTING_POLICY_NAME">DefaultFileSystemWriteGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with <ph name="FILE_SYSTEM_WRITE_BLOCKED_FOR_URLS_POLICY_NAME">FileSystemWriteBlockedForUrls</ph>. Neither policy takes precedence if a URL matches with both.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'FileSystemWriteBlockedForUrls',
'owners': ['mek@chromium.org', 'file://content/browser/file_system_access/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 778,
'caption': '''Block write access to files and directories on these sites''',
'tags': [],
'desc': '''Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them write access to files or directories in the host operating system's file system.
Leaving the policy unset means <ph name="DEFAULT_FILE_SYSTEM_WRITE_GUARD_SETTING_POLICY_NAME">DefaultFileSystemWriteGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns can't conflict with <ph name="FILE_SYSTEM_WRITE_ASK_FOR_URLS_POLICY_NAME">FileSystemWriteAskForUrls</ph>. Neither policy takes precedence if a URL matches with both.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'AutoSelectCertificateForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'validation_schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'pattern': { 'type': 'string'},
'filter': {
'type': 'object',
'properties': {
'ISSUER': {
'type': 'object',
'id': 'CertPrincipalFields',
'properties': {
'CN': { 'type': 'string'},
'L': { 'type': 'string'},
'O': { 'type': 'string'},
'OU': { 'type': 'string'},
}
},
'SUBJECT': {
'$ref': 'CertPrincipalFields',
}
}
}
}
}
},
'supported_on': ['chrome.*:15-', 'chrome_os:15-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}'],
'id': 102,
'caption': '''Automatically select client certificates for these sites''',
'tags': ['website-sharing'],
'desc': '''Setting the policy lets you make a list of URL patterns that specify sites for which Chrome can automatically select a client certificate. The value is an array of stringified JSON dictionaries, each with the form <ph name="AUTO_SELECT_CERTIFICATE_FOR_URLS_EXAMPLE">{ "pattern": "$URL_PATTERN", "filter" : $FILTER }</ph>, where <ph name="URL_PATTERN_PLACEHOLDER">$URL_PATTERN</ph> is a content setting pattern. <ph name="FILTER_PLACEHOLDER">$FILTER</ph> restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.
Examples for the usage of the <ph name="FILTER_PLACEHOLDER">$FILTER</ph> section:
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> is set to <ph name="AUTO_SELECT_CERTIFICATE_FOR_URLS_FILTER_EXAMPLE">{ "ISSUER": { "CN": "$ISSUER_CN" } }</ph>, only client certificates issued by a certificate with the CommonName <ph name="ISSUER_CN_PLACEHOLDER">$ISSUER_CN</ph> are selected.
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> contains both the <ph name="ISSUER_STRING_VALUE">"ISSUER"</ph> and the <ph name="SUBJECT_STRING_VALUE">"SUBJECT"</ph> sections, only client certificates that satisfy both conditions are selected.
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> contains a <ph name="SUBJECT_STRING_VALUE">"SUBJECT"</ph> section with the <ph name="FILTER_STRING_ORGANIZATION">"O"</ph> value, a certificate needs at least one organization matching the specified value to be selected.
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> contains a <ph name="SUBJECT_STRING_VALUE">"SUBJECT"</ph> section with a <ph name="FILTER_STRING_ORGANIZATIONAL_UNIT">"OU"</ph> value, a certificate needs at least one organizational unit matching the specified value to be selected.
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> is set to <ph name="EMPTY_DICTIONARY">{}</ph>, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.
Leaving the policy unset means there's no autoselection for any site.''',
},
{
'name': 'DeviceLoginScreenAutoSelectCertificateForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'validation_schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'pattern': { 'type': 'string'},
'filter': {
'type': 'object',
'properties': {
'ISSUER': {
'$ref': 'CertPrincipalFields',
},
'SUBJECT': {
'$ref': 'CertPrincipalFields',
}
}
}
}
}
},
'supported_on': ['chrome_os:65-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': ['{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}'],
'id': 396,
'caption': '''Automatically select client certificates for these sites on the sign-in screen''',
'tags': ['website-sharing'],
'desc': '''Allows you to specify a list of url patterns that specify sites for which a client certificate is automatically selected on the sign-in screen in the frame hosting the SAML flow, if the site requests a certificate. An example usage is to configure a device-wide certificate to be presented to the SAML IdP.
The value is an array of stringified JSON dictionaries, each with the form <ph name="AUTO_SELECT_CERTIFICATE_FOR_URLS_EXAMPLE">{ "pattern": "$URL_PATTERN", "filter" : $FILTER }</ph>, where <ph name="URL_PATTERN_PLACEHOLDER">$URL_PATTERN</ph> is a content setting pattern. <ph name="FILTER_PLACEHOLDER">$FILTER</ph> restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.
Examples for the usage of the <ph name="FILTER_PLACEHOLDER">$FILTER</ph> section:
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> is set to <ph name="AUTO_SELECT_CERTIFICATE_FOR_URLS_FILTER_EXAMPLE">{ "ISSUER": { "CN": "$ISSUER_CN" } }</ph>, only client certificates issued by a certificate with the CommonName <ph name="ISSUER_CN_PLACEHOLDER">$ISSUER_CN</ph> are selected.
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> contains both the <ph name="ISSUER_STRING_VALUE">"ISSUER"</ph> and the <ph name="SUBJECT_STRING_VALUE">"SUBJECT"</ph> sections, only client certificates that satisfy both conditions are selected.
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> contains a <ph name="SUBJECT_STRING_VALUE">"SUBJECT"</ph> section with the <ph name="FILTER_STRING_ORGANIZATION">"O"</ph> value, a certificate needs at least one organization matching the specified value to be selected.
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> contains a <ph name="SUBJECT_STRING_VALUE">"SUBJECT"</ph> section with a <ph name="FILTER_STRING_ORGANIZATIONAL_UNIT">"OU"</ph> value, a certificate needs at least one organizational unit matching the specified value to be selected.
* When <ph name="FILTER_PLACEHOLDER">$FILTER</ph> is set to <ph name="EMPTY_DICTIONARY">{}</ph>, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.
If this policy is left not set, no auto-selection will be done for any site.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
},
{
'name': 'CookiesAllowedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 77,
'caption': '''Allow cookies on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to set cookies.
If this policy is left not set the global default value will be used for all sites either from the <ph name="DEFAULT_COOKIES_SETTINGS_POLICY_NAME">DefaultCookiesSetting</ph> policy if it is set, or the user's personal configuration otherwise.
See also policies <ph name="COOKIES_BLOCKED_FOR_URLS_POLICY_NAME">CookiesBlockedForUrls</ph> and <ph name="COOKIES_SESSIONS_ONLY_FOR_URLS">CookiesSessionOnlyForUrls</ph>. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'CookiesBlockedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 67,
'caption': '''Block cookies on these sites''',
'tags': [],
'desc': '''Setting the policy lets you make a list of URL patterns that specify sites that can't set cookies.
Leaving the policy unset results in the use of <ph name="DEFAULT_COOKIES_SETTINGS_POLICY_NAME">DefaultCookiesSetting</ph> for all sites, if it's set. If not, the user's personal setting applies.
While no specific policy takes precedence, see <ph name="COOKIES_ALLOWED_FOR_URLS_POLICY_NAME">CookiesAllowedForUrls</ph> and <ph name="COOKIES_SESSION_ONLY_FOR_URLS_POLICY_NAME">CookiesSessionOnlyForUrls</ph>. URL patterns among these 3 policies must not conflict.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'CookiesSessionOnlyForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 68,
'caption': '''Limit cookies from matching URLs to the current session''',
'tags': [],
'desc': '''Unless the <ph name="RESTORE_ON_STARTUP_POLICY_NAME">RestoreOnStartup</ph> policy is set to permanently restore URLs from previous sessions, then setting <ph name="COOKIES_SESSION_ONLY_FOR_URLS_POLICY_NAME">CookiesSessionOnlyForUrls</ph> lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.
Leaving the policy unset results in the use of <ph name="DEFAULT_COOKIES_SETTINGS_POLICY_NAME">DefaultCookiesSetting</ph> for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.
If <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is running in Background mode, the session might stay active until the user exits the browser, not just closes the last window. See <ph name="BACKGROUND_MODE_ENABLED_POLICY_NAME">BackgroundModeEnabled</ph> for details about configuring this behavior.
While no specific policy takes precedence, see <ph name="COOKIES_BLOCKED_FOR_URLS_POLICY_NAME">CookiesBlockedForUrls</ph> and <ph name="COOKIES_ALLOWED_FOR_URLS_POLICY_NAME">CookiesAllowedForUrls</ph>. URL patterns among these 3 policies must not conflict.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'ImagesAllowedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 69,
'caption': '''Allow images on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify sites that may display images.
Leaving the policy unset means <ph name="DEFAULT_IMAGES_SETTING_ENABLED_POLICY_NAME">DefaultImagesSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.
Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.''',
},
{
'name': 'ImagesBlockedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 70,
'caption': '''Block images on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify sites that can't display images.
Leaving the policy unset means <ph name="DEFAULT_IMAGE_SETTING_ENABLED_POLICY_NAME">DefaultImagesSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.
Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.''',
},
{
'name': 'JavaScriptAllowedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 71,
'caption': '''Allow JavaScript on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify the sites that can run JavaScript.
Leaving the policy unset means <ph name="DEFAULT_JAVA_SCRIPT_SETTING_POLICY_NAME">DefaultJavaScriptSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'JavaScriptBlockedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 72,
'caption': '''Block JavaScript on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify the sites that can't run JavaScript.
Leaving the policy unset means <ph name="DEFAULT_JAVA_SCRIPT_SETTING_POLICY_NAME">DefaultJavaScriptSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'KeygenAllowedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:49-56', 'chrome_os:49-56', 'android:49-56'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 314,
'caption': '''Allow key generation on these sites''',
'tags': ['system-security', 'website-sharing', 'local-data-access'],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to use key generation. If a url pattern is in 'KeygenBlockedForUrls', that overrides these exceptions.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultKeygenSetting' policy if it is set, or the user's personal configuration otherwise.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'KeygenBlockedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:49-56', 'chrome_os:49-56', 'android:49-56'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 315,
'caption': '''Block key generation on these sites''',
'tags': ['system-security', 'website-sharing', 'local-data-access'],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to use key generation. If a url pattern is in 'KeygenAllowedForUrls', this policy overrides these exceptions.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultKeygenSetting' policy if it is set, or the user's personal configuration otherwise.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'LegacySameSiteCookieBehaviorEnabled',
'owners': [ 'chlily@chromium.org', ],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, ],
},
'items': [
{
'name': 'DefaultToLegacySameSiteCookieBehavior',
'value': 1,
'caption': '''Revert to legacy <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> behavior for cookies on all sites''',
},
{
'name': 'DefaultToSameSiteByDefaultCookieBehavior',
'value': 2,
'caption': '''Use <ph name="FEATURE_NAME_SAMESITE_BY_DEFAULT_COOKIES">SameSite-by-default</ph> behavior for cookies on all sites''',
},
],
'supported_on': [
'chrome.*:79-',
'chrome_os:79-',
'android:79-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 623,
'caption': '''Default legacy <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> cookie behavior setting''',
'tags': [],
'desc': '''Allows you to revert all cookies to legacy <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> behavior. Reverting to legacy behavior causes cookies that don't specify a <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> attribute to be treated as if they were "<ph name="ATTRIBUTE_VALUE_SAMESITE_NONE">SameSite=None</ph>", removes the requirement for "<ph name="ATTRIBUTE_VALUE_SAMESITE_NONE">SameSite=None</ph>" cookies to carry the "<ph name="ATTRIBUTE_SECURE_NAME">Secure</ph>" attribute, and skips the scheme comparison when evaluating if two sites are same-site. See https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies for full description.
When this policy is not set, the default <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> behavior for cookies will depend on the user's personal configuration for the <ph name="FEATURE_NAME_SAMESITE_BY_DEFAULT_COOKIES">SameSite-by-default</ph> feature, the <ph name="FEATURE_NAME_SAMESITE_NONE_MUST_BE_SECURE">Cookies-without-SameSite-must-be-secure</ph> feature, and the <ph name="FEATURE_NAME_SCHEMEFUL_SAME_SITE">Schemeful Same-Site</ph> feature which may be set by a field trial or by enabling or disabling the <ph name="FLAG_NAME_SAMESITE_BY_DEFAULT_COOKIES">same-site-by-default-cookies</ph> flag, the <ph name="FLAG_NAME_SAMESITE_NONE_MUST_BE_SECURE">cookies-without-same-site-must-be-secure</ph> flag, or the <ph name="FLAG_NAME_SCHEMEFUL_SAME_SITE">schemeful-same-site</ph> flag, respectively.''',
},
{
'name': 'LegacySameSiteCookieBehaviorEnabledForDomainList',
'owners': [ 'chlily@chromium.org', ],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:79-',
'chrome_os:79-',
'android:79-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['www.example.com', '[*.]example.edu'],
'id': 624,
'caption': '''Revert to legacy <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> behavior for cookies on these sites''',
'tags': [],
'desc': '''Cookies set for domains matching these patterns will revert to legacy <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> behavior. Reverting to legacy behavior causes cookies that don't specify a <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> attribute to be treated as if they were "<ph name="ATTRIBUTE_VALUE_SAMESITE_NONE">SameSite=None</ph>", removes the requirement for "<ph name="ATTRIBUTE_VALUE_SAMESITE_NONE">SameSite=None</ph>" cookies to carry the "<ph name="ATTRIBUTE_SECURE_NAME">Secure</ph>" attribute, and skips the scheme comparison when evaluating if two sites are same-site. See https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies for full description.
For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be used either from the <ph name="LEGACY_SAMESITE_COOKIE_BEHAVIOR_ENABLED_POLICY_NAME">LegacySameSiteCookieBehaviorEnabled</ph> policy, if it is set, or the user's personal configuration otherwise.
Note that patterns you list here are treated as domains, not URLs, so you should not specify a scheme or port.''',
},
{
'name': 'InsecurePrivateNetworkRequestsAllowed',
'owners': [
'titouan@chromium.org',
'clamy@chromium.org',
'mkwst@chromium.org',
],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': [
'chrome.*',
'chrome_os',
'android',
'webview_android',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 766,
'caption': '''Specifies whether to allow insecure websites to make requests to more-private network endpoints''',
'tags': ['system-security'],
'desc': '''Controls whether insecure websites are allowed to make requests to more-private network endpoints.
This policy relates to the CORS-RFC1918 specification. See https://wicg.github.io/cors-rfc1918 for more details.
A network endpoint is more private than another if:
1) Its IP address is localhost and the other is not.
2) Its IP address is private and the other is public.
In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.
A website is deemed secure if it meets the definition of a secure context in https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts. Otherwise, it will be treated as an insecure context.
When this policy is either not set or set to false, the default behavior for requests from insecure contexts to more-private network endpoints will depend on the user's personal configuration for the <ph name="BLOCK_INSECURE_PRIVATE_NETWORK_REQUESTS_FEATURE_NAME">BlockInsecurePrivateNetworkRequests</ph> feature, which may be set by a field trial or on the command line.
When this policy is set to true, insecure websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.''',
},
{
'name': 'InsecurePrivateNetworkRequestsAllowedForUrls',
'owners': [
'titouan@chromium.org',
'clamy@chromium.org',
'mkwst@chromium.org',
],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'future_on': [
'chrome.*',
'chrome_os',
'android',
'webview_android',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['http://www.example.com:8080', '[*.]example.edu'],
'id': 767,
'caption': '''Allow the listed sites to make requests to more-private network endpoints from insecure contexts.''',
'tags': ['system-security'],
'desc': '''List of URL patterns. Private network requests initiated from insecure websites served by matching origins are allowed.
If unset, this policy behaves as if set to the empty list.
For origins not covered by the patterns specified here, the global default value will be used either from the <ph name="INSECURE_PRIVATE_NETWORK_REQUESTS_ALLOWED_POLICY_NAME">InsecurePrivateNetworkRequestsAllowed</ph> policy, if it is set, or the user's personal configuration otherwise.
Note that this policy only affects insecure origins, so secure origins (e.g. https://example.com) included in this list will be ignored.
For detailed information on valid URL patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
},
{
'name': 'PluginsAllowedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-87', 'chrome_os:11-87'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', 'http://example.edu:8080'],
'id': 73,
'caption': '''Allow the <ph name="FLASH_PLUGIN_NAME">Flash</ph> plugin on these sites''',
'tags': [],
'deprecated': True,
'desc': '''This policy is deprecated in M88, Flash is no longer supported by Chrome. Setting the policy lets you set a list of URL patterns that specify the sites that can run the <ph name="FLASH_PLUGIN_NAME">Flash</ph> plugin.
Leaving the policy unset means <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. However, starting in M85, patterns with '*' and '[*.]' wildcards in the host are no longer supported for this policy.''',
},
{
'name': 'PluginsBlockedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-87', 'chrome_os:11-87'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', 'http://example.edu:8080'],
'id': 74,
'caption': '''Block the <ph name="FLASH_PLUGIN_NAME">Flash</ph> plugin on these sites''',
'tags': [],
'deprecated': True,
'desc': '''This policy is deprecated in M88, Flash is no longer supported by Chrome. Setting the policy lets you set a list of URL patterns that specify the sites that can't run the <ph name="FLASH_PLUGIN_NAME">Flash</ph> plugin.
Leaving the policy unset means <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. However, starting in M85, patterns with '*' and '[*.]' wildcards in the host are no longer supported for this policy.''',
},
{
'name': 'PopupsAllowedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'android:34-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 75,
'caption': '''Allow popups on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify the sites that can open pop-ups.
Leaving the policy unset means <ph name="DEFAULT_POPUPS_SETTING_POLICY_NAME">DefaultPopupsSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'RegisteredProtocolHandlers',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'default': {
'description': 'A boolean flag indicating if the protocol handler should be set as the default.',
'type': 'boolean'
},
'protocol': {
'description': 'The protocol for the protocol handler.',
'type': 'string'
},
'url': {
'description': 'The URL of the protocol handler.',
'type': 'string'
}
},
'required': ['protocol', 'url']
}
},
'supported_on': ['chrome.*:37-', 'chrome_os:37-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
'can_be_recommended': True,
'can_be_mandatory' : False,
},
'example_value': [{'protocol': 'mailto', 'url': 'https://mail.google.com/mail/?extsrc=mailto&url=%s', 'default': True}],
'id': 268,
'caption': '''Register protocol handlers''',
'tags': [],
'desc': '''Setting the policy (as recommended only) lets you register a list of protocol handlers, which merge with the ones that the user registers, putting both sets in use. Set the property "protocol" to the scheme, such as "mailto", and set the property "URL" to the URL pattern of the application that handles the scheme specified in the "protocol" field. The pattern can include a "%s" placeholder, which the handled URL replaces.
Users can't remove a protocol handler registered by policy. However, by installing a new default handler, they can change the protocol handlers installed by policy.''',
'arc_support': 'The protocol handlers set via this policy are not used when handling Android intents.',
},
{
'name': 'PopupsBlockedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'android:34-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 76,
'caption': '''Block popups on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify the sites that can't open pop-ups.
Leaving the policy unset means <ph name="DEFAULT_POPUPS_SETTING_POLICY_NAME">DefaultPopupsSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'NotificationsAllowedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:16-', 'chrome_os:16-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 105,
'caption': '''Allow notifications on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify the sites that can display notifications.
Leaving the policy unset means <ph name="DEFAULT_JAVA_SCRIPT_SETTING_POLICY_NAME">DefaultJavaScriptSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'NotificationsBlockedForUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:16-', 'chrome_os:16-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 106,
'caption': '''Block notifications on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify the sites that can't display notifications.
Leaving the policy unset means <ph name="DEFAULT_JAVA_SCRIPT_SETTING_POLICY_NAME">DefaultJavaScriptSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'SensorsAllowedForUrls',
'owners': ['file://third_party/blink/renderer/modules/sensor/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:88-', 'chrome_os:88-', 'android:88-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 755,
'caption': '''Allow access to sensors on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify the sites that can access sensors like motion and light sensors.
Leaving the policy unset means <ph name="DEFAULT_SENSORS_SETTING_POLICY_NAME">DefaultSensorsSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
If the same URL pattern exists in both this policy and the <ph name="SENSORS_BLOCKED_FOR_URLS_POLICY_NAME">SensorsBlockedForUrls</ph> policy, the latter is prioritized and access to motion or light sensors will be blocked.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'SensorsBlockedForUrls',
'owners': ['file://third_party/blink/renderer/modules/sensor/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:88-', 'chrome_os:88-', 'android:88-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 756,
'caption': '''Block access to sensors on these sites''',
'tags': [],
'desc': '''Setting the policy lets you set a list of URL patterns that specify the sites that can't access sensors like motion and light sensors.
Leaving the policy unset means <ph name="DEFAULT_SENSORS_SETTING_POLICY_NAME">DefaultSensorsSetting</ph> applies for all sites, if it's set. If not, the user's personal setting applies.
If the same URL pattern exists in both this policy and the <ph name="SENSORS_ALLOWED_FOR_URLS_POLICY_NAME">SensorsAllowedForUrls</ph> policy, this policy is prioritized and access to motion or light sensors will be blocked.
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'NativeMessagingBlacklist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:34-'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
'com.native.messaging.host.name1',
'com.native.messaging.host.name2',
],
'id': 251,
'caption': '''Configure native messaging blocklist''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="NATIVE_MESSAGING_BLOCKLIST_POLICY_NAME">NativeMessagingBlocklist</ph>' policy instead.
Setting the policy specifies which native messaging hosts shouldn't be loaded. A deny list value of <ph name="WILDCARD_VALUE">*</ph> means all native messaging hosts are denied, unless they're explicitly allowed.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> loads all installed native messaging hosts.''',
'label': '''Names of the forbidden native messaging hosts (or * for all)''',
},
{
'name': 'NativeMessagingBlocklist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
'com.native.messaging.host.name1',
'com.native.messaging.host.name2',
],
'id': 744,
'caption': '''Configure native messaging blocklist''',
'tags': [],
'desc': '''Setting the policy specifies which native messaging hosts shouldn't be loaded. A deny list value of <ph name="WILDCARD_VALUE">*</ph> means all native messaging hosts are denied, unless they're explicitly allowed.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> loads all installed native messaging hosts.''',
'label': '''Names of the forbidden native messaging hosts (or * for all)''',
},
{
'name': 'NativeMessagingWhitelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:34-'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
'com.native.messaging.host.name1',
'com.native.messaging.host.name2',
],
'id': 252,
'caption': '''Configure native messaging whitelist''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="NATIVE_MESSAGING_ALLOWLIST_POLICY_NAME">NativeMessagingAllowlist</ph>' policy instead.
Setting the policy specifies which native messaging hosts aren't subject to the deny list. A deny list value of <ph name="WILDCARD_VALUE">*</ph> means all native messaging hosts are denied, unless they're explicitly allowed.
All native messaging hosts are allowed by default. But, if all native messaging hosts are denied by policy, the admin can use the allow list to change that policy.''',
'label': '''Names of the native messaging hosts to exempt from the blocklist''',
},
{
'name': 'NativeMessagingAllowlist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
'com.native.messaging.host.name1',
'com.native.messaging.host.name2',
],
'id': 745,
'caption': '''Configure native messaging allowlist''',
'tags': [],
'desc': '''Setting the policy specifies which native messaging hosts aren't subject to the deny list. A deny list value of <ph name="WILDCARD_VALUE">*</ph> means all native messaging hosts are denied, unless they're explicitly allowed.
All native messaging hosts are allowed by default. But, if all native messaging hosts are denied by policy, the admin can use the allow list to change that policy.''',
'label': '''Names of the native messaging hosts to exempt from the blocklist''',
},
{
'name': 'NativeMessagingUserLevelHosts',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:34-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 253,
'caption': '''Allow user-level Native Messaging hosts (installed without admin permissions)''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can use native messaging hosts installed at the user level.
Setting the policy to Disabled means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can only use these hosts if installed at the system level.''',
},
{
'name': 'Disable3DAPIs',
'owners': ['kbr@chromium.org', 'zmo@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:9-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 55,
'caption': '''Disable support for 3D graphics APIs''',
'tags': [],
'desc': '''Setting the policy to True (or setting <ph name="HARDWARE_ACCELERATION_MODE_ENABLED_POLICY_NAME">HardwareAccelerationModeEnabled</ph> to False) prevents webpages from accessing the WebGL API, and plugins can't use the Pepper 3D API.
Setting the policy to False or leaving it unset lets webpages use the WebGL API and plugins use the Pepper 3D API, but the browser's default settings might still require command line arguments to use these APIs.''',
},
{
'name': 'PolicyRefreshRate',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 1800000, 'maximum': 86400000 },
'supported_on': ['chrome_os:11-', 'chrome.*:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 3600000,
'id': 56,
'caption': '''Refresh rate for user policy''',
'tags': [],
'desc': '''Setting the policy specifies the period in milliseconds at which the device management service is queried for user policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.
Leaving the policy unset uses the default value of 3 hours.
Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).''',
},
{
'name': 'MaxInvalidationFetchDelay',
'owners': ['stepco@chromium.org', 'poromov@chromium.org'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 1000, 'maximum': 300000 },
'supported_on': ['chrome.*:30-', 'chrome_os:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 10000,
'default': 10000,
'id': 228,
'caption': '''Maximum fetch delay after a policy invalidation''',
'tags': [],
'desc': '''Setting the policy specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service. Valid values range from 1,000 (1 second) to 300,000 (5 minutes). Values outside this range will be clamped to the respective boundary.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the default value of 10 seconds.''',
},
{
'name': 'ChromeFrameRendererSettings',
'owners': ['tommi@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'RenderInHost',
'value': 0,
'caption': '''Use the host browser by default''',
},
{
'name': 'RenderInChromeFrame',
'value': 1,
'caption': '''Use <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> by default''',
},
],
'supported_on': ['chrome_frame:8-32'],
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': 1,
'id': 57,
'caption': '''Default HTML renderer for <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'tags': [],
'desc': '''Allows you to configure the default HTML renderer when <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> is installed.
The default setting used when this policy is left not set is to allow the host browser do the rendering, but you can optionally override this and have <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> render HTML pages by default.''',
},
{
'name': 'RenderInChromeFrameList',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_frame:8-32'],
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': ['https://www.example.com', 'https://www.example.edu'],
'id': 58,
'caption': '''Always render the following URL patterns in <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'tags': [],
'desc': '''Customize the list of URL patterns that should always be rendered by <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>.
If this policy is not set the default renderer will be used for all sites as specified by the 'ChromeFrameRendererSettings' policy.
For example patterns see https://www.chromium.org/developers/how-tos/chrome-frame-getting-started.''',
},
{
'name': 'RenderInHostList',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_frame:8-32'],
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': ['https://www.example.com', 'https://www.example.edu'],
'id': 59,
'caption': '''Always render the following URL patterns in the host browser''',
'tags': [],
'desc': '''Customize the list of URL patterns that should always be rendered by the host browser.
If this policy is not set the default renderer will be used for all sites as specified by the 'ChromeFrameRendererSettings' policy.
For example patterns see https://www.chromium.org/developers/how-tos/chrome-frame-getting-started.''',
},
{
'name': 'AdditionalLaunchParameters',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_frame:19-32'],
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': '--enable-media-stream --enable-media-source',
'id': 141,
'caption': '''Additional command line parameters for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''Allows you to specify additional parameters that are used when <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> launches <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is not set the default command line will be used.''',
},
{
'name': 'SkipMetadataCheck',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_frame:31-32'],
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': False,
'id': 238,
'caption': '''Skip the meta tag check in <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'tags': [],
'desc': '''Normally pages with X-UA-Compatible set to chrome=1 will be rendered in <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> regardless of the 'ChromeFrameRendererSettings' policy.
If you enable this setting, pages will not be scanned for meta tags.
If you disable this setting, pages will be scanned for meta tags.
If this policy is not set, pages will be scanned for meta tags.'''
},
{
'name': 'ChromeFrameContentTypes',
'owners': ['tommi@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_frame:8-32'],
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': ['text/xml', 'application/xml'],
'id': 60,
'caption': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the listed content types''',
'tags': [],
'desc': '''If this policy is set, the specified content types are handled by <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>.
If this policy is not set, the default renderer is used for all sites. (The <ph name="CHROME_FRAME_RENDERER_SETTINGS_POLICY_NAME">ChromeFrameRendererSettings</ph> policy may be used to configure the default renderer.)''',
},
{
'name': 'ChromeOsLockOnIdleSuspend',
'owners': ['xiyuan@chromium.org', 'ultrotter@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:9-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 61,
'caption': '''Enable lock when the device become idle or suspended''',
'tags': [],
'desc': '''Setting the policy to Enabled means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> asks users for a password to unlock the device when it becomes idle.
Setting the policy to Disabled means users are not asked for a password to unlock the device from sleep.
Leaving the policy unset lets the user choose whether to be prompted for a password to unlock the device from sleep.''',
},
{
'name': 'ChromeOsMultiProfileUserBehavior',
'owners': ['xiyuan@chromium.org', 'sinhak@chromium.org', 'tellier@google.com', 'rsorokin@chromium.org', 'cros-oac@google.com'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'unrestricted',
'primary-only',
'not-allowed',
],
},
'items': [
{
'name': 'MultiProfileUserBehaviorUnrestricted',
'value': 'unrestricted',
'caption': '''Allow enterprise user to be both primary and secondary (Default behavior for non-managed users)''',
},
{
'name': 'MultiProfileUserBehaviorMustBePrimary',
'value': 'primary-only',
'caption': '''Allow enterprise user to be primary multiprofile user only (Default behavior for enterprise-managed users)''',
},
{
'name': 'MultiProfileUserBehaviorNotAllowed',
'value': 'not-allowed',
'caption': '''Do not allow enterprise user to be part of multiprofile (primary or secondary)''',
},
],
'supported_on': ['chrome_os:31-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'unrestricted',
'default_for_enterprise_users': 'primary-only',
'id': 244,
'caption': '''Control the user behavior in a multiprofile session''',
'tags': [],
'desc': '''Control the user behavior in a multiprofile session on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices.
If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can be either primary or secondary user in a multiprofile session.
If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user can only be the primary user in a multiprofile session.
If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user cannot be part of a multiprofile session.
If you set this setting, users cannot change or override it.
If the setting is changed while the user is signed into a multiprofile session, all users in the session will be checked against their corresponding settings. The session will be closed if any one of the users is no longer allowed to be in the session.
If the policy is left not set, the default value 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed users.''',
'arc_support': 'When multiple users are logged in, only the primary user can use Android apps.',
},
{
'name': 'SecondaryGoogleAccountSigninAllowed',
'owners': ['sinhak@chromium.org', 'anastasiian@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:65-'],
'features': {
# The case where a user is already signed into an unmanaged account cannot be handled right now and hence this is not dynamic.
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'id': 406,
'caption': '''Allow Sign-in To Additional Google Accounts''',
'tags': [],
'desc': '''This setting allows users to switch between Google Accounts within the content area of their browser window and in Android applications, after they sign into their <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> device.
If this policy is set to false, signing in to a different Google Account from a non-Incognito browser content area and Android applications will not be allowed.
If this policy is unset or set to true, the default behavior will be used: signing in to a different Google Account from the browser content area and Android applications will be allowed, except for child accounts where it will be blocked for non-Incognito content area.
In case signing in to a different account shouldn't be allowed via the Incognito mode, consider blocking that mode using the IncognitoModeAvailability policy.
Note that users will be able to access Google services in an unauthenticated state by blocking their cookies.''',
},
{
'name': 'ForceLogoutUnauthenticatedUserEnabled',
'owners': ['solovey@google.com', 'sinhak@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:81-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'id': 679,
'caption': '''Force logout the user when their account becomes unauthenticated''',
'tags': [],
'desc': '''Force logout the user when their primary account's authentication token becomes invalid.
This policy can protect the user from access to restricted content on Google web properties.
If this policy is set to True, the user will be logged out as soon as their authentication token becomes invalid and attempts to restore this token fail.
If this policy is set to False or unset, the user can continue working in an unauthenticated state.'''
},
{
'name': 'SecurityTokenSessionBehavior',
'owners': ['fabiansommer@chromium.org, emaxx@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [ 'IGNORE', 'LOGOUT', 'LOCK' ],
},
'items': [
{
'name': 'ignore',
'value': 'IGNORE',
'caption': '''No action happens.''',
},
{
'name': 'logout',
'value': 'LOGOUT',
'caption': '''Log the user out.''',
},
{
'name': 'lock',
'value': 'LOCK',
'caption': '''Lock the current session.''',
},
],
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'LOGOUT',
'id': 799,
'caption': '''Action on security token removal (e.g., smart card) for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'tags': [],
'desc': '''Specifies what happens when a user who is authenticating via a security token (e.g., with a smart card) removes that token while in a session. <ph name="SECURITY_TOKEN_SESSION_BEHAVIOR_IGNORE">IGNORE</ph>: Nothing happens. <ph name="SECURITY_TOKEN_SESSION_BEHAVIOR_LOCK">LOCK</ph>: The screen is locked until the user authenticates again. <ph name="SECURITY_TOKEN_SESSION_BEHAVIOR_LOGOUT">LOGOUT</ph>: The session is ended and the user is logged out. If this policy is not set, it defaults to <ph name="SECURITY_TOKEN_SESSION_BEHAVIOR_IGNORE">IGNORE</ph>.'''
},
{
'name': 'SecurityTokenSessionNotificationSeconds',
'owners': ['fabiansommer@chromium.org, emaxx@chromium.org'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 0, 'maximum': 9999 },
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 10,
'id': 800,
'caption': '''Duration of the notification on smart card removal for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'tags': [],
'desc': '''This policy only takes effect when the policy <ph name="SECURITY_TOKEN_SESSION_BEHAVIOR_POLICY_NAME">SecurityTokenSessionBehavior</ph> is set to <ph name="SECURITY_TOKEN_SESSION_BEHAVIOR_LOCK">LOCK</ph> or <ph name="SECURITY_TOKEN_SESSION_BEHAVIOR_LOGOUT">LOGOUT</ph>, and a user who authenticates via a smart card removes that smart card. Then, this policy specifies for how many seconds a notification which informs the user of the impending action is displayed. This notification is blocking the screen. The action will only happen after this notification expires. The user can prevent the action from happening by re-inserting the smart card before the notification expires. If this policy is set to zero, no notification will be displayed and the action happens immediately.'''
},
{
'name': 'TargetBlankImpliesNoOpener',
'owners': ['ericlaw@microsoft.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:88-', 'chrome_os:88-', 'android:88-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Only allow popups opened with a target of <ph name="BLANK_PAGE_NAME">_blank</ph> to interact with the page that opened the popup if the opener page explicitly opts-in to such interaction',
},
{
'value': False,
'caption': 'Allow all popups opened with a target of <ph name="BLANK_PAGE_NAME">_blank</ph> to interact the page that requested to open the popup unless the opener page explicitly opts-out of such interaction ',
},
],
'example_value': False,
'default': True,
'id': 802,
'caption': '''Do not set <ph name="WINDOW_OPENER_PROPERTY">window.opener</ph> for links targeting <ph name="BLANK_PAGE_NAME">_blank</ph>''',
'tags': [],
'desc': '''Setting the policy to Disabled allows popups targeting <ph name="BLANK_PAGE_NAME">_blank</ph> to access (via JavaScript) the page that requested to open the popup.
Setting the policy to Enabled or leaving it unset causes the <ph name="WINDOW_OPENER_PROPERTY">window.opener</ph> property to be set to <ph name="NULL_VALUE">null</ph> unless the anchor specifies <ph name="REL_OPENER_ATTRIBUTE">rel="opener"</ph>.
This policy will be removed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 95.
See https://chromestatus.com/feature/6140064063029248.''',
},
{
'name': 'InstantEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-28', 'chrome_os:11-28'],
'deprecated': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 62,
'caption': '''Enable Instant''',
'tags': [],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s Instant feature and prevents users from changing this setting.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Instant is enabled.
If you disable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Instant is disabled.
If you enable or disable this setting, users cannot change or override this setting.
If this setting is left not set the user can decide to use this function or not.
This setting has been removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 29 and higher versions.''',
},
{
'name': 'AppRecommendationZeroStateEnabled',
'owners': ['robsc@chromium.org', 'bartfab@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'features': {
'per_profile': True,
'dynamic_refresh': True
},
'example_value': True,
'id': 563,
'caption': '''Enable App Recommendations in Zero State of Search Box''',
'tags': [],
'desc': '''Setting this policy to Enabled will cause recommendations for apps previously installed by the user on other devices. These recommendations will appear in the launcher after the local app recomendations, if no search text has been entered.
Setting this policy as Disabled or leaving it unset means these recommendations do not appear.
If this policy is set, users cannot change it.'''
},
{
'name': 'TranslateEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:12-',
'chrome_os:12-',
'android:30-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 80,
'caption': '''Enable Translate''',
'tags': [],
'desc': '''Setting the policy to True provides translation functionality when it's appropriate for users by showing an integrated translate toolbar in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and a translate option on the right-click context menu. Setting the policy to False shuts off all built-in translate features.
If you set the policy, users can't change this function. Leaving it unset lets them change the setting.''',
},
{
'name': 'AllowOutdatedPlugins',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:12-87', 'chrome_os:12-87'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 81,
'caption': '''Allow running plugins that are outdated''',
'tags': ['system-security'],
'deprecated': True,
'desc': '''This policy is deprecated in M88, Flash is no longer supported by Chrome. Setting the policy to Enabled means outdated plugins are used as normal plugins. Setting the policy to Disabled means outdated plugins aren't used.
Leaving the policy unset means users will be asked for permission to run outdated plugins.''',
},
{
'name': 'AlwaysAuthorizePlugins',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:13-64', 'chrome_os:13-64'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 86,
'caption': '''Always runs plugins that require authorization (deprecated)''',
'tags': ['system-security'],
'desc': '''If you enable this setting, plugins that are not outdated always run.
If this setting is disabled or not set, users will be asked for permission to run plugins that require authorization. These are plugins that can compromise security.''',
},
{
'name': 'RunAllFlashInAllowMode',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:63-', 'chrome_os:63-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 391,
'caption': '''Extend Flash content setting to all content''',
'tags': ['system-security'],
'desc': '''Setting the policy to True runs all <ph name="FLASH_PLUGIN_NAME">Flash</ph> content embedded on websites that allow <ph name="FLASH_PLUGIN_NAME">Flash</ph>, including content from other origins or small content.
Setting the policy to False or leaving it unset might block <ph name="FLASH_PLUGIN_NAME">Flash</ph> content from other origins or small content.
Note: To control which websites can run <ph name="FLASH_PLUGIN_NAME">Flash</ph>, see these policies: <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph>, <ph name="PLUGINS_ALLOWED_FOR_URLS_POLICY_NAME">PluginsAllowedForUrls</ph>, and <ph name="PLUGINS_BLOCKED_FOR_URLS_POLICY_NAME">PluginsBlockedForUrls</ph>.''',
},
{
'name': 'BookmarkBarEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:12-', 'chrome_os:12-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 82,
'caption': '''Enable Bookmark Bar''',
'tags': [],
'desc': '''Setting the policy to True displays a bookmark bar in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Setting the policy to False means users never see the bookmark bar.
If you set the policy, users can't change it. If not set, users decide whether to use this function.''',
},
{
'name': 'EditBookmarksEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:12-',
'chrome_os:12-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 83,
'caption': '''Enable or disable bookmark editing''',
'tags': [],
'desc': '''Setting the policy to True or leaving it unset lets users add, remove, or modify bookmarks.
Setting the policy to False means users can't add, remove, or modify bookmarks. They can still use existing bookmarks.''',
},
{
'name': 'ShowAppsShortcutInBookmarkBar',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:37-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Show the apps shortcut in the bookmark bar',
},
{
'value': False,
'caption': 'Do not show the apps shortcut in the bookmark bar',
},
{
'value': None,
'caption': 'Allow the user to decide',
},
],
'example_value': False,
'default': None,
'id': 267,
'caption': '''Show the apps shortcut in the bookmark bar''',
'tags': [],
'desc': '''Setting the policy to True displays the apps shortcut. Setting the policy to False means this shortcut never appears.
If you set the policy, users can't change it. If not set, users decide to show or hide the apps shortcut from the bookmark bar context menu.''',
},
{
'name': 'AllowFileSelectionDialogs',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:12-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Allow file selection dialogs',
},
{
'value': False,
'caption': 'Prevent file selection dialogs',
},
],
'example_value': True,
'default': True,
'id': 84,
'caption': '''Allow invocation of file selection dialogs''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means Chrome can display, and users can open, file selection dialogs.
Setting the policy to Disabled means that whenever users perform actions provoking a file selection dialog, such as importing bookmarks, uploading files, and saving links, a message appears instead. The user is assumed to have clicked Cancel on the file selection dialog.''',
},
{
'name': 'SecurityKeyPermitAttestation',
'owners': ['agl@chromium.org', 'martinkr@chromium.org'],
'tags': ['website-sharing'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:65-', 'chrome_os:65-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://example.com'],
'id': 402,
'caption': '''URLs/domains automatically permitted direct Security Key attestation''',
'desc': '''Setting the policy specifies URLs and domains for which no prompt appears when attestation certificates from Security Keys are requested. A signal is also sent to the Security Key indicating that individual attestation may be used. Without this, when sites request attestation of Security Keys, users are prompted in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 65 and later.
URLs will only match as U2F appIDs. Domains only match as webauthn RP IDs. So to cover both U2F and webauthn APIs, list the appID URL and domain for a given site.''',
},
{
'name': 'GCFUserDataDir',
'owners': ['grt@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_frame:12-32'],
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': '${user_home}/Chrome Frame',
'id': 87,
'caption': '''Set <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> user data directory''',
'tags': [],
'desc': '''Configures the directory that <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> will use for storing user data.
If you set this policy, <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> will use the provided directory.
See https://support.google.com/chrome/a?p=Supported_directory_variables for a list of variables that can be used.
If this setting is left not set the default profile directory will be used.''',
'label': '''Set user data directory''',
},
{
'name': 'DevicePolicyRefreshRate',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:11-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 3600000,
'default': 10800000,
'id': 90,
'caption': '''Refresh rate for Device Policy''',
'tags': [],
'desc': '''Setting the policy specifies the period in milliseconds at which the device management service is queried for device policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.
Leaving the policy unset means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> uses the default value of 3 hours.
Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).''',
},
{
'name': 'ImportBookmarks',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default': False,
'id': 97,
'caption': '''Import bookmarks from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''Setting the policy to Enabled imports bookmarks from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no bookmarks are imported on first run.
Users can trigger an import dialog and the bookmarks checkbox will be checked or unchecked to match this policy's value.''',
'label': '''Import bookmarks from default browser on first run''',
},
{
'name': 'ImportHistory',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default': False,
'id': 98,
'caption': '''Import browsing history from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''Setting the policy to Enabled imports browsing history from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no browsing history is imported on first run.
Users can trigger an import dialog and the browsing history checkbox will be checked or unchecked to match this policy's value.''',
'label': '''Import browsing history from default browser on first run''',
},
{
'name': 'ImportHomepage',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 99,
'caption': '''Import of homepage from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''Setting the policy to Enabled imports the homepage from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the homepage isn't imported on first run.
Users can trigger an import dialog and the homepage checkbox will be checked or unchecked to match this policy's value.''',
'label': '''Import of homepage from default browser on first run''',
},
{
'name': 'ImportSearchEngine',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 100,
'caption': '''Import search engines from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''Setting the policy to Enabled imports the default search engine from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the default search engine isn't imported on first run.
Users can trigger an import dialog and the default search engine checkbox will be checked or unchecked to match this policy's value.''',
'label': '''Import search engines from default browser on first run''',
},
{
'name': 'ImportSavedPasswords',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 101,
'caption': '''Import saved passwords from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''Setting the policy to Enabled imports saved passwords from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no saved passwords are imported on first run.
Users can trigger an import dialog and the saved passwords checkbox will be checked or unchecked to match this policy's value.''',
'label': '''Import saved passwords from default browser on first run''',
},
{
'name': 'ImportAutofillFormData',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:39-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 277,
'caption': '''Import autofill form data from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''Setting the policy to Enabled imports autofill form data from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no autofill form data is imported on first run.
Users can trigger an import dialog and the autofill form data checkbox will be checked or unchecked to match this policy's value.''',
'label': '''Import autofill form data from default browser on first run''',
},
{
'name': 'MaxConnectionsPerProxy',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome.*:14-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 32,
'default': 32,
'id': 92,
'caption': '''Maximal number of concurrent connections to the proxy server''',
'tags': [],
'desc': '''Setting the policy specifies the maximal number of simultaneous connections to the proxy server. Some proxy servers can't handle a high number of concurrent connections per client, which is solved by setting this policy to a lower value. The value should be lower than 100 and higher than 6. Some web apps are known to consume many connections with hanging GETs, so setting a value below 32 may lead to browser networking hangs if there are too many web apps with hanging connections open. Lower below the default at your own risk.
Leaving the policy unset means a default of 32 is used.''',
},
{
'name': 'HideWebStorePromo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-21', 'chrome_os:15-21'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
},
'example_value': False,
'id': 96,
'caption': '''Prevent app promotions from appearing on the new tab page''',
'tags': [],
'desc': '''When set to True, promotions for Chrome Web Store apps will not appear on the new tab page.
Setting this option to False or leaving it not set will make the promotions for Chrome Web Store apps appear on the new tab page''',
},
{
'name': 'URLBlacklist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:15-',
'chrome_os:15-',
'android:30-',
'webview_android:47-',
],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['example.com', 'https://ssl.server.com', 'hosting.com/bad_path', 'https://server:8080/path', '.exact.hostname.com', 'file://*', 'custom_scheme:*', '*'],
'id': 103,
'caption': '''Block access to a list of URLs''',
'tags': ['filtering'],
'desc': '''This policy is deprecated, please use the '<ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph>' policy instead.
Setting the policy prevents webpages with prohibited URLs from loading. It provides a list of URL patterns that specify forbidden URLs. Leaving the policy unset means no URLs are prohibited in the browser. Format the URL pattern according to this format ( https://www.chromium.org/administrators/url-blacklist-filter-format ). Up to 1,000 exceptions can be defined in <ph name="URL_ALLOWLIST_POLICY_NAME">URLAllowlist</ph>.
From <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 73, you can block javascript://* URLs. However, it affects only JavaScript entered in the address bar (or, for example, bookmarklets). In-page JavaScript URLs with dynamically loaded data aren't subject to this policy. For example, if you block example.com/abc, then example.com can still load example.com/abc using XMLHTTPRequest.
Note: Blocking internal chrome://* URLs can lead to unexpected errors.''',
'arc_support': 'Android apps may voluntarily choose to honor this list. You cannot force them to honor it.',
},
{
'name': 'URLWhitelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:15-',
'chrome_os:15-',
'android:30-',
'webview_android:47-',
],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['example.com', 'https://ssl.server.com', 'hosting.com/good_path', 'https://server:8080/path', '.exact.hostname.com'],
'id': 104,
'caption': '''Allow access to a list of URLs''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="URL_ALLOWLIST_POLICY_NAME">URLAllowlist</ph>' policy instead.
Setting the policy provides access to the listed URLs, as exceptions to the URL blocklist. See that policy's description for the format of entries of this list. For example, setting <ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph> to * will block all requests, and you can use this policy to allow access to a limited list of URLs. Use it to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at ( https://www.chromium.org/administrators/url-blacklist-filter-format ). The most specific filter determines if a URL is blocked or allowed. The allowlist takes precedence over blocklist. This policy is limited to 1,000 entries.
This policy also allows enabling the automatic invocation by the browser of external application registered as protocol handlers for the listed protocols like "tel:" or "ssh:".
Leaving the policy unset allows no exceptions.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
'arc_support': 'Android apps may voluntarily choose to honor this list. You cannot force them to honor it.',
},
{
'name': 'URLBlocklist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:86-',
'chrome_os:86-',
'android:86-',
'webview_android:86-',
],
'future_on': [ 'ios' ],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['example.com', 'https://ssl.server.com', 'hosting.com/bad_path', 'https://server:8080/path', '.exact.hostname.com', 'file://*', 'custom_scheme:*', '*'],
'id': 736,
'caption': '''Block access to a list of URLs''',
'tags': ['filtering'],
'desc': '''Setting the policy prevents webpages with prohibited URLs from loading. It provides a list of URL patterns that specify forbidden URLs. Leaving the policy unset means no URLs are prohibited in the browser. Format the URL pattern according to this format ( https://www.chromium.org/administrators/url-blacklist-filter-format ). Up to 1,000 exceptions can be defined in <ph name="URL_ALLOWLIST_POLICY_NAME">URLAllowlist</ph>.
From <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 73, you can block javascript://* URLs. However, it affects only JavaScript entered in the address bar (or, for example, bookmarklets). In-page JavaScript URLs with dynamically loaded data aren't subject to this policy. For example, if you block example.com/abc, then example.com can still load example.com/abc using XMLHTTPRequest.
Note: Blocking internal chrome://* URLs can lead to unexpected errors.''',
'arc_support': 'Android apps may voluntarily choose to honor this list. You cannot force them to honor it.',
},
{
'name': 'URLAllowlist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:86-',
'chrome_os:86-',
'android:86-',
'webview_android:86-',
],
'future_on': [ 'ios' ],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['example.com', 'https://ssl.server.com', 'hosting.com/good_path', 'https://server:8080/path', '.exact.hostname.com'],
'id': 737,
'caption': '''Allow access to a list of URLs''',
'tags': [],
'desc': '''Setting the policy provides access to the listed URLs, as exceptions to <ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph>. See that policy's description for the format of entries of this list. For example, setting <ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph> to * will block all requests, and you can use this policy to allow access to a limited list of URLs. Use it to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at ( https://www.chromium.org/administrators/url-blacklist-filter-format ). The most specific filter determines if a URL is blocked or allowed. The <ph name="URL_ALLOWLIST_POLICY_NAME">URLAllowlist</ph> policy takes precedence over <ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph>. This policy is limited to 1,000 entries.
This policy also allows enabling the automatic invocation by the browser of external application registered as protocol handlers for the listed protocols like "tel:" or "ssh:".
Leaving the policy unset allows no exceptions to <ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph>.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
'arc_support': 'Android apps may voluntarily choose to honor this list. You cannot force them to honor it.',
},
{
'name': 'PolicyAtomicGroupsEnabled',
'owners': ['ydago@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:78-', 'chrome_os:78-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 584,
'caption': '''Enables the concept of policy atomic groups''',
'tags': [],
'desc': '''Setting the policy to Enabled means policies coming from an atomic group that don't share the source with the highest priority from that group get ignored.
Setting the policy to Disabled means no policy is ignored because of its source. Policies are ignored only if there's a conflict, and the policy doesn't have the highest priority.
If this policy is set from a cloud source, it can't target a specific user.''',
},
{
'name': 'PolicyListMultipleSourceMergeList',
'owners': ['ydago@chromium.org', 'pastarmovj@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:75-', 'chrome_os:75-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['ExtensionInstallAllowlist', 'ExtensionInstallBlocklist'],
'id': 554,
'caption': '''Allow merging list policies from different sources''',
'tags': [],
'desc': '''Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level.
If a policy is in the list and there's conflict between sources with:
* The same scopes and level: The values merge into a new policy list.
* Different scopes or level: The policy with the highest priority applies.
If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.''',
'label': '''Allow merging list policies from different sources''',
},
{
'name': 'PolicyDictionaryMultipleSourceMergeList',
'owners': ['ydago@chromium.org', 'pastarmovj@chromium.org'],
'type': 'string-enum-list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [ 'ContentPackManualBehaviorURLs', 'ExtensionSettings', 'DeviceLoginScreenPowerManagement', 'KeyPermissions', 'PowerManagementIdleSettings', 'ScreenBrightnessPercent', 'ScreenLockDelays' ],
}
},
'items': [
{
'name': 'ContentPackManualBehaviorURLs',
'value': 'ContentPackManualBehaviorURLs',
'caption': '''Managed user manual exception URLs''',
},
{
'name': 'DeviceLoginScreenPowerManagement',
'value': 'DeviceLoginScreenPowerManagement',
'caption': '''Power management on the login screen''',
},
{
'name': 'ExtensionSettings',
'value': 'ExtensionSettings',
'caption': '''Extension management settings''',
},
{
'name': 'KeyPermissions',
'value': 'KeyPermissions',
'caption': '''Key Permissions''',
},
{
'name': 'PowerManagementIdleSettings',
'value': 'PowerManagementIdleSettings',
'caption': '''Power management settings when the user becomes idle''',
},
{
'name': 'ScreenBrightnessPercent',
'value': 'ScreenBrightnessPercent',
'caption': '''Screen brightness percent''',
},
{
'name': 'ScreenLockDelays',
'value': 'ScreenLockDelays',
'caption': '''Screen lock delays''',
},
],
'supported_on': ['chrome.*:76-', 'chrome_os:76-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['ExtensionSettings'],
'id': 565,
'caption': '''Allow merging dictionary policies from different sources''',
'tags': [],
'desc': '''Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level. This merging is in the first level keys of the dictionary from each source. The key coming from the highest priority source takes precedence.
If a policy is in the list and there's conflict between sources with:
* The same scopes and level: The values merge into a new policy dictionary.
* Different scopes or level: The policy with the highest priority applies.
If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.''',
'label': '''Allow merging dictionary policies from different sources''',
},
{
'name': 'EnableExperimentalPolicies',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:85-', 'chrome_os:85-', 'android:85-', 'webview_android:85-', 'ios:85-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['ExtensionInstallAllowlist', 'ExtensionInstallBlocklist'],
'id': 711,
'caption': '''Enables experimental policies''',
'tags': [],
'desc': '''Allows <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to load experimental policies.
WARNING: Experimental policies are unsupported and subject to change or be removed without notice in future version of the browser!
An experimental policy may not be finished or still have known or unknown defects. It may be changed or even removed without any notification. By enabling experimental policies, you could lose browser data or compromise your security or privacy.
If a policy is not in the list and it's not officially released, its value will be ignored on Beta and Stable channel.
If a policy is in the list and it's not officially released, its value will be applied.
This policy has no effect on already released policies.''',
},
{
'name': 'OpenNetworkConfiguration',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'url_schema': 'https://chromium.googlesource.com/chromium/src/+/master/components/onc/docs/onc_spec.md',
'supported_on': ['chrome_os:16-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}", "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false, "Security": "None", "AutoConnect": true } } ] }',
'id': 107,
'caption': '''User-level network configuration''',
'tags': ['full-admin-access'],
'desc': '''Setting the policy allows pushing network configuration per-user for each <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> device. The network configuration is a JSON-formatted string, as defined by the Open Network Configuration format.''',
'arc_support': 'Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.',
},
{
'name': 'DeviceOpenNetworkConfiguration',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'url_schema': 'https://chromium.googlesource.com/chromium/src/+/master/components/onc/docs/onc_spec.md',
'supported_on': ['chrome_os:16-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': '{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}", "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false, "Security": "None", "AutoConnect": true } } ] }',
'id': 108,
'caption': '''Device-level network configuration''',
'tags': ['full-admin-access'],
'desc': '''Setting the policy allows pushing network configuration for all users of a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> device. The network configuration is a JSON-formatted string, as defined by the Open Network Configuration format.''',
'arc_support': 'Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.',
},
{
'name': 'DeviceKerberosEncryptionTypes',
'owners': ['file://chrome/browser/chromeos/authpolicy/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'All',
'value': 0,
'caption': '''All (insecure)''',
},
{
'name': 'Strong',
'value': 1,
'caption': '''Strong''',
},
{
'name': 'Legacy',
'value': 2,
'caption': '''Legacy (insecure)''',
},
],
'supported_on': ['chrome_os:66-'],
'supported_chrome_os_management': ['active_directory'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 1,
'id': 415,
'caption': '''Allowed Kerberos encryption types''',
'tags': ['system-security'],
'desc': '''Setting the policy designates which encryption types are allowed when requesting Kerberos tickets from a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> server.
Setting the policy to:
* All allows the AES encryption types aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, as well as the RC4 encryption type rc4-hmac. AES takes precedence if the server supports AES and RC4 encryption types.
* Strong or leaving it unset allows only the AES types.
* Legacy allows only the RC4 type. RC4 is insecure. It should only be needed in very specific circumstances. If possible, reconfigure the server to support AES encryption.
Also see https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.''',
},
{
'name': 'DeviceUserPolicyLoopbackProcessingMode',
'owners': ['file://chrome/browser/chromeos/authpolicy/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Default',
'value': 0,
'caption': '''Default''',
},
{
'name': 'Merge',
'value': 1,
'caption': '''Merge''',
},
{
'name': 'Replace',
'value': 2,
'caption': '''Replace''',
},
],
'supported_on': ['chrome_os:66-'],
'supported_chrome_os_management': ['active_directory'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 0,
'id': 416,
'caption': '''User policy loopback processing mode''',
'tags': [],
'desc': '''Setting the policy specifies whether and how user policy from computer Group Policy Object (GPO) is processed.
* Default or leaving it unset has user policy read only from user GPOs. Computer GPOs are ignored.
* Merge will merge user policy in user GPOs with that of computer GPOs. Computer GPOs take precedence.
* Replace will replace user policy in user GPOs with that of computer GPOs. User GPOs are ignored.''',
},
{
'name': 'DeviceMachinePasswordChangeRate',
'owners': ['file://chrome/browser/chromeos/authpolicy/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 0, 'maximum': 9999 },
'supported_on': ['chrome_os:66-'],
'supported_chrome_os_management': ['active_directory'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 0,
'id': 425,
'caption': '''Machine password change rate''',
'tags': ['system-security'],
'desc': '''Setting the policy specifies in days how often a client changes their machine account password. The password is randomly generated by the client and not visible to the user. Disabling this policy or setting a high number of days can negatively impact security, because it gives potential attackers more time to find and use the machine account password.
Leaving the policy unset means the machine account password is changed every 30 days.
Setting the policy to 0 turns off machine account password change.
Note: Passwords might get older than the specified number of days if the client has been offline for a longer period of time.''',
},
{
'name': 'DeviceGpoCacheLifetime',
'owners': ['file://chrome/browser/chromeos/authpolicy/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 0, 'maximum': 9999 },
'supported_on': ['chrome_os:73-'],
'supported_chrome_os_management': ['active_directory'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 0,
'id': 508,
'caption': '''GPO cache lifetime''',
'tags': [],
'desc': '''Setting the policy specifies in hours the Group Policy Object (GPO) cache lifetime—the maximum duration GPOs can be reused before they're redownloaded. Instead of redownloading them on every policy fetch, the system reuses cached GPOs as long as their version doesn't change.
Setting the policy to 0 turns GPO caching off. Doing this increases server load, because GPOs are redownloaded on every policy fetch, even if they didn't change.
Leaving the policy unset means cached GPOs can be reused for up to 25 hours.
Note: Restarting and signing out clears the cache.''',
},
{
'name': 'DeviceAuthDataCacheLifetime',
'owners': ['file://chrome/browser/chromeos/authpolicy/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 0, 'maximum': 9999 },
'supported_on': ['chrome_os:73-'],
'supported_chrome_os_management': ['active_directory'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 0,
'id': 509,
'caption': '''Authentication data cache lifetime''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy specifies in hours the authentication data cache lifetime. The cache has data about realms trusted by the machine realm (affiliated realms). So, authentication data caching helps speed up sign-in. User-specific data and data for unaffiliated realms isn't cached.
Setting the policy to 0 turns authentication data caching off. Realm-specific data is fetched on every sign-in, so turning off authentication data caching can significantly slow down user sign-in.
Leaving the policy unset means cached authentication data can be reused for up to 73 hours.
Note: Restarting the device clears the cache. Even ephemeral users' realm data is cached. Turn off the cache to prevent the tracing of an ephemeral user's realm.''',
},
{
'name': 'CloudPrintSubmitEnabled',
'owners': ['file://printing/OWNERS', 'weili@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 109,
'caption': '''Enable submission of documents to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets users print to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> print dialog. <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can submit documents to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> for printing. This doesn't prevent users from submitting print jobs on websites.
Setting the policy to Disabled means users can't print to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> print dialog.
In order to keep <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> destinations discoverable, this policy must be set to Enabled and <ph name="POLICY_ENUM_PRINTERTYPEDENYLIST_CLOUD">cloud</ph> must not be included in the <ph name="PRINTER_TYPE_DENY_LIST_POLICY_NAME">PrinterTypeDenyList</ph> policy.''',
},
{
'name': 'EnterpriseWebStoreURL',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:17-28', 'chrome_os:17-28'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 'https://company-intranet/chromeapps',
'id': 112,
'caption': '''Enterprise web store URL (deprecated)''',
'tags': [],
'desc': '''This setting has been retired as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 29. The recommended way to set up organization-hosted extension/app collections is to include the site hosting the CRX packages in ExtensionInstallSources and put direct download links to the packages on a web page. A launcher for that web page can be created using the ExtensionInstallForcelist policy.''',
},
{
'name': 'EnterpriseWebStoreName',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:17-28', 'chrome_os:17-28'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 'WidgCo Chrome Apps',
'id': 113,
'caption': '''Enterprise web store name (deprecated)''',
'tags': [],
'desc': '''This setting has been retired as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 29. The recommended way to set up organization-hosted extension/app collections is to include the site hosting the CRX packages in ExtensionInstallSources and put direct download links to the packages on a web page. A launcher for that web page can be created using the ExtensionInstallForcelist policy.''',
},
{
'name': 'DisablePrintPreview',
'owners': ['file://printing/OWNERS', 'rbpotter@chomium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:18-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'id': 117,
'caption': '''Disable Print Preview''',
'tags': [],
'desc': '''Setting the policy to Enabled has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> open the system print dialog instead of the built-in print preview when users request a printout.
Setting the policy to Disabled or leaving it unset has print commands trigger the print preview screen.''',
},
{
'name': 'PrintHeaderFooter',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:70-', 'chrome.*:70-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 480,
'caption': '''Print Headers and Footers''',
'tags': [],
'desc': '''Setting the policy to Enabled turns headers and footers on in print preview. Setting the policy to Disabled turns them off in print preview.
If you set the policy, users can't change it. If unset, users decides whether headers and footers appear.''',
},
{
'name': 'DefaultPrinterSelection',
'owners': ['file://printing/OWNERS', 'thestig@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'validation_schema': {
'type': 'object',
'properties': {
'kind': {
'description': 'Whether to limit the search of the matching printer to a specific set of printers.',
'type': 'string',
'enum': [ 'local', 'cloud' ]
},
'idPattern': {
'description': 'Regular expression to match printer id.',
'type': 'string'
},
'namePattern': {
'description': 'Regular expression to match printer display name.',
'type': 'string'
}
}
},
'supported_on': ['chrome.*:48-', 'chrome_os:48-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '{ "kind": "cloud", "idPattern": ".*public", "namePattern": ".*Color" }',
'id': 308,
'caption': '''Default printer selection rules''',
'tags': [],
'desc': '''Setting the policy sets the rules for selecting the default printer in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, overriding the default rules. Printer selection occurs the first time users try to print, when <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> seeks a printer matching the specified attributes. In case of a less than perfect match, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can be set to select any matching printer, depending on the order printers are discovered.
Leaving the policy unset or set to attributes for which there's no match means the built-in PDF printer is the default. If there's no PDF printer, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> defaults to none.
Printers connected to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> are considered <ph name="PRINTER_TYPE_CLOUD">"cloud"</ph>, the rest of the printers are classified as <ph name="PRINTER_TYPE_LOCAL">"local"</ph>.
Note: Omitting a field means all values match. For example, not specifying connectivity causes Print Preview to start discovery of all kinds of printers, <ph name="PRINTER_TYPE_LOCAL">"local"</ph> and <ph name="PRINTER_TYPE_CLOUD">"cloud"</ph>. Regular expression patterns must follow the JavaScript RegExp syntax, and matches are case sensistive.''',
'arc_support': 'This policy has no effect on Android apps.',
},
{
'name': 'DisableSSLRecordSplitting',
'owners': ['file://crypto/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:18-46', 'chrome_os:18-46'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 118,
'caption': '''Disable TLS False Start''',
'tags': [],
'desc': '''Specifies whether the <ph name="TLS_FALSE_START">TLS False Start</ph> optimization should be disabled. For historical reasons, this policy is named DisableSSLRecordSplitting.
If the policy is not set, or is set to false, then <ph name="TLS_FALSE_START">TLS False Start</ph> will be enabled. If it is set to true, <ph name="TLS_FALSE_START">TLS False Start</ph> will be disabled.''',
},
{
'name': 'EnableOnlineRevocationChecks',
'owners': ['file://net/cert/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:19-', 'chrome_os:19-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 129,
'caption': '''Enable online OCSP/CRL checks''',
'tags': ['website-sharing'],
'desc': '''Setting the policy to True means online <ph name="OCSP_CRL_LABEL">OCSP/CRL</ph> checks are performed.
Setting the policy to False or leaving it unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> won't perform online revocation checks in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 19 and later.
Note: <ph name="OCSP_CRL_LABEL">OCSP/CRL</ph> checks provide no effective security benefit.''',
},
{
'name': 'RequireOnlineRevocationChecksForLocalAnchors',
'owners': ['file://net/cert/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:30-', 'chrome.linux:30-', 'chrome.win:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Perform revocation checks for successfully validated server certificates signed by locally installed CA certificates',
},
{
'value': False,
'caption': 'Use existing online revocation-checking settings',
},
],
'example_value': False,
'default': False,
'id': 235,
'caption': '''Require online OCSP/CRL checks for local trust anchors''',
'tags': [],
'desc': '''Setting the policy to True means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> always performs revocation checking for successfully validated server certificates signed by locally installed CA certificates. If <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can't get revocation status information, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> treats these certificates as revoked (hard-fail).
Setting the policy to False or leaving it unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses existing online revocation-checking settings.''',
},
{
'name': 'EnableSha1ForLocalAnchors',
'owners': ['mattm@chromium.org', 'rsleevi@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:54-71', 'chrome_os:54-71', 'android:54-71'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 340,
'caption': '''Allow SHA-1 signed certificates issued by local trust anchors''',
'tags': ['system-security'],
'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> allows SHA-1 signed certificates as long as they successfully validate and chain to a locally-installed CA certificates.
Note that this policy depends on the operating system certificate verification stack allowing SHA-1 signatures. If an OS update changes the OS handling of SHA-1 certificates, this policy may no longer have effect. Further, this policy is intended as a temporary workaround to give enterprises more time to move away from SHA-1. This policy will be removed on or around January 1st 2019.
If this policy is not set, or it is set to false, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> follows the publicly announced SHA-1 deprecation schedule.''',
},
{
'name': 'EnableCommonNameFallbackForLocalAnchors',
'owners': ['file://net/cert/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:58-65', 'chrome_os:58-65', 'android:58-65'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 366,
'caption': '''Allow certificates issued by local trust anchors without subjectAlternativeName extension''',
'tags': ['system-security'],
'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificates.
Note that this is not recommended, as this may allow bypassing the nameConstraints extension that restricts the hostnames that a given certificate can be authorized for.
If this policy is not set, or is set to false, server certificates that lack a subjectAlternativeName extension containing either a DNS name or IP address will not be trusted.''',
},
{
'name': 'EnableSymantecLegacyInfrastructure',
'owners': ['file://net/cert/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:66-75', 'chrome_os:66-75', 'android:66-75'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 413,
'caption': '''Enable trust in Symantec Corporation's Legacy PKI Infrastructure''',
'tags': ['system-security'],
'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate.
Note that this policy depends on the operating system still recognizing certificates from Symantec's legacy infrastructure. If an OS update changes the OS handling of such certificates, this policy no longer has effect. Further, this policy is intended as a temporary workaround to give enterprises more time to transition away from legacy Symantec certificates. This policy will be removed on or around January 1st 2019.
If this policy is not set, or it is set to false, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> follows the publicly announced deprecation schedule.
See https://g.co/chrome/symantecpkicerts for more details on this deprecation.''',
},
{
'name': 'BuiltinCertificateVerifierEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:77-83', 'chrome.linux:79-83', 'chrome.mac:83-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 575,
'caption': '''Determines whether the built-in certificate verifier will be used to verify server certificates''',
'tags': [],
'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will perform verification of server certificates using the built-in certificate verifier.
When this setting is disabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will perform verification of server certificates using the legacy certificate verifier provided by the platform.
When this setting is not set, the built-in or the legacy certificate verifier may be used.
This policy is planned to be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 81, when support for the legacy certificate verifier on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> is planned to be removed.
This policy is planned to be removed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> for Linux version 83, when support for the legacy certificate verifier on Linux is planned to be removed.
This policy is planned to be removed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> for Mac OS X version 91, when support for the legacy certificate verifier on Mac OS X is planned to be removed.
''',
},
{
'name': 'ForceEphemeralProfiles',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:32-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': True,
'id': 245,
'caption': '''Ephemeral profile''',
'tags': [],
'desc': '''If set to enabled this policy forces the profile to be switched to ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it will apply to every profile on the system; if the policy is set as a Cloud policy it will apply only to a profile signed in with a managed account.
In this mode the profile data is persisted on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies and web databases are not preserved after the browser is closed. However this does not prevent the user from downloading any data to disk manually, save pages or print them.
If the user has enabled sync all this data is preserved in their sync profile just like with regular profiles. Incognito mode is also available if not explicitly disabled by policy.
If the policy is set to disabled or left not set signing in leads to regular profiles.'''
},
{
'name': 'SAMLOfflineSigninTimeLimit',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': -1 },
'supported_on': ['chrome_os:34-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 32,
'id': 254,
'caption': '''Limit the time for which a user authenticated via SAML can log in offline''',
'tags': [],
'desc': '''During login, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can authenticate against a server (online) or using a cached password (offline).
When this policy is set to a value of -1, the user can authenticate offline indefinitely. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again.
Leaving this policy not set will make <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> use a default time limit of 14 days after which the user must use online authentication again.
This policy affects only users who authenticated using SAML.
The policy value should be specified in seconds.''',
},
{
'name': 'AutoCleanUpStrategy',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [ 'remove-lru', 'remove-lru-if-dormant' ],
},
'items': [
{
'name': 'RemoveLRU',
'value': 'remove-lru',
'caption': '''Least recently used users are removed until there is enough free space''',
},
{
'name': 'RemoveLRUIfDormant',
'value': 'remove-lru-if-dormant',
'caption': '''Least recently used users who have not logged in within last 3 months are removed until there is enough free space''',
},
],
'supported_on': ['chrome_os:32-35'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': 'remove-lru',
'id': 246,
'caption': '''Select the strategy used to free up disk space during automatic clean-up (deprecated)''',
'tags': [],
'desc': '''This policy is deprecated. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will always use the 'RemoveLRU' clean-up strategy.
Controls the automatic clean-up behavior on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices. Automatic clean-up is triggered when the amount of free disk space reaches a critical level to recover some disk space.
If this policy is set to 'RemoveLRU', the automatic clean-up will keep removing users from the device in least-recently-logged-in order until there is enough free space.
If this policy is set to 'RemoveLRUIfDormant', the automatic clean-up will keep removing users who have not logged in for at least 3 months in least-recently-logged-in order until there is enough free space.
If this policy is not set, automatic clean-up uses the default built-in strategy. Currently, it is the 'RemoveLRUIfDormant' strategy.'''
},
{
'name': 'ReportDeviceVersionInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:18-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 119,
'caption': '''Report OS and firmware version''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset has enrolled devices periodically report their OS and firmware version.
Setting the policy to Disabled means enrolled devices don't report version info.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceActivityTimes',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:18-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 120,
'caption': '''Report device activity times''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset has enrolled devices report time periods when a user is active on the device.
Setting the policy to Disabled means enrolled devices don't record or report activity times.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceBootMode',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:18-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 121,
'caption': '''Report device boot mode''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset has enrolled devices report the state of the device's dev switch when the machine booted.
Setting the policy to Disabled means enrolled devices don't report the state of the dev switch.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceLocation',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': ['chrome_os'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 143,
'caption': '''Report device location''',
'tags': ['admin-sharing'],
'desc': '''Report the geographic location of the device.
If the policy is not set, or set to false, the location will not be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceNetworkInterfaces',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 224,
'caption': '''Report device network interfaces''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset has enrolled devices report the list of network interfaces with their types and hardware addresses.
Setting the policy to Disabled means enrolled devices don't report the network interface.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceUsers',
'owners': ['stepco@chromium.org', 'poromov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:32-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 248,
'caption': '''Report device users''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset has enrolled devices report the list of device users that signed in recently.
Setting the policy to Disabled means enrolled devices don't report the list of users.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceHardwareStatus',
'owners': ['antrim@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:42-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 290,
'caption': '''Report hardware status''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset has enrolled devices report hardware statistics such as CPU/RAM usage.
Setting the policy to Disabled means enrolled devices don't report the hardware statistics.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceSessionStatus',
'owners': ['antrim@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:42-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 291,
'caption': '''Report information about active kiosk sessions''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset has enrolled devices report the active kiosk session information such as application ID and version.
Setting the policy to Disabled means enrolled devices don't report kiosk session information.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceGraphicsStatus',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:81-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 660,
'caption': '''Report display and graphics statuses''',
'tags': ['admin-sharing'],
'desc': '''Report information related to display, such as refresh rate, and
information related to graphics, such as driver version.
If the policy is set to false or left unset, the display and graphics
statuses will not be reported. If set to true, display and graphics
statuses will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceCrashReportInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:83-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 665,
'caption': '''Report information about crash reports.''',
'tags': ['admin-sharing'],
'desc': '''Report information related to crash reports, such as remote id,
capture timestamp and cause.
If the policy is set to false or left unset, the crash report information
will not be reported. If set to true, crash report information will be
reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceOsUpdateStatus',
'owners': ['anqing@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 602,
'caption': '''Report OS update status''',
'tags': ['admin-sharing'],
'desc': '''Report OS update information such as update status, platform version,
last update check and last reboot.
If the policy is set to false or left unset, the OS update information will not be
reported. If set to true, OS update information will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDevicePowerStatus',
'owners': ['antrim@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:73-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 512,
'caption': '''Report power status''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled has enrolled devices report hardware statistics and identifiers related to power.
Setting the policy to Disabled or leaving it unset means enrolled devices don't report power statistics.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceStorageStatus',
'owners': ['antrim@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:73-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 513,
'caption': '''Report storage status''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled has enrolled devices report hardware statistics and identifiers for storage devices.
Setting the policy to Disabled or leaving it unset means enrolled devices don't report storage statistics.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceBoardStatus',
'owners': ['antrim@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:73-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 514,
'caption': '''Report board status''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled has enrolled devices report hardware statistics for SoC components.
Setting the policy to Disabled or leaving it unset means enrolled devices don't report the statistics.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceCpuInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:81-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 656,
'caption': '''Report CPU info''',
'tags': ['admin-sharing'],
'desc': '''Report information for a device's CPU(s).
If the policy is set to false or left unset, the information will not be reported.
If set to true, the CPU model name, architecture, and maximum clock speed will be
reported for each CPU.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceTimezoneInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:83-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 671,
'caption': '''Report Timezone info''',
'tags': ['admin-sharing'],
'desc': '''Report information for a device's timezone.
If the policy is set to false or left unset, the information will not be reported.
If set to true, the device's currently set timezone will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceMemoryInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:83-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 682,
'caption': '''Report memory info''',
'tags': ['admin-sharing'],
'desc': '''Report information about a device's memory.
If the policy is set to false or left unset, the information will not be reported.
If set to true, the device's memory information will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceBacklightInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:83-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 686,
'caption': '''Report backlight info''',
'tags': ['admin-sharing'],
'desc': '''Report information about a device's backlights.
If the policy is set to false or left unset, the information will not be reported.
If set to true, the device's backlight information will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceAppInfo',
'owners': ['mattme@google.com', 'file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 702,
'caption': '''Report applications information''',
'tags': ['admin-sharing'],
'desc': '''Report information for a device's application inventory and usage.
If the policy is set to false or left unset, the information will not be reported.
If set to true, the device's applications and usage will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceBluetoothInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 708,
'caption': '''Report Bluetooth info''',
'tags': ['admin-sharing'],
'desc': '''Report a device's Bluetooth information.
If the policy is set to false or left unset, the information will not be reported.
If set to true, the device's Bluetooth information will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceFanInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 709,
'caption': '''Report fan info''',
'tags': ['admin-sharing'],
'desc': '''Report a device's fan information.
If the policy is set to false or left unset, the information will not be reported.
If set to true, the device's fan information will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceVpdInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 710,
'caption': '''Report VPD info''',
'tags': ['admin-sharing'],
'desc': '''Report a device's VPD information.
If the policy is set to false or left unset, the information will not be reported.
If set to true, the device's VPD information will be reported.
Vital Product Data (VPD) is a collection of configuration and informational data (such as part and serial numbers) associated with the device.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportDeviceSystemInfo',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:86-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 741,
'caption': '''Report system info''',
'tags': ['admin-sharing'],
'desc': '''Report a device's system information.
If the policy is set to false or left unset, the information will not be reported.
If set to true, the device's system information will be reported.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportUploadFrequency',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 60000 },
'supported_on': ['chrome_os:42-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 10800000,
'id': 292,
'caption': '''Frequency of device status report uploads''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy determines how frequently to send device status uploads, in milliseconds. The minimum allowed is 60 seconds.
If not set, the default interval of 3 hours applies.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'ReportArcStatusEnabled',
'owners': ['phweiss@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:55-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 349,
'caption': '''Report information about status of Android''',
'tags': ['admin-sharing'],
'desc': '''If Android apps are on, then setting the policy to True has enrolled devices report Android status information.
Setting the policy to Disabled or leaving it unset means enrolled devices don't report Android status information''',
},
{
'name': 'ReportCrostiniUsageEnabled',
'owners': ['aoldemeier@chromium.org', 'okalitova@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:70-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 484,
'caption': '''Report information about usage of Linux apps''',
'tags': ['admin-sharing'],
'desc': '''If <ph name="LINUX_OS_NAME">Linux</ph> app support is on, setting the policy to Enabled sends information about <ph name="LINUX_OS_NAME">Linux</ph> apps usage back to the server.
Setting the policy to Disabled or leaving it unset means no usage information is reported.''',
},
{
'name': 'HeartbeatEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:43-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 293,
'caption': '''Send network packets to the management server to monitor online status''',
'tags': ['admin-sharing'],
'desc': '''Setting the policy to Enabled sends monitoring network packets (<ph name="HEARTBEATS_TERM">heartbeats</ph>) to the management server to monitor online status, to allow the server to detect if the device is offline.
Setting the policy to Disabled or leaving it unset sends no packets.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'HeartbeatFrequency',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 30000 },
'supported_on': ['chrome_os:43-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 180000,
'id': 294,
'caption': '''Frequency of monitoring network packets''',
'tags': [],
'desc': '''Setting the policy determines how frequently to send monitoring network packets, in milliseconds. Intervals range from 30 seconds to 24 hours. Values outside this range are clamped to this range.
If not set, the default interval of 3 minutes applies.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'LogUploadEnabled',
'owners': ['poromov@chromium.org', 'pbond@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:46-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 306,
'caption': '''Send system logs to the management server''',
'tags': [],
'desc': '''Setting the policy to Enabled sends system logs to the management server, to allow admins to monitor system logs.
Setting the policy to Disabled or leaving it unset reports no system logs.''',
'arc_support': 'This policy has no effect on the logging done by Android.',
},
{
'name': 'DeviceUserWhitelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
'sensitiveValue': True,
},
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': [ 'madmax@managedchrome.com' ],
'id': 122,
'caption': '''Login user white list''',
'tags': [],
'desc': '''Defines the list of users that are allowed to login to the device. Entries are of the form <ph name="USER_ALLOWLIST_ENTRY_FORMAT">user@domain</ph>, such as <ph name="USER_ALLOWLIST_ENTRY_EXAMPLE">madmax@managedchrome.com</ph>. To allow arbitrary users on a domain, use entries of the form <ph name="USER_ALLOWLIST_ENTRY_WILDCARD">*@domain</ph>.
If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the <ph name="DEVICE_ALLOW_NEW_USERS_POLICY_NAME">DeviceAllowNewUsers</ph> policy to be configured appropriately.
This policy is deprecated, please use <ph name="DEVICE_USER_ALLOWLIST_POLICY_NAME">DeviceUserAllowlist</ph> instead.
''',
'arc_support': 'This policy controls who may start a <ph name="PRODUCT_OS_NAME">$2<ex>Chromium OS</ex></ph> session. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific <ph name="ACCOUNT_TYPES_WITH_MANAGEMENT_DISABLED_CLOUDDPC_POLICY_NAME">accountTypesWithManagementDisabled</ph> policy as part of <ph name="ARC_POLICY_POLICY_NAME">ArcPolicy</ph>.',
},
{
'name': 'DeviceUserAllowlist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
'sensitiveValue': True,
},
'supported_on': ['chrome_os:87-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ 'madmax@managedchrome.com' ],
'id': 764,
'caption': '''Login user allow list''',
'tags': [],
'desc': '''Defines the list of users that are allowed to login to the device. Entries are of the form <ph name="USER_ALLOWLIST_ENTRY_FORMAT">user@domain</ph>, such as <ph name="USER_WHITELIST_ENTRY_EXAMPLE">madmax@managedchrome.com</ph>. To allow arbitrary users on a domain, use entries of the form <ph name="USER_ALLOWLIST_ENTRY_WILDCARD">*@domain</ph>.
If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the <ph name="DEVICE_ALLOW_NEW_USERS_POLICY_NAME">DeviceAllowNewUsers</ph> policy to be configured appropriately.
If <ph name="DEVICE_FAMILY_LINK_ACCOUNTS_ALLOWED_POLICY_NAME">DeviceFamilyLinkAccountsAllowed</ph> is enabled, Family Link users will be allowed additionally to the accounts defined in this policy.''',
'arc_support': 'This policy controls who may start a <ph name="PRODUCT_OS_NAME">$2<ex>Chromium OS</ex></ph> session. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific <ph name="ACCOUNT_TYPES_WITH_MANAGEMENT_DISABLED_CLOUDDPC_POLICY_NAME">accountTypesWithManagementDisabled</ph> policy as part of <ph name="ARC_POLICY_POLICY_NAME">ArcPolicy</ph>.',
},
{
'name': 'DeviceAllowNewUsers',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 123,
'caption': '''Allow creation of new user accounts''',
'tags': [],
'desc': '''Controls whether <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> allows new user accounts to be created. If this policy is set to false, users that do not have an account already will not be able to login.
If this policy is set to true or not configured, new user accounts will be allowed to be created provided that <ph name="DEVICE_USER_ALLOWLIST_POLICY_NAME">DeviceUserAllowlist</ph> does not prevent the user from logging in.''',
'arc_support': 'This policy controls whether new users can be added to <ph name="PRODUCT_OS_NAME">$2<ex>Chromium OS</ex></ph>. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific <ph name="ACCOUNT_TYPES_WITH_MANAGEMENT_DISABLED_CLOUDDPC_POLICY_NAME">accountTypesWithManagementDisabled</ph> policy as part of <ph name="ARC_POLICY_POLICY_NAME">ArcPolicy</ph>.',
},
{
'name': 'DeviceGuestModeEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 124,
'caption': '''Enable guest mode''',
'tags': [],
'desc': '''If this policy is set to true or not configured, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will enable guest logins. Guest logins are anonymous user sessions and do not require a password.
If this policy is set to false, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will not allow guest sessions to be started.''',
},
{
'name': 'DeviceShowUserNamesOnSignin',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 125,
'caption': '''Show usernames on login screen''',
'tags': [],
'desc': '''If this policy is set to true or not configured, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will show existing users on the login screen and allow to pick one.
If this policy is set to false, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will not show existing users on the login screen. The normal sign-in screen (prompting for the user email and password or phone) or the SAML interstitial screen (if enabled via the <ph name="LOGIN_AUTHENTICATION_BEHAVIOR_POLICY_NAME">LoginAuthenticationBehavior</ph> policy) will be shown, unless a Managed Session is configured. When a Managed Session is configured, only the Managed Session accounts will be shown, allowing to pick one of them.
Note that this policy does not affect whether the device keeps or discards the local user data.''',
},
{
'name': 'DeviceDataRoamingEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 126,
'caption': '''Enable data roaming''',
'tags': [],
'desc': '''Setting the policy to Enabled allows data roaming for the device.
Setting the policy to Disabled or leaving it unset renders data roaming unavailable.''',
},
{
'name': 'DeviceMetricsReportingEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:14-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 127,
'caption': '''Enable metrics reporting''',
'tags': [
'admin-sharing',
'google-sharing',
],
'desc': '''Setting the policy to Enabled has <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> report usage metrics and diagnostic data, including crash reports, back to Google. Setting the policy to Disabled turns off metrics and diagnostic data reporting.
Leaving the policy unset keeps metrics and diagnostic data reporting off on unmanaged devices and on for managed devices.''',
'arc_support': 'This policy also controls Android usage and diagnostic data collection.',
},
{
'name': 'ChromeOsReleaseChannel',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [ 'stable-channel', 'beta-channel', 'dev-channel' ],
},
'items': [
{
'name': 'StableChannel',
'value': 'stable-channel',
'caption': '''Stable channel''',
},
{
'name': 'BetaChannel',
'value': 'beta-channel',
'caption': '''Beta channel''',
},
{
'name': 'DevChannel',
'value': 'dev-channel',
'caption': '''Dev channel (may be unstable)''',
},
],
'supported_on': ['chrome_os:11-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 'stable-channel',
'id': 91,
'caption': '''Release channel''',
'tags': [],
'desc': '''Specifies the release channel that this device should be locked to.
Setting <ph name="CHROME_OS_RELEASE_CHANNEL_POLICY_NAME">ChromeOsReleaseChannel</ph> only has an effect if <ph name="CHROME_OS_RELEASE_CHANNEL_DELEGATED_POLICY_NAME">ChromeOsReleaseChannelDelegated</ph> is set to False.''',
},
{
'name': 'ChromeOsReleaseChannelDelegated',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 134,
'caption': '''Users may configure the Chrome OS release channel''',
'tags': [],
'desc': '''Users are only allowed to change the release channel of the device if this policy is set to True. If this policy is False or not set, users are not allowed to change the channel.
Setting <ph name="CHROME_OS_RELEASE_CHANNEL_POLICY_NAME">ChromeOsReleaseChannel</ph> only has an effect if <ph name="CHROME_OS_RELEASE_CHANNEL_DELEGATED_POLICY_NAME">ChromeOsReleaseChannelDelegated</ph> is set to False.''',
},
{
'name': 'DeviceReleaseLtsTag',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:86-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 'lts',
'id': 771,
'caption': '''Allow device to receive LTS updates''',
'tags': [],
'desc': '''If this policy is set to <ph name="DEVICE_LTS_TAG_VALUE">"lts"</ph> it allows the device to receive LTS (long term support) updates.''',
},
{
'name': 'DeviceChannelDowngradeBehavior',
'owners': ['mpolzer@google.com'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [1, 2, 3],
},
'items': [
{
'name': 'WaitForVersionCatchUp',
'value': 1,
'caption': '''Wait for the target channel to catch up on channel downgrade''',
},
{
'name': 'Rollback',
'value': 2,
'caption': '''Roll back and reset the device on channel downgrade, try to preserve enrollment''',
},
{
'name': 'AllowUserToConfigure',
'value': 3,
'caption': '''User decides on channel downgrade behavior''',
},
],
'future_on': ['chrome_os'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'default': 1,
'example_value': 1,
'id': 757,
'caption': '''Channel downgrade behavior''',
'tags': [],
'desc': '''This policy specifies channel downgrade behavior on enrolled devices. With channel downgrade we mean switching to a more stable channel, e.g. beta to stable.
The value of this policy affects user-initiated channel downgrades as well as admin initiated channel downgrades.
On a channel downgrade, the device can either roll back its version and reset or wait for its current (or a higher) version to become available on the channel and receive no update until then.
If an enrolled user initiates a channel downgrade, they can decide to reset or wait, or the choice is made for them depending on this policy's value. If an admin initiates a channel downgrade via setting <ph name="CHROME_OS_RELEASE_CHANNEL_POLICY_NAME">ChromeOsReleaseChannel</ph>, the device is rolled back on the next update check only if rollback was selected. Otherwise, the device will wait for the target channel to catch up with its current version.
If unset or invalid, the behavior is the same as for "Wait for target channel to catch up on channel downgrade".''',
},
{
'name': 'DeviceEphemeralUsersEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 128,
'caption': '''Wipe user data on sign-out''',
'tags': [],
'desc': '''Determines whether <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> keeps local account data after logout. If set to true, no persistent accounts are kept by <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> and all data from the user session will be discarded after logout. If this policy is set to false or not configured, the device may keep (encrypted) local user data.''',
},
{
'name': 'DeviceStartUpUrls',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': [ 'https://google.com', 'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaa/' ],
'id': 137,
'caption': '''Load specified urls on demo login''',
'tags': [],
'desc': '''This policy is active in retail mode only.
Determines the set of URLs to be loaded when the demo session is started. This policy will override any other mechanisms for setting the initial URL and thus can only be applied to a session not associated with a particular user.''',
},
{
'name': 'DeviceIdleLogoutTimeout',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': 60000,
'id': 130,
'caption': '''Timeout until idle user log-out is executed''',
'tags': [],
'desc': '''This policy is active in retail mode only.
When the value of this policy is set and is not 0 then the currently logged in demo user will be logged out automatically after an inactivity time of the specified duration has elapsed.
The policy value should be specified in milliseconds.''',
},
{
'name': 'DeviceIdleLogoutWarningDuration',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': 15000,
'id': 131,
'caption': '''Duration of the idle log-out warning message''',
'tags': [],
'desc': '''This policy is active in retail mode only.
When DeviceIdleLogoutTimeout is specified this policy defines the duration of the warning box with a count down timer that is shown to the user before the logout is executed.
The policy value should be specified in milliseconds.''',
},
{
'name': 'DeviceLoginScreenSaverId',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': 'fhblcfnmnbehmifidkddcenilbpddlfk',
'id': 132,
'caption': '''Screen saver to be used on the sign-in screen in retail mode''',
'tags': [],
'desc': '''This policy is active in retail mode only.
Determines the id of the extension to be used as a screen saver on the sign-in screen. The extension must be part of the AppPack that is configured for this domain through the DeviceAppPack policy.''',
},
{
'name': 'DeviceLoginScreenSaverTimeout',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': 120000,
'id': 133,
'caption': '''Duration of inactivity before the screen saver is shown on the sign-in screen in retail mode''',
'tags': [],
'desc': '''This policy is active in retail mode only.
Determines the duration before the screen saver is shown on the sign-in screen for devices in retail mode.
The policy value should be specified in milliseconds.''',
},
{
'name': 'DeviceAppPack',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': [ '{ "extension-id": "khgabmflimjjbclkmljlpmgaleanedem", "update-url": "https://clients2.google.com/service/update2/crx" }' ],
'id': 135,
'caption': '''List of AppPack extensions''',
'tags': [],
'desc': '''This policy is active in retail mode only.
Lists extensions that are automatically installed for the Demo user, for devices in retail mode. These extensions are saved in the device and can be installed while offline, after the installation.
Each list entry contains a dictionary that must include the extension ID in the 'extension-id' field, and its update URL in the 'update-url' field.''',
},
{
'name': 'DeviceAutoUpdateDisabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 136,
'caption': '''Disable Auto Update''',
'tags': ['system-security'],
'desc': '''Disables automatic updates when set to True.
<ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices automatically check for updates when this setting is not configured or set to False.
Warning: It is recommended to keep auto-updates enabled so that users receive software updates and critical security fixes. Turning off auto-updates might leave users at risk.''',
},
{
'name': 'DeviceAutoUpdateP2PEnabled',
'owners': ['zeuthen@chromium.org', 'poromov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:31-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 242,
'caption': '''Auto update p2p enabled''',
'tags': [],
'desc': '''Specifies whether p2p is to be used for OS update payloads. If set to True, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device will fall back to downloading from an update server. If set to False or not configured, p2p will not be used.''',
},
{
'name': 'DeviceRollbackAllowedMilestones',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0,
'maximum': 4,
},
'supported_on': ['chrome_os:67-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 4,
'id': 426,
'caption': '''Number of milestones rollback is allowed''',
'tags': ['system-security'],
'desc': '''Specifies the minimum number of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> milestones rollback should be allowed starting from the stable version at any time.
Default is 0 for consumer, 4 (approx. half a year) for enterprise enrolled devices.
Setting this policy prevents rollback protection to apply for at least this number of milestones.
Setting this policy to a lower value has a permanent effect: the device MAY not be able to roll back to earlier versions even after the policy is reset to a larger value.
Actual rollback possibilities may also depend on the board and critical vulnerability patches.''',
},
{
'name': 'DeviceRollbackToTargetVersion',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3 ],
},
'items': [
{
'name': 'RollbackDisabled',
'value': 1,
'caption': '''Do not roll back to target version if OS version is newer than target. Updates are also disabled.''',
},
{
'name': 'RollbackAndPowerwash',
'value': 2,
'caption': '''Roll back and stay on target version if OS version is newer than target. Do a powerwash during the process.''',
},
{
'name': 'RollbackAndRestoreIfPossible',
'value': 3,
'caption': '''Roll back and stay on target version if OS version is newer than target. Try to carry over device-level configuration (including network credentials) through the rollback process, if possible, but do the rollback with full powerwash even if restoring the data is not possible (because the target version doesn't support restoring data or because of a backward-incompatible change).
Supported on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 75 and higher. For older clients, this value means that rollback is disabled.''',
},
],
'supported_on': ['chrome_os:67-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 1,
'id': 427,
'caption': '''Rollback to target version''',
'tags': ['system-security'],
'desc': '''Specifies whether the device should roll back to the version set by <ph name="DEVICE_TARGET_VERSION_PREFIX_POLICY_NAME">DeviceTargetVersionPrefix</ph> if it's already running a later version.
Default is RollbackDisabled.''',
},
{
'name': 'DeviceTargetVersionPrefix',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:19-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': '1412.',
'id': 142,
'caption': '''Target Auto Update Version''',
'tags': ['system-security'],
'desc': '''Sets a target version for Auto Updates.
Specifies the prefix of a target version <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> should update to. If the device is running a version that's before the specified prefix, it will update to the latest version with the given prefix. If the device is already on a later version, effects depend on the value of <ph name="DEVICE_ROLLBACK_TO_TARGET_VERSION_POLICY_NAME">DeviceRollbackToTargetVersion</ph>. The prefix format works component-wise as is demonstrated in the following example:
"" (or not configured): update to latest version available.
"1412.": update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2)
"1412.2.": update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2)
"1412.24.34": update to this specific version only
Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version prefix might leave users at risk.''',
},
{
'name': 'DeviceUpdateScatterFactor',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:20-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 7200,
'id': 145,
'caption': '''Auto update scatter factor''',
'tags': ['system-security'],
'desc': '''Specifies the number of seconds up to which a device may randomly delay its download of an update from the time the update was first pushed out to the server. The device may wait a portion of this time in terms of wall-clock-time and the remaining portion in terms of the number of update checks. In any case, the scatter is upper bounded to a constant amount of time so that a device does not ever get stuck waiting to download an update forever.''',
},
{
'name': 'DeviceUpdateAllowedConnectionTypes',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:21-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ 'ethernet' ],
'id': 146,
'caption': '''Connection types allowed for updates''',
'tags': [],
'desc': ''' The types of connections that are allowed to use for OS updates. OS updates potentially put heavy strain on the connection due to their size and may incur additional cost. Therefore, they are by default not enabled for connection types that are considered expensive (currently only "cellular").
The recognized connection type identifiers are <ph name="CONNECTION_TYPE_ETHERNET_NAME">"ethernet"</ph>, <ph name="CONNECTION_TYPE_WIFI_NAME">"wifi"</ph>, and <ph name="CONNECTION_TYPE_CELLULAR_NAME">"cellular"</ph>.''',
},
{
'name': 'DeviceUpdateHttpDownloadsEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': {
'type': 'boolean',
},
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 243,
'caption': '''Allow autoupdate downloads via HTTP''',
'tags': [],
'desc': '''Auto-update payloads on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can be downloaded via HTTP instead of HTTPS. This allows transparent HTTP caching of HTTP downloads.
If this policy is set to true, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will attempt to download auto-update payloads via HTTP. If the policy is set to false or not set, HTTPS will be used for downloading auto-update payloads.''',
},
{
'name': 'DeviceLocalAccounts',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:25-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ "demo@example.com" ],
'id': 163,
'caption': '''Device-local accounts''',
'tags': [],
'desc': '''Setting the policy specifies the list of device-local accounts to display on the sign-in screen. Identifiers tell the different device-local accounts apart.
If the policy is unset or an empty list, there are no device-local accounts.''',
},
{
'name': 'DeviceLocalAccountAutoLoginId',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:26-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': "public@example.com",
'id': 194,
'caption': '''Device-local account for auto-login''',
'tags': [],
'desc': '''Setting the policy means the specified session is automatically signed if there is no user interaction at the sign-in screen within the time specified in <ph name="DEVICE_LOCAL_ACCOUNT_AUTO_LOGIN_DELAY_POLICY_NAME">DeviceLocalAccountAutoLoginDelay</ph>. The device-local account must already be set up (see <ph name="DEVICE_LOCAL_ACCOUNTS_POLICY_NAME">DeviceLocalAccounts</ph>).
Leaving it unset means there's no automatic sign-in.''',
},
{
'name': 'DeviceLocalAccountAutoLoginDelay',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:26-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 180000,
'id': 195,
'caption': '''Device-local account auto-login timer''',
'tags': [],
'desc': '''Setting the policy determines the amount of time in milliseconds without user activity before automatically signing in to the device-local account specified by the <ph name="DEVICE_LOCAL_ACCOUNT_AUTO_LOGIN_ID_POLICY_NAME">DeviceLocalAccountAutoLoginId</ph> policy.
Leaving it unset means 0 milliseconds is used as the timeout.
If the <ph name="DEVICE_LOCAL_ACCOUNT_AUTO_LOGIN_ID_POLICY_NAME">DeviceLocalAccountAutoLoginId</ph> policy is unset, this policy has no effect.'''
},
{
'name': 'DeviceLocalAccountAutoLoginBailoutEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:28-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 202,
'caption': '''Enable bailout keyboard shortcut for auto-login''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means a device-local account is set up for zero-delay, automatic sign-in. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> honors the keyboard shortcut Ctrl+Alt+S for bypassing automatic sign-in and showing the sign-in screen.
Setting the policy to Disabled means users can't bypass zero-delay automatic sign-in (if configured).'''
},
{
'name': 'DeviceLocalAccountPromptForNetworkWhenOffline',
'owners': ['xiyuan@chromium.org', 'poromov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:33-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 250,
'caption': '''Enable network configuration prompt when offline''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means when a device is offline, if a device-local account is set for zero-delay, automatic sign-in, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows a network-configuration prompt.
Setting the policy to Disabled has an error message displayed instead.'''
},
{
'name': 'DeviceLocalAccountManagedSessionEnabled',
'owners': ['isandrk@chromium.org', 'file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:70-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 463,
'caption': '''Allow managed session on device''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 88. Public sessions are no longer supported. Please use <ph name="DEVICE_LOCAL_ACCOUNTS_POLICY_NAME">DeviceLocalAccounts</ph> to configure managed-guest sessions instead.
If this policy is set to false, managed guest session will behave as documented in https://support.google.com/chrome/a/answer/3017014 - the standard "Public Session".
If this policy is set to true or left unset, managed guest session will take on "Managed Session" behaviour which lifts many of the restrictions that are in place for regular "Public Sessions".
If this policy is set, the user cannot change or override it.''',
},
{
'name': 'DeviceBlockDevmode',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:37-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 266,
'caption': '''Block developer mode''',
'tags': [],
'desc': '''Setting the policy to Enabled means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> stops the device from going into Developer mode.
Setting the policy to Disabled or leaving it unset keeps Developer mode available for the device.''',
'arc_support': 'This policy controls <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> developer mode only. If you want to prevent access to Android Developer Options, you need to set the <ph name="DEVELOPER_TOOLS_DISABLED_POLICY_NAME">DeveloperToolsDisabled</ph> policy.',
}, {
'name': 'ManagedGuestSessionAutoLaunchNotificationReduced',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:83-88'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 688,
'caption': '''Reduce Managed-guest session auto-launch notifications''',
'tags': [],
'desc': ''' Note that this policy is deprecated in M87 and removed in M89. Please use <ph name="MANAGED_GUEST_SESSION_PRIVACY_WARNINGS_POLICY_NAME">ManagedGuestSessionPrivacyWarningsEnabled</ph> to configure the privacy warnings of managed-guest sessions instead.
Control the auto launch notification of the managed guest session on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
If this policy is set to True, the privacy warning notification will be closed after some seconds.
If the policy is set to False or not set, the privacy warning notification will be pinned until the user dismisses it.''',
},
{
'name': 'ManagedGuestSessionPrivacyWarningsEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'ayaelattar@chromium.org'],
'device_only': True,
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os: 84-' ],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 723,
'caption': '''Reduce Managed-guest session auto-launch notifications''',
'tags': [],
'desc': ''' Controls the privacy warning of the managed-guest session on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
If this policy is set to False, the privacy warnings on the login screen and the auto-launch notification inside the managed-guest session will get deactivated.
This policy should not be used for devices used by the general public.
If the policy is set to True or not set, the privacy warning notification in the auto-launched managed-guest session will be pinned until the user dismisses it.''',
},
{
'name': 'BackgroundModeEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:19-', 'chrome.linux:19-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 138,
'caption': '''Continue running background apps when <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is closed''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled turns background mode on. In backgroudn mode, a <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> process is started on OS sign-in and keeps running when the last browser window is closed, allowing background apps and the browsing session to remain active, including any session cookies. The background process displays an icon in the system tray and can always be closed from there.
Setting the policy to Disabled turns background mode off.
If you set the policy, users can't change it in the browser settings. If unset, background mode is off at first, but users can change it.''',
},
{
'name': 'DriveDisabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 139,
'caption': '''Disable Drive in the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Files app''',
'tags': [],
'desc': '''Setting the policy to Enabled turns off <ph name="GOOGLE_DRIVE_NAME">Google Drive</ph> syncing in the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Files app. No data is uploaded to Drive.
Setting the policy to Disabled or leaving it unset lets users transfer files to Drive.''',
'arc_support': 'This policy does not prevent the user from using the Android Google Drive app. If you want to prevent access to Google Drive, you should disallow installation of the Android Google Drive app as well.',
},
{
'name': 'DriveDisabledOverCellular',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 140,
'caption': '''Disable Google Drive over cellular connections in the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Files app''',
'tags': [],
'desc': '''Setting the policy to Enabled turns off <ph name="GOOGLE_DRIVE_NAME">Google Drive</ph> syncing in the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Files app when on a cellular connection. Data is only synced to Drive when connected through Wi-Fi or Ethernet.
Setting the policy to Disabled or leaving it unset lets users transfer files to Drive on cellular connections.''',
'arc_support': 'This policy has no effect on the Android Google Drive app. If you want to prevent use of Google Drive over cellular connections, you should disallow installation of the Android Google Drive app.',
},
{
'name': 'PinnedLauncherApps',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:20-' ],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['pjkljhegncpnkpknbcohdijeoejaedia', 'com.google.android.gm', 'https://google.com/maps'],
'id': 144,
'caption': '''List of pinned apps to show in the launcher''',
'tags': [],
'desc': '''Setting the policy fixes which application identifiers <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows as pinned apps in the launcher bar, and users can't change them.
Specify Chrome apps by their ID, such as pjkljhegncpnkpknbcohdijeoejaedia; Android apps by their package name, such as com.google.android.gm; and web apps by the URL used in <ph name="WEB_APP_INSTALL_FORCE_LIST_POLICY_NAME">WebAppInstallForceList</ph>, such as https://google.com/maps.
Leaving it unset lets users change the list of pinned apps in the launcher.''',
'arc_support': 'This policy can also be used to pin Android apps.',
},
{
'name': 'RestrictSigninToPattern',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:21-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '.*@example.com',
'id': 147,
'caption': '''Restrict which Google accounts are allowed to be set as browser primary accounts in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''Contains a regular expression which is used to determine which Google accounts can be set as browser primary accounts in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> (i.e. the account that is chosen during the Sync opt-in flow).
An appropriate error is displayed if a user tries to set a browser primary account with a username that does not match this pattern.
If this policy is left not set or blank, then the user can set any Google account as a browser primary account in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
},
{
'name': 'DisableSafeBrowsingProceedAnyway',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:22-',
'chrome_os:22-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 150,
'caption': '''Disable proceeding from the Safe Browsing warning page''',
'tags': [],
'desc': '''Setting the policy to Enabled prevents users from proceeding past the warning page the Safe Browsing service shows to the malicious site. This policy only prevents users from proceeding on Safe Browsing warnings such as malware and phishing, not for SSL certificate-related issues such as invalid or expired certificates.
Setting the policy to Disabled or leaving it unset means users can choose to proceed to the flagged site after the warning appears.
See more about Safe Browsing ( https://developers.google.com/safe-browsing ).''',
},
{
'name': 'SafeBrowsingExtendedReportingOptInAllowed',
'owners': ['estark@chromium.org', 'meacer@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:44-84', 'chrome_os:44-84'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 299,
'caption': '''Allow users to opt in to Safe Browsing extended reporting''',
'tags': [],
'desc': '''This policy is deprecated in M82 and removed in M85, use <ph name="SAFE_BROWSING_EXTENDED_REPORTING_ENABLED_POLICY_NAME">SafeBrowsingExtendedReportingEnabled</ph> instead. Disabling <ph name="SAFE_BROWSING_EXTENDED_REPORTING_OPT_IN_ALLOWED_POLICY_NAME">SafeBrowsingExtendedReportingOptInAllowed</ph> is equivalent to disabling <ph name="SAFE_BROWSING_EXTENDED_REPORTING_ENABLED_POLICY_NAME">SafeBrowsingExtendedReportingEnabled</ph>. Enabling <ph name="SAFE_BROWSING_EXTENDED_REPORTING_OPT_IN_ALLOWED_POLICY_NAME">SafeBrowsingExtendedReportingOptInAllowed</ph> or leaving this setting unset is equivalent to leaving <ph name="SAFE_BROWSING_EXTENDED_REPORTING_ENABLED_POLICY_NAME">SafeBrowsingExtendedReportingEnabled</ph> unset.
Setting this policy to false stops users from choosing to send some system information and page content to Google servers. If this setting is true or not configured, then users will be allowed to send some system information and page content to Safe Browsing to help detect dangerous apps and sites.
See https://developers.google.com/safe-browsing for more info on Safe Browsing.''',
},
{
'name': 'SpellCheckServiceEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:22-', 'chrome_os:22-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Use a Google web service to help resolve spelling errors',
},
{
'value': False,
'caption': 'Do not use any Google web services to help resolve spelling errors',
},
{
'value': None,
'caption': 'Allow the user to choose if Google web services are used to resolve spelling errors',
},
],
'example_value': False,
'default': None,
'id': 151,
'caption': '''Enable or disable spell checking web service''',
'tags': [],
'desc': '''Setting the policy to Enabled puts a Google web service in use to help resolve spelling errors. This policy only controls the use of the online service. Setting the policy to Disabled means this service is never used.
Leaving the policy unset lets users choose whether to use the spellcheck service.
The spell check can always use a downloaded dictionary locally unless the feature is disabled by <ph name="SPELLCHECK_ENABLED_POLICY_NAME">SpellcheckEnabled</ph> in which case this policy will have no effect.''',
},
{
'name': 'ExternalStorageDisabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:22-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 152,
'caption': '''Disable mounting of external storage''',
'tags': [],
'desc': '''Setting the policy to True makes all types of external storage media (USB flash drives, external hard drives, SD and other memory cards, optical storage) unavailable in the file browser. Setting the policy to False or leaving it unset means users can use external storage on their device.
Note: The policy doesn't affect Google Drive and internal storage. Users can still access files saved in the Downloads folder.''',
},
{
'name': 'ExternalStorageReadOnly',
'owners': ['yamaguchi@chromium.org'],
'id': 343,
'type': 'main',
'schema': { 'type': 'boolean' },
'tags': [],
'supported_on': ['chrome_os:54-'],
'caption': '''Treat external storage devices as read-only''',
'desc': '''Setting the policy to True prevents users from writing to external storage devices.
Unless external storage is blocked, if you set ExternalStorageReadOnly to False or leave it unset, users can create and modify files of physically writable, external storage devices. (You can block external storage by setting ExternalStorageDisable to True.)''',
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True
},
{
'name': 'AudioOutputAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:23-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 159,
'caption': '''Allow playing audio''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset allows all supported audio outputs on the users' devices.
Setting the policy to Disabled allows no audio output while users are signed in.
Note: The policy affects all audio output, including audio accessibility features. Do not turn the policy off if a user requires a screen reader.''',
},
{
'name': 'AudioCaptureAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:25-', 'chrome_os:23-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 160,
'caption': '''Allow or deny audio capture''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the AudioCaptureAllowedUrls list, users get prompted for audio capture access.
Setting the policy to Disabled turns off prompts, and audio capture is only available to URLs set in the AudioCaptureAllowedUrls list.
Note: The policy affects all audio input (not just the built-in microphone).''',
'arc_support': 'For Android apps, this policy affects the microphone only. When this policy is set to true, the microphone is muted for all Android apps, with no exceptions.',
},
{
'name': 'AudioCaptureAllowedUrls',
'owners': ['guidou@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:29-', 'chrome_os:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com/', 'https://[*.]example.edu/'],
'id': 208,
'caption': '''URLs that will be granted access to audio capture devices without prompt''',
'tags': ['website-sharing'],
'desc': '''Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to audio capture devices without prompt
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
},
{
'name': 'VideoCaptureAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:25-', 'chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 167,
'caption': '''Allow or deny video capture''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the VideoCaptureAllowedUrls list, users get prompted for video capture access.
Setting the policy to Disabled turns off prompts, and video capture is only available to URLs set in the VideoCaptureAllowedUrls list.
Note: The policy affects all video input (not just the built-in camera).''',
},
{
'name': 'VideoCaptureAllowedUrls',
'owners': ['guidou@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:29-', 'chrome_os:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com/', 'https://[*.]example.edu/'],
'id': 209,
'caption': '''URLs that will be granted access to video capture devices without prompt''',
'tags': ['website-sharing'],
'desc': '''Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to video capture devices without prompt
For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
},
{
'name': 'DisableScreenshots',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:22-', 'chrome.*:22-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 153,
'caption': '''Disable taking screenshots''',
'tags': [],
'desc': '''Setting the policy to True disallows screenshots taken with keyboard shortcuts or extension APIs. Setting the policy to False allows screenshots.'''
},
{
'name': 'SystemTimezone',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:22-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 'America/Los_Angeles',
'id': 158,
'caption': '''Timezone''',
'tags': [],
'desc': '''Setting the policy specifies a device's time zone and turns off location-based automatic time zone adjustment while overriding the <ph name="SYSTEM_TIMEZONE_AUTOMATIC_DETECTION_POLICY_NAME">SystemTimezoneAutomaticDetection</ph> policy. Users can't change the time zone.
New devices start with the time zone set to US Pacific. Value format follows the names in the IANA Time Zone Database ( https://en.wikipedia.org/wiki/Tz_database ). Entering an invalid value activates the policy using GMT.
If not set or if you enter an empty string, the device uses the currently active time zone, but users can change it.''',
},
{
'name': 'SystemUse24HourClock',
'owners': ['alemate@chromium.org', 'michaelpg@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:30-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 236,
'caption': '''Use 24 hour clock by default''',
'tags': [],
'desc': '''Setting the policy to True gives a device's sign-in screen a 24-hour clock format.
Setting the policy to False gives a device's sign-in screen a 12-hour clock format.
Leaving the policy unset makes a device use the format from the current locale.
User sessions also default to the device format, but users can change an account's clock format.''',
},
{
'name': 'TouchVirtualKeyboardEnabled',
'owners': ['rsadam@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:37-' ],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': False,
'id': 269,
'caption': '''Enable virtual keyboard''',
'tags': [],
'desc': '''Setting the policy to Enabled keeps the on-screen virtual keyboard (a Chrome OS input device) on. Setting the policy to Disabled keeps this keyboard off.
If you set the policy, users can't change it. (They can turn an accessibility on-screen keyboard that takes precedence over the virtual keyboard on or off. See the VirtualKeyboardEnabled policy.)
If not set, the keyboard is off, but users can change it.
Note: Heuristic rules might also factor into keyboard display.''',
},
{
'name': 'ShowLogoutButtonInTray',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 164,
'caption': '''Add a logout button to the system tray''',
'tags': [],
'desc': '''Setting the policy to True displays a big, red sign-out button in the system tray during active sessions while the screen isn't locked.
Setting the policy to False or leaving it unset means no button appears.''',
},
{
'name': 'BuiltInDnsClientEnabled',
'owners': ['szym@chromium.org', 'pmarko@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'android:73-',
'chrome.*:25-',
'chrome_os:73-',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 165,
'caption': '''Use built-in DNS client''',
'tags': [],
'desc': '''This policy controls which software stack is used to communicate with the DNS server: the Operating System DNS client, or <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s built-in DNS client. This policy does not affect which DNS servers are used: if, for example, the operating system is configured to use an enterprise DNS server, that same server would be used by the built-in DNS client. It also does not control if DNS-over-HTTPS is used; <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will always use the built-in resolver for DNS-over-HTTPS requests. Please see the <ph name="DNS_OVER_HTTPS_MODE_POLICY_NAME">DnsOverHttpsMode</ph> policy for information on controlling DNS-over-HTTPS.
If this policy is set to Enabled, the built-in DNS client will be used, if available.
If this policy is set to Disabled, the built-in DNS client will only be used when DNS-over-HTTPS is in use.
If this policy is left unset, the built-in DNS client will be enabled by default on <ph name="MAC_OS_NAME">macOS</ph>, <ph name="ANDROID_NAME">Android</ph> (when neither Private DNS nor VPN are enabled) and <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
},
{
'name': 'DnsOverHttpsMode',
'owners': ['dalyk@chromium.org', 'ericorth@chromium.org', 'bingler@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'off',
'automatic',
'secure',
],
},
'items': [
{
'name': 'off',
'value': 'off',
'caption': '''Disable DNS-over-HTTPS''',
},
{
'name': 'automatic',
'value': 'automatic',
'caption': '''Enable DNS-over-HTTPS with insecure fallback''',
},
{
'name': 'secure',
'value': 'secure',
'caption': '''Enable DNS-over-HTTPS without insecure fallback''',
}
],
'supported_on': [
'android:85-',
'chrome_os:78-',
'chrome.*:78-',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'off',
'id': 582,
'default_for_enterprise_users': 'off',
'caption': '''Controls the mode of DNS-over-HTTPS''',
'tags': [],
'desc': '''Controls the mode of the DNS-over-HTTPS resolver. Please note that this policy will only set the default mode for each query. The mode may be overridden for special types of queries such as requests to resolve a DNS-over-HTTPS server hostname.
The <ph name="SECURE_DNS_MODE_OFF">"off"</ph> mode will disable DNS-over-HTTPS.
The <ph name="SECURE_DNS_MODE_AUTOMATIC">"automatic"</ph> mode will send DNS-over-HTTPS queries first if a DNS-over-HTTPS server is available and may fallback to sending insecure queries on error.
The <ph name="SECURE_DNS_MODE_SECURE">"secure"</ph> mode will only send DNS-over-HTTPS queries and will fail to resolve on error.
On <ph name="ANDROID_VERSION">Android Pie</ph> and above, if DNS-over-TLS is active, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not send insecure DNS requests.
If this policy is unset the browser may send DNS-over-HTTPS requests to a resolver associated with the user's configured system resolver.''',
},
{
'name': 'DnsOverHttpsTemplates',
'owners': ['dalyk@chromium.org', 'ericorth@chromium.org', 'bingler@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'android:85-',
'chrome_os:80-',
'chrome.*:80-',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'https://dns.example.net/dns-query{?dns}',
'id': 642,
'caption': '''Specify URI template of desired DNS-over-HTTPS resolver''',
'tags': [],
'desc': '''The URI template of the desired DNS-over-HTTPS resolver. To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces.
If the DnsOverHttpsMode is set to <ph name="SECURE_DNS_MODE_SECURE">"secure"</ph> then this policy must be set and not empty.
If the DnsOverHttpsMode is set to <ph name="SECURE_DNS_MODE_AUTOMATIC">"automatic"</ph> and this policy is set then the URI templates specified will be used; if this policy is unset then hardcoded mappings will be used to attempt to upgrade the user's current DNS resolver to a DoH resolver operated by the same provider.
If the URI template contains a <ph name="HTTP_VARIABLE_DNS">dns</ph> variable, requests to the resolver will use <ph name="HTTP_METHOD_GET">GET</ph>; otherwise requests will use <ph name="HTTP_METHOD_POST">POST</ph>.
Incorrectly formatted templates will be ignored.''',
},
{
'name': 'ShelfAutoHideBehavior',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'Always',
'Never'
],
},
'items': [
{
'name': 'AlwaysAutoHideShelf',
'value': 'Always',
'caption': '''Always auto-hide the shelf''',
},
{
'name': 'NeverAutoHideShelf',
'value': 'Never',
'caption': '''Never auto-hide the shelf''',
},
],
'supported_on': ['chrome_os:25-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'Always',
'id': 166,
'caption': '''Control shelf auto-hiding''',
'tags': [],
'desc': '''Setting the policy to Always will autohide the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shelf. Setting the policy to Never ensures the shelf never autohides.
If you set the policy, users can't change it. If not set, users decide whether the shelf autohides.''',
},
{
'name': 'ShelfAlignment',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string-enum',
# In shelf_prefs.cc, there are 3 const char[] defining kShelfAlignmentLocal values:
# ash::kShelfAlignmentBottom = "Bottom", ash::kShelfAlignmnetLeft = "Left",
# ash::kShelfAlignmnetRight = "Right"
# If any of them changed, this policy should be updated.
'schema': {
'type': 'string',
'enum': [
'Left',
'Bottom',
'Right'
],
},
'items': [
{
'name': 'Left',
'value': 'Left',
'caption': '''Position the shelf on the left side of the screen''',
},
{
'name': 'Bottom',
'value': 'Bottom',
'caption': '''Position the shelf at the bottom of the screen''',
},
{
'name': 'Right',
'value': 'Right',
'caption': '''Position the shelf on the right side of the screen''',
},
],
'supported_on': ['chrome_os:79-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'Bottom',
'id': 620,
'caption': '''Control the shelf position''',
'tags': [],
'desc': '''Control the position of the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shelf.
If this policy is set to 'Bottom', the shelf will be placed at the bottom of the screen.
If this policy is set to 'Left', the shelf will be placed on the left side of the screen.
If this policy is set to 'Right', the shelf will be placed on the right side of the screen.
If you set this policy as mandatory, users cannot change or override it.
If the policy is left not set, the shelf will be be positioned at the bottom of the screen by default and the user can change the shelf's position.''',
},
{
'name': 'SystemFeaturesDisableList',
'owners': ['file://components/policy/resources/OWNERS', 'ayaelattar@chromium.org'],
'type': 'string-enum-list',
'schema': {
'type': 'array',
'items' : {
'type': 'string',
'enum': [
'browser_settings',
'os_settings',
'camera',
'scanning',
],
},
},
'items': [
{
'name': 'browser_settings',
'value': 'browser_settings',
'caption': '''Browser Settings''',
},
{
'name': 'os_settings',
'value': 'os_settings',
'caption': '''OS Settings''',
},
{
'name': 'camera',
'value': 'camera',
'caption': '''Camera''',
},
{
'name': 'scanning',
'value': 'scanning',
'caption': '''Scanning (supported since version 87)''',
},
],
'supported_on': ['chrome_os:84-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': ['camera', 'browser_settings', 'os_settings', 'scanning'],
'id': 689,
'caption': '''Configure the camera, browser settings, os settings, and scanning features to be disabled''',
'tags': [],
'desc': '''Allows you to set a list of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> features to be disabled.
Disabling any of these features means that the user can't access it from the UI and will see it as "disabled by admin". The user experience of disabled features is decided by <ph name="SYSTEM_FEATURES_DISABLE_MODE">SystemFeaturesDisableMode</ph>
If the policy is left not set, all <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> features will be enabled by default and the user can use any of them.
Note: The scanning feature is currently disabled by default via a feature flag. If the user enables the feature via the feature flag, the feature can still be disabled by this policy.''',
},
{
'name': 'SystemFeaturesDisableMode',
'owners': ['anqing@chromium.org'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'blocked',
'hidden',
],
},
'items': [
{
'name': 'blocked',
'value': 'blocked',
'caption': '''Block the disabled features''',
},
{
'name': 'hidden',
'value': 'hidden',
'caption': '''Hide and block the disabled features''',
},
],
'future_on': ['chrome_os'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'blocked',
'default': 'blocked',
'id': 807,
'caption': '''Set the user experience of disabled features''',
'tags': [],
'desc': '''Controls the user experience of disabled features listed in <ph name="SYSTEM_FEATURES_DISABLE_LIST">SystemFeaturesDisableList</ph>.
If this policy is set to "blocked", the disabled features will become unusable but still visible to users.
If this policy is set to "hidden", the disabled features will become unusable and invisible to users.
If this policy is left unset or has an invalid value, the disable mode of system features will be "blocked".''',
},
{
'name': 'FloatingAccessibilityMenuEnabled',
'owners': ['apotapchuk@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:84-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 691,
'caption': '''Enables the floating accessibility menu''',
'tags': [],
'desc': '''In kiosk mode, controls whether the floating accessibility menu is being shown.
If this policy is set to enabled, the floating accessibility menu will be always shown.
If this policy is set to disabled or left unset, the floating accessibility menu will never be shown.''',
},
{
'name': 'UserDisplayName',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'Policy User',
'id': 169,
'caption': '''Set the display name for device-local accounts''',
'tags': [],
'desc': '''Controls the account name <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows on the login screen for the corresponding device-local account.
If this policy is set, the login screen will use the specified string in the picture-based login chooser for the corresponding device-local account.
If the policy is left not set, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will use the device-local account's email account ID as the display name on the login screen.
This policy is ignored for regular user accounts.''',
},
{
'name': 'SessionLengthLimit',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 3600000,
'id': 170,
'caption': '''Limit the length of a user session''',
'tags': [],
'desc': '''When this policy is set, it specifies the length of time after which a user is automatically logged out, terminating the session. The user is informed about the remaining time by a countdown timer shown in the system tray.
When this policy is not set, the session length is not limited.
If you set this policy, users cannot change or override it.
The policy value should be specified in milliseconds. Values are clamped to a range of 30 seconds to 24 hours.''',
},
{
'name': 'FullscreenAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:31-', 'chrome.linux:31-', 'chrome_os:31-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 240,
'caption': '''Allow fullscreen mode''',
'tags': [],
'desc': '''Setting the policy to True or leaving it unset means that, with appropriate permissions, users, apps, and extensions can enter Fullscreen mode (in which only web content appears).
Setting the policy to False means users, apps, and extensions can't enter Fullscreen mode.''',
'arc_support': 'This policy has no effect on the Android apps. They will be able to enter fullscreen mode even if this policy is set to <ph name="FALSE">False</ph>.',
},
{
'id': 804,
'name': 'FullscreenAlertEnabled',
'caption': '''Enable fullscreen alert''',
'owners': ['zxdan@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean'},
'supported_on': ['chrome_os:88-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Enable fullscreen alert',
},
{
'value': False,
'caption': 'Disable show fullscreen alert',
},
{
'value': None,
'caption': 'Enable fullscreen alert',
},
],
'default': None,
'example_value': False,
'tags': [],
'desc': '''Specifies whether the fullscreen alert should be shown when the device returns from sleep or dark screen.
When the policy is unset or set to True, an alert will be shown to remind the users to exit fullscreen before entering password. When the policy is set to False, no alert would be shown.''',
},
{
'name': 'ScreenDimDelayAC',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 420000,
'id': 172,
'caption': '''Screen dim delay when running on AC power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
Specifies the length of time without user input after which the screen is dimmed when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> dims the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not dim the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.''',
},
{
'name': 'ScreenOffDelayAC',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 480000,
'id': 173,
'caption': '''Screen off delay when running on AC power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
Specifies the length of time without user input after which the screen is turned off when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> turns off the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not turn off the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.''',
},
{
'name': 'ScreenLockDelayAC',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 600000,
'id': 174,
'caption': '''Screen lock delay when running on AC power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="SCREEN_LOCK_DELAYS_POLICY_NAME">ScreenLockDelays</ph> instead.
Specifies the length of time without user input after which the screen is locked when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> locks the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not lock the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The recommended way to lock the screen on idle is to enable screen locking on suspend and have <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.''',
},
{
'name': 'IdleWarningDelayAC',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:27-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 545000,
'id': 197,
'caption': '''Idle warning delay when running on AC power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
Specifies the length of time without user input after which a warning dialog is shown when running on AC power.
When this policy is set, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows a warning dialog telling the user that the idle action is about to be taken.
When this policy is unset, no warning dialog is shown.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
The warning message is only shown if the idle action is to logout or shut down.''',
},
{
'name': 'IdleDelayAC',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 1800000,
'id': 175,
'caption': '''Idle delay when running on AC power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
Specifies the length of time without user input after which the idle action is taken when running on AC power.
When this policy is set, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes the idle action, which can be configured separately.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds.''',
},
{
'name': 'ScreenDimDelayBattery',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 300000,
'id': 176,
'caption': '''Screen dim delay when running on battery power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
Specifies the length of time without user input after which the screen is dimmed when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> dims the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not dim the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.''',
},
{
'name': 'ScreenOffDelayBattery',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 360000,
'id': 177,
'caption': '''Screen off delay when running on battery power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
Specifies the length of time without user input after which the screen is turned off when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> turns off the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not turn off the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.''',
},
{
'name': 'ScreenLockDelayBattery',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 600000,
'id': 178,
'caption': '''Screen lock delay when running on battery power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="SCREEN_LOCK_DELAYS_POLICY_NAME">ScreenLockDelays</ph> instead.
Specifies the length of time without user input after which the screen is locked when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> locks the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not lock the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The recommended way to lock the screen on idle is to enable screen locking on suspend and have <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.''',
},
{
'name': 'IdleWarningDelayBattery',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:27-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 545000,
'id': 198,
'caption': '''Idle warning delay when running on battery power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
Specifies the length of time without user input after which a warning dialog is shown when running on battery power.
When this policy is set, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows a warning dialog telling the user that the idle action is about to be taken.
When this policy is unset, no warning dialog is shown.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
The warning message is only shown if the idle action is to logout or shut down.''',
},
{
'name': 'IdleDelayBattery',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 600000,
'id': 179,
'caption': '''Idle delay when running on battery power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
Specifies the length of time without user input after which the idle action is taken when running on battery power.
When this policy is set, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes the idle action, which can be configured separately.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds.''',
},
{
'name': 'IdleAction',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'IdleActionSuspend',
'value': 0,
'caption': '''Suspend''',
},
{
'name': 'IdleActionLogout',
'value': 1,
'caption': '''Log the user out''',
},
{
'name': 'IdleActionShutdown',
'value': 2,
'caption': '''Shut down''',
},
{
'name': 'IdleActionDoNothing',
'value': 3,
'caption': '''Do nothing''',
},
],
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 0,
'id': 180,
'caption': '''Action to take when the idle delay is reached''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
This policy provides a fallback value for the more-specific <ph name="IDLE_ACTION_AC_POLICY_NAME">IdleActionAC</ph> and <ph name="IDLE_ACTION_BATTERY_POLICY_NAME">IdleActionBattery</ph> policies. If this policy is set, its value gets used if the respective more-specific policy is not set.
When this policy is unset, behavior of the more-specific policies remains unaffected.''',
},
{
'name': 'IdleActionAC',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'IdleActionSuspend',
'value': 0,
'caption': '''Suspend''',
},
{
'name': 'IdleActionLogout',
'value': 1,
'caption': '''Log the user out''',
},
{
'name': 'IdleActionShutdown',
'value': 2,
'caption': '''Shut down''',
},
{
'name': 'IdleActionDoNothing',
'value': 3,
'caption': '''Do nothing''',
},
],
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 0,
'id': 226,
'caption': '''Action to take when the idle delay is reached while running on AC power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
When this policy is set, it specifies the action that <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.
When this policy is unset, the default action is taken, which is suspend.
If the action is suspend, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can separately be configured to either lock or not lock the screen before suspending.''',
},
{
'name': 'IdleActionBattery',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'IdleActionSuspend',
'value': 0,
'caption': '''Suspend''',
},
{
'name': 'IdleActionLogout',
'value': 1,
'caption': '''Log the user out''',
},
{
'name': 'IdleActionShutdown',
'value': 2,
'caption': '''Shut down''',
},
{
'name': 'IdleActionDoNothing',
'value': 3,
'caption': '''Do nothing''',
},
],
# TODO(https://crbug.com/1016253): Remove this policy in M85.
'supported_on': ['chrome_os:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 0,
'id': 222,
'caption': '''Action to take when the idle delay is reached while running on battery power''',
'tags': [],
'desc': '''Note that this policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 85. Please use <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph> instead.
When this policy is set, it specifies the action that <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.
When this policy is unset, the default action is taken, which is suspend.
If the action is suspend, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can separately be configured to either lock or not lock the screen before suspending.''',
},
{
'name': 'LidCloseAction',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'LidCloseActionSuspend',
'value': 0,
'caption': '''Suspend''',
},
{
'name': 'LidCloseActionLogout',
'value': 1,
'caption': '''Log the user out''',
},
{
'name': 'LidCloseActionShutdown',
'value': 2,
'caption': '''Shut down''',
},
{
'name': 'LidCloseActionDoNothing',
'value': 3,
'caption': '''Do nothing''',
},
],
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 0,
'id': 181,
'caption': '''Action to take when the user closes the lid''',
'tags': [],
'desc': '''Setting the policy specifies the action that <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes when the user closes the device's lid.
Leaving the policy unset means the Suspend action is taken.
Note: If the action is Suspend, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can separately be set up to lock or not lock the screen before suspending.''',
},
{
'name': 'PowerManagementUsesAudioActivity',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 182,
'caption': '''Specify whether audio activity affects power management''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means the user is not considered idle while audio plays. This prevents the idle timeout from being reached and the idle action from being taken. However, screen dimming, screen off, and screen lock will still occur after their configured timeouts despite audio activity.
Setting the policy to Disabled means the system can consider users idle despite audio activity.''',
},
{
'name': 'PowerManagementUsesVideoActivity',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 183,
'caption': '''Specify whether video activity affects power management''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means the user is not considered idle while video plays. This prevents the idle delay, screen dim delay, screen off delay, and screen lock delay from being reached and the corresponding actions from being taken.
Setting the policy to Disabled means the system can consider users idle despite video activity.''',
'arc_support': 'Video playing in Android apps is not taken into consideration, even if this policy is set to <ph name="TRUE">True</ph>.',
},
{
'name': 'PresentationIdleDelayScale',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:26-28'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 200,
'id': 184,
'caption': '''Percentage by which to scale the idle delay in presentation mode (deprecated)''',
'tags': [],
'desc': '''This policy has been retired as of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 29. Please use the PresentationScreenDimDelayScale policy instead.''',
},
{
'name': 'PresentationScreenDimDelayScale',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 200,
'id': 220,
'caption': '''Percentage by which to scale the screen dim delay in presentation mode''',
'tags': [],
'desc': '''If <ph name="POWER_SMART_DIM_ENABLED_POLICY_NAME">PowerSmartDimEnabled</ph> is Disabled, then setting <ph name="PRESENTATION_SCREEN_DIM_DELAY_SCALE_POLICY_NAME">PresentationScreenDimDelayScale</ph> specifies the percent that the screen dim delay scales when the device is presenting. When the screen dim delay scales, the screen off, screen lock, and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
Leaving the policy unset puts a default scale factor in use.
Note: The scale factor must be 100% or more.''',
},
{
'name': 'AllowWakeLocks',
'owners': ['file://chrome/browser/chromeos/login/demo_mode/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:71-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Allow wake locks for power management',
},
{
'value': False,
'caption': 'Ignore requests for wake locks for power management',
},
],
'example_value': False,
'default': True,
'id': 491,
'caption': '''Allow wake locks''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset allows wake locks for power management. Extensions can request wake locks through the power management extension API and ARC apps.
Setting the policy to Disabled means wake lock requests are ignored.''',
},
{
'name': 'AllowScreenWakeLocks',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:28-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Allow screen wake locks for power management',
},
{
'value': False,
'caption': 'Demote screen wake lock requests to system wake lock requests',
},
],
'example_value': False,
'default': True,
'id': 203,
'caption': '''Allow screen wake locks''',
'tags': [],
'desc': '''Unless <ph name="ALLOW_WAKE_LOCKS_POLICY_NAME">AllowWakeLocks</ph> is set to Disabled, setting <ph name="ALLOW_SCREEN_WAKE_LOCKS_POLICY_NAME">AllowScreenWakeLocks</ph> to Enabled or leaving it unset allows screen wake locks for power management. Extensions can request screen wake locks through the power management extension API and ARC apps.
Setting the policy to Disabled demotes screen wake lock requests to system wake lock requests.''',
},
{
'name': 'UserActivityScreenDimDelayScale',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 200,
'id': 210,
'caption': '''Percentage by which to scale the screen dim delay if the user becomes active after dimming''',
'tags': [],
'desc': '''If <ph name="POWER_SMART_DIM_ENABLED_POLICY_NAME">PowerSmartDimEnabled</ph> is Disabled, then setting <ph name="USER_ACTIVITY_SCREEN_DIM_DELAY_SCALE_POLICY_NAME">UserActivityScreenDimDelayScale</ph> specifies the percent that the screen dim delay scales when there's user activity while the screen dims or soon after the screen turns off. When the dim delay scales, the screen off, screen lock and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
Leaving the policy unset puts a default scale factor in use.
Note: The scale factor must be 100% or more.''',
},
{
'name': 'WaitForInitialUserActivity',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:32-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 247,
'caption': '''Wait for initial user activity''',
'tags': [],
'desc': '''Setting the policy to Enabled means that power management delays and session length limits don't start until after the first user activity occurs in a session.
Setting the policy to Disabled or leaving it unset means power management delays and the time limit begin immediately at session start.''',
},
{
'name': 'PowerManagementIdleSettings',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'AC': {
'description': 'Delays and actions to take when the device is idle and running on AC power',
'type': 'object',
'id': 'PowerManagementDelays',
'properties': {
'Delays': {
'type': 'object',
'properties': {
'ScreenDim': {
'description': 'The length of time without user input after which the screen is dimmed, in milliseconds',
'type': 'integer',
'minimum': 0
},
'ScreenOff': {
'description': 'The length of time without user input after which the screen is turned off, in milliseconds',
'type': 'integer',
'minimum': 0
},
'IdleWarning': {
'description': 'The length of time without user input after which a warning dialog is shown, in milliseconds',
'type': 'integer',
'minimum': 0
},
'Idle': {
'description': 'The length of time without user input after which the idle action is taken, in milliseconds',
'type': 'integer',
'minimum': 0
}
}
},
'IdleAction': {
'description': 'Action to take when the idle delay is reached',
'type': 'string',
'enum': [ 'Suspend', 'Logout', 'Shutdown', 'DoNothing' ]
}
}
},
'Battery': {
'description': 'Delays and actions to take when the device is idle and running on battery',
'$ref': 'PowerManagementDelays'
}
}
},
'supported_on': ['chrome_os:35-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
'AC': {
'IdleAction': 'DoNothing'
},
'Battery': {
'IdleAction': 'DoNothing',
'Delays': {
'ScreenDim': 10000,
'ScreenOff': 20000,
'IdleWarning': 5000,
'Idle': 30000
}
}
},
'id': 258,
'caption': '''Power management settings when the user becomes idle''',
'tags': [],
'desc': '''Setting the policy controls the power management strategy when the user idles.
There are 4 actions:
* The screen dims if the user is idle for the time specified by <ph name="SCREEN_DIM_FIELD_NAME">ScreenDim</ph>.
* The screen turns off if the user is idle for the time specified by <ph name="SCREEN_OFF_FIELD_NAME">ScreenOff</ph>.
* A warning dialog appears if the user remains idle for the time specified by <ph name="IDLE_WARNING_FIELD_NAME">IdleWarning</ph>. It warns the user that the idle action will be taken and only appears if the idle action is to sign out or shut down.
* The action specified by <ph name="IDLE_ACTION_FIELD_NAME">IdleAction</ph> is taken if the user is idle for the time specified by <ph name="IDLE_FIELD_NAME">Idle</ph>.
For each of the above actions, the delay should be specified in milliseconds and must be set to a value greater than zero to trigger the corresponding action. If the delay is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> won't take the corresponding action.
For each of the above delays, when the time is unset, a default value is used.
<ph name="SCREEN_DIM_FIELD_NAME">ScreenDim</ph> values will be clamped to be less than or equal to <ph name="SCREEN_OFF_FIELD_NAME">ScreenOff</ph>. <ph name="SCREEN_OFF_FIELD_NAME">ScreenOff</ph> and <ph name="IDLE_WARNING_FIELD_NAME">IdleWarning</ph> will be clamped to be less than or equal to <ph name="IDLE_FIELD_NAME">Idle</ph>.
<ph name="IDLE_ACTION_FIELD_NAME">IdleAction</ph> can be one of 4 actions:
* <ph name="IDLE_ACTION_ENUM_SUSPEND">Suspend</ph>
* <ph name="IDLE_ACTION_ENUM_LOGOUT">Logout</ph>
* <ph name="IDLE_ACTION_ENUM_SHUTDOWN">Shutdown</ph>
* <ph name="IDLE_ACTION_ENUM_DO_NOTHING">DoNothing</ph>
If the <ph name="IDLE_ACTION_FIELD_NAME">IdleAction</ph> is not set, <ph name="IDLE_ACTION_ENUM_SUSPEND">Suspend</ph> is taken.
Note: There are separate settings for AC power and battery.'''
},
{
'name': 'ScreenLockDelays',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'AC': {
'description': 'The length of time without user input after which the screen is locked when running on AC power, in milliseconds',
'type': 'integer',
'minimum': 0
},
'Battery': {
'description': 'The length of time without user input after which the screen is locked when running on battery, in milliseconds',
'type': 'integer',
'minimum': 0
}
}
},
'supported_on': ['chrome_os:35-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
'AC': 600000,
'Battery': 300000
},
'id': 259,
'caption': '''Screen lock delays''',
'tags': [],
'desc': '''Setting the policy specifies the length of time in milliseconds without user input after which the screen locks when running on AC power or battery. Values are clamped to be less than the idle delay in <ph name="POWER_MANAGEMENT_IDLE_SETTINGS_POLICY_NAME">PowerManagementIdleSettings</ph>.
When set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> doesn't lock the screen when the user becomes idle. If unset, a default time is used.
Recommendation: Lock the screen on idle by turning on screen locking on suspend and have <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> suspend after the idle delay. Only use this policy when screen locking should occur a significant amount of time sooner than suspend or when you don't want suspend on idle.''',
},
{
'name': 'DeviceLoginScreenPowerManagement',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'AC': {
'description': 'Power management settings applicable only when running on AC power',
'type': 'object',
'id': 'DeviceLoginScreenPowerSettings',
'properties': {
'Delays': {
'type': 'object',
'properties': {
'ScreenDim': {
'description': 'The length of time without user input after which the screen is dimmed, in milliseconds',
'type': 'integer',
'minimum': 0
},
'ScreenOff': {
'description': 'The length of time without user input after which the screen is turned off, in milliseconds',
'type': 'integer',
'minimum': 0
},
'Idle': {
'description': 'The length of time without user input after which the idle action is taken, in milliseconds',
'type': 'integer',
'minimum': 0
}
}
},
'IdleAction': {
'description': 'Action to take when the idle delay is reached',
'type': 'string',
'enum': [ 'Suspend', 'Shutdown', 'DoNothing' ]
}
}
},
'Battery': {
'description': 'Power management settings applicable only when running on battery power',
'$ref': 'DeviceLoginScreenPowerSettings'
},
'LidCloseAction': {
'description': 'Action to take when the lid is closed',
'type': 'string',
'enum': [ 'Suspend', 'Shutdown', 'DoNothing' ]
},
'UserActivityScreenDimDelayScale': {
'description': 'Percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off',
'type': 'integer',
'minimum': 100
}
}
},
'supported_on': ['chrome_os:30-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': {
'AC': {
'IdleAction': 'DoNothing'
},
'Battery': {
'IdleAction': 'DoNothing',
'Delays': {
'ScreenDim': 10000,
'ScreenOff': 20000,
'Idle': 30000
}
},
'LidCloseAction': 'Suspend',
'UserActivityScreenDimDelayScale': 110
},
'id': 225,
'caption': '''Power management on the login screen''',
'tags': [],
'desc': '''Setting the policy lets you set how <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> behaves when there is no user activity for some amount of time while the sign-in screen appears. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session.
The deviations from these policies are:
* The actions to take on idle or lid close cannot be to end the session.
* The default action taken on idle when running on AC power is to shut down.
Leaving the policy or any of its settings unset results in the use of the default values for the various power settings.''',
},
{
'name': 'DeviceAllowRedeemChromeOsRegistrationOffers',
'owners': ['oscarpan@google.com', 'rsorokin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:26-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'items': [
{
'value': True,
'caption': 'Allow users to redeem offers through Chrome OS Registration',
},
{
'value': False,
'caption': 'Prevent users from redeeming offers through Chrome OS Registration',
},
],
'example_value': True,
'default': True,
'id': 185,
'caption': '''Allow users to redeem offers through Chrome OS Registration''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets enterprise device users redeem offers through <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Registration.
Setting the policy to Disabled means users can't redeem these offers.''',
},
{
'name': 'TermsOfServiceURL',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'https://www.example.com/terms_of_service.txt',
'id': 186,
'caption': '''Set the Terms of Service for a device-local account''',
'tags': [],
'desc': '''Setting the policy means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> downloads the Terms of Service and presents them to users whenever a device-local account session starts. Users can only sign in to the session after accepting the Terms of Service.
Leaving the policy unset means no Terms of Service appear.
The policy should be set to a URL from which <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can download the Terms of Service. The Terms of Service must be plain text, served as MIME type text/plain. No markup is allowed.''',
},
{
'name': 'ShowAccessibilityOptionsInSystemTrayMenu',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:27-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 188,
'caption': '''Show accessibility options in system tray menu''',
'tags': [],
'desc': '''Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.
If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.
If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.'''
},
{
'name': 'DeviceLoginScreenShowOptionsInSystemTrayMenu',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:80-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 646,
'caption': '''Show accessibility options in system tray menu in the login screen''',
'tags': [],
'desc': '''Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.
If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.
If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.'''
},
{
'name': 'LargeCursorEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 211,
'caption': '''Enable large cursor''',
'tags': [],
'desc': '''Setting the policy to True keeps the large cursor on. Setting the policy to False keeps the large cursor off.
If you set the policy, users can't change the feature. If not set, the large cursor is off at first, but users can turn it on any time.'''
},
{
'name': 'SpokenFeedbackEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 212,
'caption': '''Enable spoken feedback''',
'tags': [],
'desc': '''Setting the policy to True keeps spoken feedback on. Setting the policy to False keeps spoken feedback off.
If you set the policy, users can't change it. If not set, spoken feedback is off at first, but users can turn it on any time.'''
},
{
'name': 'HighContrastEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 213,
'caption': '''Enable high contrast mode''',
'tags': [],
'desc': '''Setting the policy to True keeps High-contrast mode on. Setting the policy to False keeps High-contrast mode off.
If you set the policy, users can't change it. If not set, High-contrast mode is off, but users can turn it on any time.'''
},
{
'name': 'DeviceLoginScreenAccessibilityShortcutsEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:81-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 661,
'caption': '''Enable accessibility features shortcuts on the login screen''',
'tags': [],
'desc': '''Enable accessibility features shortcuts on the login screen.
If this policy is set to true, accessibility features shortcuts will always be enabled on the login screen.
If this policy is set to false, accessibility features shortcuts will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, accessibility features shortcuts will be enabled by default on the login screen.'''
},
{
'name': 'AccessibilityShortcutsEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:81-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 659,
'caption': '''Enable accessibility features shortcuts''',
'tags': [],
'desc': '''Enable accessibility features shortcuts.
If this policy is set to true, accessibility features shortcuts will always be enabled.
If this policy is set to false, accessibility features shortcuts will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, accessibility features shortcuts will be enabled by default.'''
},
{
'name': 'VirtualKeyboardEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:34-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 255,
'caption': '''Enable on-screen keyboard''',
'tags': [],
'desc': '''Setting the policy to True keeps the on-screen keyboard on. Setting the policy to False keeps the on-screen keyboard off.
If you set the policy, users can't change it. If not set, the on-screen keyboard is off at first, but users can turn it on any time.'''
},
{
'name': 'VirtualKeyboardFeatures',
'owners': ['anqing@chromium.org'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'auto_complete_enabled': {
'description': 'A boolean flag indicating if the on-screen keyboard can provide auto-complete.',
'type': 'boolean'
},
'auto_correct_enabled': {
'description': 'A boolean flag indicating if the on-screen keyboard can provide auto-correct.',
'type': 'boolean'
},
'handwriting_enabled': {
'description': 'A boolean flag indicating if the on-screen keyboard can provide input via handwriting recognition.',
'type': 'boolean'
},
'spell_check_enabled': {
'description': 'A boolean flag indicating if the on-screen keyboard can provide spell-check.',
'type': 'boolean'
},
'voice_input_enabled': {
'description': 'A boolean flag indicating if the on-screen keyboard can provide voice input.',
'type': 'boolean'
}
}
},
'supported_on': ['chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {
"auto_complete_enabled": True,
"auto_correct_enabled": True,
"handwriting_enabled": False,
"spell_check_enabled": False,
"voice_input_enabled": False
},
'id': 717,
'caption': '''Enable or disable various features on the on-screen keyboard''',
'tags': [],
'desc': '''Enable or disable various features on the on-screen keyboard. This policy takes effect only when "VirtualKeyboardEnabled" policy is enabled.
If one feature in this policy is set to True, it will be enabled on the on-screen keyboard.
If one feature in this policy is set to False or left unset, it will be disabled on the on-screen keyboard.
NOTE: this policy is only supported in PWA Kiosk mode.'''
},
{
'name': 'StickyKeysEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:76-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 561,
'caption': '''Enable sticky keys''',
'tags': [],
'desc': '''Setting the policy to True keeps sticky keys on. Setting the policy to False keeps sticky keys off.
If you set the policy, users can't change it. If not set, sticky keys is off at first, but users can turn it on any time.'''
},
{
'name': 'SelectToSpeakEnabled',
'owners': ['amraboelkher@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:77-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 573,
'caption': '''Enable select to speak''',
'tags': [],
'desc': '''Enable the select to speak accessibility feature.
If this policy is set to true, the select to speak will always be enabled.
If this policy is set to false, the select to speak will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the select to speak is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'DictationEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:78-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 592,
'caption': '''Enable the dictation accessibility feature''',
'tags': [],
'desc': '''Enable the dictation accessibility feature.
If this policy is set to enabled, the dictation will always be enabled.
If this policy is set to disabled, the dictation will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the dictation is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'KeyboardFocusHighlightEnabled',
'owners': ['amraboelkher@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:78-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 593,
'caption': '''Enable the keyboard focus highlighting accessibility feature''',
'tags': [],
'desc': '''Enable the keyboard focus highlighting accessibility feature.
This feature is responsible for highlighting the object that has the focus by the keyboard.
If this policy is set to enabled, the keyboard focus highlighting will always be enabled.
If this policy is set to disabled, the keyboard focus highlighting will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'CursorHighlightEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:78-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 594,
'caption': '''Enable the cursor highlight accessibility feature''',
'tags': [],
'desc': '''Enable the cursor highlight accessibility feature.
This feature is responsible for highlighting the area that surrounds the mouse cursor while moving it.
If this policy is set to enabled, the cursor highlight will always be enabled.
If this policy is set to disabled, the cursor highlight will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the cursor highlight is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'CaretHighlightEnabled',
'owners': ['amraboelkher@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:78-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 595,
'caption': '''Enable the caret highlight accessibility feature''',
'tags': [],
'desc': '''Enable the caret highlight accessibility feature.
This feature is responsible for highlighting the area that surrounds the caret while editing.
If this policy is set to enabled, the caret highlight will always be enabled.
If this policy is set to disabled, the caret highlight will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the caret highlight is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'MonoAudioEnabled',
'owners': ['amraboelkher@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:78-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 596,
'caption': '''Enable the mono audio accessibility feature''',
'tags': [],
'desc': '''Enable the mono audio accessibility feature.
This feature is responsible for outputing stereo audio which includes different left and right channels, so different ears get different sounds.
If this policy is set to enabled, the mono audio will always be enabled.
If this policy is set to disabled, the mono audio will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the mono audio is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'AutoclickEnabled',
'owners': ['amraboelkher@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:78-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 597,
'caption': '''Enable the autoclick accessibility feature''',
'tags': [],
'desc': '''Enable the autoclick accessibility feature.
This feature is responsible to click without physically pressing your mouse or touchpad, hover over the object you'd like to click.
If this policy is set to enabled, the autoclick will always be enabled.
If this policy is set to disabled, the autoclick will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the autoclick is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'KeyboardDefaultToFunctionKeys',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:35-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 260,
'caption': '''Media keys default to function keys''',
'tags': [],
'desc': '''Setting the policy to True makes the top row of keys on the keyboard act as function key commands. Pressing the Search key changes their behavior back to media keys.
If set to False or not set, the keyboard defaults to producing media key commands. Pressing the Search key changes them to function keys.'''
},
{
'name': 'ScreenMagnifierType',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'None',
'value': 0,
'caption': '''Screen magnifier disabled''',
},
{
'name': 'Full-screen',
'value': 1,
'caption': '''Full-screen magnifier enabled''',
},
{
'name': 'Docked',
'value': 2,
'caption': '''Docked magnifier enabled''',
},
],
'supported_on': ['chrome_os:29-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 214,
'caption': '''Set screen magnifier type''',
'tags': [],
'desc': '''Setting the policy to None turns the screen magnifier off.
If you set the policy, users can't change it. If not set, the screen magnifier is off at first, but users can turn it on any time.''',
},
{
'name': 'DeviceLoginScreenDefaultLargeCursorEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 215,
'caption': '''Set default state of the large cursor on the login screen''',
'tags': [],
'desc': '''Setting the policy to True turns the large cursor on at the sign-in screen. Setting the policy to False turns the large cursor off at the sign-in screen.
If you set the policy, users can temporarily turn the large cursor on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, the large cursor is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Note: <ph name="DEVICE_LOGIN_SCREEN_LARGE_CURSOR_ENABLED">DeviceLoginScreenLargeCursorEnabled</ph> overrides this policy if the former is specified.''',
},
{
'name': 'DeviceLoginScreenLargeCursorEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:78-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 599,
'caption': '''Enable the large cursor on the login screen''',
'tags': [],
'desc': '''Enable the large cursor accessibility feature on the login screen.
If this policy is set to true, the large cursor will always be enabled on the login screen.
If this policy is set to false, the large cursor will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the large cursor is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenDefaultSpokenFeedbackEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 216,
'caption': '''Set the default state of spoken feedback on the login screen''',
'tags': [],
'desc': '''Setting the policy to True turns spoken feedback on at the sign-in screen. Setting the policy to False turns spoken feedback off at the screen.
If you set the policy, users can temporarily turn spoken feedback on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, spoken feedback is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Note: <ph name="DEVICE_LOGIN_SCREEN_SPOKEN_FEEDBACK_ENABLED_POLICY_NAME">DeviceLoginScreenSpokenFeedbackEnabled</ph> overrides this policy if the former is specified.''',
},
{
'name': 'DeviceLoginScreenSpokenFeedbackEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 605,
'caption': '''Enable the spoken feedback on the login screen''',
'tags': [],
'desc': '''Enable the spoken feedback accessibility feature on the login screen.
If this policy is set to true, the spoken feedback will always be enabled on the login screen.
If this policy is set to false, the spoken feedback will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the spoken feedback is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenDefaultHighContrastEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 217,
'caption': '''Set the default state of high contrast mode on the login screen''',
'tags': [],
'desc': '''Setting the policy to True turns High-contrast mode on at the sign-in screen. Setting the policy to False turns High-contrast mode off at the screen.
If you set the policy, users can temporarily change High-contrast mode, turning it on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, High-contrast mode is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Note: <ph name="DEVICE_LOGIN_SCREEN_HIGH_CONTRAST_ENABLED_POLICY_NAME">DeviceLoginScreenHighContrastEnabled</ph> overrides this policy if the former is specified.''',
},
{
'name': 'DeviceLoginScreenHighContrastEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 606,
'caption': '''Enable the high contrast on the login screen''',
'tags': [],
'desc': '''Enable the high contrast accessibility feature on the login screen.
If this policy is set to true, the high contrast will always be enabled on the login screen.
If this policy is set to false, the high contrast will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the high contrast is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenDefaultVirtualKeyboardEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:34-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': True,
'id': 256,
'caption': '''Set default state of the on-screen keyboard on the login screen''',
'tags': [],
'desc': '''This policy is deprecated, please use the <ph name="DEVICE_LOGIN_SCREEN_VIRTUAL_KEYBOARD_ENABLED_POLICY_NAME">DeviceLoginScreenVirtualKeyboardEnabled</ph> policy instead.
Setting the policy to True turns the on-screen keyboard on at sign-in. Setting the policy to False turns the on-screen keyboard off at sign-in.
If you set the policy, users can temporarily turn the on-screen keyboard on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, the on-screen keyboard is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Note: <ph name="DEVICE_LOGIN_SCREEN_VIRTUAL_KEYBOARD_ENABLED_POLICY_NAME">DeviceLoginScreenVirtualKeyboardEnabled</ph> overrides this policy if the former is specified.''',
},
{
'name': 'DeviceLoginScreenVirtualKeyboardEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 607,
'caption': '''Enable the virtual keyboard on the login screen''',
'tags': [],
'desc': '''Enable the virtual keyboard accessibility feature on the login screen.
If this policy is set to true, the virtual keyboard will always be enabled on the login screen.
If this policy is set to false, the virtual keyboard will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the virtual keyboard is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'PrimaryMouseButtonSwitch',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:81-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 655,
'caption': '''Switch the primary mouse button to the right button''',
'tags': [],
'desc': '''Switch the primary mouse button to the right button.
If this policy is set to enabled, the right button of the mouse will always be the primary key.
If this policy is set to disabled, the left button of the mouse will always be the primary key.
If you set this policy, users cannot change or override it.
If this policy is left unset, the left button of the mouse will be the primary key initially, but can be switched by the user anytime.'''
},
{
'name': 'DeviceLoginScreenPrimaryMouseButtonSwitch',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:81-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 657,
'caption': '''Switch the primary mouse button to the right button on the login screen''',
'tags': [],
'desc': '''Switch the primary mouse button to the right button on the login screen.
If this policy is set to enabled, the right button of the mouse will always be the primary key on the login screen.
If this policy is set to disabled, the left button of the mouse will always be the primary key on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the left button of the mouse will be the primary key on the login screen initially, but can be switched by the user anytime.'''
},
{
'name': 'SharedClipboardEnabled',
'owners': ['mvanouwerkerk@chromium.org', 'yasmo@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:79-', 'chrome_os:79-', 'android:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 610,
'caption': '''Enable the Shared Clipboard Feature''',
'tags': [],
'desc': '''Enable the Shared Clipboard feature which allows users to send text between Chrome Desktops and an Android device when Sync is enabled and the user is Signed-in.
If this policy is set to true, the capability of sending text, cross device, for chrome user is enabled.
If this policy is set to false, the capability of sending text, cross device, for chrome user is disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the shared clipboard feature is enabled by default.
It is up to the admins to set policies in all platforms they care about. It's recommended to set this policy to one value in all platforms.''',
},
{
'name': 'DeviceLoginScreenDefaultScreenMagnifierType',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'None',
'value': 0,
'caption': '''Screen magnifier disabled''',
},
{
'name': 'Full-screen',
'value': 1,
'caption': '''Full-screen magnifier enabled''',
},
{
'name': 'Docked',
'value': 2,
'caption': '''Docked magnifier enabled''',
},
],
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 1,
'id': 218,
'caption': '''Set the default screen magnifier type enabled on the login screen''',
'tags': [],
'desc': '''Setting the policy to None turns screen magnification off at the sign-in screen.
If you set the policy, users can temporarily turn the screen magnifier on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, the screen magnifier is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Valid values: 0 = Off 1 = On 2 = Docked magnifier on
Note: <ph name="DEVICE_LOGIN_SCREEN_SCREEN_MAGNIFIER_TYPE_POLICY_NAME">DeviceLoginScreenScreenMagnifierType</ph> overrides this policy if the former is specified.''',
},
{
'name': 'DeviceLoginScreenScreenMagnifierType',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'None',
'value': 0,
'caption': '''Screen magnifier disabled''',
},
{
'name': 'Full-screen',
'value': 1,
'caption': '''Full-screen magnifier enabled''',
},
{
'name': 'Docked',
'value': 2,
'caption': '''Docked magnifier enabled''',
},
],
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 628,
'caption': '''Set the screen magnifier type on the login screen''',
'tags': [],
'desc': '''If this policy is set, it controls the type of screen magnifier that is enabled.
If this policy is set to "Full-screen", the screen magnifier will always be enabled in full-screen magnifier mode on the login screen.
If this policy is set to "Docked", the screen magnifier will always be enabled in docked magnifier mode on the login screen.
If this policy is set to "None", the screen magnifier will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenDictationEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 611,
'caption': '''Enable the dictation on the login screen''',
'tags': [],
'desc': '''Enable the dictation accessibility feature on the login screen.
If this policy is set to true, the dictation will always be enabled on the login screen.
If this policy is set to false, the dictation will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenSelectToSpeakEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 612,
'caption': '''Enable the select to speak on the login screen''',
'tags': [],
'desc': '''Enable the select to speak accessibility feature on the login screen.
If this policy is set to true, the select to speak will always be enabled on the login screen.
If this policy is set to false, the select to speak will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the select to speak is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenCursorHighlightEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 613,
'caption': '''Enable the cursor highlight on the login screen''',
'tags': [],
'desc': '''Enable the cursor highlight accessibility feature on the login screen.
If this policy is set to true, the cursor highlight will always be enabled on the login screen.
If this policy is set to false, the cursor highlight will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the cursor highlight is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenCaretHighlightEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 614,
'caption': '''Enable the caret highlight on the login screen''',
'tags': [],
'desc': '''Enable the caret highlight accessibility feature on the login screen.
If this policy is set to true, the caret highlight will always be enabled on the login screen.
If this policy is set to false, the caret highlight will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the caret highlight is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenMonoAudioEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 615,
'caption': '''Enable the mono audio on the login screen''',
'tags': [],
'desc': '''Enable the mono audio accessibility feature on the login screen.
This feature allows to switch the device mode from the default stereo audio to the mono audio.
If this policy is set to true, the mono audio will always be enabled on the login screen.
If this policy is set to false, the mono audio will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the mono audio is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenAutoclickEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 617,
'caption': '''Enable the autoclick on the login screen''',
'tags': [],
'desc': '''Enable the autoclick accessibility feature on the login screen.
This feature allows to automatically click when the mouse cursor stops, without requiring the user to physically press the mouse or touchpad buttons.
If this policy is set to true, the autoclick will always be enabled on the login screen.
If this policy is set to false, the autoclick will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the autoclick is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenStickyKeysEnabled',
'owners': ['amraboelkher@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'device_only': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
},
'example_value': True,
'id': 618,
'caption': '''Enable the sticky keys on the login screen''',
'tags': [],
'desc': '''Enable the sticky keys accessibility feature on the login screen.
If this policy is set to true, the sticky keys will always be enabled on the login screen.
If this policy is set to false, the sticky keys will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the sticky keys is disabled on the login screen initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenKeyboardFocusHighlightEnabled',
'owners': ['amraboelkher@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 619,
'caption': '''Enable the keyboard focus highlighting accessibility feature''',
'tags': [],
'desc': '''Enable the keyboard focus highlighting accessibility feature on the login screen.
This feature is responsible for highlighting the object that is focused by the keyboard.
If this policy is set to enabled, the keyboard focus highlighting will always be enabled.
If this policy is set to disabled, the keyboard focus highlighting will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'HideWebStoreIcon',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:26-', 'chrome_os:68-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 189,
'caption': '''Hide the web store from the New Tab Page and app launcher''',
'tags': [],
'desc': '''Hide the Chrome Web Store app and footer link from the New Tab Page and <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> app launcher.
When this policy is set to true, the icons are hidden.
When this policy is set to false or is not configured, the icons are visible.''',
},
{
'name': 'DeviceStartUpFlags',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:27-65'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': [ "enable-managed-mode", "my-cool-flag" ],
'id': 191,
'caption': '''System wide flags to be applied on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> start-up''',
'tags': [],
'desc': '''This policy is deprecated and removed in M66, because it was used only for internal testing and it is a security liability.
Specifies the flags that should be applied to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> when it starts. The specified flags are applied on the login screen only. Flags set via this policy do not propagate into user sessions.''',
},
{
'name': 'UptimeLimit',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:29-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 86400,
'id': 192,
'caption': '''Limit device uptime by automatically rebooting''',
'tags': [],
'desc': '''Setting the policy limits the device uptime by scheduling automatic restarts, which you can delay by up to 24 hours if a user is on the device. The policy value should be specified in seconds. Values are clamped to be at least 3,600 (one hour).
If you set the policy, users can't change it. If not set, the device uptime isn't limited.
Note: Automatic restarts are only on while the sign-in screen appears or during a kiosk app session.''',
},
{
'name': 'RebootAfterUpdate',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 193,
'caption': '''Automatically reboot after update''',
'tags': [],
'desc': '''Schedule an automatic reboot after a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> update has been applied.
When this policy is set to true, an automatic reboot is scheduled when a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> update has been applied and a reboot is required to complete the update process. The reboot is scheduled immediately but may be delayed on the device by up to 24 hours if a user is currently using the device.
When this policy is set to false, no automatic reboot is scheduled after applying a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> update. The update process is completed when the user next reboots the device.
If you set this policy, users cannot change or override it.
Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress. This will change in the future and the policy will always apply, regardless of whether a session of any particular type is in progress or not.''',
},
{
'name': 'VariationsRestrictParameter',
'owners': ['file://components/variations/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:27-', 'android:34-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
'internal_only': True,
},
'example_value': 'restricted',
'id': 196,
'caption': '''Set the restriction on the fetching of the Variations seed''',
'tags': [],
'desc': '''Add a parameter to the fetching of the Variations seed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If specified, will add a query parameter called 'restrict' to the URL used to fetch the Variations seed. The value of the parameter will be the value specified in this policy.
If not specified, will not modify the Variations seed URL.''',
},
{
'name': 'DeviceVariationsRestrictParameter',
'owners': ['file://components/variations/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:28-'],
'features': {
'dynamic_refresh': False,
'internal_only': True,
},
'device_only': True,
'example_value': 'restricted',
'id': 199,
'caption': '''Set the restriction on the fetching of the Variations seed''',
'tags': [],
'desc': '''Add a parameter to the fetching of the Variations seed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
If specified, will add a query parameter called 'restrict' to the URL used to fetch the Variations seed. The value of the parameter will be the value specified in this policy.
If not specified, will not modify the Variations seed URL.''',
},
{
'name': 'ChromeVariations',
'owners': ['pastarmovj@chromium.org', 'asvitkine@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [0,1,2],
},
'items': [
{
'name': 'VariationsEnabled',
'value': 0,
'caption': '''Enable all variations''',
},
{
'name': 'CriticalFixesOnly',
'value': 1,
'caption': '''Enable variations concerning critical fixes only''',
},
{
'name': 'VariationsDisabled',
'value': 2,
'caption': '''Disable all variations''',
},
],
'supported_on': [
'chrome.*:83-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'id': 663,
'caption': '''Determine the availability of variations''',
'tags': [],
'desc': '''Configuring this policy allows to specify which variations are allowed to be applied in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Variations provide a means for offering modifications to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> without shipping a new version of the browser by selectively enabling or disabling already existing features. See https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework for more information.
Setting the <ph name="VARIATIONS_ENABLED_OPTION_NAME">VariationsEnabled</ph> (value 0), or leaving the policy not set allows all variations to be applied to the browser.
Setting the <ph name="CRITICAL_VARIATIONS_ONLY_OPTION_NAME">CriticalFixesOnly</ph> (value 1), allows only variations considered critical security or stability fixes to be applied to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting the <ph name="VARIATIONS_DISABLED_OPTION_NAME">VariationsDisabled</ph> (value 2), prevent all variations from being applied to the browser. Please note that this mode can potentially prevent the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> developers from providing critical security fixes in a timely manner and is thus not recommended.'''
},
{
'name': 'DeviceChromeVariations',
'owners': ['pastarmovj@chromium.org', 'asvitkine@chromium.org', 'amraboelkher@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [0,1,2],
},
'device_only': True,
'items': [
{
'name': 'VariationsEnabled',
'value': 0,
'caption': '''Enable all variations''',
},
{
'name': 'CriticalFixesOnly',
'value': 1,
'caption': '''Enable variations concerning critical fixes only''',
},
{
'name': 'VariationsDisabled',
'value': 2,
'caption': '''Disable all variations''',
},
],
'supported_on': ['chrome_os:83-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'id': 674,
'caption': '''Determine the availability of variations on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>''',
'tags': [],
'desc': '''Configuring this policy allows to specify which variations are allowed to be applied on an enterprise-managed <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> device.
Variations provide a means for offering modifications to <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> without shipping a new version by selectively enabling or disabling already existing features. See https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework for more information.
Setting the <ph name="VARIATIONS_ENABLED_OPTION_NAME">VariationsEnabled</ph> (value 0), or leaving the policy not set allows all variations to be applied to <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
Setting the <ph name="CRITICAL_VARIATIONS_ONLY_OPTION_NAME">CriticalFixesOnly</ph> (value 1), allows only variations considered critical security or stability fixes to be applied to <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
Setting the <ph name="VARIATIONS_DISABLED_OPTION_NAME">VariationsDisabled</ph> (value 2), will prevent all variations from being applied to the browser on the login screen. Please note that this mode can potentially prevent the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> developers from providing critical security fixes in a timely manner and is thus not recommended.'''
},
{
'name': 'AttestationEnabledForDevice',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:28-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
},
'device_only': True,
'example_value': True,
'id': 207,
'caption': '''Enable remote attestation for the device''',
'tags': [],
'desc': '''Setting the policy to Enabled allows remote attestation for the device. A certificate is automatically generated and uploaded to the Device Management Server.
Setting the policy to Disabled or leaving it unset means no certificate is generated and calls to the <ph name="ENTERPRISE_PLATFORM_KEYS_API">Enterprise Platform Keys API</ph> fail.''',
},
{
'name': 'AttestationEnabledForUser',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:28-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 200,
'caption': '''Enable remote attestation for the user''',
'tags': [],
'desc': '''Setting the policy to Enabled lets users use the hardware on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices to remotely attest its identity to the privacy CA through the <ph name="ENTERPRISE_PLATFORM_KEYS_API">Enterprise Platform Keys API</ph> using <ph name="CHALLENGE_USER_KEY_FUNCTION">chrome.enterprise.platformKeys.challengeUserKey()</ph>.
Setting the policy to Disabled or leaving it unset has calls to the API fail with an error code.''',
},
{
'name': 'AttestationExtensionAllowlist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:87-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['ghdilpkmfbfdnomkmaiogjhjnggaggoi'],
'id': 785,
'caption': '''Extensions allowed to to use the remote attestation API''',
'tags': [],
'desc': '''Setting the policy specifies the allowed extensions to use the <ph name="ENTERPRISE_PLATFORM_KEYS_API">Enterprise Platform Keys API</ph> functions for remote attestation. Extensions must be on this list to use the API.
If an extension is not in the list, or the list is not set, the call to the API fails with an error code.''',
},
{
'name': 'AttestationExtensionWhitelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:28-'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['ghdilpkmfbfdnomkmaiogjhjnggaggoi'],
'id': 201,
'caption': '''Extensions allowed to to use the remote attestation API''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="ATTESTATION_EXTENSION_ALLOWLIST_POLICY_NAME">AttestationExtensionAllowlist</ph> instead.
Setting the policy specifies the allowed extensions to use the <ph name="ENTERPRISE_PLATFORM_KEYS_API">Enterprise Platform Keys API</ph> function <ph name="CHALLENGE_USER_KEY_FUNCTION">chrome.enterprise.platformKeys.challengeUserKey()</ph> for remote attestation. Extensions must be on this list to use the API.
If an extension is not in the list, or the list is not set, the call to the API fails with an error code.''',
},
{
'name': 'AttestationForContentProtectionEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:31-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
},
'device_only': True,
'example_value': True,
'id': 239,
'caption': '''Enable the use of remote attestation for content protection for the device''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices use remote attestation (Verified Access) to get a certificate issued by the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> CA which uniquely identifies the device.
Setting the policy to Disabled means the device won't use remote attestation for content protection, and the device may not play protected content.''',
},
{
'name': 'SuppressChromeFrameTurndownPrompt',
'owners': ['file://components/policy/resources/OWNERS'],
'caption': '''Suppress the <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> turndown prompt''',
'tags': [],
'desc': '''Suppresses the turndown prompt that appears when a site is rendered by <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>.''',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_frame:29-32'],
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': True,
'id': 221,
},
{
'name': 'SupervisedUsersEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'deprecated': True,
'supported_on': ['chrome_os:29-70'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': True,
'default_for_managed_devices_doc_only': False,
'id': 219,
'caption': '''Enable supervised users''',
'tags': [],
'desc': '''If set to true, supervised users can be created and used.
If set to false or not configured, supervised-user creation and login will be disabled. All existing supervised users will be hidden.
NOTE: The default behavior for consumer and enterprise devices differs: on consumer devices supervised users are enabled by default, but on enterprise devices they are disabled by default.'''
},
{
'name': 'SupervisedUserCreationEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'deprecated': True,
'supported_on': ['chrome.*:29-70'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 223,
'caption': '''Enable creation of supervised users''',
'tags': [],
'desc': '''If set to false, supervised-user creation by this user will be disabled. Any existing supervised users will still be available.
If set to true or not configured, supervised users can be created and managed by this user.'''
},
{
# SupervisedUserContentProviderEnabled is never accessed through the policy framework, but is
# instead directly accessed as an Android App Restriction (see SupervisedUserContentProvider.java).
# It, however, needs to be here both because this is the source of the list of Chrome's App
# Restrictions on Android, and to avoid possible future naming conflicts with policies.
'name': 'SupervisedUserContentProviderEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'deprecated': True,
'supported_on': ['android:49-70'],
'features': {
'dynamic_refresh': True,
'per_profile' : True,
},
'example_value': True,
'id': 312,
'caption': '''Enable the supervised user content provider''',
'tags': [],
'desc': '''If true and the user is a supervised user then other Android apps can query the user's web restrictions through a content provider.
If false or unset then the content provider returns no information.'''
},
{
'name': 'ManagedBookmarks',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'id': 'BookmarkType',
'properties': {
'name': { 'type': 'string' },
'url': { 'type': 'string' },
'toplevel_name': { 'type': 'string' },
'children': {
'type': 'array',
'items': { '$ref': 'BookmarkType' },
},
},
},
},
'supported_on': [
'android:30-',
'chrome.*:37-',
'chrome_os:37-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
{
"toplevel_name": "My managed bookmarks folder"
}, {
"name": "Google",
"url": "google.com"
}, {
"name": "Youtube",
"url": "youtube.com"
}, {
"name": "Chrome links",
"children": [
{
"name": "Chromium",
"url": "chromium.org"
},
{
"name": "Chromium Developers",
"url": "dev.chromium.org"
}
]
}
],
'id': 227,
'caption': '''Managed Bookmarks''',
'tags': [],
'desc': '''Setting the policy sets up a list of bookmarks where each one is a dictionary with the keys "<ph name="NAME">name</ph>" and "<ph name="URL_LABEL">url</ph>". These keys hold the bookmark's name and target. Admins can set up a subfolder by defining a bookmark without a "<ph name="URL_LABEL">url</ph>" key, but with an additional "<ph name="CHILDREN">children</ph>" key. This key also has a list of bookmarks, some of which can also be folders. Chrome amends incomplete URLs as if they were submitted through the address bar. For example, "<ph name="GOOGLE_COM">google.com</ph>" becomes "<ph name="HTTPS_GOOGLE_COM">https://google.com/</ph>".
Users can't change the folders the bookmarks are placed in (though they can hide it from the bookmark bar). The default folder name for managed bookmarks is "Managed bookmarks" but it can be changed by adding a new sub-dictionary to the policy with a single key named "<ph name="TOPLEVEL_NAME">toplevel_name</ph>" with the desired folder name as its value. Managed bookmarks are not synced to the user account and extensions can't modify them.''',
},
{
'name': 'DataCompressionProxyEnabled',
'owners': ['bolian@chromium.org', 'pmarko@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['android:31-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 241,
'caption': '''Enable the data compression proxy feature''',
'tags': [],
'desc': '''Setting the policy to Enabled allows the data compression proxy. Setting the policy to Disabled disallows the proxy.
If you set the policy, users can't change it. If unset, users can choose to use the feature.''',
},
{
'name': 'UserAvatarImage',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': {
'description': 'The URL from which the avatar image can be downloaded.',
'type': 'string'
},
'hash': {
'description': 'The SHA-256 hash of the avatar image.',
'type': 'string'
}
},
},
'supported_on': ['chrome_os:34-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': { "url": "https://example.com/avatar.jpg", "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" },
'max_size': 524288,
'id': 249,
'caption': '''User avatar image''',
'tags': [],
'desc': '''This policy allows you to configure the avatar image representing the user on the login screen. The policy is set by specifying the URL from which <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can download the avatar image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its size must not exceed 512kB. The URL must be accessible without any authentication.
The avatar image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
If this policy is set, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will download and use the avatar image.
If you set this policy, users cannot change or override it.
If the policy is left not set, the user can choose the avatar image representing them on the login screen.''',
},
{
'name': 'WallpaperImage',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': {
'description': 'The URL from which the wallpaper image can be downloaded.',
'type': 'string'
},
'hash': {
'description': 'The SHA-256 hash of the wallpaper image.',
'type': 'string'
}
},
},
'supported_on': ['chrome_os:35-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': { "url": "https://example.com/wallpaper.jpg", "hash": "baddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecaf" },
'max_size': 16777216,
'id': 262,
'caption': '''Wallpaper image''',
'tags': [],
'desc': '''If you set the policy, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>
downloads and uses the wallpaper image you set for the user's desktop and sign-in screen background, and users can't change it. Specify the URL (that's accessible without authentication) which <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>
can download the wallpaper image from, as well as a cryptographic hash (in JPEG format with a file size up to 16 MB) to verify its integrity.
If not set, users choose the image for the desktop and sign-in screen background.''',
},
{
'name': 'EnableDeprecatedWebPlatformFeatures',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string-enum-list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'ExampleDeprecatedFeature_EffectiveUntil20080902'
],
},
},
'items': [
{
'name': 'ExampleDeprecatedFeature',
'value': 'ExampleDeprecatedFeature_EffectiveUntil20080902',
'caption': '''Enable ExampleDeprecatedFeature API through 2008/09/02''',
}
],
'supported_on': ['chrome.*:37-87', 'chrome_os:37-87', 'android:37-87'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['ExampleDeprecatedFeature_EffectiveUntil20080902'],
'id': 270,
'caption': '''Enable deprecated web platform features for a limited time''',
'tags': ['system-security'],
'desc': '''Specify a list of deprecated web platform features to re-enable temporarily.
This policy gives administrators the ability to re-enable deprecated web platform features for a limited time. Features are identified by a string tag and the features corresponding to the tags included in the list specified by this policy will get re-enabled.
If this policy is left not set, or the list is empty or does not match one of the supported string tags, all deprecated web platform features will remain disabled.
While the policy itself is supported on the above platforms, the feature it is enabling may be available on fewer platforms. Not all deprecated Web Platform features can be re-enabled. Only the ones explicitly listed below can be for a limited period of time, which is different per feature. The general format of the string tag will be [DeprecatedFeatureName]_EffectiveUntil[yyyymmdd]. As reference, you can find the intent behind the Web Platform feature changes at https://bit.ly/blinkintents.
''',
},
{
'name': 'DeviceTransferSAMLCookies',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:38-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 271,
'caption': '''Transfer SAML IdP cookies during login''',
'tags': [],
'desc': '''Specifies whether authentication cookies set by a SAML IdP during login should be transferred to the user's profile.
When a user authenticates via a SAML IdP during login, cookies set by the IdP are written to a temporary profile at first. These cookies can be transferred to the user's profile to carry forward the authentication state.
When this policy is set to true, cookies set by the IdP are transferred to the user's profile every time they authenticate against the SAML IdP during login.
When this policy is set to false or unset, cookies set by the IdP are transferred to the user's profile during their first login on a device only.
This policy affects users whose domain matches the device's enrollment domain only. For all other users, cookies set by the IdP are transferred to the user's profile during their first login on the device only.''',
'arc_support': 'Cookies transferred to the user\'s profile are not accessible to Android apps.',
},
{
'name': 'EasyUnlockAllowed',
'owners': ['file://chrome/browser/chromeos/login/easy_unlock/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:38-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 272,
'caption': '''Allow Smart Lock to be used''',
'tags': [],
'desc': '''If you enable this setting, users will be allowed to use Smart Lock if the requirements for the feature are satisfied.
If you disable this setting, users will not be allowed to use Smart Lock.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.''',
},
{
'name': 'SessionLocales',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:38-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['de', 'fr'],
'id': 274,
'caption': '''Set the recommended locales for a managed session''',
'tags': [],
'desc': '''Setting the policy (as recommended only) moves recommended locales for a managed session to the top of the list, in the order in which they appear in the policy. The first recommended locale is preselected.
If not set, the current UI locale is preselected.
For more than one recommended locale, the assumption is that users want to choose among these locales. Locale and keyboard layout selection is prominent when starting a managed session. Otherwise, the assumption is that most users want the preselected locale. Locale and keyboard layout selection is less prominent when starting a managed session.
If you set the policy and turn automatic sign-in on (see the <ph name="DEVICE_LOCAL_ACCOUNT_AUTO_LOGIN_ID_POLICY_NAME">DeviceLocalAccountAutoLoginId</ph> and <ph name="DEVICE_LOCAL_ACCOUNT_AUTO_LOGIN_DELAY_POLICY_NAME">DeviceLocalAccountAutoLoginDelay</ph> policies), the managed session uses the first recommended locale and the most popular matching keyboard layout.
The preselected keyboard layout is always the most popular layout matching the preselected locale. Users can always choose any locale supported by <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> for their session.''',
},
{
'name': 'BrowserGuestModeEnabled',
'owners': ['mlerman@chromium.org', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:38-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 275,
'caption': '''Enable guest mode in browser''',
'tags': [],
'desc': '''If this policy is set to true or not configured, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will enable guest logins. Guest logins are <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profiles where all windows are in incognito mode.
If this policy is set to false, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not allow guest profiles to be started.''',
},
{
'name': 'BrowserGuestModeEnforced',
'owners': ['mlerman@chromium.org', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:77-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 574,
'caption': '''Enforce browser guest mode''',
'tags': [],
'desc': '''Setting the policy to Enabled means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> enforces guest sessions and prevents profile sign-ins. Guest sign-ins are <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profiles where windows are in Incognito mode.
Setting the policy to Disabled, leaving it unset, or disabling browser Guest mode (through <ph name="BROWSER_GUEST_MODE_ENABLED_POLICY_NAME">BrowserGuestModeEnabled</ph>) allows the use of new and existing profiles.''',
},
{
'name': 'BrowserAddPersonEnabled',
'owners': ['mlerman@chromium.org', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:39-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 276,
'caption': '''Enable add person in user manager''',
'tags': [],
'desc': '''If this policy is set to true or not configured, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will allow Add Person from the user manager.
If this policy is set to false, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not allow creation of new profiles from the user manager.''',
},
{
'name': 'ForceBrowserSignin',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'deprecated': True,
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:64-', 'chrome.mac:66-', 'android:65-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 346,
'caption': '''Enable force sign in for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''This policy is deprecated, consider using BrowserSignin instead.
If this policy is set to true, user has to sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> with their profile before using the browser. And the default value of BrowserGuestModeEnabled will be set to false. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article.
If this policy is set to false or not configured, user can use the browser without sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
},
{
'name': 'BrowserSignin',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Disable',
'value': 0,
'caption': '''Disable browser sign-in''',
},
{
'name': 'Enable',
'value': 1,
'caption': '''Enable browser sign-in''',
},
{
'name': 'Force',
'value': 2,
'caption': '''Force users to sign-in to use the browser''',
'supported_on': ['chrome.win:70-', 'chrome.mac:70-'],
},
],
'supported_on': ['chrome.*:70-', 'android:70-'],
'future_on': [ 'ios' ],
'features': {
'dynamic_refresh': False,
'per_profile': False
},
'example_value': 2,
'id': 487,
'caption': '''Browser sign in settings''',
'tags': [],
'desc': '''This policy controls the sign-in behavior of the browser. It allows you to specify if the user can sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> with their account and use account related services like Chrome sync.
If the policy is set to "Disable browser sign-in" then the user can not sign in to the browser and use account based services. In this case browser level features like Chrome sync can not be used and will be unavailable. If the user was signed in and the policy is set "Disabled" they will be signed out the next time they run Chrome but their local profile data like bookmarks, passwords etc. will stay preserved. The user will still be able to sign into and use Google web services like Gmail.
If the policy is set to "Enable browser sign-in," then the user is allowed to sign in to the browser and is automatically signed in to the browser when signed in to Google web services like Gmail. Being signed in to the browser means the user's account information will be kept by the browser. However, it does not mean that Chrome sync will be turned on per default; the user must separately opt-in to use this feature. Enabling this policy will prevent the user from turning off the setting that allows browser sign-in. To control the availability of Chrome sync, use the "SyncDisabled" policy.
If the policy is set to "Force browser sign-in" the user is presented with an account selection dialog and has to choose and sign in to an account to use the browser. This ensures that for managed accounts the policies associated with the account are applied and enforced. By default this turns on Chrome sync for the account, except for the case when sync was disabled by the domain admin or via the "SyncDisabled" policy. The default value of BrowserGuestModeEnabled will be set to false. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article: https://support.google.com/chrome/a/answer/7572556. This option does not support Linux and Android, it will fallback to "Enable browser sign-in" if used.
If this policy is not set then the user can decide if they want to enable the browser sign in option and use it as they see fit.''',
},
{
'name': 'SSLVersionMin',
'owners': ['file://crypto/OWNERS'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'tls1',
'tls1.1',
'tls1.2',
],
},
'items': [
{
'name': 'TLSv1',
'value': 'tls1',
'caption': 'TLS 1.0',
},
{
'name': 'TLSv1.1',
'value': 'tls1.1',
'caption': 'TLS 1.1',
},
{
'name': 'TLSv1.2',
'value': 'tls1.2',
'caption': 'TLS 1.2',
},
],
'supported_on': [
'chrome.*:66-',
'chrome_os:66-',
'android:66-',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'tls1',
'id': 279,
'caption': '''Minimum SSL version enabled''',
'tags': [],
'desc': '''Warning: Support for suppressing the TLS 1.0/1.1 warning will be removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> starting in version 91 (around May 2021) and this policy will stop working then.
Setting the policy to a valid value means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> won't use SSL/TLS versions less than the specified version. Unrecognized values are ignored.
If this policy is not set, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will show an error for TLS 1.0 and TLS 1.1, but the user will be able to bypass it.''',
},
{
'name': 'SSLVersionFallbackMin',
'owners': ['file://crypto/OWNERS'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'tls1.1',
'tls1.2',
],
},
'items': [
{
'name': 'TLSv1.1',
'value': 'tls1.1',
'caption': 'TLS 1.1',
},
{
'name': 'TLSv1.2',
'value': 'tls1.2',
'caption': 'TLS 1.2',
},
],
'supported_on': [
'chrome.*:50-52',
'chrome_os:50-52',
'android:50-52',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 'tls1.1',
'id': 280,
'caption': '''Minimum TLS version to fallback to''',
'tags': ['system-security'],
'desc': '''Warning: The TLS version fallback will be removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September 2016) and this policy will stop working then.
When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> would previously retry the connection with a lesser version of TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't apply. Regardless, the resulting connection must still comply with SSLVersionMin.
If this policy is not configured or if it is set to "tls1.2" then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> no longer performs this fallback. Note this does not disable support for older TLS versions, only whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers which cannot negotiate versions correctly.
Otherwise, if compatibility with a buggy server must be maintained, this policy may be set to "tls1.1". This is a stopgap measure and the server should be rapidly fixed.''',
},
{
'name': 'SSLVersionMax',
'owners': ['file://crypto/OWNERS'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'tls1.2',
'tls1.3',
],
},
'items': [
{
'name': 'TLSv1.2',
'value': 'tls1.2',
'caption': 'TLS 1.2',
},
{
'name': 'TLSv1.3',
'value': 'tls1.3',
'caption': 'TLS 1.3',
},
],
'supported_on': [
'chrome.*:58-74',
'chrome_os:58-74',
'android:58-74',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 'tls1.2',
'id': 361,
'caption': '''Maximum SSL version enabled''',
'tags': ['system-security'],
'desc': '''Warning: The max TLS version policy will be entirely removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> around version 75 (around June 2019).
If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the default maximum version.
Otherwise it may be set to one of the following values: "tls1.2" or "tls1.3". When set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not use SSL/TLS versions greater than the specified version. An unrecognized value will be ignored.''',
},
{
'name': 'CertificateTransparencyEnforcementDisabledForUrls',
'owners': ['file://components/certificate_transparency/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:53-',
'chrome_os:53-',
'android:53-',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': ['example.com', '.example.com'],
'id': 335,
'caption': '''Disable Certificate Transparency enforcement for a list of URLs''',
'tags': ['system-security'],
'desc': '''Setting the policy turns off Certificate Transparency disclosure requirements for the hostnames in the specified URLs. While making it harder to detect misissued certificates, hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed).
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> doesn't trust those certificates.
A URL pattern follows this format ( https://www.chromium.org/administrators/url-blacklist-filter-format ). However, because the validity of certificates for a given hostname is independent of the scheme, port, or path, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> only considers the hostname portion of the URL. Wildcard hosts aren't supported.''',
},
{
'name': 'CertificateTransparencyEnforcementDisabledForCas',
'owners': ['file://components/certificate_transparency/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:67-',
'chrome_os:67-',
'android:67-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['sha256/AAAAAAAAAAAAAAAAAAAAAA==', 'sha256//////////////////////w=='],
'id': 435,
'caption': '''Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes''',
'tags': ['system-security'],
'desc': '''Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hashes. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the hash must meet one of these conditions:
* It's of the server certificate's <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph>.
* It's of a <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> that appears in a Certificate Authority (CA) certificate in the certificate chain. That CA certificate is constrained through the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName has an organizationName attribute.
* It's of a <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate has the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.
Specify a <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hash by linking the hash algorithm name, a slash, and the Base64 encoding of that hash algorithm applied to the DER-encoded <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> doesn't trust those certificates.''',
},
{
'name': 'CertificateTransparencyEnforcementDisabledForLegacyCas',
'owners': ['file://components/certificate_transparency/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:67-',
'chrome_os:67-',
'android:67-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['sha256/AAAAAAAAAAAAAAAAAAAAAA==', 'sha256//////////////////////w=='],
'id': 436,
'caption': '''Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities''',
'tags': ['system-security'],
'desc': '''Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of Legacy Certificate Authorities (CA) for certificate chains with a specified <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hash. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hash must appear in a CA certificate recognized as a Legacy CA. A Legacy CA is publicly trusted by one or more operating systems supported by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, but not Android Open Source Project or <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
Specify a <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hash by linking the hash algorithm name, a slash and the Base64 encoding of that hash algorithm applied to the DER-encoded <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> doesn't trust those certificates.''',
},
{
'name': 'RC4Enabled',
'owners': ['file://crypto/OWNERS'],
'type': 'main',
'schema': {
'type': 'boolean',
},
'supported_on': [
'chrome.*:48-52',
'chrome_os:48-52',
'android:48-52',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 310,
'caption': '''Enable RC4 cipher suites in TLS''',
'tags': ['system-security'],
'desc': '''Warning: RC4 will be completely removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September 2016) and this policy will stop working then.
If the policy is not set, or is set to false, then RC4 cipher suites in TLS will not be enabled. Otherwise it may be set to true to retain compatibility with an outdated server. This is a stopgap measure and the server should be reconfigured.''',
},
{
'name': 'DHEEnabled',
'owners': ['file://crypto/OWNERS'],
'type': 'main',
'schema': {
'type': 'boolean',
},
'supported_on': [
'chrome.*:53-57',
'chrome_os:53-57',
'android:53-57',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 334,
'caption': '''Enable DHE cipher suites in TLS''',
'tags': ['system-security'],
'desc': '''Warning: DHE will be completely removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 57 (around March 2017) and this policy will stop working then.
If the policy is not set, or is set to false, then DHE cipher suites in TLS will not be enabled. Otherwise it may be set to true to enable DHE cipher suites and retain compatibility with an outdated server. This is a stopgap measure and the server should be reconfigured.
Servers are encouraged to migrated to ECDHE cipher suites. If these are unavailable, ensure a cipher suite using RSA key exchange is enabled.''',
},
{
'name': 'ContextualSearchEnabled',
'owners': ['donnd@chromium.org', 'twellington@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'android:40-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Allow users to use Touch to Search',
},
{
'value': False,
'caption': 'Prevent users from using Touch to Search',
},
],
'example_value': True,
'default': True,
'id': 281,
'caption': '''Enable Touch to Search''',
'tags': [],
'desc': '''Setting the policy to True or leaving it unset makes Touch to Search available to the user, and they can turn the feature on or off.
Setting the policy to False turns Touch to Search off completely.''',
},
{
'name': 'DeviceRebootOnShutdown',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:41-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 284,
'caption': '''Automatic reboot on device shutdown''',
'tags': [],
'desc': '''Setting the policy to Enabled means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> triggers a restart when users shut down the device. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> replaces all shutdown buttons in the UI with restart buttons. If the users shut down devices using the power button, they won't automatically restart, even if the policy is on.
Setting the policy to Disabled or leaving it unset means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> lets them shut down the device.''',
},
{
'name': 'ExtensionCacheSize',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:43-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': 104857600,
'default': 268435456,
'id': 296,
'caption': '''Set Apps and Extensions cache size (in bytes)''',
'tags': [],
'desc': '''Setting to lower than 1 MB or leaving it unset means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> uses the default size of 256 MiB for caching apps and extensions for installation by multiple users of a single device, avoiding the need to redownload each one for every user.''',
'arc_support': 'The cache is not used for Android apps. If multiple users install the same Android app, it will be downloaded anew for each user.',
},
{
'name': 'DeviceLoginScreenDomainAutoComplete',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [ 'chrome_os:44-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 'students.school.edu',
'id': 297,
'caption': '''Enable domain name autocomplete during user sign in''',
'tags': [],
'desc': '''If this policy is set to a blank string or not configured, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will not show an autocomplete option during user sign-in flow.
If this policy is set to a string representing a domain name, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will show an autocomplete option during user sign-in allowing the user to type in only their user name without the domain name extension. The user will be able to overwrite this domain name extension.
If the value of the policy is not a valid domain, the policy will not be applied.''',
},
{
'name': 'ForceMaximizeOnFirstRun',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:43-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': True,
'id': 298,
'caption': '''Maximize the first browser window on first run''',
'tags': [],
'desc': '''Setting the policy to True means Chrome maximizes the first window shown on first run.
Setting the policy to False or leaving it unset means that Chrome might maximize the first window, depending on the screen size.''',
},
{
'name': 'SSLErrorOverrideAllowed',
'owners': ['agl@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:44-', 'chrome_os:44-', 'android:44-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 300,
'caption': '''Allow proceeding from the SSL warning page''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets users click through warning pages <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> shows when users navigate to sites that have SSL errors.
Setting the policy to Disabled prevent users from clicking through any warning pages.''',
},
{
'name': 'QuicAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:43-', 'chrome_os:43-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 301,
'caption': '''Allow QUIC protocol''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset allows the use of QUIC protocol in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting the policy to Disabled disallows the use of QUIC protocol.''',
},
{
'name': 'KeyPermissions',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'additionalProperties': {
'type': 'object',
'properties': {
'allowCorporateKeyUsage': {
'description': '''If set to true, this extension can use all keys that are designated for corporate usage to sign arbitrary data. If set to false, it cannot access any such keys and the user cannot grant such permission either.''',
'type': 'boolean',
},
},
},
},
'supported_on': ['chrome_os:45-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {
'extension1': {
'allowCorporateKeyUsage': True
},
'extension2': {
'allowCorporateKeyUsage': False
}
},
'id': 302,
'caption': 'Key Permissions',
'tags': [],
'desc': '''Setting the policy grants access to corporate keys to extensions. Keys are designated for corporate usage only if they're generated using the chrome.enterprise.platformKeys API on a managed account. Users can't grant or withdraw access to corporate keys to or from extensions.
By default, an extension can't use a key designated for corporate usage, which is equivalent to setting allowCorporateKeyUsage to False for that extension. Only if allowCorporateKeyUsage is set to True for an extension can it use any platform key marked for corporate usage to sign arbitrary data. Only grant this permission if the extension is trusted to secure access to the key against attackers.''',
'arc_support': 'Android apps cannot get access to corporate keys. This policy has no effect on them.',
},
{
'name': 'WelcomePageOnOSUpgradeEnabled',
'owners': ['grt@chromium.org'],
'supported_on': ['chrome.win:45-62'],
'type': 'main',
'schema': { 'type': 'boolean' },
'id': 303,
'caption': 'Enable showing the welcome page on the first browser launch following OS upgrade',
'tags': [],
'desc': '''If this policy is set to true or not configured, the browser will re-show the welcome page on the first launch following an OS upgrade.
If this policy is set to false, the browser will not re-show the welcome page on the first launch following an OS upgrade.''',
'features': {
'dynamic_refresh': False,
'per_profile': False
},
'deprecated': True,
'example_value': False
},
{
'name': 'HardwareAccelerationModeEnabled',
'owners': ['zmo@chromium.org', 'kbr@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:46-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 304,
'caption': '''Use hardware acceleration when available''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset turns on hardware acceleration, if available.
Setting the policy to Disabled turns off hardware acceleration.''',
},
{
'name': 'UnifiedDesktopEnabledByDefault',
'owners': ['phweiss@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:47-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 307,
'caption': '''Make Unified Desktop available and turn on by default''',
'tags': [],
'desc': '''Setting the policy to True turns on Unified Desktop, which allows applications to span multiple displays. Users can turn off Unified Desktop for individual displays.
Setting the policy to False or leaving it unset turns off Unified Desktop, and users can't turn it on.''',
},
{
'name': 'DisplayRotationDefault',
'owners': ['phweiss@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'ROTATE_0',
'value': 0,
'caption': '''Rotate screen by 0 degrees''',
},
{
'name': 'ROTATE_90',
'value': 1,
'caption': '''Rotate screen clockwise by 90 degrees''',
},
{
'name': 'ROTATE_180',
'value': 2,
'caption': '''Rotate screen by 180 degrees''',
},
{
'name': 'ROTATE_270',
'value': 3,
'caption': '''Rotate screen clockwise by 270 degrees''',
},
],
'supported_on': ['chrome_os:48-'],
'device_only': True,
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'id': 311,
'caption': '''Set default display rotation, reapplied on every reboot''',
'tags': [],
'desc': '''Setting the policy has each display rotate to the specified orientation on every reboot and the first time it's connected after the policy value changes. Users may change the display rotation through the settings page after signing in, but it changes back at the next reboot. This policy applies to primary and secondary displays.
If not set, the default value is 0 degrees and users are free to change it. In this case, the default value isn't reapplied at restart.''',
},
{
'name': 'ArcEnabled',
'owners': ['pbond@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:50-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 317,
'default_for_enterprise_users': False,
'caption': '''Enable ARC''',
'tags': [],
'desc':
'''Unless Ephemeral mode or multiple sign-in is on during the user's session, setting ArcEnabled to True turns ARC on for the user. Setting the policy to False or leaving it unset means enterprise users can't use ARC.''',
},
{
'name': 'ArcPolicy',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'description_schema': {
"type": "object",
"properties": {
"applications": {
"type": "array",
"items": {
"type": "object",
"properties": {
"packageName": {
"description": "Android app identifier, e.g. \"com.google.android.gm\" for Gmail",
"type": "string"
},
"installType": {
"description": "Specifies how an app is installed. OPTIONAL: The app is not installed automatically, but the user can install it. This is the default if this policy is not specified. PRELOAD: The app is installed automatically, but the user can uninstall it. FORCE_INSTALLED: The app is installed automatically and the user cannot uninstall it. BLOCKED: The app is blocked and cannot be installed. If the app was installed under a previous policy it will be uninstalled.",
"type": "string",
"enum": [
"OPTIONAL",
"PRELOAD",
"FORCE_INSTALLED",
"BLOCKED"
]
},
"defaultPermissionPolicy": {
"description": "Policy for granting permission requests to apps. PERMISSION_POLICY_UNSPECIFIED: Policy not specified. If no policy is specified for a permission at any level, then the `PROMPT` behavior is used by default. PROMPT: Prompt the user to grant a permission. GRANT: Automatically grant a permission. DENY: Automatically deny a permission.",
"type": "string",
"enum": [
"PERMISSION_POLICY_UNSPECIFIED",
"PROMPT",
"GRANT",
"DENY"
]
},
"managedConfiguration": {
"description": "App-specific JSON configuration object with a set of key-value pairs, e.g. '\"managedConfiguration\": { \"key1\": value1, \"key2\": value2 }'. The keys are defined in the app manifest.",
"type": "object"
}
}
}
}
}
},
'supported_on': ['chrome_os:50-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '{"applications":[{"packageName":"com.google.android.gm","installType":"FORCE_INSTALLED","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}},{"packageName":"com.google.android.apps.docs","installType":"PRELOAD","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}}]}',
'id': 318,
'caption': '''Configure ARC''',
'tags': [],
'desc':
'''Setting the policy specifies a set of policies to hand over to the ARC runtime. Admins can use it to select the Android apps that autoinstall. Enter value in valid JSON format.
To pin apps to the launcher, see PinnedLauncherApps.'''
},
{
'name': 'AllowKioskAppControlChromeVersion',
'owners': ['xiyuan@chromium.org', 'poromov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:51-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 319,
'caption': '''Allow the auto launched with zero delay kiosk app to control <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled means the value of the <ph name="REQUIRED_PLATFORM_VERSION">required_platform_version</ph> manifest key of the zero-delay, autolaunched kiosk app is used as the autoupdate target version prefix.
Setting the policy to Disabled or leaving it unset means the <ph name="REQUIRED_PLATFORM_VERSION">required_platform_version</ph> manifest key is ignored and autoupdate proceeds as normal.
Warning: Do not delegate control of the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version to a kiosk app, because it might prevent the device from getting software updates and critical security fixes. Delegating control of the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version might leave users at risk.''',
'arc_support': 'If the kiosk app is an Android app, it will have no control over the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version, even if this policy is set to <ph name="TRUE">True</ph>.',
},
{
'name': 'LoginAuthenticationBehavior',
'owners': ['afakhry@chromium.org', 'tbarzic@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'GAIA',
'value': 0,
'caption': '''Authentication via the default GAIA flow''',
},
{
'name': 'SAML_INTERSTITIAL',
'value': 1,
'caption': '''Redirect to SAML IdP after user confirmation''',
},
],
'supported_on': ['chrome_os:51-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 0,
'id': 321,
'caption': '''Configure the login authentication behavior''',
'tags': [],
'desc': '''When this policy is set, the login authentication flow will be in one of the following ways depending on the value of the setting:
If set to GAIA, login will be done via the normal GAIA authentication flow.
If set to SAML_INTERSTITIAL, login will show an interstitial screen offering the user to go forward with authentication via the SAML IdP of the device's enrollment domain, or go back to the normal GAIA login flow.'''
},
{
'name': 'UsbDetachableWhitelist',
'owners': ['vpalatin@chromium.org', 'poromov@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'id': 'UsbDeviceId',
'properties': {
'vendor_id': { 'type': 'integer' },
'product_id': { 'type': 'integer' },
},
},
},
'supported_on': ['chrome_os:51-'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'deprecated': True,
'example_value': [
{
'vendor_id' : 1027,
'product_id' : 24577,
},
{
'vendor_id' : 16700,
'product_id' : 8453,
}
],
'id': 322,
'caption': '''Whitelist of USB detachable devices''',
'tags': ['system-security'],
'desc': '''Setting the policy defines the list of USB devices users can detach from their kernel driver to use through the chrome.usb API directly inside a web app. Entries are pairs of USB Vendor Identifier and Product Identifier to identify specific hardware.
If not set, the list of a detachable USB devices is empty.
This policy is deprecated, please use <ph name="USB_DETACHABLE_ALLOWLIST_POLICY_NAME">UsbDetachableAllowlist</ph> instead.
''',
},
{
'name': 'UsbDetachableAllowlist',
'owners': ['file://components/policy/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'id': 'UsbDeviceIdInclusive',
'properties': {
'vendor_id': { 'type': 'integer' },
'product_id': { 'type': 'integer' },
},
},
},
'supported_on': ['chrome_os:87-'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': [
{
'vendor_id' : 1027,
'product_id' : 24577,
},
{
'vendor_id' : 16700,
'product_id' : 8453,
}
],
'id': 765,
'caption': '''Allowlist of USB detachable devices''',
'tags': ['system-security'],
'desc': '''Setting the policy defines the list of USB devices users can detach from their kernel driver to use through the chrome.usb API directly inside a web app. Entries are pairs of USB Vendor Identifier and Product Identifier to identify specific hardware.
If not set, the list of a detachable USB devices is empty.''',
},
{
'name': 'DeviceAllowBluetooth',
'owners': ['isandrk@chromium.org', 'sinhak@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:52-'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': True,
'id': 323,
'caption': '''Allow bluetooth on device''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets users turn Bluetooth on or off.
Setting the policy to Disabled means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> turns Bluetooth off, and users can't turn it on.
Note: To turn on Bluetooth, users must sign out and in again.''',
},
{
'name': 'SuppressUnsupportedOSWarning',
'owners': ['grt@chromium.org'],
'caption': '''Suppress the unsupported OS warning''',
'desc': '''Setting the policy to Enabled suppresses the warning that appears when <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is running on an unsupported computer or operating system.
Setting the policy to Disabled or leaving it unset means the warnings appear on unsupported systems.''',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:49-','chrome_os:49-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'tags': ['system-security'],
'id': 324,
},
{
'name': 'DeviceQuirksDownloadEnabled',
'owners': ['glevin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:51-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'items': [
{
'value': True,
'caption': 'Allow queries to the Quirks Server and potentially downloading hardware-specific configuration files',
},
{
'value': False,
'caption': 'Do not query Quirks Servers',
},
],
'example_value': True,
'default': True,
'id': 325,
'caption': '''Enable queries to Quirks Server for hardware profiles''',
'tags': [],
'desc':
'''The Quirks Server provides hardware-specific configuration files, like
ICC display profiles to adjust monitor calibration.
When this policy is set to false, the device will not attempt to
contact the Quirks Server to download configuration files.
If this policy is true or not configured then <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will automatically contact the Quirks Server and download configuration files, if available, and store them on the device. Such files might, for example, be used to improve display quality of attached monitors.''',
},
{
'name': 'SystemTimezoneAutomaticDetection',
'owners': ['alemate@chromium.org', 'michaelpg@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3, 4 ],
},
'items': [
{
'name': 'TimezoneAutomaticDetectionUsersDecide',
'value': 0,
'caption': '''Let users decide''',
},
{
'name': 'TimezoneAutomaticDetectionDisabled',
'value': 1,
'caption': '''Never auto-detect timezone''',
},
{
'name': 'TimezoneAutomaticDetectionIPOnly',
'value': 2,
'caption': '''Always use coarse timezone detection''',
},
{
'name': 'TimezoneAutomaticDetectionSendWiFiAccessPoints',
'value': 3,
'caption': '''Always send WiFi access-points to server while resolving timezone''',
},
{
'name': 'TimezoneAutomaticDetectionSendAllLocationInfo',
'value': 4,
'caption': '''Always send any available location signals to the server while resolving timezone''',
},
],
'supported_on': ['chrome_os:53-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 0,
'id': 326,
'caption': '''Configure the automatic timezone detection method''',
'tags': ['google-sharing'],
'desc': '''Unless the <ph name="SYSTEM_TIMEZONE_POLICY_NAME">SystemTimezone</ph> policy turns off automatic time zone detection, then setting the policy outlines the automatic time zone detection method, which users can't change.
Setting the policy to:
* <ph name="POLICY_ENUM_SYSTEMTIMEZONEAUTOMATICDETECTION_TIMEZONEAUTOMATICDETECTIONDISABLED">TimezoneAutomaticDetectionDisabled</ph> keeps automatic time zone detection off.
* <ph name="POLICY_ENUM_SYSTEMTIMEZONEAUTOMATICDETECTION_TTIMEZONEAUTOMATICDETECTIONIPONLY">TimezoneAutomaticDetectionIPOnly</ph> keeps automatic time zone detection on, using the IP-only method.
* <ph name="POLICY_ENUM_SYSTEMTIMEZONEAUTOMATICDETECTION_TIMEZONEAUTOMATICDETECTIONSENDWIFIACCESSPOINTS">TimezoneAutomaticDetectionSendWiFiAccessPoints</ph> keeps automatic time zone detection on, continually sending the list of visible Wi-Fi access-points to the Geolocation API server for finer-grained time zone detection.
* <ph name="POLICY_ENUM_SYSTEMTIMEZONEAUTOMATICDETECTION_TIMEZONEAUTOMATICDETECTIONSENDALLLOCATIONINFO">TimezoneAutomaticDetectionSendAllLocationInfo</ph> keeps automatic time zone detection on, continually sending location information (such as Wi-Fi access points, reachable cell towers, GPS) to a server for the most fine-grained time zone detection.
If not set, set to Let users decide, or set to None, then users control automatic time zone detection using normal controls in chrome://settings.''',
},
{
'name': 'TaskManagerEndProcessEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'caption': '''Enable ending processes in Task Manager''',
'desc': '''Setting the policy to Disabled prevents users from ending processes in the Task Manager.
Setting the policy to Enabled or leaving it unset lets users end processes in the Task Manager.''',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:52-','chrome_os:52-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'tags': [],
'id': 327,
},
{
'name': 'DeviceShowLowDiskSpaceNotification',
'owners': ['vsavu@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Always show low disk space warnings',
},
{
'value': False,
'caption': 'Only show low disk space warnings if the device is unmanged or there is only 1 user',
},
],
'example_value': True,
'default': False,
'device_only': True,
'default_for_managed_devices_doc_only': False,
'id': 763,
'caption': '''Show notification when disk space is low''',
'tags': [],
'desc':
'''Allows enabling or disabling a notification when disk space is low. This applies to all users on the device.
This policy is ignored and the notification is always shown if the device is unmanaged or there is only one user.
If there are multiple user accounts on a managed device, the notification will only be shown when this policy is enabled.''',
},
{
'name': 'NetworkThrottlingEnabled',
'owners': ['kirtika@chromium.org', 'pmarko@chromium.org'],
'device_only': True,
'caption': '''Enable throttling network bandwidth''',
'desc': '''Setting the policy turns network throttling on or off. This means that the system is throttled to achieve the provided upload and download rates (in kbits/s). It applies to all users and interfaces on the device.''',
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'enabled': {
'description': 'A boolean flag indicating if throttling is enabled.',
'type': 'boolean'
},
'upload_rate_kbits': {
'description': 'Desired upload rate in kbits/s.',
'type': 'integer'
},
'download_rate_kbits': {
'description': 'Desired download rate in kbits/s.',
'type': 'integer'
}
},
'required': ['enabled', 'upload_rate_kbits', 'download_rate_kbits']
},
'supported_on': ['chrome_os:56-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {'enabled': True, 'upload_rate_kbits': 5600, 'download_rate_kbits': 5600},
'tags': [],
'id': 351,
},
{
'name': 'DeviceWiFiFastTransitionEnabled',
'owners': ['matthewmwang@chromium.org'],
'device_only': True,
'caption': '''Enable 802.11r Fast Transition''',
'desc': '''Setting the policy to Enabled means that Fast Transition is used when the wireless access point supports it. It applies to all users and interfaces on the device.
Setting the policy to Disabled or leaving it unset means that Fast Transition isn't used.''',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:72-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'tags': [],
'id': 501,
},
{
'name': 'DeviceWiFiAllowed',
'owners': ['apotapchuk@chromium.org'],
'device_only': True,
'caption': '''Enable WiFi''',
'desc': '''Setting the policy to Disabled means <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> turns off Wi-Fi, and users can't change it.
Setting the policy to Enabled or leaving it unset lets users turn Wi-Fi on or off.''',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'tags': [],
'id': 537,
},
{
'name': 'DeviceDockMacAddressSource',
'owners': ['lamzin@google.com'],
'caption': '''Device MAC address source when docked''',
'desc': '''Setting the policy lets the administrator change the MAC (media access control) address when connecting a device to the dock. When a dock is connected to some device models, by default, the device's designated dock's MAC address helps identify the device on Ethernet.
If 'DeviceDockMacAddress' is selected or the policy is left unset, the device's designated dock MAC address will be used.
If 'DeviceNicMacAddress' is selected, the device's NIC (network interface controller) MAC address will be used.
If 'DockNicMacAddress' is selected, the dock's NIC MAC address will be used.
Users can't change this setting.''',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3 ]
},
'items': [
{
'name': 'DeviceDockMacAddress',
'value': 1,
'caption': '''Device's designated dock MAC address'''
},
{
'name': 'DeviceNicMacAddress',
'value': 2,
'caption': '''Device's built-in NIC MAC address'''
},
{
'name': 'DockNicMacAddress',
'value': 3,
'caption': '''Dock's built-in NIC MAC address'''
},
],
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'tags': [],
'id': 547,
},
{
'name': 'LoginVideoCaptureAllowedUrls',
'owners': ['cernekee@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:52-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ "https://example.com" ],
'id': 328,
'caption': '''URLs that will be granted access to video capture devices on SAML login pages''',
'tags': ['website-sharing'],
'desc': '''Patterns in this list will be matched against the security
origin of the requesting URL. If a match is found, access to video
capture devices will be granted on SAML login pages. If no match is
found, access will be automatically denied. Wildcard patterns are not
allowed.'''
},
{
'name': 'DeviceLoginScreenExtensions',
'owners': ['emaxx@chromium.org', 'hendrich@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:60-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': ['khpfeaanjngmcnplbdlpegiifgpfgdco;https://clients2.google.com/service/update2/crx'],
'id': 336,
'caption': '''Configure the list of installed apps and extensions on the login screen''',
'tags': ['full-admin-access'],
'desc': '''
Specifies a list of apps and extensions that are installed silently on the login screen, without user interaction, and which cannot be uninstalled or disabled by the user.
Permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension. <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> restricts the set of permissions that the extensions can request.
Note that, for security and privacy reasons, only apps and extensions that belong to the allow list bundled into <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can be installed. All other items will be ignored.
If an app or extension that previously had been force-installed is removed from this list, it is automatically uninstalled by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (<ph name="SEMICOLON">;</ph>). The extension ID is the 32-letter string found e.g. on <ph name="CHROME_EXTENSIONS_LINK">chrome://extensions</ph> when in developer mode. The "update" URL, if specified, should point to an update manifest XML document as described at <ph name="LINK_TO_EXTENSION_DOC1">https://developer.chrome.com/extensions/autoupdate</ph>. By default, the Chrome Web Store's update URL is used (which currently is "https://clients2.google.com/service/update2/crx"). Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest.
For example, <ph name="LOGIN_SCREEN_EXTENSION_POLICY_EXAMPLE">khpfeaanjngmcnplbdlpegiifgpfgdco;https://clients2.google.com/service/update2/crx</ph> installs the <ph name="SMART_CARD_CONNECTOR_APP_NAME">Smart Card Connector</ph> app from the standard Chrome Web Store "update" URL. For more information about hosting extensions, see: <ph name="LINK_TO_EXTENSION_DOC2">https://developer.chrome.com/extensions/hosting</ph>.''',
},
{
'name': 'AllowScreenLock',
'owners': ['file://components/policy/resources/OWNERS'],
'caption': '''Permit locking the screen''',
'desc': '''Setting the policy to Enabled or leaving it unset lets users who authenticate with a password lock the screen.
Setting the policy to Disabled means users can't lock the screen. (They can only sign out from the user session.)''',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:52-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'tags': [],
'id': 329,
},
{
'name': 'ArcCertificatesSyncMode',
'owners': ['pbond@chromium.org', 'edmanp@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'SyncDisabled',
'value': 0,
'caption': '''Disable usage of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> certificates to ARC-apps''',
},
{
'name': 'CopyCaCerts',
'value': 1,
'caption': '''Enable <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> CA certificates to ARC-apps'''
},
],
'supported_on': ['chrome_os:52-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 0,
'id': 330,
'caption': '''Set certificate availability for ARC-apps''',
'tags': ['system-security'],
'desc': '''Setting the policy to CopyCaCerts makes all ONC-installed CA certificates with <ph name="WEB_TRUSTED_BIT">Web TrustBit</ph> available for ARC-apps.
Setting to None or leaving it unset makes <ph name="PRODUCT_OS_NAME">$2<ex>Chrome OS</ex></ph> certificates unavailable for ARC-apps.''',
},
{
'name': 'AllowedDomainsForApps',
'owners': ['igorcov@chromium.org', 'atwilson@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:51-', 'chrome_os:51-', 'android:51-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'managedchrome.com,example.com',
'id': 331,
'caption': '''Define domains allowed to access G Suite''',
'tags': ['filtering'],
'desc': '''Setting the policy turns on Chrome's restricted sign-in feature in G Suite and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains.
Leaving this setting empty or unset means users can access G Suite with any account.
Users cannot change or override this setting.
Note: This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in https://support.google.com/a/answer/1668854.''',
},
{
'name': 'PacHttpsUrlStrippingEnabled',
'owners': ['net-dev@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [ 'chrome.*:52-74', 'chrome_os:52-74' ],
'deprecated': True,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 332,
'caption': '''Enable PAC URL stripping (for https://)''',
'tags': ['system-security'],
'desc': '''Strips privacy and security sensitive parts of https:// URLs before passing them on to PAC scripts (Proxy Auto Config) used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> during proxy resolution.
When True, the security feature is enabled, and https:// URLs are
stripped before submitting them to a PAC script. In this manner the PAC
script is not able to view data that is ordinarily protected by an
encrypted channel (such as the URL's path and query).
When False, the security feature is disabled, and PAC scripts are
implicitly granted the ability to view all components of an https://
URL. This applies to all PAC scripts regardless of origin (including
those fetched over an insecure transport, or discovered insecurely
through WPAD).
This defaults to True (security feature enabled).
It is recommended that this be set to True. The only reason to set it to
False is if it causes a compatibility problem with existing PAC scripts.
The policy will be removed in M75.''',
},
{
'name': 'EnableMediaRouter',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:52-', 'chrome_os:52-', 'android:52-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': True,
'id': 333,
'caption': '''Enable <ph name="PRODUCT_NAME">Google Cast</ph>''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset turns on <ph name="PRODUCT_NAME">Google Cast</ph>, which users can launch from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.
Setting the policy to Disabled turns off <ph name="PRODUCT_NAME">Google Cast</ph>.'''
},
{
'name': 'ShowCastIconInToolbar',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:58-', 'chrome_os:58-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'id': 362,
'caption': '''Show the <ph name="PRODUCT_NAME">Google Cast</ph> toolbar icon''',
'tags': [],
'desc': '''Setting the policy to Enabled displays the Cast toolbar icon on the toolbar or the overflow menu, and users can't remove it.
Setting the policy to Disabled or leaving it unset lets users pin or remove the icon through its contextual menu.
If the policy <ph name="ENABLE_MEDIA_ROUTER_POLICY_NAME">EnableMediaRouter</ph> is set to Disabled, then this policy's value has no effect, and the toolbar icon doesn't appear.'''
},
{
'name': 'MediaRouterCastAllowAllIPs',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:67-', 'chrome_os:67-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 437,
'caption': '''Allow <ph name="PRODUCT_NAME">Google Cast</ph> to connect to Cast devices on all IP addresses.''',
'tags': [],
'desc': '''Unless <ph name="ENABLE_MEDIA_ROUTER_POLICY_NAME">EnableMediaRouter</ph> is set to Disabled, setting <ph name="MEDIA_ROUTER_CAST_ALLOW_ALL_IPS_POLICY_NAME">MediaRouterCastAllowAllIPs</ph> to Enabled connects <ph name="PRODUCT_NAME">Google Cast</ph> to Cast devices on all IP addresses, not just RFC1918/RFC4193 private addresses.
Setting the policy to Disabled connects <ph name="PRODUCT_NAME">Google Cast</ph> to Cast devices only on RFC1918/RFC4193.
Leaving the policy unset connects <ph name="PRODUCT_NAME">Google Cast</ph> to Cast devices only on RFC1918/RFC4193, unless the CastAllowAllIPs feature is turned on.'''
},
{
'name': 'ArcBackupRestoreEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:53-67'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 337,
'caption': '''Enable Android Backup Service''',
'tags': ['google-sharing'],
'desc':
'''This policy was removed in <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph> 68 and replaced by <ph name="ARC_BR_POLICY_NAME">ArcBackupRestoreServiceEnabled</ph>.''',
},
{
'name': 'ArcLocationServiceEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:57-67'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 363,
'caption': '''Enable Android Google Location Service''',
'tags': ['google-sharing'],
'desc':
'''This policy was removed in <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph> 68 and replaced by <ph name="ARC_GLS_POLICY_NAME">ArcGoogleLocationServicesEnabled</ph>.''',
},
{
'name': 'NTPContentSuggestionsEnabled',
'owners': ['treib@chromium.org', 'carlosk@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['android:54-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Show content suggestions on the New Tab page',
},
{
'value': False,
'caption': 'Do not show content suggestions on the New Tab page',
},
],
'example_value': True,
'default': True,
'id': 338,
'default_for_enterprise_users': False,
'caption': '''Show content suggestions on the New Tab page''',
'tags': [],
'desc':
'''Setting the policy to True or leaving it unset displays autogenerated content suggestions on the New Tab page, based on the user's browsing history, interests, or location.
Setting the policy to False prevents autogenerated content suggestions from appearing on the New Tab page.''',
},
{
'name': 'NTPCustomBackgroundEnabled',
'owners': ['mahmadi@chromium.org', 'yyushkina@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-', 'chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Users can customize the New Tab page background',
},
{
'value': False,
'caption': 'Users can not customize the New Tab page background',
},
],
'example_value': True,
'default': True,
'id': 653,
'default_for_enterprise_users': True,
'caption': '''Allow users to customize the background on the New Tab page''',
'tags': [],
'desc':
'''If the policy is set to false, the New Tab page won't allow users to customize the background. Any existing custom background will be permanently removed even if the policy is set to true later.
If the policy is set to true or unset, users can customize the background on the New Tab page.''',
},
{
'name': 'NTPCardsVisible',
'owners': ['danielms@chromium.org', 'tiborg@chromium.org', 'yyushkina@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:88-', 'chrome_os:88-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'New Tab Page will show cards if content is available',
},
{
'value': False,
'caption': 'New Tab Page will not show cards',
},
{
'value': None,
'caption': 'New Tab Page will show cards if content is available, but allow the user to change this setting',
},
],
'example_value': True,
'default': None,
'id': 805,
'caption': '''Show cards on the New Tab Page''',
'tags': [],
'desc':
'''This policy controls the visibility of cards on the New Tab Page. Cards surface entry points to launch common user journeys based on the user's browsing behavior.
If the policy is set to Enabled, the New Tab Page will show cards if content is available.
If the policy is set to Disabled, the New Tab Page won't show cards.
If the policy is not set, the user can control the card visibility. The default is visible.
''',
},
{
'name': 'WebRtcUdpPortRange',
'owners': ['guidou@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:54-', 'chrome_os:54-', 'android:54-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': '10000-11999',
'id': 339,
'caption': '''Restrict the range of local UDP ports used by WebRTC''',
'tags': [],
'desc': '''If the policy is set, the UDP port range used by WebRTC is restricted to the specified port interval (endpoints included).
If the policy is not set, or if it is set to the empty string or an invalid port range, WebRTC is allowed to use any available local UDP port.''',
},
{
'name': 'WebRtcLocalIpsAllowedUrls',
'owners': ['qingsi@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:79-', 'chrome_os:79-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': ['https://www.example.com', '*example.com*'],
'id': 640,
'caption': '''URLs for which local IPs are exposed in WebRTC ICE candidates''',
'tags': [],
'desc': '''Patterns in this list will be matched against the security origin of the requesting URL.
If a match is found or chrome://flags/#enable-webrtc-hide-local-ips-with-mdns is Disabled, the local IP addresses are shown in WebRTC ICE candidates.
Otherwise, local IP addresses are concealed with mDNS hostnames.
Please note that this policy weakens the protection of local IPs if needed by administrators.''',
},
{
'name': 'WebRestrictionsAuthority',
'owners': ['file://components/policy/resources/OWNERS'],
'id': 341,
'type': 'string',
'schema' : { 'type': 'string' },
'tags': ['filtering', 'admin-sharing'],
'future_on': ['webview_android'],
'caption': '''Set an external source of URL restrictions''',
'desc' : '''When this policy is set to a non-empty string the WebView will read URL restrictions from the content provider with the given authority name.''',
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'com.android.chrome.SupervisedUserProvider'
},
{
'name': 'ComponentUpdatesEnabled',
'owners': ['file://components/update_client/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:54-', 'chrome_os:54-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 342,
'caption': '''Enable component updates in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''Enables component updates for all components in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> when not set or set to True.
If set to False, updates to components are disabled. However, some components are exempt from this policy: updates to any component that does not contain executable code, or does not significantly alter the behavior of the browser, or is critical for its security will not be disabled.
Examples of such components include the certificate revocation lists and Safe Browsing data.
See https://developers.google.com/safe-browsing for more info on Safe Browsing.''',
},
{
'name': 'NativePrinters',
'owners': ['file://chromeos/printing/OWNERS', 'skau@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'validation_schema': {
'type': 'array',
'items': {
'type': 'object',
'id': 'PrinterType',
'properties': {
'display_name': { 'type': 'string' },
'description': { 'type': 'string' },
'manufacturer': { 'type': 'string' },
'model': { 'type': 'string' },
'uri': { 'type': 'string' },
'uuid': { 'type': 'string' },
'ppd_resource': {
'type': 'object',
'id': 'PpdResource',
'properties': {
'effective_model': {
'type': 'string',
'description': 'This field must match one of the strings which represent a <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph> supported printer. The string will be used to identify and install the appropriate PPD for the printer. More information can be found at https://support.google.com/chrome?p=noncloudprint.'
},
'autoconf': {
'type': 'boolean',
'description': 'Boolean flag indicating whether IPP Everywhere should be used to set up the printer. This flag is supported on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 76 and higher.'
}
}
}
}
}
},
'supported_on': [ 'chrome_os:57-' ],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
# example_value is split onto multiple lines here for readability, but the
# 'type': 'list' above means that each element has to fit inside a single-
# line textbox in the GPO UI - so the example string is a single line.
'example_value': [
'{ '
'"display_name": "Color Laser", '
'"description": "The printer next to the water cooler.", '
'"manufacturer": "Printer Manufacturer", '
'"model": "Color Laser 2004", '
'"uri": "ipps://print-server.intranet.example.com:443/ipp/cl2k4", '
'"uuid": "1c395fdb-5d93-4904-b246-b2c046e79d12", '
'"ppd_resource": { "effective_model": "Printer Manufacturer ColorLaser2k4", "autoconf": false } '
'}'
],
'id': 350,
'caption': '''Native Printing''',
'tags': [],
'desc': '''Setting the policy lets administrators set up a list of printers for their users. Printer selection occurs the first time users try to print.
Using the policy:
* Customize free-form <ph name="PRINTER_DISPLAY_NAME">display_name</ph> and <ph name="PRINTER_DESCRIPTION">description</ph> for ease of printer selection.
* Help users identify printers using <ph name="PRINTER_MANUFACTURER">manufacturer</ph> and <ph name="PRINTER_MODEL">model</ph>.
* <ph name="PRINTER_URI">uri</ph> should be an address reachable from a client computer, including the <ph name="URI_SCHEME">scheme</ph>, <ph name="URI_PORT">port</ph>, and <ph name="URI_QUEUE">queue</ph>.
* Optionally provide <ph name="PRINTER_UUID">uuid</ph> to help deduplicate <ph name="ZEROCONF_DISCOVERY">zeroconf</ph> printers.
* Either use the model name for <ph name="PRINTER_EFFECTIVE_MODEL">effective_model</ph> or set <ph name="PRINTER_AUTOCONF">autoconf</ph> to True. Printers with both or no properties get ignored.
PPDs are downloaded after the printer is used, and frequently used PPDs are cached. This policy doesn't affect whether users can configure printers on individual devices.
Note: For <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> managed devices, this policy supports expansion of <ph name="MACHINE_NAME_VARIABLE">${MACHINE_NAME[,pos[,count]]}</ph> to the <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> machine name or a substring of it. For example, if the machine name is <ph name="MACHINE_NAME_EXAMPLE">CHROMEBOOK</ph>, then <ph name="MACHINE_NAME_VARIABLE_EXAMPLE">${MACHINE_NAME,6,4}</ph> gets replaced by the 4 characters starting after the 6th position, in other words, <ph name="MACHINE_NAME_PART_EXAMPLE">BOOK</ph>. The position is zero-based.
This policy is deprecated, please use <ph name="PRINTERS_POLICY_NAME">Printers</ph> instead.''',
},
{
'name': 'Printers',
'owners': ['file://chromeos/printing/OWNERS', 'skau@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'validation_schema': {
'type': 'array',
'items': {
'type': 'object',
'id': 'PrinterTypeInclusive',
'properties': {
'display_name': { 'type': 'string' },
'description': { 'type': 'string' },
'manufacturer': { 'type': 'string' },
'model': { 'type': 'string' },
'uri': { 'type': 'string' },
'uuid': { 'type': 'string' },
'ppd_resource': {
'type': 'object',
'id': 'PpdResourceInclusive',
'properties': {
'effective_model': {
'type': 'string',
'description': 'This field must match one of the strings which represent a <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph> supported printer. The string will be used to identify and install the appropriate PPD for the printer. More information can be found at https://support.google.com/chrome?p=noncloudprint.'
},
'autoconf': {
'type': 'boolean',
'description': 'Boolean flag indicating whether IPP Everywhere should be used to set up the printer.'
}
}
}
}
}
},
'supported_on': [ 'chrome_os:86-' ],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
# example_value is split onto multiple lines here for readability, but the
# 'type': 'list' above means that each element has to fit inside a single-
# line textbox in the GPO UI - so the example string is a single line.
'example_value': [
'{ '
'"display_name": "Color Laser", '
'"description": "The printer next to the water cooler.", '
'"manufacturer": "Printer Manufacturer", '
'"model": "Color Laser 2004", '
'"uri": "ipps://print-server.intranet.example.com:443/ipp/cl2k4", '
'"uuid": "1c395fdb-5d93-4904-b246-b2c046e79d12", '
'"ppd_resource": { "effective_model": "Printer Manufacturer ColorLaser2k4", "autoconf": false } '
'}'
],
'id': 769,
'caption': '''Configures a list of printers''',
'tags': [],
'desc': '''Setting the policy lets administrators set up a list of printers for their users. Printer selection occurs the first time users try to print.
Using the policy:
* Customize free-form <ph name="PRINTER_DISPLAY_NAME">display_name</ph> and <ph name="PRINTER_DESCRIPTION">description</ph> for ease of printer selection.
* Help users identify printers using <ph name="PRINTER_MANUFACTURER">manufacturer</ph> and <ph name="PRINTER_MODEL">model</ph>.
* <ph name="PRINTER_URI">uri</ph> should be an address reachable from a client computer, including the <ph name="URI_SCHEME">scheme</ph>, <ph name="URI_PORT">port</ph>, and <ph name="URI_QUEUE">queue</ph>.
* Optionally provide <ph name="PRINTER_UUID">uuid</ph> to help deduplicate <ph name="ZEROCONF_DISCOVERY">zeroconf</ph> printers.
* Either use the model name for <ph name="PRINTER_EFFECTIVE_MODEL">effective_model</ph> or set <ph name="PRINTER_AUTOCONF">autoconf</ph> to True. Printers with both or no properties get ignored.
PPDs are downloaded after the printer is used, and frequently used PPDs are cached. This policy doesn't affect whether users can configure printers on individual devices.
Note: For <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> managed devices, this policy supports expansion of <ph name="MACHINE_NAME_VARIABLE">${MACHINE_NAME[,pos[,count]]}</ph> to the <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> machine name or a substring of it. For example, if the machine name is <ph name="MACHINE_NAME_EXAMPLE">CHROMEBOOK</ph>, then <ph name="MACHINE_NAME_VARIABLE_EXAMPLE">${MACHINE_NAME,6,4}</ph> gets replaced by the 4 characters starting after the 6th position, in other words, <ph name="MACHINE_NAME_PART_EXAMPLE">BOOK</ph>. The position is zero-based.''',
},
{
'name': 'NativePrintersBulkConfiguration',
'owners': ['file://chromeos/printing/OWNERS', 'luum@chromium.org'],
'id': 382,
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': { 'type': 'string' },
'hash': { 'type': 'string' }
},
},
'supported_on': ['chrome_os:65-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': {
"url": "https://example.com/printerpolicy",
"hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef"
},
'max_size': 5242880,
'caption': '''Enterprise printer configuration file''',
'tags': [],
'desc': '''Setting this policy configure enterprise printers. Its format matches the <ph name="NATIVE_PRINTERS_POLICY_NAME">NativePrinters</ph> dictionary, with an additional required <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> downloads the file for printer configurations and makes printers available along with <ph name="BULK_PRINTERS_ACCESS_MODE_POLICY_NAME">NativePrintersBulkAccessMode</ph>, <ph name="BULK_PRINTERS_WHITELIST">NativePrintersBulkWhitelist</ph>, and <ph name="BULK_PRINTERS_BLACKLIST">NativePrintersBulkBlacklist</ph>.
This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.
If you set the policy, users can't change it.
This policy is deprecated, please use <ph name="PRINTERS_BULK_CONFIGURATION_POLICY_NAME">PrintersBulkConfiguration</ph> instead.''',
},
{
'name': 'PrintersBulkConfiguration',
'owners': ['file://chromeos/printing/OWNERS', 'luum@chromium.org'],
'id': 770,
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': { 'type': 'string' },
'hash': { 'type': 'string' }
},
},
'supported_on': ['chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {
"url": "https://example.com/printerpolicy",
"hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef"
},
'max_size': 5242880,
'caption': '''Enterprise printer configuration file''',
'tags': [],
'desc': '''Setting this policy configure enterprise printers. Its format matches the <ph name="PRINTERS_POLICY_NAME">Printers</ph> dictionary, with an additional required <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> downloads the file for printer configurations and makes printers available along with <ph name="PRINTERS_BULK_ACCESS_MODE_POLICY_NAME">PrintersBulkAccessMode</ph>, <ph name="PRINTERS_BULK_ALLOWLIST_POLICY_NAME">PrintersBulkAllowlist</ph>, and <ph name="PRINTERS_BULK_BLOCKLIST_POLICY_NAME">PrintersBulkBlocklist</ph>.
This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.
If you set the policy, users can't change it.''',
},
{
'name': 'NativePrintersBulkAccessMode',
'owners': ['file://chromeos/printing/OWNERS', 'zentaro@chromium.org'],
'id': 383,
'supported_on': ['chrome_os:65-'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'BlacklistRestriction',
'value': 0,
'caption': '''All printers are shown except those in the blacklist.''',
},
{
'name': 'WhitelistPrintersOnly',
'value': 1,
'caption': '''Only printers in the whitelist are shown to users''',
},
{
'name': 'AllowAll',
'value': 2,
'caption': '''Allow all printers from the configuration file.''',
},
],
'features' : {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 1,
'caption': '''Printer configuration access policy.''',
'tags': [],
'desc': '''Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from <ph name="NATIVE_PRINTERS_BULK_CONFIGURATION_POLICY_NAME">NativePrintersBulkConfiguration</ph> are available for users.
* If <ph name="PRINTERS_BLACKLIST">BlacklistRestriction</ph> (value 0) is selected, <ph name="BULK_PRINTERS_BLACKLIST">NativePrintersBulkBlacklist</ph> restricts access to the specified printers
* If <ph name="PRINTERS_WHITELIST">WhitelistPrintersOnly</ph> is selected, <ph name="BULK_PRINTERS_WHITELIST">NativePrintersBulkWhitelist</ph> (value 1) designates only those printers which are selectable
* <ph name="PRINTERS_ALLOW_ALL">AllowAll</ph> (Value 2) displays all printers
Leaving the policy unset puts <ph name="PRINTERS_ALLOW_ALL">AllowAll</ph> in use.
This policy is deprecated, please use <ph name="PRINTERS_BULK_ACCESS_MODE_POLICY_NAME_POLICY_NAME">PrintersBulkAccessMode</ph> instead.''',
},
{
'name': 'PrintersBulkAccessMode',
'owners': ['file://chromeos/printing/OWNERS', 'zentaro@chromium.org'],
'id': 772,
'supported_on': ['chrome_os:86-'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'BlocklistRestriction',
'value': 0,
'caption': '''All printers are shown except those in the blocklist.''',
},
{
'name': 'AllowlistPrintersOnly',
'value': 1,
'caption': '''Only printers in the allowlist are shown to users''',
},
{
'name': 'AllowAll',
'value': 2,
'caption': '''Allow all printers from the configuration file.''',
},
],
'features' : {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'caption': '''Printer configuration access policy.''',
'tags': [],
'desc': '''Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from <ph name="PRINTERS_BULK_CONFIGURATION_POLICY_NAME">PrintersBulkConfiguration</ph> are available for users.
* <ph name="PRINTERS_BLOCKLIST">BlocklistRestriction</ph> (value 0) uses <ph name="PRINTERS_BULK_BLOCKLIST">PrintersBulkBlocklist</ph> to restrict access to the specified printers
* <ph name="PRINTERS_ALLOWLIST">AllowlistPrintersOnly</ph> (value 1) uses <ph name="PRINTERS_BULK_ALLOWLIST">PrintersBulkAllowlist</ph> to designate only those printers which are selectable
* <ph name="PRINTERS_ALLOW_ALL">AllowAll</ph> (value 2) displays all printers
Leaving the policy unset puts <ph name="PRINTERS_ALLOW_ALL">AllowAll</ph> in use.''',
},
{
'name': 'NativePrintersBulkBlacklist',
'owners': ['file://chromeos/printing/OWNERS', 'thestig@chromium.org'],
'supported_on': ['chrome_os:65-'],
'id': 384,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ["id1", "id2", "id3"],
'caption': '''Disabled enterprise printers''',
'tags': [],
'desc': '''If <ph name="PRINTERS_BLACKLIST">BlacklistRestriction</ph> is chosen for <ph name="BULK_PRINTERS_ACCESS_MODE_POLICY_NAME">NativePrintersBulkAccessMode</ph>, then setting <ph name="NATIVE_PRINTERS_BULK_BLACKLIST_POLICY_NAME">NativePrintersBulkBlacklist</ph> specifies which printers users can't use. All printers are provided to the user, except for the IDs listed in this policy. The IDs must correspond to the <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> fields in the file specified in <ph name="BULK_PRINTERS_POLICY_NAME">NativePrintersBulkConfiguration</ph>.
This policy is deprecated, please use <ph name="PRINTERS_BULK_BLOCKLIST">PrintersBulkBlocklist</ph> instead.''',
},
{
'name': 'PrintersBulkBlocklist',
'owners': ['file://chromeos/printing/OWNERS', 'thestig@chromium.org'],
'supported_on': ['chrome_os:86-'],
'id': 779,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ["id1", "id2", "id3"],
'caption': '''Disabled enterprise printers''',
'tags': [],
'desc': '''If <ph name="PRINTERS_BLOCKLIST">BlocklistRestriction</ph> is chosen for <ph name="PRINTERS_BULK_ACCESS_MODE_POLICY_NAME">PrintersBulkAccessMode</ph>, then setting <ph name="PRINTERS_BULK_BLOCKLIST_POLICY_NAME">PrintersBulkBlocklist</ph> specifies which printers users can't use. All printers are provided to the user, except for the IDs listed in this policy. The IDs must correspond to the <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> fields in the file specified in <ph name="PRINTERS_BULK_CONFIGURATION_POLICY_NAME">PrintersBulkConfiguration</ph>.''',
},
{
'name': 'NativePrintersBulkWhitelist',
'owners': ['file://chromeos/printing/OWNERS', 'thestig@chromium.org'],
'supported_on': ['chrome_os:65-'],
'id': 385,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ["id1", "id2", "id3"],
'caption': '''Enabled enterprise printers''',
'tags': [],
'desc': '''If <ph name="PRINTERS_WHITELIST">WhitelistPrintersOnly</ph> is chosen for <ph name="BULK_PRINTERS_ACCESS_MODE_POLICY_NAME">NativePrintersBulkAccessMode</ph>, then setting <ph name="NATIVE_PRINTERS_BULK_WHITELIST_POLICY_NAME">NativePrintersBulkWhitelist</ph> specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to the user. The IDs must correspond to the <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> fields in the file specified in <ph name="NATIVE_PRINTERS_BULK_CONFIGURATION_POLICY_NAME">NativePrintersBulkConfiguration</ph>.
This policy is deprecated, please use <ph name="PRINTERS_BULK_ALLOWLIST_POLICY_NAME">PrintersBulkAllowlist</ph> instead.''',
},
{
'name': 'PrintersBulkAllowlist',
'owners': ['file://chromeos/printing/OWNERS', 'thestig@chromium.org'],
'supported_on': ['chrome_os:86-'],
'id': 780,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ["id1", "id2", "id3"],
'caption': '''Enabled enterprise printers''',
'tags': [],
'desc': '''If <ph name="PRINTERS_ALLOWLIST">AllowlistPrintersOnly</ph> is chosen for <ph name="PRINTERS_BULK_ACCESS_MODE_POLICY_NAME">PrintersBulkAccessMode</ph>, then setting <ph name="PRINTERS_BULK_ALLOWLIST_POLICY_NAME">PRINTERS_BULK_ALLOWLIST</ph> specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to the user. The IDs must correspond to the <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> fields in the file specified in <ph name="PRINTERS_BULK_CONFIGURATION_POLICY_NAME">PrintersBulkConfiguration</ph>.''',
},
{
'name': 'DeviceNativePrinters',
'owners': ['skau@chromium.org', 'bmalcolm@chromium.org'],
'id': 386,
'device_only': True,
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': { 'type': 'string' },
'hash': { 'type': 'string' }
},
},
'supported_on': ['chrome_os:73-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': {
"url": "https://example.com/printerpolicy",
"hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef"
},
'max_size': 5242880,
'caption': '''Enterprise printer configuration file for devices''',
'tags': [],
'desc': '''Setting the policy provides configurations for enterprise printers bound to devices. Its format matches the <ph name="NATIVE_PRINTERS_POLICY_NAME">NativePrinters</ph> dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> downloads the file for printer configurations and makes printers available along with <ph name="DEVICE_PRINTERS_ACCESS_MODE_POLICY_NAME">DevicePrintersAccessMode</ph>, <ph name="DEVICE_PRINTERS_ALLOWLIST_POLICY_NAME">DevicePrintersAllowlist</ph>, and <ph name="DEVICE_PRINTERS_BLOCKLIST_POLICY_NAME">DevicePrintersBlocklist</ph>.
This policy:
* doesn't affect whether users can configure printers on individual devices
* supplements <ph name="BULK_PRINTERS_POLICY_NAME">NativePrintersBulkConfiguration</ph> and individual users' printer setups
If unset, there are no device printers, and the other <ph name="DEVICE_NATIVE_PRINTERS_POLICY_PATTERN">DeviceNativePrinter*</ph> policies are ignored.
This policy is deprecated, please use <ph name="DEVICE_PRINTERS_POLICY_NAME">DevicePrinters</ph> instead.''',
},
{
'name': 'DeviceNativePrintersAccessMode',
'owners': ['skau@chromium.org', 'bmalcolm@chromium.org'],
'id': 387,
'device_only': True,
'supported_on': ['chrome_os:73-'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'BlacklistRestriction',
'value': 0,
'caption': '''All printers are shown except those in the blacklist.''',
},
{
'name': 'WhitelistPrintersOnly',
'value': 1,
'caption': '''Only printers in the whitelist are shown to users''',
},
{
'name': 'AllowAll',
'value': 2,
'caption': '''Allow all printers from the configuration file.''',
},
],
'features' : {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 1,
'caption': '''Device printers configuration access policy.''',
'tags': [],
'desc': '''Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from <ph name="DEVICE_PRINTERS_POLICY_NAME">DevicePrinters</ph> are available for users.
* <ph name="PRINTERS_BLACKLIST">BlacklistRestriction</ph> (value 0), <ph name="DEVICE_PRINTERS_BLOCKLIST_POLICY_NAME">DevicePrintersBlocklist</ph> can restrict access to the specified printers
* If set to <ph name="PRINTERS_WHITELIST">WhitelistPrintersOnly</ph> (value 1), <ph name="DEVICE_PRINTERS_ALLOWLIST_POLCY_NAME">DevicePrintersAllowlist</ph> designates only those printers which are selectable
* <ph name="PRINTERS_ALLOW_ALL">AllowAll</ph> (value 2), all printers are shown.
Leaving the policy unset applies <ph name="PRINTERS_ALLOW_ALL">AllowAll</ph>.
This policy is deprecated, please use <ph name="DEVICE_PRINTERS_ACCESS_MODE_POLICY_NAME">DevicePrintersAccessMode</ph> instead.''',
},
{
'name': 'DeviceNativePrintersBlacklist',
'owners': ['skau@chromium.org', 'bmalcolm@chromium.org'],
'supported_on': ['chrome_os:73-'],
'device_only': True,
'id': 388,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': ["id1", "id2", "id3"],
'caption': '''Disabled enterprise device printers''',
'tags': [],
'desc': '''If <ph name="PRINTERS_BLACKLIST">BlacklistRestriction</ph> is chosen for <ph name="DEVICE_PRINTERS_ACCESS_MODE_POLICY_NAME">DevicePrintersAccessMode</ph>, then setting <ph name="DEVICE_NATIVE_PRINTERS_BLACKLIST_POLICY_NAME">DeviceNativePrintersBlacklist</ph> specifies which printers users can't use. All printers are provided to users, except for the IDs listed in this policy. The IDs must correspond to the <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> fields in the file specified in <ph name="DEVICE_PRINTERS_POLICY_NAME">DevicePrinters</ph>.
This policy is deprecated, please use <ph name="DEVICE_PRINTERS_BLOCKLIST_POLICY_NAME">DevicePrintersBlocklist</ph> instead.''',
},
{
'name': 'DeviceNativePrintersWhitelist',
'owners': ['skau@chromium.org', 'bmalcolm@chromium.org'],
'supported_on': ['chrome_os:73-'],
'device_only': True,
'id': 389,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': ["id1", "id2", "id3"],
'caption': '''Enabled enterprise device printers''',
'tags': [],
'desc': '''If <ph name="PRINTERS_WHITELIST">WhitelistPrintersOnly</ph> is chosen for <ph name="DEVICE_PRINTERS_ACCESS_MODE_POLICY_NAME">DevicePrintersAccessMode</ph>, then setting <ph name="DEVICE_NATIVE_PRINTERS_WHITELIST_POLICY_NAME">DeviceNativePrintersWhitelist</ph> specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to users. The IDs must correspond to the <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> fields in the file specified in <ph name="DEVICE_PRINTERS_POLICY_NAME">DevicePrinters</ph>.
This policy is deprecated, please use <ph name="DEVICE_PRINTERS_ALLOWLIST_POLICY_NAME">DevicePrintersAllowlist</ph>instead.''',
},
{
'name': 'DevicePrinters',
'owners': ['skau@chromium.org', 'bmalcolm@chromium.org'],
'id': 743,
'device_only': True,
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': { 'type': 'string' },
'hash': { 'type': 'string' }
},
},
'supported_on': ['chrome_os:87-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
"url": "https://example.com/printerpolicy",
"hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef"
},
'max_size': 5242880,
'caption': '''Enterprise printer configuration file for devices''',
'tags': [],
'desc': '''Setting the policy provides configurations for enterprise printers bound to devices. Its format matches the <ph name="PRINTERS_POLICY_NAME">Printers</ph> dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> downloads the file for printer configurations and makes printers available along with <ph name="DEVICE_PRINTERS_ACCESS_MODE_POLICY_NAME">DevicePrintersAccessMode</ph>, <ph name="DEVICE_PRINTERS_ALLOWLIST_POLICY_NAME">DevicePrintersAllowlist</ph>, and <ph name="DEVICE_PRINTERS_BLOCKLIST_POLICY_NAME">DevicePrintersBlocklist</ph>.
This policy:
* doesn't affect whether users can configure printers on individual devices
* supplements <ph name="PRINTERS_BULK_CONFIGURATION_POLICY_NAME">PrintersBulkConfiguration</ph> and individual users' printer setups
If unset, there are no device printers, and the other <ph name="DEVICE_PRINTERS_POLICY_PATTERN">DevicePrinter*</ph> policies are ignored.''',
},
{
'name': 'DevicePrintersAccessMode',
'owners': ['skau@chromium.org', 'bmalcolm@chromium.org'],
'id': 733,
'device_only': True,
'supported_on': ['chrome_os:87-'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'BlocklistRestriction',
'value': 0,
'caption': '''All printers are shown except those in the blocklist.''',
},
{
'name': 'AllowlistPrintersOnly',
'value': 1,
'caption': '''Only printers in the allowlist are shown to users''',
},
{
'name': 'AllowAll',
'value': 2,
'caption': '''Allow all printers from the configuration file.''',
},
],
'features' : {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'caption': '''Device printers configuration access policy.''',
'tags': [],
'desc': '''Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from <ph name="DEVICE_PRINTERS_POLICY_NAME">DevicePrinters</ph> are available for users.
* <ph name="POLICY_ENUM_DEVICEPRINTERSACCESSMODE_BLOCKLISTRESTRICTIONS">BlocklistRestriction</ph> (value 0), <ph name="DEVICE_PRINTERS_BLOCKLIST_POLICY_NAME">DevicePrintersBlocklist</ph> can restrict access to the specified printers
* <ph name="POLICY_ENUM_DEVICEPRINTERSACCESSMODE_ALLOWLISTPRINTERSONLY">AllowlistPrintersOnly</ph> (value 1), <ph name="DEVICE_PRINTERS_ALLOWLIST_POLICY_NAME">DevicePrintersAllowlist</ph> designates only those printers which are selectable
* <ph name="POLICY_ENUM_DEVICEPRINTERSACCESSMODE_ALLOWALL">AllowAll</ph> (value 2), all printers are allowed.
Leaving the policy unset applies <ph name="PRINTERS_ALLOW_ALL">AllowAll</ph>.''',
},
{
'name': 'DevicePrintersBlocklist',
'owners': ['skau@chromium.org', 'bmalcolm@chromium.org'],
'supported_on': ['chrome_os:87-'],
'device_only': True,
'id': 734,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'features': {
'dynamic_refresh': True,
},
'example_value': ["id1", "id2", "id3"],
'caption': '''Disabled enterprise device printers''',
'tags': [],
'desc': '''If <ph name="PRINTERS_BLOCKLIST">BlocklistRestriction</ph> is chosen for <ph name="DEVICE_PRINTERS_ACCESS_MODE_POLICY_NAME">DevicePrintersAccessMode</ph>, then setting <ph name="DEVICE_PRINTERS_BLOCKLIST_POLICY_NAME">DevicePrintersBlocklist</ph> specifies which printers users can't use. All printers are provided to users, except for the IDs listed in this policy. The IDs must correspond to the <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> fields in the file specified in <ph name="DEVICE_PRINTERS_POLICY_NAME">DevicePrinters</ph>.''',
},
{
'name': 'DevicePrintersAllowlist',
'owners': ['skau@chromium.org', 'bmalcolm@chromium.org'],
'supported_on': ['chrome_os:87-'],
'device_only': True,
'id': 735,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': ["id1", "id2", "id3"],
'caption': '''Enabled enterprise device printers''',
'tags': [],
'desc': '''If <ph name="PRINTERS_ALLOWLIST">AllowlistPrintersOnly</ph> is chosen for <ph name="DEVICE_PRINTERS_ACCESS_MODE_POLICY_NAME">DevicePrintersAccessMode</ph>, then setting <ph name="DEVICE_PRINTERS_ALLOWLIST_POLICY_NAME">DevicePrintersAllowlist</ph> specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to users. The IDs must correspond to the <ph name="ID_FIELD">"id"</ph> or <ph name="GUID_FIELD">"guid"</ph> fields in the file specified in <ph name="DEVICE_PRINTERS_POLICY_NAME">DevicePrinters</ph>''',
},
{
'name': 'TPMFirmwareUpdateSettings',
'owners': ['file://components/policy/resources/OWNERS'],
'supported_on': ['chrome_os:63-'],
'device_only': True,
'id': 390,
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'allow-user-initiated-powerwash': {
'type': 'boolean',
},
'allow-user-initiated-preserve-device-state': {
'type': 'boolean',
},
'auto-update-mode': {
'type': 'integer',
'enum': [ 1, 2, 3, 4 ],
},
},
},
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
'allow-user-initiated-powerwash': True,
'allow-user-initiated-preserve-device-state': True,
'auto-update-mode': 1,
},
'caption': '''Configure <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware update behavior''',
'tags': [],
'desc': '''Setting the policy configures availability and behavior of <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware updates.
Specify individual settings in JSON properties:
* <ph name="TPM_FIRMWARE_UPDATE_SETTINGS_ALLOW_USER_INITIATED_POWERWASH">allow-user-initiated-powerwash</ph>: If set to <ph name="TPM_FIRMWARE_UPDATE_SETTINGS_ALLOW_USER_INITIATED_POWERWASH_TRUE">true</ph>, users can trigger the powerwash flow to install a <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware update.
* <ph name="TPM_FIRMWARE_UPDATE_SETTINGS_ALLOW_USER_INITIATED_PRESERVE_DEVICE_STATE">allow-user-initiated-preserve-device-state</ph> (available starting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 68): If set to <ph name="TPM_FIRMWARE_UPDATE_SETTINGS_ALLOW_USER_INITIATED_PRESERVE_DEVICE_STATE_TRUE">true</ph>, users can invoke the <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware update flow that preserves device-wide state, including enterprise enrollment, but loses user data.
* <ph name="TPM_FIRMWARE_UPDATE_SETTINGS_AUTO_UPDATE_MODE">auto-update-mode</ph> (available starting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 75): Controls how automatic <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware updates are enforced for vulnerable <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware. All flows preserve local device state. If set to:
* 1 or left not set, <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware updates are not enforced.
* 2, <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware updates at the next reboot after user acknowledges the update.
* 3, <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware updates at the next reboot.
* 4, <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware updates after enrollment, before user sign-in.
Leaving the policy unset renders <ph name="TPM_FIRMWARE_UPDATE_TPM">TPM</ph> firmware update unavailable.''',
},
{
'name': 'MinimumRequiredChromeVersion',
'owners': ['antrim@chromium.org'],
'supported_on': ['chrome_os:64-81'],
'device_only': True,
'type': 'string',
'schema': { 'type': 'string' },
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': '61.0.3163.120',
'id': 394,
'caption': '''Configure minimum allowed Chrome version for the device.''',
'tags': [],
'desc': '''This policy is removed in M82, please use DeviceMinimumVersion instead.
Configures the requirement of the minimum allowed version of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Versions below given are treated as obsolete and device would not allow user sign in before OS is updated.
If current version becomes obsolete during user session, user will be forcefully signed out.
If this policy is not set, no restrictions are applied, and user can sign regardless of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version.
Here "Version" can be either an exact version like '61.0.3163.120' or a version prefix, like '61.0' ''',
},
{
'name': 'DeviceMinimumVersion',
'owners': ['snijhara@google.com'],
'supported_on': ['chrome_os:86-'],
'device_only': True,
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'requirements': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'chromeos_version': {
'description': '''Minimum allowed <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version''',
'type': 'string',
},
'warning_period': {
'description': '''Time in days after which the user will be signed out if <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version is less than the specified <ph name="CHROMEOS_VERSION_PROPERTY_NAME">chromeos_version</ph>''',
'type': 'integer',
'minimum': 0,
},
'aue_warning_period': {
'description': '''Time in days after auto update expiration post which the user will be signed out if <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version is less than the specified <ph name="CHROMEOS_VERSION_PROPERTY_NAME">chromeos_version</ph>''',
'type': 'integer',
'minimum': 0,
},
},
'required': ['chromeos_version'],
},
},
'unmanaged_user_restricted': {
'description': '''A boolean flag indicating whether unmanaged user sessions should receive notifications and force log out if update is required as per this policy.''',
'type': 'boolean'
}
}
},
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
"requirements":
[
{
"chromeos_version" : "12215",
"warning_period" : 0,
"aue_warning_period" : 14
}, {
"chromeos_version" : "13315.60.12",
"warning_period" : 10,
"aue_warning_period" : 21
}
],
"unmanaged_user_restricted": True
},
'id': 670,
'caption': '''Configure minimum allowed Chrome OS version for the device.''',
'tags': [],
'desc': '''Configures the requirement of the minimum allowed version of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
When this policy is set to a non-empty list:
If none of the entries has a <ph name="CHROMEOS_VERSION_PROPERTY_NAME">chromeos_version</ph> greater than the current version of the device, then no restrictions are applied and the already existing restrictions are revoked.
If at least one of the entries has a <ph name="CHROMEOS_VERSION_PROPERTY_NAME">chromeos_version</ph> greater than the current version, the entry whose version is greater and closest to the current version is chosen.
In case of conflict, preference is given to the entry with lower <ph name="WARNING_PERIOD_PROPERTY_NAME">warning_period</ph> or <ph name="AUE_WARNING_PERIOD_PROPERTY_NAME">aue_warning_period</ph> and the policy is applied using that entry.
If the current version becomes obsolete during user session and the current network limits auto updates, an on-screen notification is shown to update the device within the <ph name="WARNING_PERIOD_PROPERTY_NAME">warning_period</ph> shown in the notification.
No notifications are shown if the current network allows auto updates and the device must be updated within the <ph name="WARNING_PERIOD_PROPERTY_NAME">warning_period</ph>.
The <ph name="WARNING_PERIOD_PROPERTY_NAME">warning_period</ph> starts from the time the policy is applied.
If the device is not updated till the expiry of the <ph name="WARNING_PERIOD_PROPERTY_NAME">warning_period</ph>, the user is signed out of the session.
If the current version is found to be obsolete at the time of login with expired <ph name="WARNING_PERIOD_PROPERTY_NAME">warning_period</ph>, the user is required to update the device before signing in.
If the current version becomes obsolete during user session and the device has reached auto update expiration, an on-screen notification is shown to return the device within <ph name="AUE_WARNING_PERIOD_PROPERTY_NAME">aue_warning_period</ph>.
If the device is found to have reached auto update expiration at the time of login with expired <ph name="AUE_WARNING_PERIOD_PROPERTY_NAME">aue_warning_period</ph>, the device is blocked for any user to sign in.
Unmanaged user sessions do not receive notifications and force log out if <ph name="UNMANAGED_USER_RESTRICTED_PROPERTY_NAME">unmanaged_user_restricted</ph> is unset or set to False.
If this policy is not set or set to empty, no restrictions are applied, already existing restrictions are revoked and user can sign in regardless of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version.
Here <ph name="CHROMEOS_VERSION_PROPERTY_NAME">chromeos_version</ph> can be either an exact version like '13305.0.0' or a version prefix, like '13305'.
The <ph name="WARNING_PERIOD_PROPERTY_NAME">warning_period</ph> and <ph name="AUE_WARNING_PERIOD_PROPERTY_NAME">aue_warning_period</ph> are optional values specified in number of days. Default value for them is 0 days, which means that there is no warning period.
The <ph name="UNMANAGED_USER_RESTRICTED_PROPERTY_NAME">unmanaged_user_restricted</ph> is an optional property with default value as False.''',
},
{
'name': 'DeviceMinimumVersionAueMessage',
'owners': ['snijhara@google.com', 'marcgrimme@chromium.org'],
'supported_on': ['chrome_os:86-'],
'device_only': True,
'type': 'string',
'schema': { 'type': 'string' },
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'This device has reached auto update expiration. Kindly return it.',
'id': 714,
'caption': '''Configure auto update expiration message for DeviceMinimumVersion policy''',
'tags': [],
'desc': '''This policy is only effective when the device has reached auto update expiration and does not meet the minimum allowed version of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> set through <ph name="DEVICE_MINIMUM_VERSION_POLICY_NAME">DeviceMinimumVersion</ph> policy.
When this policy is set to a non-empty string :
If the warning time mentioned in <ph name="DEVICE_MINIMUM_VERSION_POLICY_NAME">DeviceMinimumVersion</ph> policy has expired, this message is shown at the login screen when the device is blocked for any user to sign in.
If the warning time mentioned in <ph name="DEVICE_MINIMUM_VERSION_POLICY_NAME">DeviceMinimumVersion</ph> policy has not expired, this message is shown on the Chrome management page after user sign in.
If this policy is not set or set to empty, the default auto update expiration message is shown to the user in both of the above cases.
The auto update expiration message must be plain text without any formatting. No markup is allowed.''',
},
{
'name': 'QuickUnlockModeAllowlist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'all',
'PIN',
'FINGERPRINT',
],
},
'id': 'QuickUnlockModeAllowlist',
},
'supported_on': ['chrome_os:87-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['PIN'],
'default_for_enterprise_users': [],
'id': 784,
'caption': '''Configure allowed quick unlock modes''',
'tags': [],
'desc': '''Setting the policy controls which quick unlock modes can unlock the lock screen.
To allow:
* Every quick unlock mode, use ["all"] (includes modes added in the future).
* Only PIN unlock, use ["PIN"].
* PIN and fingerprint, use ["PIN", "FINGERPRINT"].
If the policy is unset or set to an empty list, no quick unlock modes are available for managed devices.''',
},
{
'name': 'QuickUnlockModeWhitelist',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'all',
'PIN',
'FINGERPRINT',
],
},
'id': 'QuickUnlockModeWhitelist',
},
'supported_on': ['chrome_os:56-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['PIN'],
'default_for_enterprise_users': [],
'id': 352,
'caption': '''Configure allowed quick unlock modes''',
'tags': [],
'desc': '''Setting the policy controls which quick unlock modes can unlock the lock screen.
To allow:
* Every quick unlock mode, use ["all"] (includes modes added in the future).
* Only PIN unlock, use ["PIN"].
* PIN and fingerprint, use ["PIN", "FINGERPRINT"].
If the policy is unset or set to an empty list, no quick unlock modes are available for managed devices.
This policy is deprecated, please use <ph name="QUICK_UNLOCK_MODE_ALLOW_LIST_POLICY_NAME">QuickUnlockModeAllowlist</ph> instead''',
},
{
'name': 'QuickUnlockTimeout',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'SixHours',
'value': 0,
'caption': '''Password entry is required every six hours''',
},
{
'name': 'TweleveHours',
'value': 1,
'caption': '''Password entry is required every twelve hours''',
},
{
'name': 'TwoDays',
'value': 2,
'caption': '''Password entry is required every two days (48 hours)''',
},
{
'name': 'Week',
'value': 3,
'caption': '''Password entry is required every week (168 hours)''',
},
],
'supported_on': ['chrome_os:57-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'id': 353,
'caption': '''Set how often user has to enter password to use quick unlock''',
'tags': [],
'desc': '''Setting the policy controls how often the lock screen requests the password for quick unlock. Each time the lock screen appears, if the last password entry occurred before the time window specified by the value chosen, quick unlock won't be available. If users stay on the lock screen past this amount of time, a password is requested next time they enter the wrong code or re-enter the lock screen, whichever comes first.
Leaving the policy unset means users using quick unlock enter their password on the lock screen daily.''',
},
{
'name': 'PinUnlockMinimumLength',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:57-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 6,
'id': 354,
'caption': '''Set the minimum length of the lock screen PIN''',
'tags': [],
'desc': '''Setting the policy enforces the minimum PIN length chosen. (Values below 1 are rounded up to the minimum of 1.)
Leaving the policy unset enforces a minimal PIN length of 6 digits, the recommended minimum.''',
},
{
'name': 'PinUnlockMaximumLength',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:57-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 0,
'id': 355,
'caption': '''Set the maximum length of the lock screen PIN''',
'tags': [],
'desc': '''Setting the policy means the configured maximum PIN length is enforced. A value of 0 or less means the user may set a PIN of any length. If the value is less than <ph name="PIN_UNLOCK_MINIMUM_LENGTH_POLICY_NAME">PinUnlockMinimumLength</ph> but greater than 0, the maximum length is set to the minimum length.
Leaving the policy unset means no maximum length is enforced.''',
},
{
'name': 'PinUnlockWeakPinsAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:57-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 356,
'caption': '''Enable users to set weak PINs for the lock screen PIN''',
'tags': [],
'desc': '''Setting the policy to Enabled allows weak PINs. Some characteristics of weak PINs: only one digit (1111), digits increase by 1 (1234), digits decrease by 1 (4321), and common PINs. Setting the policy to Disabled means users can't set weak, easy-to-guess PINs.
By default, users get a warning, not an error, for a weak PIN.''',
},
{
'name': 'DeviceWallpaperImage',
'owners': ['xdai@chromium.org', 'maybelle@chromium.org'],
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': {
'description': 'The URL from which the wallpaper image can be downloaded.',
'type': 'string'
},
'hash': {
'description': 'The SHA-256 hash of the wallpaper image.',
'type': 'string'
}
},
},
'supported_on': ['chrome_os:61-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': { "url": "https://example.com/device_wallpaper.jpg", "hash": "1337c0ded00d84b1dbadf00dd15ea5eb000deaddeaddeaddeaddeaddeaddead0" },
'max_size': 16777216,
'id': 357,
'caption': '''Device wallpaper image''',
'tags': [],
'desc': '''Configure device-level wallpaper image that is shown on the login screen if no user has yet signed in to the device. The policy is set by specifying the URL from which the Chrome OS device can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication. The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
If the device wallpaper policy is set, the Chrome OS device will download and use the wallpaper image on the login screen if no user has yet signed in to the device. Once the user logs in, the user's wallpaper policy kicks in.
If the device wallpaper policy is left not set, it's the user's wallpaper policy to decide what to show if the user's wallpaper policy is set.''',
},
{
'name': 'DeviceLoginScreenLocales',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:58-'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': [ "en-US" ],
'id': 364,
'caption': '''Device sign-in screen locale''',
'tags': [],
'desc': '''Configures the locale which is enforced on the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> sign-in screen.
If this policy is set, the sign-in screen will always be displayed in the locale which is given by the first value of this policy (the policy is defined as a list for forward compatibility). If this policy is not set or is set to an empty list, the sign-in screen will be displayed in the locale of the last user session. If this policy is set to a value which is not a valid locale, the sign-in screen will be displayed in a fallback locale (currently, en-US).'''
},
{
'name': 'DeviceLoginScreenInputMethods',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:58-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ "xkb:us::en", "xkb:ch::ger" ],
'id': 365,
'caption': '''Device sign-in screen keyboard layouts''',
'tags': [],
'desc': '''Configures which keyboard layouts are allowed on the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> sign-in screen.
If this policy is set to a list of input method identifiers, the given input methods will be available on the sign-in screen. The first given input method will be preselected. While a user pod is focused on the sign-in screen, the user's last used input method will be available in addition to the input methods given by this policy. If this policy is not set, the input methods on the sign-in screen will be derived from the locale in which the sign-in screen is displayed. Values which are not valid input method identifiers will be ignored.''',
},
{
'name': 'DeviceLoginScreenSystemInfoEnforced',
'owners': ['anqing@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:79-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 609,
'caption': '''Force the sign-in screen to show or hide system information.''',
'tags': [],
'desc': '''Specify whether the system information (e.g. Chrome OS version, device serial
number) is always shown (or hidden) on the login screen.
If the policy is set to true, the system information will be shown forcedly.
If the policy is set to false, the system information will be hidden forcedly.
If the policy is unset, default hehavior (being shown for Canary / Dev channel)
is effective. Users can toggle the visibility by specific operations (e.g., Alt-V).'''
},
{
'name': 'SmsMessagesAllowed',
'owners': ['jlklein@chromium.org', 'jonmann@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:70-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 469,
'caption': '''Allow SMS Messages to be synced from phone to Chromebook.''',
'tags': ['local-data-access', 'google-sharing'],
'desc': '''Setting the policy to Enabled lets users set up their devices to sync their text messages to Chromebooks. Users must explicitly opt in to this feature by completing a setup flow. On completion, users can send and receive texts on their Chromebooks.
Setting the policy to Disabled means users can't set up text syncing.
Leaving the policy unset means that by default, the feature isn't allowed for managed users but is allowed for other users.''',
},
{
'name': 'WifiSyncAndroidAllowed',
'owners': ['jonmann@chromium.org', 'cvandermerwe@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 798,
'caption': '''Allow Wi-Fi network configurations to be synced across <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices and a connected Android phone.''',
'tags': ['local-data-access', 'google-sharing'],
'desc': '''If this setting is enabled, users will be allowed to sync Wi-Fi network configurations between their <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> device(s) and a connected Android phone. Before Wi-Fi network configurations can sync, users must explicitly opt in to this feature by completing a setup flow.
If this setting is disabled, users will not be allowed to sync Wi-Fi network configurations.
This feature depends on the <ph name="WIFI_CONFIGURATIONS_DATATYPE_NAME">wifiConfigurations</ph> datatype in Chrome Sync being enabled. If <ph name="WIFI_CONFIGURATIONS_DATATYPE_NAME">wifiConfigurations</ph> is disabled in the <ph name="SYNC_TYPES_LIST_DISABLED_POLICY_NAME">SyncTypesListDisabled</ph> policy, or Chrome Sync is disabled in the <ph name="SYNC_DISABLED_POLICY_NAME">SyncDisabled</ph> policy this feature will not be enabled.
If this policy is left not set, the default is not allowed for managed users.''',
},
{
'name': 'SmartLockSigninAllowed',
'owners': ['hansberry@chromium.org', 'jhawkins@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:71-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 488,
'caption': '''Allow Smart Lock Signin to be used.''',
'tags': ['local-data-access', 'google-sharing'],
'desc': '''If this setting is enabled, users will be allowed to sign into their account with Smart Lock. This is more permissive than usual Smart Lock behavior which only allows users to unlock their screen.
If this setting is disabled, users will not be allowed to use Smart Lock Signin.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.''',
},
{
'name': 'InstantTetheringAllowed',
'owners': ['hansberry@chromium.org', 'khorimoto@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:60-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 367,
'caption': '''Allow Instant Tethering to be used.''',
'tags': ['local-data-access', 'google-sharing'],
'desc': '''If this setting is enabled, users will be allowed to use Instant Tethering, which allows their Google phone to share its mobile data with their device.
If this setting is disabled, users will not be allowed to use Instant Tethering.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.''',
},
{
'name': 'PhoneHubAllowed',
'owners': ['khorimoto@google.com', 'vecore@chromium.org', 'better-together-dev@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 795,
'caption': '''Allow Phone Hub to be enabled.''',
'tags': ['local-data-access', 'google-sharing'],
'desc': '''If this setting is enabled, users will be allowed to opt in to Phone Hub, which allows them to interact with their phone on a Chrome OS device.
If this setting is disabled, users will not be allowed to opt in to Phone Hub.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.''',
},
{
'name': 'PhoneHubNotificationsAllowed',
'owners': ['khorimoto@google.com', 'vecore@chromium.org', 'better-together-dev@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 796,
'caption': '''Allow Phone Hub notifications to be enabled.''',
'tags': ['local-data-access', 'google-sharing'],
'desc': '''If this setting is enabled, users who have already opted in to Phone Hub, will be able to send/receive their phone's notifications on Chrome OS.
If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.
If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.''',
},
{
'name': 'PhoneHubTaskContinuationAllowed',
'owners': ['khorimoto@google.com', 'vecore@chromium.org', 'better-together-dev@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 797,
'caption': '''Allow Phone Hub task continuation to be enabled.''',
'tags': ['local-data-access', 'google-sharing'],
'desc': '''If this setting is enabled, users who have already opted in to Phone Hub, will be able to continue tasks such as viewing their phone's webpages on Chrome OS.
If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.
If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.''',
},
{
'name': 'NearbyShareAllowed',
'owners': ['vecore@google.com', 'hansberry@chromium.org', 'better-together-dev@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 761,
'caption': '''Allow Nearby Share to be enabled.''',
'tags': ['local-data-access', 'google-sharing'],
'desc': '''If this setting is enabled, users will be allowed to opt in to Nearby Share, which allows them to send and receive files from people closeby.
If this setting is disabled, users will not be allowed to opt in to Nearby Share.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.''',
},
{
'name': 'BrowserNetworkTimeQueriesEnabled',
'owners': ['estark@chromium.org', 'mab@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:60-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Allow queries to a Google server to retrieve an accurate timestamp',
},
{
'value': False,
'caption': 'Do not allow queries to Google servers to retrieve timestamps',
},
],
'example_value': True,
'default': True,
'id': 370,
'caption': '''Allow queries to a Google time service''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> send occasional queries to a Google server to retrieve an accurate timestamp.
Setting the policy to Disabled stops <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> from sending these queries.''',
},
{
'name': 'DeviceSecondFactorAuthentication',
'owners': ['vpalatin@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'Disabled',
'value': 1,
'caption': '''Second factor disabled''',
},
{
'name': 'U2F',
'value': 2,
'caption': '''U2F (Universal Second Factor)''',
},
{
'name': 'U2F_EXTENDED',
'value': 3,
'caption': '''U2F plus extensions for individual attestation''',
},
],
'supported_on': ['chrome_os:61-'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': 2,
'id': 372,
'caption': '''Integrated second factor authentication mode''',
'tags': ['system-security'],
'desc': '''Specifies how the on-board secure element hardware can be used to provide a second-factor authentication if it is compatible with this feature. The machine power button is used to detect the user physical presence.
If 'Disabled' is selected, no second factor is provided.
If 'U2F' is selected, the integrated second factor will behave according the FIDO U2F specification.
If 'U2F_EXTENDED' is selected, the integrated second factor will provide the U2F functions plus some extensions for individual attestation.''',
},
{
'name': 'PrintPreviewUseSystemDefaultPrinter',
'owners': ['file://printing/OWNERS', 'thestig@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:61-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Use the system default printer as the default choice in Print Preview',
},
{
'value': False,
'caption': 'Use the most recently used printer as the default choice in Print Preview',
},
],
'example_value': False,
'default': False,
'id': 373,
'caption': '''Use System Default Printer as Default''',
'tags': [],
'desc': '''Setting the policy to Enabled means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the OS default printer as the default destination for print preview.
Setting the policy to Disabled or leaving it unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the most recently used printer as the default destination for print preview.''',
},
{
'name': 'DeviceEcryptfsMigrationStrategy',
'owners': ['igorcov@chromium.org', 'pmarko@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Unset',
'value': 0,
'caption': '''Policy unset, disallow data migration and ARC''',
},
{
'name': 'DisallowArc',
'value': 1,
'caption': '''Disallow data migration and ARC''',
},
{
'name': 'AllowMigration',
'value': 2,
'caption': '''Allow data migration''',
},
],
'supported_on': ['chrome_os:60-60'],
'supported_chrome_os_management': ['google_cloud'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': 1,
'id': 374,
'caption': '''Migration strategy for ecryptfs''',
'tags': [],
'desc': '''This policy was removed in M61.
Specifies how a device should behave that shipped with ecryptfs and needs to transition to ext4 encryption.
If you set this policy to 'DisallowArc', Android apps will be disabled for all users on the device (including those that have ext4 encryption already) and no migration from ecryptfs to ext4 encryption will be offered to any users.
If you set this policy to 'AllowMigration', users with ecryptfs home directories will be offered to migrate these to ext4 encryption as necessary (currently when Android N becomes available on the device).
This policy does not apply to kiosk apps - these are migrated automatically. If this policy is left not set, the device will behave as if 'DisallowArc' was chosen.''',
},
{
'name': 'EcryptfsMigrationStrategy',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 4],
},
'items': [
{
'name': 'DisallowArc',
'value': 0,
'caption': '''Disallow data migration and ARC.''',
},
{
'name': 'Migrate',
'value': 1,
'caption': '''Migrate automatically, don’t ask for user consent.''',
},
{
'name': 'Wipe',
'value': 2,
'caption': '''Wipe the user’s ecryptfs home directory and start with a fresh ext4-encrypted home directory.''',
},
{
'name': 'MinimalMigrate',
'value': 4,
'caption': '''Similar to Wipe (value 2), but tries to preserve login tokens so the user does not have to sign in again.''',
},
],
'supported_on': ['chrome_os:61-87'],
'device_only': False,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': 2,
'id': 376,
'caption': '''Migration strategy for ecryptfs''',
'tags': [],
'desc': '''This policy was removed in M87 and home directories will automatically migrate to ext4 at sign-in.
Setting the policy specifies the action to take when the user's home directory was created with ecryptfs encryption. Unless ecryptfs-encrypted home directories migrate to ext4-encryption, Android apps might stop running.
Setting the policy to:
* Migrate (or an unsupported option such as AskUser or AskForEcryptfsArcUsers) means directories automatically migrate to ext4 at sign-in, without asking for user consent.
* Wipe or MinimalMigrate means that, at sign-in, new ext4-encrypted home directories replace old ecryptfs-encrypted directories. To help the user avoid repeated sign-ins, MinimalMigrate tries to preserve sign-in tokens.
* DisallowArc or leaving it unset prevents migration, and the user's Android apps stop running.
This policy doesn't apply to kiosk users.
Warning: Wipe and MinimalMigrate remove local data.''',
},
{
'name': 'SchedulerConfiguration',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'conservative',
'performance',
],
},
'items': [
{
'name': 'Conservative',
'value': 'conservative',
'caption': '''Optimize for stability.''',
},
{
'name': 'Performance',
'value': 'performance',
'caption': '''Optimize for performance.''',
},
],
'supported_on': ['chrome_os:74-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'performance',
'id': 522,
'caption': '''Select task scheduler configuration''',
'tags': [],
'desc': '''Setting the policy instructs <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> to use the task scheduler configuration identified by the specified name. This policy can be set to <ph name="CONSERVATIVE_VALUE">Conservative</ph> or <ph name="PERFORMANCE_VALUE">Performance</ph>, which tune the task scheduler for stability or maximum performance, respectively.
If unset, users make their own choice.''',
},
{
'name': 'NoteTakingAppsLockScreenWhitelist',
'owners': ['tbarzic@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome_os:61-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'deprecated': True,
'example_value': ['abcdefghabcdefghabcdefghabcdefgh'],
'id': 377,
'caption': '''Whitelist note-taking apps allowed on the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> lock screen''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="NOTE_TAKING_APPS_LOCK_SCREEN_ALLOWLIST">NoteTakingAppsLockScreenAllowlist</ph> instead.
Setting the policy specifies the apps that users can turn on as a note-taking app on the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> lock screen.
If the preferred app is on the lock screen, a UI element for launching the preferred note-taking app appears on the screen. When launched, the app can create a window on top of the lock screen and create notes in this context. The app can import created notes to the primary user session, when the session is unlocked. Only <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> note-taking apps are supported on the lock screen.
Setting the policy means users can turn on an app on the lock screen if the app's extension ID is in the policy list value. So, setting it to an empty list will turn off note-taking on the lock screen. The policy with an app ID doesn't necessarily mean that users can turn the app on as a note-taking app on the lock screen. For example, on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 61, the set of available apps is also restricted by the platform.
Leaving the policy unset amounts to no restrictions on the set of apps users can enable on the lock screen imposed by the policy.'''
},
{
'name': 'NoteTakingAppsLockScreenAllowlist',
'owners': ['tbarzic@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome_os:86-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': ['abcdefghabcdefghabcdefghabcdefgh'],
'id': 759,
'caption': '''The list of note-taking apps allowed on the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> lock screen''',
'tags': [],
'desc': '''Setting the policy specifies the apps that users can turn on as a note-taking app on the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> lock screen.
If the preferred app is on the lock screen, a UI element for launching the preferred note-taking app appears on the screen. When launched, the app can create a window on top of the lock screen and create notes in this context. The app can import created notes to the primary user session, when the session is unlocked. Only <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> note-taking apps are supported on the lock screen.
Setting the policy means users can turn on an app on the lock screen if the app's extension ID is in the policy list value. So, setting it to an empty list will turn off note-taking on the lock screen. The policy with an app ID doesn't necessarily mean that users can turn the app on as a note-taking app on the lock screen. For example, on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 61, the set of available apps is also restricted by the platform.
Leaving the policy unset amounts to no restrictions on the set of apps users can enable on the lock screen imposed by the policy.'''
},
{
'name': 'CastReceiverEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': ['chrome_os'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 378,
'default_for_enterprise_users': False,
'caption': '''Enable casting content to the device''',
'tags': [],
'desc': '''Allow content to be cast to the device using <ph name="PRODUCT_NAME">Google Cast</ph>.
If this policy is set to False, users will not be able to cast content to their device. If this policy is set to True, users are allowed to cast content. If this policy is not set, users are not allowed to cast content to enrolled Chrome OS devices, but can cast to non enrolled devices.''',
},
{
'name': 'CastReceiverName',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'future_on': ['chrome_os'],
'deprecated': True,
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'My Chromebook',
'id': 379,
'caption': '''Name of the <ph name="PRODUCT_NAME">Google Cast</ph> destination''',
'tags': [],
'desc': '''Determine the name advertised as a <ph name="PRODUCT_NAME">Google Cast</ph> destination.
If this policy is set to a non empty string, that string will be used as the name of the <ph name="PRODUCT_NAME">Google Cast</ph> destination. Otherwise, the destination name will be the device name. If this policy is not set, the destination name will be the device name, and the owner of the device (or a user from the domain managing the device) will be allowed to change it. The name is limited to 24 characters.'''
},
{
'name': 'DeviceOffHours',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'intervals': {
'type': 'array',
'items': {
'type': 'object',
'id': 'WeeklyTimeIntervals',
'properties': {
'start': {
'type': 'object',
'id': 'WeeklyTime',
'properties': {
'day_of_week': {
'type': 'string',
'id': 'WeekDay',
'enum': [
'MONDAY',
'TUESDAY',
'WEDNESDAY',
'THURSDAY',
'FRIDAY',
'SATURDAY',
'SUNDAY'
]
},
'time': { 'type': 'integer'}
}
},
'end': {
'$ref': 'WeeklyTime'
}
}
}
},
'timezone': { 'type': 'string' },
'ignored_policy_proto_tags': {
'type': 'array',
'items': { 'type':'integer' }
}
}
},
'supported_on': ['chrome_os:62-'],
'device_only': True,
'features': {
'dynamic_refresh': True
},
'example_value': {
'intervals':
[
{
'start': {
'day_of_week': 'MONDAY',
'time': 12840000
},
'end': {
'day_of_week': 'MONDAY',
'time': 21720000
}
},
{
'start': {
'day_of_week': 'FRIDAY',
'time': 38640000
},
'end': {
'day_of_week': 'FRIDAY',
'time': 57600000
}
}
],
'timezone': 'GMT',
'ignored_policy_proto_tags': [3, 8]
},
'id': 380,
'caption': '''Off hours intervals when the specified device policies are released''',
'tags': [],
'desc': '''Setting the policy means the specified device policies are ignored (use these policies' default settings) during the specified intervals. Device policies are reapplied by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> when the policy period starts or ends. The user is notified and forced to sign out when this period changes and device policy settings change (for example, when a user signs in with a disallowed account).''',
},
{
'name': 'CloudPolicyOverridesPlatformPolicy',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean'},
'supported_on': [
'chrome.*:75-',
'ios:88-',
],
'features': {
'dynamic_refresh': False,
'per_profile': False,
'platform_only': True,
},
'example_value': False,
'id': 381,
'caption': '''<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> cloud policy overrides Platform policy.''',
'tags': [],
'desc': '''Setting the policy to Enabled means cloud policy takes precedence if it conflicts with platform policy.
Setting the policy to Disabled or leaving it unset means platform policy takes precedence if it conflicts with cloud policy.
This mandatory policy affects machine scope cloud policies.''',
},
{
'name': 'PromptForDownloadLocation',
'owners': ['macourteau@chromium.org', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean'},
'supported_on': ['chrome.*:64-', 'chrome_os:64-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 395,
'caption': '''Ask where to save each file before downloading''',
'tags': [],
'desc': '''Setting the policy to Enabled means users are asked where to save each file before downloading. Setting the policy to Disabled has downloads start immediately, and users aren't asked where to save the file.
Leaving the policy unset lets users change this setting.'''
},
{
'name': 'UnaffiliatedArcAllowed',
'owners': ['phweiss@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:64-'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': False,
'id': 397,
'caption': '''Allow unaffiliated users to use ARC''',
'tags': [],
'desc': '''Unless ARC is turned off by other means, then setting the policy to True or leaving it unset lets users use ARC. Setting the policy to False means unaffiliated users may not use ARC.
Changes to the policy only apply while ARC isn't running, for example, while starting Chrome OS.''',
},
{
'name': 'DeviceArcDataSnapshotHours',
'owners': ['pbond@chromium.org', 'file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'intervals': {
'type': 'array',
'items': {
'$ref': 'WeeklyTimeIntervals'
}
},
'timezone': { 'type': 'string' },
}
},
'supported_on': ['chrome_os:88-'],
'device_only': True,
'features': {
'dynamic_refresh': True
},
'example_value': {
'intervals':
[
{
'start': {
'day_of_week': 'MONDAY',
'time': 12840000
},
'end': {
'day_of_week': 'MONDAY',
'time': 21720000
}
},
{
'start': {
'day_of_week': 'FRIDAY',
'time': 38640000
},
'end': {
'day_of_week': 'FRIDAY',
'time': 57600000
}
}
],
'timezone': 'GMT',
},
'id': 794,
'caption': '''Intervals when ARC data snapshot update process can be started for Managed Guest Sessions''',
'tags': [],
'desc': '''If "DeviceArcDataSnapshotHours" policy is set, then the ARC data snapshotting mechanism is turned on. And the ARC data snapshot update can be started automatically during the defined time intervals. When an interval starts, ARC data snapshot update is required and no user is logged-in, the ARC data snapshot update process is started without user notification. If the user session is active, the UI notification is shown and have to be accepted in order to reboot a device and start ARC data snapshot update process. Note: a device is blocked for usage during the ARC data snapshot update process.''',
},
{
'name': 'IsolateOrigins',
'owners': ['palmer@chromium.org', 'creis@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:63-', 'chrome_os:63-'],
'device_only': False,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'https://example.com/,https://othersite.org/',
'id': 398,
'caption': '''Enable Site Isolation for specified origins''',
'tags': ['system-security'],
'desc': '''Setting the policy means each of the named origins in a comma-separated list runs in its own process, and it isolates origins named by subdomains. For example, specifying https://example.com/ isolates https://foo.example.com/ as part of the https://example.com/ site.
Setting it to off or leaving it unset lets users change this setting.
Note: For Android, use the <ph name="ISOLATE_ORIGINS_ANDROID_POLICY_NAME">IsolateOriginsAndroid</ph> policy instead.''',
},
{
'name': 'SitePerProcess',
'owners': ['palmer@chromium.org', 'creis@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:63-', 'chrome_os:63-'],
'device_only': False,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 399,
'caption': '''Enable Site Isolation for every site''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled isolates all sites. (Each site runs in its own process.) Setting the policy to Disabled or leaving it unset doesn't turn off site isolation, but it lets users opt out (for example, by using Disable site isolation in chrome://flags).
<ph name="ISOLATE_ORIGINS_POLICY_NAME">IsolateOrigins</ph> might also be useful for fine-tuning origins. On <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 76 and earlier, set the <ph name="DEVICE_LOGIN_SCREEN_SITE_PER_PROCESS_POLICY_NAME">DeviceLoginScreenSitePerProcess</ph> device policy to the same value. (Because if the values don't match, a delay can occur when entering a user session.)
Note: For Android, use the <ph name="SITE_PER_PROCESS_ANDROID_POLICY_NAME">SitePerProcessAndroid</ph> policy instead.''',
},
{
'name': 'DeviceLoginScreenIsolateOrigins',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:66-76'],
'device_only': True,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': 'https://example.com/,https://othersite.org/',
'id': 417,
'caption': '''Enable Site Isolation for specified origins''',
'tags': ['system-security'],
'desc': '''
This policy was removed in M77.
This policy applies to the sign-in screen. Please see also the <ph name="ISOLATE_ORIGINS_POLICY_NAME">IsolateOrigins</ph> policy which applies to the user session.
If the policy is enabled, each of the named origins in a comma-separated list will run in its own process. This will also isolate origins named by subdomains; e.g. specifying https://example.com/ will also cause https://foo.example.com/ to be isolated as part of the https://example.com/ site.
If the policy is not configured or disabled, the platform default site isolation settings will be used for the sign-in screen.
''',
},
{
'name': 'DeviceLoginScreenSitePerProcess',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:66-76'],
'device_only': True,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 418,
'caption': '''Enable Site Isolation for every site''',
'tags': ['system-security'],
'desc': '''
This policy was removed in M77.
This policy applies to the sign-in screen. Please see also the <ph name="SITE_PER_PROCESS_POLICY_NAME">SitePerProcess</ph> policy which applies to the user session. It is recommended to set both policies to the same value. If the values don't match, a delay may be incurred when entering a user session while the value specified by user policy is being applied.
''',
},
{
'name': 'IsolateOriginsAndroid',
'owners': ['palmer@chromium.org', 'creis@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['android:68-'],
'device_only': False,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'https://example.com/,https://othersite.org/',
'id': 445,
'caption': '''Enable Site Isolation for specified origins on Android devices''',
'tags': ['system-security'],
'desc': '''Setting the policy means each of the named origins in a comma-separated list runs in its own process, and it isolates origins named by subdomains. For example, specifying https://example.com/ isolates https://foo.example.com/ as part of the https://example.com/ site.
Turning the policy off prevents explicit site isolation and turns off field trials of IsolateOriginsAndroid and SitePerProcessAndroid. Users can still turn on IsolateOrigins manually, through the command line flag.
Leaving the policy unset lets users change this setting.
Note: Site isolation support for Android will improve, but currently it may cause performance problems. This policy applies only to Chrome on Android running on devices with strictly more than 1 GB of RAM. To apply the policy on non-Android platforms, use <ph name="ISOLATE_ORIGINS_POLICY_NAME">IsolateOrigins</ph>.''',
},
{
'name': 'SitePerProcessAndroid',
'owners': ['palmer@chromium.org', 'creis@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['android:68-'],
'device_only': False,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 446,
'caption': '''Enable Site Isolation for every site''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled isolates all sites (each site runs in its own process). Setting the policy to Disabled means no explicit site isolation happens and field trials of IsolateOriginsAndroid and SitePerProcessAndroid are off. Users can still turn the policy on manually.
Leaving the policy unset means users can change this setting.
To get isolation and limited impact for users, use <ph name="ISOLATE_ORIGINS_ANDROID_POLICY_NAME">IsolateOriginsAndroid</ph> with a list of the sites you want to isolate.
Note: Site isolation support for Android will improve, but currently it may cause performance problems. This policy applies only to Chrome on Android running on devices with strictly more than 1 GB of RAM. To apply the policy on non-Android platforms, use <ph name="SITE_PER_PROCESS_POLICY_NAME">SitePerProcess</ph>.''',
},
{
'name': 'WebDriverOverridesIncompatiblePolicies',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:65-79'],
'device_only': False,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 414,
'caption': '''Allow WebDriver to Override Incompatible Policies''',
'tags': ['system-security'],
'desc': '''
This policy was removed in M80, because it is not necessary anymore as
WebDriver is now compatible with all existing policies.
This policy allows users of the WebDriver feature to override
policies which can interfere with its operation.
Currently this policy disables SitePerProcess and IsolateOrigins policies.
If the policy is enabled, WebDriver will be able to override incomaptible
policies.
If the policy is disabled or not configured, WebDriver will not be allowed
to override incompatible policies.''',
},
{
'name': 'UnsafelyTreatInsecureOriginAsSecure',
'owners': ['vogelheim@chromium.org', 'pastarmovj@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'deprecated': True,
'supported_on': ['chrome.*:65-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': ['http://testserver.example.com/','*.example.org'],
'id': 400,
'caption': '''Origins or hostname patterns for which restrictions on
insecure origins should not apply''',
'tags': ['system-security'],
'desc': '''Deprecated in M69. Use
OverrideSecurityRestrictionsOnInsecureOrigin instead.
The policy specifies a list of origins (URLs) or hostname patterns (such
as "*.example.com") for which security restrictions on insecure origins
will not apply.
The intent is to allow organizations to whitelist origins for legacy
applications that cannot deploy TLS, or to set up a staging server for
internal web development so that their developers can test out features
requiring secure contexts without having to deploy TLS on the staging
server. This policy will also prevent the origin from being labeled
"Not Secure" in the omnibox.
Setting a list of URLs in this policy has the same effect as setting the
command-line flag '--unsafely-treat-insecure-origin-as-secure' to a
comma-separated list of the same URLs. If the policy is set, it will
override the command-line flag.
This policy is deprecated in M69 in favor of
OverrideSecurityRestrictionsOnInsecureOrigin. If both policies are
present, OverrideSecurityRestrictionsOnInsecureOrigin will override this
policy.
For more information on secure contexts, see
https://www.w3.org/TR/secure-contexts/
'''
},
{
'name': 'DefaultDownloadDirectory',
'owners': ['macourteau@chromium.org', 'zmin@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:64-', 'chrome_os:64-'],
'features': {
'can_be_mandatory': False,
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '/home/${user_name}/Downloads',
'id': 401,
'caption': '''Set default download directory''',
'tags': ['local-data-access'],
'desc': '''Setting the policy changes the default directory that Chrome downloads files to, but users can change the directory.
Leaving the policy unset means Chrome uses its platform-specific default directory.
Note: See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).''',
},
{
'name': 'DeviceHostnameTemplate',
'owners': ['antrim@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:65-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'chromebook-${ASSET_ID}',
'id': 403,
'caption': '''Device network hostname template''',
'tags': [],
'desc': '''Setting the policy to a string applies the string as the device hostname during DHCP request. The string can have variables <ph name="ASSET_ID_PLACEHOLDER">${ASSET_ID}</ph>, <ph name="SERIAL_NUM_PLACEHOLDER">${SERIAL_NUM}</ph>, <ph name="MAC_ADDR_PLACEHOLDER">${MAC_ADDR}</ph>, <ph name="MACHINE_NAME_PLACEHOLDER">${MACHINE_NAME}</ph>, <ph name="LOCATION_PLACEHOLDER">${LOCATION}</ph> to be replaced with values on the device before using it as a hostname. The resulting substitution should be a valid hostname (per RFC 1035, section 3.1).
Leaving the policy unset or if the value after substitution isn't a valid hostname, no hostname is set in DHCP request.'''
},
{
'name': 'AbusiveExperienceInterventionEnforce',
'owners': ['shivanisha@chromium.org', 'csharrison@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:65-', 'chrome_os:65-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Prevent sites with abusive experiences from opening new windows or tabs',
},
{
'value': False,
'caption': 'Allow sites with abusive experiences to open new windows or tabs',
},
],
'example_value': True,
'default': True,
'id': 404,
'caption': '''Abusive Experience Intervention Enforce''',
'tags': [],
'desc': '''If <ph name="SAFE_BROWSING_ENABLED_POLICY_NAME">SafeBrowsingEnabled</ph> is not Disabled, then setting <ph name="ABUSIVE_EXPERIENCE_INTERVENTION_ENFORCE_POLICY_NAME">AbusiveExperienceInterventionEnforce</ph> to Enabled or leaving it unset prevents sites with abusive experiences from opening new windows or tabs.
Setting <ph name="SAFE_BROWSING_ENABLED_POLICY_NAME">SafeBrowsingEnabled</ph> to Disabled or <ph name="ABUSIVE_EXPERIENCE_INTERVENTION_ENFORCE_POLICY_NAME">AbusiveExperienceInterventionEnforce</ph> to Disabled lets sites with abusive experiences open new windows or tabs.''',
},
{
'name': 'SpellcheckLanguage',
'owners': ['macourteau@chromium.org', 'zmin@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' }
},
# Spell checking is provided by macOS, so can't be controlled on Mac.
'supported_on': ['chrome.win:65-', 'chrome.linux:65-', 'chrome_os:65-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['fr', 'es'],
'id': 405,
'caption': '''Force enable spellcheck languages''',
'tags': [],
'desc': '''Force-enables spellcheck languages. Unrecognized languages in the list will be ignored.
If you enable this policy, spellcheck will be enabled for the languages specified, in addition to the languages for which the user has enabled spellcheck.
If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
If the <ph name="SPELLCHECK_ENABLED_POLICY_NAME">SpellcheckEnabled</ph> policy is set to false, this policy will have no effect.
If a language is included in both this policy and the <ph name="SPELLCHECK_LANGUAGE_BLOCKLIST_POLICY_NAME">SpellcheckLanguageBlocklist</ph> policy, this policy is prioritized and the spellcheck language is enabled.
The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.'''
},
{
'name': 'SpellcheckLanguageBlacklist',
'owners': ['gujen@google.com'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' }
},
# Spell checking is provided by macOS, so can't be controlled on Mac.
'supported_on': ['chrome.win:75-', 'chrome.linux:75-', 'chrome_os:75-'],
'deprecated': True,
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['fr', 'es'],
'id': 536,
'caption': '''Force disable spellcheck languages''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="SPELLCHECK_LANGUAGE_BLOCKLIST_POLICY_NAME">SpellcheckLanguageBlocklist</ph> instead.
Force-disables spellcheck languages. Unrecognized languages in that list will be ignored.
If you enable this policy, spellcheck will be disabled for the languages specified. The user can still enable or disable spellcheck for languages not in the list.
If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
If the <ph name="SPELLCHECK_ENABLED_POLICY_NAME">SpellcheckEnabled</ph> policy is set to false, this policy will have no effect.
If a language is included in both this policy and the <ph name="SPELLCHECK_LANGUAGE_POLICY_NAME">SpellcheckLanguage</ph> policy, the latter is prioritized and the spellcheck language will be enabled.
The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.'''
},
{
'name': 'SpellcheckLanguageBlocklist',
'owners': ['gujen@google.com'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' }
},
# Spell checking is provided by macOS, so can't be controlled on Mac.
'supported_on': ['chrome.win:86-', 'chrome.linux:86-', 'chrome_os:86-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['fr', 'es'],
'id': 749,
'caption': '''Force disable spellcheck languages''',
'tags': [],
'desc': '''Force-disables spellcheck languages. Unrecognized languages in that list will be ignored.
If you enable this policy, spellcheck will be disabled for the languages specified. The user can still enable or disable spellcheck for languages not in the list.
If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
If the <ph name="SPELLCHECK_ENABLED_POLICY_NAME">SpellcheckEnabled</ph> policy is set to false, this policy will have no effect.
If a language is included in both this policy and the <ph name="SPELLCHECK_LANGUAGE_POLICY_NAME">SpellcheckLanguage</ph> policy, the latter is prioritized and the spellcheck language will be enabled.
The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.'''
},
{
'name': 'ThirdPartyBlockingEnabled',
'owners': ['chrisha@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:65-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 407,
'caption': '''Enable third party software injection blocking''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset prevents third-party software from injecting executable code into <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s processes.
Setting the policy to Disabled allows this software to inject such code into <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s processes.
Regardless of the value of this policy, the browser won't block third-party software from injecting executable code into its processes on a machine that's joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain.''',
},
{
'name': 'SpellcheckEnabled',
'owners': ['macourteau@chromium.org', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:65-', 'chrome_os:65-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable spellcheck',
},
{
'value': False,
'caption': 'Disable spellcheck',
},
{
'value': None,
'caption': 'Allow the user to enable or disable spellcheck',
},
],
'example_value': False,
'default': None,
'id': 408,
'caption': '''Enable spellcheck''',
'tags': [],
'desc': '''Setting the policy to Enabled turns spellcheck on, and users can't turn it off. On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> and <ph name="LINUX_OS_NAME">Linux®</ph>, spellcheck languages can be switched on or off individually, so users can still turn spellcheck off by switching off every spellcheck language. To avoid that, use the <ph name="SPELLCHECK_LANGUAGE_POLICY_NAME">SpellcheckLanguage</ph> to force-enable specific spellcheck languages.
Setting the policy to Disabled turns off spellcheck from all sources, and users can't turn it on. The <ph name="SPELL_CHECK_SERVICE_ENABLED_POLICY_NAME">SpellCheckServiceEnabled</ph>, <ph name="SPELLCHECK_LANGUAGE_POLICY_NAME">SpellcheckLanguage</ph> and <ph name="SPELLCHECK_LANGUAGE_BLOCKLIST_POLICY_NAME">SpellcheckLanguageBlocklist</ph> policies have no effect when this policy is set to False.
Leaving the policy unset lets users turn spellcheck on or off in the language settings. '''
},
{
'name': 'AdsSettingForIntrusiveAdsSites',
'owners': ['shivanisha@chromium.org', 'csharrison@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowAds',
'value': 1,
'caption': '''Allow ads on all sites''',
},
{
'name': 'BlockAds',
'value': 2,
'caption': '''Do not allow ads on sites with intrusive ads''',
},
],
'supported_on': ['chrome.*:65-', 'chrome_os:65-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'default': 1,
'id': 409,
'caption': '''Ads setting for sites with intrusive ads''',
'tags': [],
'desc': '''Unless <ph name="SAFE_BROWSING_ENABLED_POLICY_NAME">SafeBrowsingEnabled</ph> is set to False, then setting <ph name="ADS_SETTINGS_FOR_INTRUSIVE_ADS_SITES_POLICY_NAME">AdsSettingForIntrusiveAdsSites</ph> to 1 or leaving it unset allows ads on all sites.
Setting the policy to 2 blocks ads on sites with intrusive ads.''',
},
{
'name': 'RestrictAccountsToPatterns',
'owners': ['bsazonov@chromium.org', 'file://components/signin/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' }
},
'supported_on': ['android:65-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': ['*@example.com', 'user@managedchrome.com'],
'id': 410,
'caption': '''Restrict accounts that are visible in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''Contains a list of patterns which are used to control the visibility of accounts in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Each Google account on the device will be compared to patterns stored in this policy to determine the account visibility in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. The account will be visible if its name matches any pattern on the list. Otherwise, the account will be hidden.
Use the wildcard character '*' to match zero or more arbitrary characters. The escape character is '\\', so to match actual '*' or '\\' characters, put a '\\' in front of them.
If this policy is not set, all Google accounts on the device will be visible in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
},
{
'name': 'PasswordProtectionWarningTrigger',
'owners': ['bdea@chromium.org', 'nparker@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'PasswordProtectionWarningOff',
'value': 0,
'caption': '''Password protection warning is off''',
},
{
'name': 'PasswordProtectionWarningOnPasswordReuse',
'value': 1,
'caption': '''Password protection warning is triggered by password reuse''',
},
{
'name': 'PasswordProtectionWarningOnPhishingReuse',
'value': 2,
'caption': '''Password protection warning is triggered by password reuse on phishing page''',
},
],
'supported_on': ['chrome.*:69-', 'chrome_os:69-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 411,
'caption': '''Password protection warning trigger''',
'tags': [],
'desc': '''Setting the policy lets you control the triggering of password protection warning. Password protection alerts users when they reuse their protected password on potentially suspicious sites.
Use <ph name="PASSWORD_PROTECTION_LOGIN_URLS_POLICY_NAME">PasswordProtectionLoginURLs</ph> and <ph name="PASSWORD_PROTECTION_CHANGE_PASSWORD_URL_POLICY_NAME">PasswordProtectionChangePasswordURL</ph> to set which password to protect.
If this policy is set to:
* PasswordProtectionWarningOff, no password protection warning will be shown.
* PasswordProtectionWarningOnPasswordReuse, password protection warning will be shown when the user reuses their protected password on a non-whitelisted site.
* PasswordProtectionWarningOnPhishingReuse, password protection warning will be shown when the user reuses their protected password on a phishing site.
Leaving the policy unset has the password protection service only protect Google passwords, but users can change this setting.''',
},
{
'id': 419,
'name': 'RelaunchNotification',
'owners': ['grt@chromium.org'],
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'supported_on': ['chrome.*:66-', 'chrome_os:70-'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'caption': '''Notify a user that a browser relaunch or device restart is recommended or required''',
'items': [
{
'name': 'Recommended',
'value': 1,
'caption': '''Show a recurring prompt to the user indicating that a relaunch is recommended''',
},
{
'name': 'Required',
'value': 2,
'caption': '''Show a recurring prompt to the user indicating that a relaunch is required''',
},
],
'example_value': 1,
'desc': '''Notify users that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> must be relaunched or <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> must be restarted to apply a pending update.
This policy setting enables notifications to inform the user that a browser relaunch or device restart is recommended or required. If not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> indicates to the user that a relaunch is needed via subtle changes to its menu, while <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> indicates such via a notification in the system tray. If set to 'Recommended', a recurring warning will be shown to the user that a relaunch is recommended. The user can dismiss this warning to defer the relaunch. If set to 'Required', a recurring warning will be shown to the user indicating that a browser relaunch will be forced once the notification period passes. The default period is seven days for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and four days for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>, and may be configured via the <ph name="RELAUNCH_NOTIFICATION_PERIOD_POLICY_NAME">RelaunchNotificationPeriod</ph> policy setting.
The user's session is restored following the relaunch/restart.''',
},
{
'id': 420,
'name': 'RelaunchNotificationPeriod',
'owners': ['grt@chromium.org'],
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'supported_on': ['chrome.*:67-', 'chrome_os:67-'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 3600000 },
'caption': '''Set the time period for update notifications''',
'label': '''Time period (milliseconds)''',
'example_value': 604800000,
'desc': '''Allows you to set the time period, in milliseconds, over which users are notified that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> must be relaunched or that a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> device must be restarted to apply a pending update.
Over this time period, the user will be repeatedly informed of the need for an update. For <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices, a restart notification appears in the system tray according to the <ph name="RELAUNCH_HEADS_UP_PERIOD_POLICY_NAME">RelaunchHeadsUpPeriod</ph> policy. For <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> browsers, the app menu changes to indicate that a relaunch is needed once one third of the notification period passes. This notification changes color once two thirds of the notification period passes, and again once the full notification period has passed. The additional notifications enabled by the <ph name="RELAUNCH_NOTIFICATION_POLICY_NAME">RelaunchNotification</ph> policy follow this same schedule.
If not set, the default period of 604800000 milliseconds (one week) is used.''',
},
{
'id': 567,
'name': 'RelaunchHeadsUpPeriod',
'owners': ['file://components/policy/resources/OWNERS'],
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'supported_on': ['chrome_os:76-'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 3600000 },
'caption': '''Set the time of the first user relaunch notification''',
'label': '''Time period (milliseconds)''',
'example_value': 86400000,
'desc': '''Allows you to set the time period, in milliseconds, between the first notification that a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> device must be restarted to apply a pending update and the end of the time period specified by the <ph name="RELAUNCH_NOTIFICATION_PERIOD_POLICY_NAME">RelaunchNotificationPeriod</ph> policy.
If not set, the default period of 259200000 milliseconds (three days) is used for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices.''',
},
{
'name': 'VirtualMachinesAllowed',
'owners': ['timzheng@chromium.org', 'aoldemeier@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:66-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'default_for_managed_devices_doc_only': False,
'id': 421,
'caption': '''Allow devices to run virtual machines on Chrome OS''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled lets the device run virtual machines on <ph name="PRODUCT_OS_NAME">$2<ex>Chrome OS</ex></ph>. <ph name="VIRTUAL_MACHINES_ALLOWED_POLICY_NAME">VirtualMachinesAllowed</ph> and <ph name="CROSTINI_ALLOWED_POLICY_NAME">CrostiniAllowed</ph> must be Enabled to use <ph name="PRODUCT_CROSTINI_NAME">$6<ex>Crostini</ex></ph>. Setting the policy to Disabled means the device can't run virtual machines. Changing it to Disabled starts applying the policy to starting new virtual machines, not those already running.
When this policy is not set on a managed device, the device can't run virtual machines. Unmanaged devices can run virtual machines.''',
},
{
'name': 'CrostiniAllowed',
'owners': ['timzheng@chromium.org', 'aoldemeier@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:70-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 481,
'caption': '''User is enabled to run Crostini''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled or leaving it unset lets users run <ph name="PRODUCT_CROSTINI_NAME">$6<ex>Crostini</ex></ph>, as long as <ph name="VIRTUAL_MACHINES_ALLOWED_POLICY_NAME">VirtualMachinesAllowed</ph> and <ph name="CROSTINI_ALLOWED_POLICY_NAME">CrostiniAllowed</ph> are set to Enabled. Setting the policy to Disabled turns <ph name="PRODUCT_CROSTINI_NAME">$6<ex>Crostini</ex></ph> off for the user. Changing it to Disabled starts applying the policy to starting new <ph name="PRODUCT_CROSTINI_NAME">$6<ex>Crostini</ex></ph> containers, not those already running.''',
},
{
'name': 'DeviceUnaffiliatedCrostiniAllowed',
'owners': ['timzheng@chromium.org', 'aoldemeier@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:70-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 482,
'caption': '''Allow unaffiliated users to use Crostini''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled or leaving it unset lets all users use <ph name="PRODUCT_CROSTINI_NAME">$6<ex>Crostini</ex></ph> as long as all 3 policies, <ph name="VIRTUAL_MACHINES_ALLOWED_POLICY_NAME">VirtualMachinesAllowed</ph>, <ph name="CROSTINI_ALLOWED_POLICY_NAME">CrostiniAllowed</ph>, and <ph name="DEVICE_UNAFFILIATED_CROSTINI_ALLOWED_POLICY_NAME">DeviceUnaffiliatedCrostiniAllowed</ph> are set to Enabled. Setting the policy to Disabled means unaffiliated users can't use <ph name="PRODUCT_CROSTINI_NAME">$6<ex>Crostini</ex></ph>. Changing it to Disabled starts applying the policy to starting new <ph name="PRODUCT_CROSTINI_NAME">$6<ex>Crostini</ex></ph> containers, not those already running.''',
},
{
'name': 'CrostiniExportImportUIAllowed',
'owners': ['joelhockey@chromium.org', 'aoldemeier@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:74-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 523,
'caption': '''User is enabled to export / import Crostini containers via the UI''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled or leaving it unset makes the export-import UI available to users. Setting the policy to Disabled renders the export-import UI unavailable to users.''',
},
{
'name': 'CrostiniRootAccessAllowed',
'owners': ['aoldemeier@chromium.org', 'okalitova@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 576,
'caption': '''User is allowed to have root access to Crostini containers''',
'tags': ['system-security'],
'desc': '''Allow this user root access to Crostini containers.
If the policy is set to true or left unset root access to Crostini containers will be granted to the user.
If the policy is set to false, root access to both existing and new Crostini containers will not be granted to the user.''',
},
{
'name': 'CrostiniAnsiblePlaybook',
'owners': ['aoldemeier@chromium.org', 'okalitova@chromium.org'],
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': {
'description': 'The URL from which the Ansible playbook can be downloaded.',
'type': 'string'
},
'hash': {
'description': 'The SHA-256 hash of the Ansible playbook.',
'type': 'string'
}
},
},
'supported_on': ['chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
"url": "https://example.com/ansibleplaybook",
"hash": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
},
'max_size': 1000000,
'id': 639,
'caption': '''Crostini Ansible playbook''',
'tags': [],
'desc': '''Provides an Ansible playbook that should be executed in the default Crostini container.
This policy allows to provide an Ansible playbook to be applied to the default Crostini container if it is available on the given device and allowed by policies.
The size of the data must not exceed 1MB (1000000 bytes) and must be encoded in YAML. The cryptographic hash is used to verify the integrity of the download.
The configuration is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
If you set the policy, users can't change it. If not set, users can continue using default Crostini container in its ongoing configuration if Crostini is allowed by policies.''',
},
{
'name': 'CrostiniArcAdbSideloadingAllowed',
'owners': ['janagrill@chromium.org', 'okalitova@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'Disallow',
'value': 0,
'caption': '''Prevent the user from using Android apps from untrusted sources''',
},
{
'name': 'Allow',
'value': 1,
'caption': '''Allow the user to use Android apps from untrusted sources''',
},
],
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'default': 0,
'id': 690,
'caption': '''Control usage of Android apps from untrusted sources for the user''',
'tags': ['system-security'],
'desc': '''This policy controls the usage of Android apps from untrusted sources (other than Google Play Store) on a per-user basis.
If the value for this policy is not set, then the functionality is treated as disallowed.
If the user's device is managed, the availability of this functionality is additionally dependant on the corresponding device policy.
If the user's device is not managed, the availability of this functionality is additionally dependant on whether the user is the device owner.''',
},
{
'name': 'DeviceCrostiniArcAdbSideloadingAllowed',
'owners': ['janagrill@chromium.org', 'okalitova@chromium.org'],
'device_only': True,
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Disallow',
'value': 0,
'caption': '''Prevent users of this device from using ADB sideloading, without forcing a powerwash, which might leave the device in a questionable state security-wise''',
},
{
'name': 'DisallowWithPowerwash',
'value': 1,
'caption': '''Prevent users of this device from using ADB sideloading and force a device powerwash if sideloading was enabled before''',
},
{
'name': 'AllowForAffiliatedUsers',
'value': 2,
'caption': '''Allow affiliated users of this device to use ADB sideloading''',
},
],
'future_on': ['chrome_os'],
'features': {
'dynamic_refresh': True,
},
'example_value': 1,
'default': 0,
'id': 695,
'caption': '''Control usage of Android apps from untrusted sources for the device''',
'tags': ['system-security'],
'desc': '''This policy controls the usage of Android apps from untrusted sources (other than Google Play Store) for a device.
If the value for this policy is not set, then the functionality is treated as disallowed.
The availability of this functionality is additionally dependant on the corresponding user policy.''',
},
{
'name': 'CrostiniPortForwardingAllowed',
'owners': ['danielng@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 716,
'caption': '''Allow users to [enable/configure] Crostini port forwarding''',
'tags': ['system-security'],
'desc': '''Specifies whether port forwarding into Crostini containers is allowed.
If this policy is set to True or not set, users will be able to configure port forwarding into their Crostini containers.
If this policy is set to False, port forwarding into Crostini containers will be disabled.''',
},
{
'name': 'SafeBrowsingWhitelistDomains',
'owners': ['bdea@chromium.org', 'nparker@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:68-', 'chrome_os:68-'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['mydomain.com', 'myuniversity.edu'],
'id': 422,
'caption': '''Configure the list of domains on which Safe Browsing will not trigger warnings.''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="SAFE_BROWSING_ALLOWLIST_DOMAINS_POLICY_NAME">SafeBrowsingAllowlistDomains</ph> instead.
Setting the policy to Enabled means Safe Browsing will trust the domains you designate. It won't check them for dangerous resources such as phishing, malware, or unwanted software. Safe Browsing's download protection service won't check downloads hosted on these domains. Its password protection service won't check for password reuse.
Setting the policy to Disabled or leaving it unset means default Safe Browsing protection applies to all resources.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'SafeBrowsingAllowlistDomains',
'owners': ['bdea@chromium.org', 'nparker@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:86-', 'chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['mydomain.com', 'myuniversity.edu'],
'id': 732,
'caption': '''Configure the list of domains on which Safe Browsing will not trigger warnings.''',
'tags': [],
'desc': '''Setting the policy to Enabled means Safe Browsing will trust the domains you designate. It won't check them for dangerous resources such as phishing, malware, or unwanted software. Safe Browsing's download protection service won't check downloads hosted on these domains. Its password protection service won't check for password reuse.
Setting the policy to Disabled or leaving it unset means default Safe Browsing protection applies to all resources.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'PasswordProtectionLoginURLs',
'owners': ['bdea@chromium.org', 'nparker@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:69-', 'chrome_os:69-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://mydomain.com/login.html', 'https://login.mydomain.com'],
'id': 423,
'caption': '''Configure the list of enterprise login URLs where password protection service should capture salted hashes of passwords.''',
'tags': [],
'desc': '''Setting the policy sets the list of enterprise login URLs (HTTP and HTTPS protocols only). Password protection service will capture salted hashes of passwords on these URLs and use them for password reuse detection. For <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to correctly capture password salted hashes, ensure your sign-in pages follow these guidelines ( https://www.chromium.org/developers/design-documents/create-amazing-password-forms ).
Turning this setting off or leaving it unset means the password protection service only captures the password salted hashes on https://accounts.google.com.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'PasswordProtectionChangePasswordURL',
'owners': ['bdea@chromium.org', 'nparker@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:69-', 'chrome_os:69-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://mydomain.com/change_password.html',
'id': 424,
'caption': '''Configure the change password URL.''',
'tags': [],
'desc': '''Setting the policy sets the URL for users to change their password after seeing a warning in the browser. The password protection service sends users to the URL (HTTP and HTTPS protocols only) you designate through this policy. For <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to correctly capture the salted hash of the new password on this change password page, make sure your change password page follows these guidelines ( https://www.chromium.org/developers/design-documents/create-amazing-password-forms ).
Turning the policy off or leaving it unset means the service sends users to https://myaccount.google.com to change their password.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'SafeBrowsingExtendedReportingEnabled',
'owners': ['bdea@chromium.org', 'nparker@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:66-', 'chrome_os:66-', 'android: 87-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 429,
'tags': ['google-sharing'],
'caption': '''Enable Safe Browsing Extended Reporting''',
'desc': '''Setting the policy to Enabled turns on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s Safe Browsing Extended Reporting, which sends some system information and page content to Google servers to help detect dangerous apps and sites.
Setting the policy to Disabled means reports are never sent.
If you set this policy, users can't change it. If not set, users can decide whether to send reports or not.
See more about Safe Browsing ( https://developers.google.com/safe-browsing ).''',
'arc_support': 'This policy is not supported within Arc.',
},
{
'name': 'MachineLevelUserCloudPolicyEnrollmentToken',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org', 'rogerta@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:66-80'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
'platform_only': True,
},
'example_value': '37185d02-e055-11e7-80c1-9a214cf093ae',
'id': 428,
'caption': '''The enrollment token of cloud policy on desktop''',
'tags': [],
'deprecated': True,
'desc': '''
This policy is deprecated in M72. Please use CloudManagementEnrollmentToken instead.
''',
},
{
'name': 'CloudManagementEnrollmentToken',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org', 'rogerta@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:72-',
'ios:88-',
],
'features': {
'dynamic_refresh': False,
'per_profile': False,
'platform_only': True,
},
'example_value': '37185d02-e055-11e7-80c1-9a214cf093ae',
'id': 510,
'caption': '''The enrollment token of cloud policy on desktop''',
'tags': [],
'desc': '''Setting the policy means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> tries to register itself with <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. The value of this policy is an enrollment token you can retrieve from the <ph name="GOOGLE_ADMIN_CONSOLE_PRODUCT_NAME">Google Admin console</ph>.
See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for details.''',
},
{
'name': 'CloudManagementEnrollmentMandatory',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:72-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
'platform_only': True,
},
'example_value': True,
'id': 505,
'caption': '''Enable mandatory cloud management enrollment''',
'tags': [],
'desc': '''Setting the policy to Enabled mandates <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph> enrollment and blocks <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> launch process if failed.
Setting the policy to Disabled or leaving it unset renders <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph> optional and doesn't block <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> launch process if failed.
Machine scope cloud policy enrollment on desktop uses this policy. See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for details.''',
},
{
'name': 'AutoplayAllowed',
'owners': ['fbeaufort@chromium.org', 'beccahughes@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:66-', 'chrome.linux:66-', 'chrome.mac:66-', 'chrome_os:66-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 430,
'caption': '''Allow media autoplay''',
'tags': [],
'desc': '''Setting the policy to True lets <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> autoplay media. Setting the policy to False stops <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> from autoplaying media.
By default, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> doesn't autoplay media. But, for certain URL patterns, you can use the <ph name="AUTOPLAY_ALLOWLIST_POLICY_NAME">AutoplayAllowlist</ph> policy to change this setting.
If this policy changes while <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is running, it only applies to newly opened tabs.''',
},
{
'name': 'AutoplayWhitelist',
'owners': ['fbeaufort@chromium.org', 'beccahughes@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:66-', 'chrome_os:66-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 431,
'caption': '''Allow media autoplay on a whitelist of URL patterns''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="AUTOPLAY_ALLOWLIST_POLICY_NAME">AutoplayAllowlist</ph>' policy instead.
Setting the policy lets videos play automatically (without user consent) with audio content in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If <ph name="AUTOPLAY_ALLOWED_POLICY_NAME">AutoplayAllowed</ph> policy is set to True, then this policy has no effect. If <ph name="AUTOPLAY_ALLOWED_POLICY_NAME">AutoplayAllowed</ph> is set to False, then any URL patterns set in this policy can still play. If this policy changes while <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is running, it only applies to newly opened tabs.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
},
{
'name': 'AutoplayAllowlist',
'owners': ['fbeaufort@chromium.org', 'beccahughes@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:86-', 'chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 742,
'caption': '''Allow media autoplay on a whitelist of URL patterns''',
'tags': [],
'desc': '''Setting the policy lets videos play automatically (without user consent) with audio content in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If <ph name="AUTOPLAY_ALLOWED_POLICY_NAME">AutoplayAllowed</ph> policy is set to True, then this policy has no effect. If <ph name="AUTOPLAY_ALLOWED_POLICY_NAME">AutoplayAllowed</ph> is set to False, then any URL patterns set in this policy can still play. If this policy changes while <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is running, it only applies to newly opened tabs.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
},
{
'name': 'TabUnderAllowed',
'owners': ['chrisha@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:67-67', 'chrome_os:67-67'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'deprecated': True,
'id': 432,
'caption': '''Allow sites to simultaneously navigate and open pop-ups''',
'tags': [],
'desc': '''Deprecated in M68. Use DefaultPopupsSetting instead.
For a full explanation, see https://www.chromestatus.com/features/5675755719622656.
If this policy is enabled, sites will be allowed to simultaneously navigate and open new windows/tabs.
If this policy is disabled or not set, sites will be disallowed from simultaneously navigating and opening a new window/tab.''',
},
{
'name': 'UserNativePrintersAllowed',
'owners': ['valleau@chromium.org', 'skau@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:67-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 433,
'caption': '''Allow access to native CUPS printers''',
'tags': [],
'desc': '''Allows you to control if users can access non-enterprise printers
If the policy is set to True, or not set at all, users will be able to add, configure, and print using their own native printers.
If the policy is set to False, users will not be able to add and configure their own native printers. They will also not be able to print using any previously configured native printers.
This policy is deprecated, please use <ph name="USER_PRINTERS_ALLOWED">UserPrintersAllowed</ph> instead.
''',
},
{
'name': 'UserPrintersAllowed',
'owners': ['valleau@chromium.org', 'skau@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 768,
'caption': '''Allow access to CUPS printers''',
'tags': [],
'desc': '''Allows you to control if users can access non-enterprise printers
If the policy is set to True, or not set at all, users will be able to add, configure, and print using their own printers.
If the policy is set to False, users will not be able to add and configure their own printers. They will also not be able to print using any previously configured printers.
''',
},
{
'name': 'DeviceSamlLoginAuthenticationType',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'Default',
'value': 0,
'caption': '''Default configuration''',
},
{
'name': 'ClientCertificate',
'value': 1,
'caption': '''Authentication based on client certificates''',
},
],
'future_on': ['chrome_os'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 0,
'id': 438,
'caption': '''SAML login authentication type''',
'tags': ['system-security'],
'desc': '''Configures the type of authentication for SAML logins.
When this policy is unset or set to Default (value 0), the behavior of SAML logins is determined by the browser depending on other factors. In the most basic scenario, the user authentication and the protection of the cached user data are based on passwords manually entered by users.
When this policy is set to ClientCertificate (value 1), client certificate authentication is used for newly added users which log in via SAML. No passwords are used for such users, and their cached local data is protected using corresponding cryptographic keys. For instance, this setting allows configuring smart card based user authentication (note that smart card middleware apps have to be installed via the DeviceLoginScreenExtensions policy).
This policy affects only users who authenticate using SAML.''',
},
{
'name': 'ChromeCleanupEnabled',
'owners': ['proberge@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:68-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 441,
'caption': '''Enable Chrome Cleanup on Windows''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled or leaving it unset means Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is allowed.
Setting the policy to Disabled means Chrome Cleanup won't periodically scan and manual triggering is disabled.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.''',
},
{
'name': 'ChromeCleanupReportingEnabled',
'owners': ['proberge@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:68-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 442,
'caption': '''Control how Chrome Cleanup reports data to Google''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled means if <ph name="CHROME_CLEANUP_NAME">Chrome Cleanup</ph> detects unwanted software, it may, in line with policy set by <ph name="SAFE_BROWSING_EXTENDED_REPORTING_ENABLED_POLICY_NAME">SafeBrowsingExtendedReportingEnabled</ph>, report about the scan to Google. <ph name="CHROME_CLEANUP_NAME">Chrome Cleanup</ph> asks users if they want the cleanup. It sends results to Google.
Setting the policy to Disabled means if <ph name="CHROME_CLEANUP_NAME">Chrome Cleanup</ph> detects unwanted software, it won't report about the scan to Google, regardless of the value of <ph name="SAFE_BROWSING_EXTENDED_REPORTING_ENABLED_POLICY_NAME">SafeBrowsingExtendedReportingEnabled</ph>. <ph name="CHROME_CLEANUP_NAME">Chrome Cleanup</ph> asks users if they want the cleanup. The results aren't reported to Google.
Leaving the policy unset means <ph name="CHROME_CLEANUP_NAME">Chrome Cleanup</ph> may, in line with policy set by <ph name="SAFE_BROWSING_EXTENDED_REPORTING_ENABLED_POLICY_NAME">SafeBrowsingExtendedReportingEnabled</ph>, report about scans for detecting unwanted software to Google. <ph name="CHROME_CLEANUP_NAME">Chrome Cleanup</ph> asks users if they want the cleanup and to share the results with Google to help with future unwanted software detection. These results have file metadata, automatically installed extensions, and registry keys, as described by the Chrome Privacy Whitepaper.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>.''',
},
{
'name': 'AllowedLanguages',
'owners': ['hendrich@chromium.org', 'file://components/policy/resources/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:72-'],
'device_only': False,
'features': {
'dynamic_refresh': False,
'per_profile': True
},
'example_value': [ 'en-US' ],
'id': 444,
'caption': '''Configure the allowed languages in a user session''',
'tags': [],
'desc': '''Setting the policy lets users add only one of the languages listed in this policy to the list of preferred languages.
If not set or set to an empty list, users can specify languages as preferred.
If set to a list with invalid values, those values are ignored. If users added languages not allowed by this policy to the list of preferred languages, they're removed. If they had <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> displayed in a language not allowed by this policy, the next time they sign in, the display language switches to an allowed UI language. Otherwise, if this policy only has invalid entries, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> switches to the first valid value specified by this policy or a fallback locale such as en-US.'''
},
{
'name': 'AllowedInputMethods',
'owners': ['hendrich@chromium.org', 'pmarko@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:69-'],
'device_only': False,
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': [ 'xkb:us::eng' ],
'id': 456,
'caption': '''Configure the allowed input methods in a user session''',
'tags': [],
'desc': '''Setting the policy lets users choose one of the input methods (keyboard layouts) for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> sessions that you specify.
If you leave it unset or set to an empty list, users can select all supported input methods.
Note: If the current input method is unsupported, it switches to the hardware keyboard layout (if allowed) or the first valid entry in this list. Invalid or unsupported methods are ignored.'''
},
{
'name': 'ArcAppInstallEventLoggingEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:67-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 447,
'caption': '''Log events for Android app installs''',
'tags': ['google-sharing'],
'desc': '''Setting the policy to True sends reports of key, policy-triggered Android app installation events to Google. Setting the policy to False means no events are captured.''',
},
{
'name': 'ExtensionInstallEventLoggingEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'default': True,
'example_value': True,
'id': 727,
'caption': '''Log events for policy based extension installs''',
'tags': ['google-sharing'],
'desc': '''Setting the policy to True sends reports of key, policy-triggered extension installation events to Google. Setting the policy to False means no events are captured. If the policy is unset, default value is set to True.''',
},
{
'name': 'UsageTimeLimit',
'owners': ['hgrandinetti@chromium.org', 'vtrmc@chromium.org'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'time_window_limit': {
'type': 'object',
'properties': {
'entries': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'effective_day': { '$ref': 'WeekDay' },
'starts_at': {
'type': 'object',
'id': 'Time',
'properties': {
'hour': {
'type': 'integer',
'minimum': 0,
'maximum': 23
},
'minute': {
'type': 'integer',
'minimum': 0,
'maximum': 59
},
},
'required': ['hour', 'minute']
},
'ends_at': { '$ref': 'Time' },
'last_updated_millis': { 'type': 'string' }
}
}
}
}
},
'time_usage_limit': {
'type': 'object',
'properties': {
'monday': {
'type': 'object',
'id': 'TimeUsageLimitEntry',
'properties': {
'usage_quota_mins': {
'type': 'integer',
'minimum': 0
},
'last_updated_millis': { 'type': 'string' }
}
},
'tuesday': { '$ref': 'TimeUsageLimitEntry' },
'wednesday': { '$ref': 'TimeUsageLimitEntry' },
'thursday': { '$ref': 'TimeUsageLimitEntry' },
'friday': { '$ref': 'TimeUsageLimitEntry' },
'saturday': { '$ref': 'TimeUsageLimitEntry' },
'sunday': { '$ref': 'TimeUsageLimitEntry' },
'reset_at': { '$ref': 'Time' }
}
},
'overrides': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'action': {
'type': 'string',
'enum': [
'LOCK',
'UNLOCK'
]
},
'created_at_millis': { 'type': 'string' },
'action_specific_data': {
'type': 'object',
'properties': {
'duration_mins': {
'type': 'integer',
'minimum': 0
}
}
}
}
}
}
}
},
'supported_on': ['chrome_os:69-'],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': {
'time_window_limit': {
'entries': [{
'effective_day': 'WEDNESDAY',
'starts_at': {
'hour': 21,
'minute': 0
},
'ends_at': {
'hour': 7,
'minute': 30
},
'last_updated_millis': '1000000'
}]
},
'time_usage_limit': {
'monday': {
'usage_quota_mins': 120,
'last_updated_millis': '1200000'
},
'tuesday': {
'usage_quota_mins': 120,
'last_updated_millis': '1200000'
},
'wednesday': {
'usage_quota_mins': 120,
'last_updated_millis': '1200000'
},
'thursday': {
'usage_quota_mins': 120,
'last_updated_millis': '1200000'
},
'friday': {
'usage_quota_mins': 120,
'last_updated_millis': '1200000'
},
'saturday': {
'usage_quota_mins': 120,
'last_updated_millis': '1200000'
},
'sunday': {
'usage_quota_mins': 120,
'last_updated_millis': '1200000'
},
'reset_at': {
'hour': 6,
'minute': 0
}
},
'overrides': [{
'action': 'UNLOCK',
'created_at_millis': '1250000',
'action_specific_data': {
'duration_mins': 30
}
}]
},
'id': 448,
'caption': '''Time Limit''',
'tags': [],
'desc': '''Allows you to lock the user's session based on the client time or the usage quota of the day.
The |time_window_limit| specifies a daily window in which the user's session should be locked. We only support one rule for each day of the week, therefore the |entries| array may vary from 0-7 in size. |starts_at| and |ends_at| are the beginning and the end of the window limit, when |ends_at| is smaller than |starts_at| it means that the |time_limit_window| ends on the following day. |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.
The |time_usage_limit| specifies a daily screen quota, so when the user reaches it, the user's session is locked. There is a property for each day of the week, and it should be set only if there is an active quota for that day. |usage_quota_mins| is the amount of time that the managed device can be use in a day and |reset_at| is the time when the usage quota is renewed. The default value for |reset_at| is midnight ({'hour': 0, 'minute': 0}). |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.
|overrides| is provided to invalidate temporarily one or more of the previous rules.
* If neither time_window_limit nor time_usage_limit is active |LOCK| can be used to lock the device.
* |LOCK| temporarily locks a user session until the next time_window_limit or time_usage_limit starts.
* |UNLOCK| unlocks a user's session locked by time_window_limit or time_usage_limit.
|created_time_millis| is the UTC timestamp for the override creation, it is sent as a String because the timestamp wouldn't fit in an integer It is used to determine whether this override should still be applied. If the current active time limit feature (time usage limit or time window limit) started after the override was created, it should not take action. Also if the override was created before the last change of the active time_window_limit or time_usage_window it should not be applied.
Multiple overrides may be sent, the newest valid entry is the one that is going to be applied.'''
},
{
'name': 'ArcBackupRestoreServiceEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'BackupAndRestoreDisabled',
'value': 0,
'caption': '''Backup and restore disabled''',
},
{
'name': 'BackupAndRestoreUnderUserControl',
'value': 1,
'caption': '''User decides whether to enable backup and restore''',
},
{
'name': 'BackupAndRestoreEnabled',
'value': 2,
'caption': '''Backup and restore enabled''',
},
],
'supported_on': ['chrome_os:68-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 1,
'id': 449,
'default_for_enterprise_users': 0,
'caption': '''Control Android backup and restore service''',
'tags': ['google-sharing'],
'desc':
'''Setting the policy to <ph name="BR_ENABLED">BackupAndRestoreEnabled</ph> means Android backup and restore is initially on. Setting the policy to <ph name="BR_DISABLED">BackupAndRestoreDisabled</ph> or leaving it unset keeps backup and restore off during setup.
Setting the policy to <ph name="BR_UNDER_USER_CONTROL">BackupAndRestoreUnderUserControl</ph> means users see prompts to use backup and restore. If they turn on backup and restore, Android app data is uploaded to Android backup servers and restored during reinstallations of compatible apps.
After initial setup, users can turn backup and restore on or off.''',
},
{
'name': 'ArcGoogleLocationServicesEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'GoogleLocationServicesDisabled',
'value': 0,
'caption': '''Google location services disabled''',
},
{
'name': 'GoogleLocationServicesUnderUserControl',
'value': 1,
'caption': '''User decides whether to enable Google location services''',
},
{
'name': 'GoogleLocationServicesEnabled',
'value': 2,
'caption': '''Google location services enabled''',
},
],
'supported_on': ['chrome_os:68-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 1,
'id': 450,
'default_for_enterprise_users': 0,
'caption': '''Control Android Google location services''',
'tags': ['google-sharing'],
'desc':
'''Unless the <ph name="DEFAULT_GEOLOCATION_SETTING_POLICY_NAME">DefaultGeolocationSetting</ph> policy is set to <ph name="BLOCK_GEOLOCATION_SETTING">BlockGeolocation</ph>, then setting <ph name="GLS_ENABLED">GoogleLocationServicesEnabled</ph> turns Google location services on during initial setup. Setting the policy to <ph name="GLS_DISABLED">GoogleLocationServicesDisabled</ph> or leaving it unset keeps location services off during setup.
Setting policy to <ph name="BR_UNDER_USER_CONTROL">BackupAndRestoreUnderUserControl</ph> prompts users about whether or not to use Google location services. If they turn it on, Android apps use the services to search the device location and send anonymous location data to Google.
After initial setup, users can turn Google location services on or off.''',
},
{
'name': 'EnableSyncConsent',
'owners': ['agawronska@chromium.org', 'alemate@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean'},
'supported_on': ['chrome_os:66-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 451,
'caption': '''Enable displaying Sync Consent during sign-in''',
'tags': [],
'desc': '''This policy controls if Sync Consent can be shown to the user during first sign-in. It should be set to false if Sync Consent is never needed for the user.
If set to false, Sync Consent will not be displayed.
If set to true or unset, Sync Consent can be displayed.''',
},
{
'name': 'ContextualSuggestionsEnabled',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['android:69-75'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 452,
'caption': '''Enable contextual suggestions of related web pages''',
'tags': ['google-sharing'],
'desc':
'''This feature never launched, therefore the policy is deprecated. If this is set to true or unset, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will suggest pages related to the current page.
These suggestions are fetched remotely from Google servers.
If this setting is set to false, suggestions will not be fetched or displayed.''',
},
{
'name': 'DeviceAutoUpdateTimeRestrictions',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'description': 'Time interval that spans at most one week. If the start time is later than the end time, then the interval will wrap around.',
'properties': {
'start': {
'description': 'Start time of the interval, inclusive.',
'type': 'object',
'id': 'DisallowedTimeInterval',
'properties': {
'day_of_week': {
'description': 'Day of the week for the interval.',
'type': 'string',
'enum': ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
},
'minutes': {
'description': 'Minutes elapsed in the current hour.',
'type': 'integer',
'minimum': 0,
'maximum': 59
},
'hours': {
'description': 'Hours elapsed since the start of the day in (24 hour format).',
'type': 'integer',
'minimum': 0,
'maximum': 23
}
},
'required': ['day_of_week', 'minutes', 'hours']
},
'end': {
'description': 'End of the interval, exclusive.',
'$ref': 'DisallowedTimeInterval'
}
},
'required': ['start', 'end']
}
},
'supported_on': ['chrome_os:69-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': [
{
'start': {
'day_of_week': 'Monday',
'minutes': 50,
'hours': 3,
},
'end': {
'day_of_week': 'Thursday',
'minutes': 30,
'hours': 2,
}
},
{
'start': {
'day_of_week': 'Thursday',
'minutes': 30,
'hours': 3
},
'end': {
'day_of_week': 'Sunday',
'minutes': 10,
'hours': 15,
}
}
],
'id': 453,
'caption': '''Update Time Restrictions''',
'tags': [],
'desc': '''This policy controls the time frames during which the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> device is not allowed to check for updates automatically.
When this policy is set to a non-empty list of time intervals:
Devices will not be able to check for updates automatically during the specified time intervals. Devices that require an enterprise rollback or are below the minimum <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version will not be affected by this policy due to potential security issues. Furthermore, this policy will not block update checks requested by users or administrators.
Starting from M88, this policy cancels an ongoing update when a restricted time interval is reached. The next auto update after the restricted time interval ends will automatically resume the update. Devices updating to a Quick Fix Build will not be affected by this policy.
When this policy is unset or contains no time intervals:
No automatic update checks will be blocked by this policy, but they may be blocked by other policies.
Till M88, this feature is only enabled on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices configured as auto-launch kiosks. Other devices will not be restricted by this policy. However starting from M89, this policy is enabled on all <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices.''',
},
{
'id': 454,
'name': 'PromotionalTabsEnabled',
'owners': ['grt@chromium.org'],
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'supported_on': ['chrome.*:69-'],
'type': 'main',
'schema': { 'type': 'boolean' },
'caption': '''Enable showing full-tab promotional content''',
'example_value': False,
'desc': '''Setting the policy to True or leaving it unset lets <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> show users product information as full-tab content.
Setting the policy to False prevents <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> from showing product information as full-tab content.
Setting the policy controls the presentation of the welcome pages that help users sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as users' default browser, or otherwise inform them of product features.'''
},
{
'name': 'SafeSitesFilterBehavior',
'owners': ['bdea@chromium.org', 'nparker@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'SafeSitesFilterDisabled',
'value': 0,
'caption': '''Do not filter sites for adult content''',
},
{
'name': 'SafeSitesFilterEnabled',
'value': 1,
'caption': '''Filter top level sites (but not embedded iframes) for adult content''',
},
],
'supported_on': ['chrome.*:69-', 'chrome_os:69-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 0,
'id': 455,
'caption': '''Control SafeSites adult content filtering.''',
'tags': ['filtering', 'google-sharing'],
'desc':
'''Setting the policy controls the SafeSites URL filter, which uses the Google Safe Search API to classify URLs as pornographic or not.
When this policy is set to:
* Do not filter sites for adult content, or not set, sites aren't filtered
* Filter top level sites for adult content, pornographic sites are filtered''',
},
{
'name': 'OverrideSecurityRestrictionsOnInsecureOrigin',
'owners': ['estark@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' }
},
'supported_on': ['chrome.*:69-', 'chrome_os:69-', 'android:69-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': ['http://testserver.example.com/','*.example.org'],
'id': 457,
'caption': '''Origins or hostname patterns for which restrictions on
insecure origins should not apply''',
'tags': ['system-security'],
'desc': '''Setting the policy specifies a list of origins (URLs) or hostname patterns (such as *.example.com) for which security restrictions on insecure origins won't apply. Organizations can specify origins for legacy applications that can't deploy TLS or set up a staging server for internal web development, so developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy also prevents the origin from being labeled "Not Secure" in the address bar.
Setting a list of URLs in this policy amounts to setting the command-line flag --unsafely-treat-insecure-origin-as-secure to a comma-separated list of the same URLs. The policy overrides the command-line flag and UnsafelyTreatInsecureOriginAsSecure, if present.
For more information on secure contexts, see Secure Contexts ( https://www.w3.org/TR/secure-contexts ).'''
},
{
'name': 'DeviceUpdateStagingSchedule',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'description': 'Contains the number of days and the percentage of the fleet that should be updated after those days have passed.',
'id': 'DayPercentagePair',
'properties': {
'days': {
'description': 'Days from update discovery.',
'type': 'integer',
'minimum': 1,
'maximum': 28,
},
'percentage': {
'description': 'Percentage of the fleet that should be updated after the given days.',
'type': 'integer',
'minimum': 0,
'maximum': 100,
}
}
},
},
'supported_on': ['chrome_os:69-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [{'days': 7, 'percentage': 50}, {'days': 10, 'percentage': 100}],
'id': 458,
'caption': '''The staging schedule for applying a new update''',
'tags': ['system-security'],
'desc': '''This policy defines a list of percentages that will define the fraction of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices in the OU to update per day starting from the day the update is first discovered. The discovery time is later than the update published time, since it could be a while after the update publishing until the device checks for updates.
Each (day, percentage) pair contains which percentage of the fleet has to be updated by the given number of days since the update has been discovered. For example, if we have the pairs [(4, 40), (10, 70), (15, 100)], then 40% of the fleet should have been updated 4 days after seeing the update. 70% should be updated after 10 days, and so on.
If there is a value defined for this policy, updates will ignore the <ph name="DEVICE_UPDATE_SCATTER_FACTOR_POLICY_NAME">DeviceUpdateScatterFactor</ph> policy and follow this policy instead.
If this list is empty, there will be no staging and updates will be applied according to other device policies.
This policy does not apply for channel switches.''',
},
{
'name': 'TabFreezingEnabled',
'owners': ['catan-team@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:79-79', 'chrome_os:79-79'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 460,
'caption': '''Allow background tabs freeze''',
'tags': [],
'desc': '''Controls whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can freeze tabs that have been in the background for at least 5 minutes.
If the policy is set to true, tabs that have been in the background for at least 5 minutes may be frozen. Tab freezing reduces CPU, battery and memory usage. <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses heuristics to avoid freezing tabs that do useful work in the background (e.g. display notifications, play sound, stream video). Web developers can also opt-out their site from freezing (https://chromium.googlesource.com/chromium/src/+/HEAD/chrome/browser/performance_manager/docs/freezing_opt_out_opt_in.md).
If the policy is set to false, no tabs will be frozen.''',
},
{
'name': 'UrlKeyedAnonymizedDataCollectionEnabled',
'owners': ['file://base/metrics/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:69-', 'chrome_os:69-', 'android:70-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 461,
'caption': '''Enable URL-keyed anonymized data collection''',
'tags': ['google-sharing'],
'desc': '''Setting the policy to Enabled means URL-keyed anonymized data collection, which sends URLs of pages the user visits to Google to make searches and browsing better, is always active.
Setting the policy to Disabled results in no URL-keyed anonymized data collection.
If you set the policy, users can't change. If not set, then URL-keyed anonymized data collection at first, but users can change it.''',
},
{
'id': 462,
'name': 'NetworkFileSharesAllowed',
'owners': ['amistry@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean', },
'tags': [],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'supported_on': ['chrome_os:70-'],
'caption': '''Contorls Network File Shares for ChromeOS availability''',
'example_value': True,
'desc': '''Setting the policy to Enabled lets users use Network File Shares for <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph>. Setting the policy to Disabled means users can't use this feature.''',
},
{
'name': 'WebRtcEventLogCollectionAllowed',
'owners': ['eladalon@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:70-', 'chrome_os:70-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 464,
'caption': '''Allow collection of WebRTC event logs from Google services''',
'tags': ['google-sharing'],
'desc': '''Setting the policy to Enabled means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can collect WebRTC event logs from Google services such as Hangouts Meet and upload them to Google. These logs have diagnostic information for debugging issues with audio or video meetings in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, such as the time and size of RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs have no audio or video content from the meeting. To make debugging easier, Google might associate these logs, by means of a session ID, with other logs collected by the Google service itself.
Setting the policy to Disabled results in no collection or uploading of such logs.
Leaving the policy unset on versions up to and including M76 means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> defaults to not being able to collect and upload these logs. Starting at M77, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> defaults to being able to collect and upload these logs from most profiles affected by cloud-based, user-level enterprise policies. From M77 up to and including M80, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can also collect and upload these logs by default from profiles affected by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> on-premise management.''',
},
{
'name': 'PowerSmartDimEnabled',
'owners': ['jiameng@chromium.org', 'ejcaruso@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:70-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 465,
'caption': '''Enable smart dim model to extend the time until the screen is dimmed''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset turns the smart dim model on and can extend the time until the screen dims. If it delays the time, the screen off, screen lock, and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
Setting the policy to Disabled means the smart dim model won't influence screen dimming.''',
},
{
'name': 'CoalesceH2ConnectionsWithClientCertificatesForHosts',
'owners': ['nharper@chromium.org', 'rsleevi@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:70-','android:70-','chrome_os:70-'],
'features': {
'internal_only': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['example.com'],
'id': 466,
'caption': '''Allow coalescing of HTTP/2 connections for these hosts even when client certificates are used''',
'tags': [],
'desc': '''This policy allows HTTP/2 connection coalescing when client certificates are in use. In order to coalesce, both the hostname of the potential new connection and the hostname of an existing connection must match one or more patterns described by this policy. The policy is a list of hosts using the <ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph> filter format: "example.com" matches "example.com" and all subdomains (e.g. "sub.example.com"), while ".example.net" matches exactly "example.net".
Coalescing requests to different hosts over connections that use client certificates can create security and privacy issues, as the ambient authority will be conveyed to all requests, even if the user did not explicitly authorize this. This policy is temporary and will be removed in a future release. See https://crbug.com/855690.
If this policy is left unset, then the default behavior of not allowing any HTTP/2 connection coalescing on connections using client certificates will be used.''',
},
{
'id': 467,
'name': 'NetBiosShareDiscoveryEnabled',
'owners': ['amistry@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean', },
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome_os:70-'],
'caption': '''Controls Network File Share discovery via <ph name="NETBIOS_NAME">NetBIOS</ph>''',
'example_value': True,
'default_for_enterprise_users': False,
'desc': '''Setting the policy to Enabled means share discovery (the Network File Shares feature for <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph>) uses the <ph name="NETBIOS_PROTOCOL">NetBIOS Name Query Request protocol</ph> to discover shares on the network. Setting the policy to Disabled means share discovery won't use this protocol to discover shares.
Leaving the policy unset means the behavior defaults to off for managed users and on for other users.''',
},
{
'name': 'ManagedConfigurationPerOrigin',
'owners': ['file://chrome/browser/device_api/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'origin': { 'type': 'string' },
'managed_configuration_url': { 'type': 'string' },
'managed_configuration_hash': { 'type': 'string' },
},
'required': ['origin', 'managed_configuration_url', 'managed_configuration_hash']
}
},
'supported_on': ['chrome.*:89-', 'chrome_os:89-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [{
'origin': 'https://www.google.com',
'managed_configuration_url' : 'https://gstatic.google.com/configuration.json',
'managed_configuration_hash' : 'asd891jedasd12ue9h'
}, {
'origin': 'https://www.example.com',
'managed_configuration_url' : 'https://gstatic.google.com/configuration2.json',
'managed_configuration_hash' : 'djio12easd89u12aws'
}],
'id': 813,
'caption': '''Sets managed configuration values to websites to specific origins''',
'tags': [],
'desc': '''Setting the policy defines the return value of Managed Configuration API for given origin.
Managed configuration API is a key-value configuration that can be accessed via navigator.device.getManagedConfiguration() javascript call. This API is only available to origins which correspond to force-installed web applications via <ph name="WEB_APP_INSTALL_FORCE_LIST_POLICY_NAME">WebAppInstallForceList</ph>.
'''
},
{
'name': 'WebAppInstallForceList',
'owners': ['file://chrome/browser/web_applications/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'url': { 'type': 'string' },
'default_launch_container': {
'type': 'string',
'enum': [
'tab',
'window'
]
},
'create_desktop_shortcut': { 'type': 'boolean' }
},
'required': ['url']
}
},
'supported_on': ['chrome.*:75-', 'chrome_os:75-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [{
'url': 'https://www.google.com/maps',
'default_launch_container': 'window',
'create_desktop_shortcut': True
}, {
'url': 'https://docs.google.com',
'default_launch_container': 'tab'
}],
'id': 468,
'caption': '''Configure list of force-installed Web Apps''',
'tags': [],
'desc': '''Setting the policy specifies a list of web apps that install silently, without user interaction, and which users can't uninstall or turn off.
Each list item of the policy is an object with a mandatory member: <ph name="URL_LABEL">url</ph> (the URL of the web app to install) and 2 optional members: <ph name="DEFAULT_LAUNCH_CONTAINER_LABEL">default_launch_container</ph> (for how the web app opensa new tab is the default) and <ph name="CREATE_DESKTOP_SHORTCUT_LABEL">create_desktop_shortcut</ph> (True if you want to create <ph name="LINUX_OS_NAME">Linux</ph> and Windows® desktop shortcuts).
See <ph name="PINNED_LAUNCHER_APPS_POLICY_NAME">PinnedLauncherApps</ph> for pinning apps to the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shelf.''',
'label': '''URLs for Web Apps to be silently installed.''',
},
{
'id': 470,
'name': 'ReportVersionData',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean' },
'tags': ['admin-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
'cloud_only': True,
},
'future_on': ['chrome.*'],
'caption': '''Report OS and <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Version Information''',
'example_value': False,
'desc': '''This policy controls whether to report version information, such as OS version, OS platform, OS architecture, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version and <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> channel.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, this policy will be ignored.
When this policy is left unset or set to True, version information is gathered.
When this policy is set to False, version information is not gathered.
This policy is only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy is always effective for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.'''
},
{
'id': 471,
'name': 'ReportPolicyData',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean' },
'tags': ['admin-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
'cloud_only': True,
},
'future_on': ['chrome.*'],
'caption': '''Report <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Policy Information''',
'example_value': False,
'desc': '''This policy controls whether to report policy data and time of policy fetch.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, this policy will be ignored.
When this policy is left unset or set to True, policy data and time of policy fetch are gathered.
When this policy is set to False, policy data and time of policy fetch are not gathered.
This policy is only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy is always effective for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.'''
},
{
'id': 472,
'name': 'ReportMachineIDData',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean' },
'tags': ['admin-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
'cloud_only': True,
},
'future_on': ['chrome.*'],
'caption': '''Report Machine Identification information''',
'example_value': False,
'desc': '''This policy controls whether to report information that can be used to identify machines, such as machine name and network addresses.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, this policy will be ignored.
When this policy is left unset or set to True, information that can be used to identify machines is gathered.
When this policy is set to False, information that can be used to identify machines is not gathered.
This policy is only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.'''
},
{
'id': 473,
'name': 'ReportUserIDData',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean' },
'tags': ['admin-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
'cloud_only': True,
},
'future_on': ['chrome.*'],
'caption': '''Report User Identification information''',
'example_value': False,
'desc': '''This policy controls whether to report information that can be used to identify users, such as OS login, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Profile login, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Profile name, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Profile path and <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> executable path.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, this policy will be ignored.
When this policy is left unset or set to True, information that can be used to identify users is gathered.
When this policy is set to False, information that can be used to identify users is not gathered.
This policy is only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy is always effective for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.'''
},
{
'id': 499,
'name': 'ReportExtensionsAndPluginsData',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean' },
'tags': ['admin-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
'cloud_only': True,
},
'future_on': ['chrome.*'],
'caption': '''Report Extensions and Plugins information''',
'example_value': False,
'desc': '''This policy controls whether to report extensions and plugins information.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, this policy will be ignored.
When this policy is left unset or set to True, extension and plugins data are gathered.
When this policy is set to False, extensions and plugins data are not gathered.
This policy is only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy is always effective for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.'''
},
{
'id': 500,
'name': 'ReportSafeBrowsingData',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean' },
'tags': ['admin-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
'cloud_only': True,
},
'supported_on': ['chrome.*:72-84'],
'deprecated': True,
'caption': '''Report Safe Browsing information''',
'example_value': False,
'desc': '''This policy controls whether to report Safe Browsing information including the number of Safe Browsing warning and the number of safe browsering warning click through.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, this policy will be ignored.
When this policy is left unset or set to True, Safe Browsing data are gathered.
When this policy is set to False, Safe Browsing data are not gathered.
This policy is only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy is always effective for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.'''
},
{
'id': 608,
'name': 'CloudExtensionRequestEnabled',
'owners': ['zmin@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean' },
'tags': ['admin-sharing', 'google-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
'cloud_only': True,
},
'supported_on': ['chrome.*:85-', 'chrome_os:85-'],
'caption': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> extension installation requests''',
'example_value': True,
'desc': '''This policy controls <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> extension installation requests which allows users to send the requests to the Google Admin console for approval.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, this policy will be ignored, extension installation requests are not created or uploaded.
When this policy is left unset or set to disabled, extension installation requests are not created or uploaded.
When this policy is set to enabled, extension installation requests are created and uploaded to Google Admin console.
Extension installation requests are created when users try to install an extension that is not whitelisted by <ph name="EXTENSION_INSTALL_WHITELIST">ExtesionInstallWhitelist</ph> or <ph name="EXTENSION_SETTINGS">ExtensionSettings</ph>.
This policy is only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy is always effective for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.'''
},
{
'id': 493,
'name': 'CloudReportingEnabled',
'owners': ['zmin@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean' },
'tags': ['admin-sharing', 'google-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'cloud_only': True,
},
'supported_on': [
'chrome.*:72-',
'chrome_os:81-',
'ios:88-',
],
'caption': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> cloud reporting''',
'example_value': True,
'desc': '''This policy controls <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> cloud reporting which uploads information about the browser operation to Google Admin console.
When this policy is left unset or set to False, there is no data collected or uploaded.
When this policy is set to True, the data is collected and uploaded to Google Admin console.
For <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, this policy is only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph>.
For <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>, this policy is always effective.'''
},
{
'name': 'EnterpriseHardwarePlatformAPIEnabled',
'owners': ['guidou@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:71-', 'chrome_os:71-', 'android:71-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 483,
'caption': '''Enables managed extensions to use the Enterprise Hardware Platform API''',
'tags': [],
'desc': '''Setting the policy to True lets extensions installed by enterprise policy use the Enterprise Hardware Platform API.
Setting the policy to False or leaving it unset prevents extensions from using this API.
Note: This policy also applies to component extensions, such as the Hangout Services extension.''',
},
{
'name': 'VpnConfigAllowed',
'owners': ['phweiss@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:71-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 485,
'caption': '''Allow the user to manage VPN connections''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets users manage (disconnect or modify) VPN connections. If the VPN connection is created using a VPN app, the UI inside the app isn't affected. So, users might still be able to use the app to modify the VPN connection. Use this policy with the Always on VPN feature, which lets the admin decide to establish a VPN connection when starting a device.
Setting the policy to Disabled turns off the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> user interfaces that would let the user disconnect or modify VPN connections.''',
},
{
'id': 489,
'name': 'NTLMShareAuthenticationEnabled',
'owners': ['amistry@chromium.org'],
'type': 'main',
'schema': {'type': 'boolean', },
'tags': [],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'supported_on': ['chrome_os:71-'],
'caption': '''Controls enabling NTLM as an authentication protocol for SMB mounts''',
'example_value': True,
'default_for_enterprise_users': False,
'desc': '''Setting the policy to Enabled means the Network File Shares feature for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> uses NTLM for authentication to SMB shares if necessary. Setting the policy to Disabled turns off NTLM authentication to SMB shares.
Leaving the policy unset means the behavior defaults to off for managed users and on for other users.''',
},
{
'name': 'NetworkFileSharesPreconfiguredShares',
'owners': ['amistry@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'share_url': { 'type': 'string' },
'mode': {
'type': 'string',
'enum': [
'drop_down', 'pre_mount',
]
}
},
'required': ['share_url', 'mode'],
}
},
'supported_on': ['chrome_os:71-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [{
'share_url': 'smb://server/share',
'mode': 'drop_down'
}, {
'share_url': '\\\\server\\share',
'mode': 'drop_down'
}],
'id': 490,
'caption': '''List of preconfigured network file shares.''',
'tags': [],
'desc': '''Setting the policy specifies a list of preset network file shares. Each item is an object with 2 properties: <ph name="SHARE_URL_FIELD_NAME">share_url</ph> and <ph name="MODE_FIELD_NAME">mode</ph>.
The share URL should be <ph name="SHARE_URL_FIELD_NAME">share_url</ph>.
For <ph name="MODE_FIELD_NAME">mode</ph>, it should be <ph name="MODE_ENUM_DROP_DOWN">drop_down</ph> or <ph name="MODE_ENUM_PRE_MOUNT">pre_mount</ph>:
* <ph name="MODE_ENUM_DROP_DOWN">drop_down</ph> indicates that <ph name="SHARE_URL_FIELD_NAME">share_url</ph> will be added to the share discovery list.
* <ph name="MODE_ENUM_PRE_MOUNT">pre_mount</ph> indicates that <ph name="SHARE_URL_FIELD_NAME">share_url</ph> will be mounted.''',
},
{
'name': 'ScreenBrightnessPercent',
'owners': ['file://chrome/browser/chromeos/login/demo_mode/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'BrightnessAC': {
'description': 'Screen brightness percent when running on AC power',
'type': 'integer',
'minimum': 0,
'maximum': 100
},
'BrightnessBattery': {
'description': 'Screen brightness percent when running on battery power',
'type': 'integer',
'minimum': 0,
'maximum': 100
}
}
},
'supported_on': ['chrome_os:72-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
'BrightnessAC': 90,
'BrightnessBattery': 75
},
'id': 492,
'caption': '''Screen brightness percent''',
'tags': [],
'desc': '''Setting the policy specifies screen brightness percent, turning autobrightness features off. Initial screen brightness adjusts to the policy value, but users can change it.
Leaving the policy unset doesn't affect user screen controls or autobrightness features.
Note: The policy values should be specified in percents from 0 to 100.''',
},
{
'id': 494,
'name': 'AlternativeBrowserPath',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'string',
'schema': {'type': 'string'},
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '${ie}',
'supported_on': ['chrome.*:71-'],
'caption': '''Alternative browser to launch for configured websites.''',
'tags': [],
'desc': '''Setting the policy controls which command to use to open URLs in an alternative browser. The policy can be set to one of <ph name="INTERNET_EXPLORER_VALUE_PLACEHOLDER">${ie}</ph>, <ph name="FIREFOX_VALUE_PLACEHOLDER">${firefox}</ph>, <ph name="SAFARI_VALUE_PLACEHOLDER">${safari}</ph>, <ph name="OPERA_VALUE_PLACEHOLDER">${opera}</ph>, <ph name="EDGE_VALUE_PLACEHOLDER">${edge}</ph> or a file path. When this policy is set to a file path, that file is used as an executable file. <ph name="INTERNET_EXPLORER_VALUE_PLACEHOLDER">${ie}</ph> is only available on <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>. <ph name="SAFARI_VALUE_PLACEHOLDER">${safari}</ph> and <ph name="EDGE_VALUE_PLACEHOLDER">${edge}</ph> are only available on <ph name="MS_WIN_NAME">Microsoft® Windows®</ph> and <ph name="MAC_OS_NAME">macOS</ph>.
Leaving the policy unset puts a platform-specific default in use: <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> for <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, or <ph name="SAFARI_PRODUCT_NAME">Safari®</ph> for <ph name="MAC_OS_NAME">macOS</ph>. On <ph name="LINUX_OS_NAME">Linux®</ph>, launching an alternative browser will fail.''',
},
{
'id': 495,
'name': 'AlternativeBrowserParameters',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {'type': 'string'},
},
'example_value': [
'-foreground',
'-new-window',
'${url}',
'-profile',
'%HOME%\\browser_profile',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:71-'],
'caption': '''Command-line parameters for the alternative browser.''',
'tags': [],
'desc': '''Setting the policy to a list of strings means each string is passed to the alternative browser as separate command-line parameters. On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, the parameters are joined with spaces. On <ph name="MAC_OS_NAME">macOS</ph> and <ph name="LINUX_OS_NAME">Linux®</ph>, a parameter can have spaces and still be treated as a single parameter.
If an parameter contains <ph name="URL_PLACEHOLDER">${url}</ph>, <ph name="URL_PLACEHOLDER">${url}</ph> is replaced with the URL of the page to open. If no parameter contains <ph name="URL_PLACEHOLDER">${url}</ph>, the URL is appended at the end of the command line.
Environment variables are expanded. On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, <ph name="ENV_VARIABLE_WIN_EXAMPLE">%ABC%</ph> is replaced with the value of the <ph name="ENV_VARIABLE_VALUE">ABC</ph> environment variable. On <ph name="MAC_OS_NAME">macOS</ph> and <ph name="LINUX_OS_NAME">Linux®</ph>, <ph name="ENV_VARIABLE_UNIX_EXAMPLE">${ABC}</ph> is replaced with the value of the <ph name="ENV_VARIABLE_VALUE">ABC</ph> environment variable.
Leaving the policy unset means only the URL is passed as a command-line parameter.''',
},
{
'id': 530,
'name': 'BrowserSwitcherChromePath',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'string',
'schema': {'type': 'string'},
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '${chrome}',
'supported_on': ['chrome.win:74-'],
'caption': '''Path to Chrome for switching from the alternative browser.''',
'tags': [],
'desc': '''This policy controls the command to use to open URLs in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> when switching from <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>. This policy can be set to an executable file path or <ph name="PRODUCT_NAME_PLACEHOLDER">${chrome}</ph> to autodetect the location of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Leaving the policy unset means <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> autodetects <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s own executable path when launching <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> from Internet Explorer.
Note: If the Legacy Browser Support add-in for <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> isn't installed, this policy has no effect.''',
},
{
'id': 531,
'name': 'BrowserSwitcherChromeParameters',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {'type': 'string'},
},
'example_value': [
'--force-dark-mode',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.win:74-'],
'caption': '''Command-line parameters for switching from the alternative browser.''',
'tags': [],
'desc': '''Setting the policy to a list of strings means the strings are joined with spaces and passed from <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as command-line parameters. If an parameter contains <ph name="URL_PLACEHOLDER">${url}</ph>, <ph name="URL_PLACEHOLDER">${url}</ph> is replaced with the URL of the page to open. If no parameter contains <ph name="URL_PLACEHOLDER">${url}</ph>, the URL is appended at the end of the command line.
Environment variables are expanded. On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, <ph name="ENV_VARIABLE_WIN_EXAMPLE">%ABC%</ph> is replaced with the value of the <ph name="ENV_VARIABLE_VALUE">ABC</ph> environment variable.
Leaving the policy unset means <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> only passes the URL to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as a command-line parameter.
Note: If the Legacy Browser Support add-in for <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> isn't installed, this policy has no effect.''',
},
{
'id': 496,
'name': 'BrowserSwitcherUrlList',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {'type': 'string'},
},
'example_value': [
'ie.com',
'!open-in-chrome.ie.com',
'foobar.com/ie-only/'
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:71-'],
'caption': '''Websites to open in alternative browser''',
'tags': [],
'desc': '''Setting the policy controls the list of websites to open in an alternative browser. Each item is treated as a rule for something to open in an alternative browser. <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses those rules when choosing if a URL should open in an alternative browser. When the <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> add-in is on, <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> switches back to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> when the rules don't match. If rules contradict each other, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the most specific rule.
Leaving the policy unset adds no websites to the list.
Note: Elements can also be added to this list through the <ph name="USE_IE_SITELIST_POLICY_NAME">BrowserSwitcherUseIeSitelist</ph> and <ph name="EXTERNAL_SITELIST_URL_POLICY_NAME">BrowserSwitcherExternalSitelistUrl</ph> policies.''',
},
{
'id': 497,
'name': 'BrowserSwitcherUrlGreylist',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {'type': 'string'},
},
'example_value': [
'ie.com',
'!open-in-chrome.ie.com',
'foobar.com/ie-only/'
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:71-'],
'caption': '''Websites that should never trigger a browser switch.''',
'tags': [],
'desc': '''Setting the policy controls the list of websites that will never cause a browser switch. Each item is treated as a rule. Those rules that match won't open an alternative browser. Unlike the <ph name="URL_LIST_POLICY_NAME">BrowserSwitcherUrlList</ph> policy, rules apply to both directions. When the <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> add-in is on, it also controls whether <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph> should open these URLs in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Leaving the policy unset adds no websites to the list.
Note: Elements can also be added to this list through the <ph name="EXTERNAL_SITELIST_URL_POLICY_NAME">BrowserSwitcherExternalGreylistUrl</ph> policy.''',
},
{
'id': 498,
'name': 'BrowserSwitcherUseIeSitelist',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'example_value': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.win:71-'],
'caption': '''Use Internet Explorer's SiteList policy for Legacy Browser Support.''',
'tags': [],
'desc': '''This policy controls whether to load rules from <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>'s SiteList policy.
When this policy is set to true, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> reads <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>'s <ph name="IEEM_SITELIST_POLICY">SiteList</ph> to obtain the site list's URL. <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> then downloads the site list from that URL, and applies the rules as if they had been configured with the <ph name="BROWSER_SWITCHER_URL_LIST_POLICY_NAME">BrowserSwitcherUrlList</ph> policy.
When this policy is false or unset, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> does not use <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>'s <ph name="IEEM_SITELIST_POLICY">SiteList</ph> policy as a source of rules for switching browsers.
For more information on Internet Explorer's <ph name="IEEM_SITELIST_POLICY">SiteList</ph> policy: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode''',
},
{
'id': 511,
'name': 'BrowserSwitcherExternalSitelistUrl',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'example_value': 'http://example.com/sitelist.xml',
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:72-'],
'caption': '''URL of an XML file that contains URLs to load in an alternative browser.''',
'tags': [],
'desc': '''Setting the policy to a valid URL has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> download the site list from that URL and apply the rules as if they were set up with the <ph name="SITELIST_POLICY_NAME">BrowserSwitcherUrlList</ph> policy.
Leaving it unset (or set to a invalid URL) means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> doesn't use the policy as a source of rules for switching browsers.
Note: This policy points to an XML file in the same format as <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>'s <ph name="IEEM_SITELIST_POLICY">SiteList</ph> policy. This loads rules from an XML file, without sharing those rules with <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>. Read more on <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>'s <ph name="IEEM_SITELIST_POLICY">SiteList</ph> policy ( https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode)''',
},
{
'id': 564,
'name': 'BrowserSwitcherExternalGreylistUrl',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'example_value': 'http://example.com/greylist.xml',
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:77-'],
'caption': '''URL of an XML file that contains URLs that should never trigger a browser switch.''',
'tags': [],
'desc': '''Setting the policy to a valid URL has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> download the site list from that URL and apply the rules as if they were set up with the <ph name="BROWSER_SWITCHER_URL_GREYLIST_POLICY_NAME">BrowserSwitcherUrlGreylist</ph> policy. These policies prevent <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and the alternative browser from opening one another.
Leaving it unset (or set to a invalid URL) means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> doesn't use the policy as a source of rules for not switching browsers.
Note: This policy points to an XML file in the same format as <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>'s <ph name="IEEM_SITELIST_POLICY">SiteList</ph> policy. This loads rules from an XML file, without sharing those rules with <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>. Read more on <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>'s <ph name="IEEM_SITELIST_POLICY">SiteList</ph> policy ( https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode )''',
},
{
'id': 524,
'name': 'BrowserSwitcherDelay',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'int',
'schema': { 'type': 'integer' },
'example_value': 10000,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:74-'],
'caption': '''Delay before launching alternative browser (milliseconds)''',
'tags': [],
'desc': '''Setting the policy to a number has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> show a message for that number of milliseconds, then it opens an alternative browser.
Leaving the policy unset or set to 0 means navigating to a designated URL immediately opens it in an alternative browser.''',
},
{
'id': 517,
'name': 'BrowserSwitcherEnabled',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'example_value': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:73-'],
'caption': '''Enable the Legacy Browser Support feature.''',
'tags': [],
'desc': '''Setting the policy to Enabled means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will try to launch some URLs in an alternate browser, such as <ph name="IE_PRODUCT_NAME">Internet Explorer®</ph>. This feature is set using the policies in the <ph name="LEGACY_BROWSER_SUPPORT_POLICY_GROUP">Legacy Browser support</ph> group.
Setting the policy to Disabled or leaving it unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> won't try to launch designated URLs in an alternate browser.''',
},
{
'id': 519,
'name': 'BrowserSwitcherKeepLastChromeTab',
'owners': ['nicolaso@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'example_value': False,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:74-'],
'caption': '''Keep last tab open in Chrome.''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> keep at least one tab open, after switching to an alternate browser.
Setting the policy to Disabled has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> close the tab after switching to an alternate browser, even if it was the last tab. This causes <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to exit completely.''',
},
{
'name': 'DeviceDisplayResolution',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'external_width': { 'type': 'integer', 'minimum': 1 },
'external_height': { 'type': 'integer', 'minimum': 1 },
'external_scale_percentage': { 'type': 'integer', 'minimum': 1 },
'external_use_native': { 'type': 'boolean' },
'internal_scale_percentage': { 'type': 'integer', 'minimum': 1 },
'recommended': { 'type': 'boolean' }
}
},
'supported_on': [ 'chrome_os:72-' ],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'device_only': True,
'example_value': {
'external_width': 1920,
'external_height': 1080,
'external_use_native': False,
'external_scale_percentage': 100,
'internal_scale_percentage': 150,
'recommended': True
},
'id': 502,
'caption': '''Set display resolution and scale factor''',
'tags': [],
'desc': '''Setting the policy sets the resolution and scale factor for each display. External display settings apply to connected displays. (The policy doesn't apply if a display doesn't support the specified resolution or scale.)
Setting <ph name="EXTERNAL_USE_NATIVE">external_use_native</ph> to True means the policy ignores <ph name="EXTERNAL_WIDTH">external_width</ph> and <ph name="EXTERNAL_HEIGHT">external_height</ph> and sets external displays to their native resolution. Setting <ph name="EXTERNAL_USE_NATIVE">external_use_native</ph> to False or leaving it and <ph name="EXTERNAL_WIDTH">external_width</ph> or <ph name="EXTERNAL_HEIGHT">external_height</ph> unset means the policy doesn't affect external displays.
Setting the recommended flag to True lets users change resolution and scale factor of any display through the settings page, but their settings change back at the next reboot. Setting the recommended flag to False or leaving it unset means users can't change the display settings.
Note: Set <ph name="EXTERNAL_WIDTH">external_width</ph> and <ph name="EXTERNAL_HEIGHT">external_height</ph> in pixels and <ph name="EXTERNAL_SCALE_PERCENTAGE">external_scale_percentage</ph> and <ph name="INTERNAL_SCALE_PERCENTAGE">internal_scale_percentage</ph> in percents.''',
},
{
'name': 'PluginVmAllowed',
'owners': ['okalitova@chromium.org', 'aoldemeier@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:72-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 503,
'caption': '''Allow devices to use a <ph name="PLUGIN_VM_NAME">PluginVm</ph> on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>''',
'tags': [],
'desc': '''Setting the policy to Enabled turns on <ph name="PLUGIN_VM_NAME">PluginVm</ph> for the device, as long as other settings also allow it. <ph name="PLUGIN_VM_ALLOWED_POLICY_NAME">PluginVmAllowed</ph> and <ph name="USER_PLUGIN_VM_ALLOWED_POLICY_NAME">UserPluginVmAllowed</ph> must be True, and either <ph name="PLUGIN_VM_LICENSE_KEY_POLICY_NAME">PluginVmLicenseKey</ph> or <ph name="PLUGIN_VM_USER_ID_POLICY_NAME">PluginVmUserId</ph> must be set for <ph name="PLUGIN_VM_NAME">PluginVm</ph> to run.
Setting the policy to Disabled or leaving it unset means <ph name="PLUGIN_VM_NAME">PluginVm</ph> isn't on for the device.''',
},
{
'name': 'UserPluginVmAllowed',
'owners': ['okalitova@chromium.org', 'janagrill@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:84-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'default': False,
'example_value': True,
'id': 705,
'caption': '''Allow users to use a <ph name="PLUGIN_VM_NAME">PluginVm</ph> on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>''',
'tags': [],
'desc': '''Allow this user to run PluginVm.
If the policy is set to false or left unset, <ph name="PLUGIN_VM_NAME">PluginVm</ph> is not enabled for the user.
If set to true, <ph name="PLUGIN_VM_NAME">PluginVm</ph> is enabled for the user as long as other settings also allow it. <ph name="PLUGIN_VM_ALLOWED_POLICY_NAME">PluginVmAllowed</ph> and <ph name="USER_PLUGIN_VM_ALLOWED_POLICY_NAME">UserPluginVmAllowed</ph> need to be true, and either <ph name="PLUGIN_VM_LICENSE_KEY_POLICY_NAME">PluginVmLicenseKey</ph> or <ph name="PLUGIN_VM_USER_ID_POLICY_NAME">PluginVmUserId</ph> need to be set for <ph name="PLUGIN_VM_NAME">PluginVm</ph> to be allowed to run.''',
},
{
'name': 'PluginVmLicenseKey',
'owners': ['okalitova@chromium.org', 'aoldemeier@chromium.org'],
'type': 'string',
'schema': {
'sensitiveValue': True,
'type': 'string'
},
'supported_on': ['chrome_os:73-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': "LICENSE_KEY",
'id': 515,
'caption': '''<ph name="PLUGIN_VM_NAME">PluginVm</ph> license key''',
'tags': [],
'desc': '''Setting the policy specifies the <ph name="PLUGIN_VM_NAME">PluginVm</ph> license key for this device.''',
},
{
'name': 'PluginVmUserId',
'owners': ['traciechan@google.com', 'zatrudo@google.com'],
'type': 'string',
'schema': {
'sensitiveValue': True,
'type': 'string'
},
'supported_on': ['chrome_os:84-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': "USER_ID",
'id': 698,
'caption': '''<ph name="PLUGIN_VM_NAME">PluginVm</ph> user id''',
'tags': [],
'desc': '''This policy specifies the <ph name="PLUGIN_VM_NAME">PluginVm</ph> licensing user id for this device.''',
},
{
'name': 'PluginVmImage',
'owners': ['okalitova@chromium.org', 'aoldemeier@chromium.org'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'url': {
'description': 'The URL from which the <ph name="PLUGIN_VM_NAME">PluginVm</ph> image can be downloaded.',
'type': 'string'
},
'hash': {
'description': 'The SHA-256 hash of the <ph name="PLUGIN_VM_NAME">PluginVm</ph> image.',
'type': 'string'
}
},
},
'supported_on': ['chrome_os:72-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
"url": "https://example.com/plugin_vm_image",
"hash": "842841a4c75a55ad050d686f4ea5f77e83ae059877fe9b6946aa63d3d057ed32"
},
'id': 504,
'caption': '''<ph name="PLUGIN_VM_NAME">PluginVm</ph> image''',
'tags': [],
'desc': '''Setting the policy specifies the <ph name="PLUGIN_VM_NAME">PluginVm</ph> image for a user. Specify this policy as a JSON format string, with <ph name="URL_PLUGIN_VM_IMAGE_FIELD">URL</ph> stating where to download the image and <ph name="HASH_PLUGIN_VM_IMAGE_FIELD">hash</ph> as a SHA-256 hash used to verify the integrity of the download.''',
},
{
'name': 'PluginVmDataCollectionAllowed',
'owners': ['okalitova@chromium.org', 'janagrill@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 712,
'caption': '''Allow <ph name="PLUGIN_VM_NAME">PluginVm</ph> Product Analytics''',
'tags': [],
'desc': '''Allow <ph name="PLUGIN_VM_NAME">PluginVm</ph> to collect <ph name="PLUGIN_VM_NAME">PluginVm</ph> usage data.
If the policy is set to false or left unset, <ph name="PLUGIN_VM_NAME">PluginVm</ph> is not allowed to collect data.
If set to true, <ph name="PLUGIN_VM_NAME">PluginVm</ph> might collect <ph name="PLUGIN_VM_NAME">PluginVm</ph> usage data that is then combined and thoroughly analyzed to improve <ph name="PLUGIN_VM_NAME">PluginVm</ph> experience.''',
},
{
'name': 'PluginVmRequiredFreeDiskSpace',
'owners': ['okalitova@chromium.org', 'janagrill@chromium.org'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0,
'maximum': 1000
},
'supported_on': ['chrome_os:85-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 20,
'id': 724,
'caption': '''Required free disk space for <ph name="PLUGIN_VM_NAME">PluginVm</ph>''',
'tags': [],
'desc': '''Free disk space (in GB) required to install <ph name="PLUGIN_VM_NAME">PluginVm</ph>.
If this policy is left unset, <ph name="PLUGIN_VM_NAME">PluginVm</ph> installation fails if free disk space available on the device is less than 20 GB (default value).
If this policy is set, <ph name="PLUGIN_VM_NAME">PluginVm</ph> installation fails if free disk space available on the device is less than required by policy.''',
},
{
'name': 'ParentAccessCodeConfig',
'owners': ['file://chrome/browser/chromeos/child_accounts/OWNERS'],
'type': 'dict',
'schema': {
'sensitiveValue': True,
'type': 'object',
'properties': {
'current_config': {
'id': 'Config',
'type': 'object',
'description': 'Configuration used to generate and verify Parent Access Code.',
'properties': {
'shared_secret': {
'type': 'string',
'description': 'Secret shared between child and parent devices.'
},
'access_code_ttl': {
'type': 'integer',
'minimum': 60,
'maximum': 3600,
'description': 'Time that access code is valid for (in seconds).'
},
'clock_drift_tolerance': {
'type': 'integer',
'minimum': 0,
'maximum': 1800,
'description': 'The allowed difference between the clock on child and parent devices (in seconds).'
}
}
},
'future_config': {
'$ref': 'Config',
},
'old_configs': {
'type': 'array',
'items': { '$ref': 'Config'},
}
},
},
'supported_on': ['chrome_os:73-'],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': {
'current_config': {
'shared_secret': 'oOA9nX02LdhYdOzwMsGof+QA3wUKP4YMNlk9S/W3o+w=',
'access_code_ttl': 600,
'clock_drift_tolerance': 300
},
'future_config': {
'shared_secret': 'KMsoIjnpvcWmiU1GHchp2blR96mNyJwS',
'access_code_ttl': 600,
'clock_drift_tolerance': 300
},
'old_configs': [{
'shared_secret': 'sTr6jqMTJGCbLhWI5plFTQb/VsqxwX2Q',
'access_code_ttl': 600,
'clock_drift_tolerance': 300
}],
},
'id': 507,
'caption': '''Parent Access Code Configuration''',
'tags': [],
'desc': '''This policy specifies configuration that is used to generate and verify Parent Access Code.
|current_config| is always used for generating access code and should be used for validating access code only when it cannot be validated with |future_config|.
|future_config| is the primary config used for validating access code.
|old_configs| should be used for validating access code only when it cannot be validated with |future_config| nor |current_config|.
The expected way of using this policy is to gradually rotate access code configuration. New configuration is always put into |future_config| and at the same
time the existing value is moved into |current_config|. |current_config|'s previous values are moved into |old_configs| and removed after rotation cycle is finished.
This policy applies only to child user.
When this policy is set Parent Access Code can be verified on child user's device.
When this policy is unset it is not possible to verify Parent Access Code on child user's device.'''
},
{
'name': 'ClientCertificateManagementAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'All',
'value': 0,
'caption': '''Allow users to manage all certificates''',
},
{
'name': 'UserOnly',
'value': 1,
'caption': '''Allow users to manage user certificates''',
},
{
'name': 'None',
'value': 2,
'caption': '''Disallow users from managing certificates''',
},
],
'supported_on': ['chrome_os:74-'],
'tags' : [],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': 1,
'default': 0,
'id': 518,
'caption': '''Allow users to manage installed client certificates.''',
'desc': '''Setting the policy to 'All' (value 0) or leaving it unset lets users manage certificates. Setting the policy to 'None' (value 2) means users can only view (not manage) certificates.
Setting the policy to 'UserOnly' (value 1) lets users manage user certificates, but not device-wide certificates.''',
},
{
'id': 520,
'name': 'DeviceRebootOnUserSignout',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3, 4 ],
},
'items': [
{
'name': 'Never',
'value': 1,
'caption': '''Do not reboot on user sign out.''',
},
{
'name': 'ArcSession',
'value': 2,
'caption': '''Reboot on user sign out if Android has started.''',
},
{
'name': 'Always',
'value': 3,
'caption': '''Always reboot on user sign out.''',
},
{
'name': 'ArcSessionOrVMStart',
'value': 4,
'caption': '''Reboot on user sign out if Android or a VM has started.''',
},
],
'device_only': True,
'example_value': 2,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'supported_on': ['chrome_os:76-'],
'caption': '''Force device reboot when user sign out''',
'tags': ['system-security'],
'desc': '''
This policy, when set to ArcSession, forces the device to reboot when a user sign out if Android has started.
This policy, when set to ArcSessionOrVMStart, forces the device to reboot when a user sign out if Android or a VM has started.
When set to Always, it forces the device to reboot on every user sign out.
If left unset, it has no effect and no reboot is forced on user sign out. The same applies if set to Never.
This policy has effect only for unaffiliated users.
''',
},
{
'name': 'ForceNetworkInProcess',
'owners': ['file://services/network/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:72-83'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 521,
'caption': '''Force networking code to run in the browser process''',
'tags': [],
'desc': '''This policy is deprecated.''',
},
{
'name': 'AssistantOnboardingMode',
'owners': ['xiaohuic@chromium.org', 'croissant-eng@google.com'],
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'Default',
'Education',
],
},
'items': [
{
'name': 'Default',
'value': 'Default',
'caption': '''Use the default mode of the Assistant onboarding experience''',
},
{
'name': 'Education',
'value': 'Education',
'caption': '''Use the EDU mode of the Assistant onboarding experience''',
},
],
'supported_on': ['chrome_os:85-'],
'tags': [],
'features': {
'dynamic_refresh': False,
'per_profile': True,
'unlisted': True,
'cloud_only': True,
},
'example_value': 'Default',
'default': 'Default',
'id': 729,
'caption': '''Mode of the Assistant onboarding experience''',
'desc': '''This policy controls the mode of the Assistant onboarding experience.
If the policy is unset or is set to <ph name="ASSISTANT_ONBOARDING_MODE_DEFAULT">"Default"</ph>, the default mode of the Assistant onboarding experience is used.
If the policy is set to <ph name="ASSISTANT_ONBOARDING_MODE_EDUCATION">"Education"</ph>, the EDU mode of the Assistant onboarding experience is used.''',
},
{
'name': 'VoiceInteractionContextEnabled',
'owners': ['yanxiao@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:74-'],
'tags' : ['google-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 527,
'caption': '''Allow Google Assistant to access screen context''',
'desc': '''Setting the policy to Enabled lets Google Assistant access screen context and send that data to a server. Setting the policy to Disabled keeps Google Assistant from screen context.
Leaving the policy unset lets users decide to turn this feature on or off.''',
},
{
'name': 'VoiceInteractionHotwordEnabled',
'owners': ['yanxiao@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:74-'],
'tags' : [],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 529,
'caption': '''Allow Google Assistant to listen for the voice activation phrase''',
'desc': '''Setting the policy to Enabled lets Google Assistant listen for the voice activation phrase. Setting the policy to Disabled keeps Google Assistant from listening for the phrase.
Leaving the policy unset lets users decide to turn this feature on or off.''',
},
{
'name': 'VoiceInteractionQuickAnswersEnabled',
'owners': ['llin@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:84-88'],
'tags' : ['google-sharing'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 694,
'caption': '''Allow Quick Answers to access selected content''',
'desc': '''This policy is deprecated and will be removed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 89.
This policy gives Quick Answers permission to access selected content and send the info to server.
If the policy is enabled, Quick Answers will be allowed to access selected content.
If the policy is disabled, Quick Answers will not be allowed to access selected content.
If the policy is not set, users can decide whether to allow Quick Answers to access selected content.''',
},
{
'name': 'DeviceWilcoDtcAllowed',
'owners': ['pbond@chromium.org', 'lamzin@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:74-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 532,
'caption': '''Allows wilco diagnostics and telemetry controller''',
'tags': [],
'desc': '''Setting the policy to Enabled when <ph name="WILCO_NAME">wilco</ph> diagnostics and telemetry controller (DTC) is available on the device turns collecting, processing, and reporting of telemetry and diagnostics data on.
Setting the policy to Disabled or leaving it unset turns DTC off. It can't collect, process, or report telemetry and diagnostics data from the device.''',
},
{
'name': 'AllowPopupsDuringPageUnload',
'owners': ['avi@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'deprecated': True,
'supported_on': ['chrome.*:74-87', 'chrome_os:74-87', 'android:74-87'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'default_for_enterprise_users': False,
'example_value': False,
'id': 533,
'caption': '''Allows a page to show popups during its unloading''',
'tags': [],
'desc': '''Setting the policy to True allows pages to show pop-ups while the pages unload.
Setting the policy to False or leaving it unset prevents pages from showing pop-ups while the pages unload.
This policy was removed in Chrome 88 and is ignored if set.
See https://www.chromestatus.com/feature/5989473649164288.''',
},
{
'name': 'DeviceWilcoDtcConfiguration',
'owners': ['pbond@chromium.org', 'lamzin@google.com'],
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': { 'type': 'string' },
'hash': { 'type': 'string' }
},
},
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
"url": "https://example.com/wilcodtcconfig",
"hash": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
},
'max_size': 1000000,
'id': 535,
'caption': '''Wilco DTC configuration''',
'tags': [],
'desc': '''Setting the policy configures the <ph name="WILCO_NAME">wilco</ph> diagnostics and telemetry controller (DTC), if available on the device. The setup size can't exceed 1MB (1,000,000 bytes) and must be in JSON format. The <ph name="WILCO_NAME">wilco</ph> DTC is responsible for handling it. The cryptographic hash verifies the integrity of the download. The configuration is downloaded and cached. It's redownloaded whenever the URL or the hash changes.
If you set this policy, users can't change it.''',
},
{
'name': 'DevicePowerPeakShiftEnabled',
'owners': ['lamzin@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'example_value': False,
'id': 538,
'caption': '''Enable peak shift power management''',
'tags': [],
'desc': '''Setting the policy to Enabled and setting <ph name="DEVICE_POWER_PEAK_SHIFT_BATTERY_THRESHOLD_POLICY_NAME">DevicePowerPeakShiftBatteryThreshold</ph> and <ph name="DEVICE_POWER_PEAK_SHIFT_DAY_CONFIG_POLICY_NAME">DevicePowerPeakShiftDayConfig</ph> keeps power peak shift on, if supported on the device. Power peak shift power management policy is a power-saving policy that minimizes alternating current usage during peak times. For each weekday, you can set a start and end time to run in power peak shift mode. As long as the battery stays above the threshold specified, during these times, the device runs from the battery (even if the alternating current is attached). After the specified end time, the device runs from alternating current (if attached), but won't charge the battery. The device will again function normally using alternating current and recharging the battery after the specified charge start time.
Setting the policy to Disabled keeps power peak shift off.
If unset, power peak shift is off at first. Users can't change this setting.'''
},
{
'name': 'DevicePowerPeakShiftBatteryThreshold',
'owners': ['lamzin@google.com'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 15,
'maximum': 100
},
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'example_value': 20,
'id': 539,
'caption': '''Set power peak shift battery threshold in percent''',
'tags': [],
'desc': '''If <ph name="DEVICE_POWER_PEAK_SHIFT_ENABLED_POLICY_NAME">DevicePowerPeakShiftEnabled</ph> is Enabled, then setting <ph name="DEVICE_POWER_PEAK_SHIFT_BATTERY_THRESHOLD_POLICY_NAME">DevicePowerPeakShiftBatteryThreshold</ph> sets power peak shift battery threshold in percent.
Leaving the policy unset keeps power peak shift off.'''
},
{
'name': 'DevicePowerPeakShiftDayConfig',
'owners': ['lamzin@google.com'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'entries': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'day': { '$ref': 'WeekDay' },
'start_time': {
'description': '''Time when the device will start running from the battery, interpreted in the device's local time zone.''',
'$ref': 'Time'
},
'end_time': {
'description': '''Time when the device will run from alternating current, interpreted in the device's local time zone.''',
'$ref': 'Time'
},
'charge_start_time': {
'description': '''Time when the device will use alternating current to charge battery, interpreted in the device's local time zone.''',
'$ref': 'Time'
}
}
}
}
}
},
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'example_value': {
'entries': [
{
'day': 'MONDAY',
'start_time': {
'hour': 9,
'minute': 0
},
'end_time': {
'hour': 15,
'minute': 15
},
'charge_start_time': {
'hour': 20,
'minute': 45
}
},
{
'day': 'FRIDAY',
'start_time': {
'hour': 2,
'minute': 30
},
'end_time': {
'hour': 21,
'minute': 0
},
'charge_start_time': {
'hour': 23,
'minute': 45
}
}
],
},
'id': 540,
'caption': '''Set power peak shift day config''',
'tags': [],
'desc': '''If <ph name="DEVICE_POWER_PEAK_SHIFT_ENABLED_POLICY_NAME">DevicePowerPeakShiftEnabled</ph> is Enabled, setting <ph name="DEVICE_POWER_PEAK_SHIFT_DAY_CONFIG_POLICY_NAME">DevicePowerPeakShiftDayConfig</ph> sets power peak shift day configuration.
Leaving the policy unset keeps power peak shift off.
Valid values for the <ph name="MINUTE_FIELD_NAME">minute</ph> field in <ph name="START_TIME_FIELD_NAME">start_time</ph>, <ph name="END_TIME_FIELD_NAME">end_time</ph> and <ph name="CHARGE_START_TIME_FIELD_NAME">charge_start_time</ph> are 0, 15, 30, 45.'''
},
{
'name': 'DeviceBootOnAcEnabled',
'owners': ['lamzin@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'example_value': False,
'id': 541,
'caption': '''Enable boot on AC (alternating current)''',
'tags': [],
'desc': '''Setting the policy to Enabled keeps boot on AC on, if supported on the device. Boot on AC provides an opportunity for the system to restart from Off or Hibernate after inserting the line power.
Setting the policy to Disabled keeps boot on AC off.
If you set this policy, users can't change it. If not set, boot on AC is off, and users can't turn it on.'''
},
{
'name': 'DeviceUsbPowerShareEnabled',
'owners': ['lamzin@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'example_value': True,
'id': 553,
'caption': '''Enable USB power share''',
'tags': [],
'desc': '''Setting the policy to Enabled turns on the USB power share power management policy.
Certain devices have a specific USB port with a lightning bolt or battery icon for charging devices using the system battery. This policy affects the charging behavior of this port while the system is in sleep and shut down modes. It doesn't affect the other USB ports and the charging behavior while the system is awake, when the USB port always provides power.
When sleeping, power is supplied to the USB port when the device is plugged in to the wall charger or if the battery level exceeds 50%. When shut down, power is supplied to the USB port when the device is plugged in to the wall charger.
Setting the policy to Disabled means no power is supplied.
Leaving the policy unset means the policy is on, and users can't turn it off.'''
},
{
'name': 'SignedHTTPExchangeEnabled',
'owners': ['file://content/browser/web_package/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:75-', 'chrome_os:75-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Accept web contents served as Signed HTTP Exchanges',
},
{
'value': False,
'caption': 'Prevent Signed HTTP Exchanges from loading',
},
],
'example_value': True,
'default': True,
'id': 542,
'caption': '''Enable Signed HTTP Exchange (SXG) support''',
'tags': ['filtering'],
'desc': '''Setting the policy to True or leaving it unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will accept web contents served as Signed HTTP Exchanges.
Setting the policy to False prevents Signed HTTP Exchanges from loading.''',
},
{
'name': 'DeviceQuickFixBuildToken',
'owners': ['askaraitzhan@chromium.org', 'ultrotter@chromium.org'],
'type': 'string',
'schema': {
'type': 'string',
},
'supported_on': ['chrome_os:75-'],
'device_only': True,
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'sometoken',
'id': 543,
'caption': '''Provide users with Quick Fix Build''',
'desc': '''This policy controls whether or not the device should be updated to a Quick Fix Build.
If policy value is set to a token that maps to a Quick Fix Build, the device will be updated to the corresponding Quick Fix Build if the update is not blocked by another policy.
If this policy is not set, or if its value does not map to a Quick Fix Build, then the device won't be updated to a Quick Fix Build. If the device is already running a Quick Fix Build and the policy is not set anymore or its value does not map to a Quick Fix Build anymore, then the device will be updated to a regular build if the update is not blocked by another policy.''',
},
{
'name': 'SamlInSessionPasswordChangeEnabled',
'owners': ['olsen@chromium.org', 'rsorokin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:76-'],
'future': True,
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Allow SAML users to change their SAML passwords in-session at chrome://password-change',
},
{
'value': False,
'caption': 'Do not allow in-session SAML password changes at chrome://password-change',
},
{
'value': None,
'caption': 'Allow the user to decide',
},
],
'example_value': True,
'default': None,
'id': 545,
'caption': '''Enables a page for in-session change of password for SAML users''',
'desc': '''Enables a page at chrome://password-change that lets SAML users change their SAML passwords while in-session, which ensures that the SAML password and the device lockscreen password are kept in-sync.
This policy also enables notifications that warn SAML users if their SAML passwords are soon to expire so that they can deal with this immediately by doing an in-session password change.
But, these notifications will only be shown if password expiry information is sent to the device by the SAML identity provider during the SAML login flow.
If this policy is set, the user cannot change or override it.''',
},
{
'name': 'SamlLockScreenReauthenticationEnabled',
'owners': ['mslus@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'future': True,
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 719,
'caption': '''Enables online re-authentication on lock screen for SAML users''',
'desc': '''Enables online user signin on a lock screen. If the policy is set to true online re-authentication on the lock screen is triggered e.g. by <ph name="POLICY">SAMLOfflineSigninTimeLimit</ph>.
The re-authentication is enforced immediately when on the lock screen or next time a user locks the screen after the condition is met.
If the policy is set to false or unset users can always unlock the screen with their local credentials.''',
},
{
'name': 'UserFeedbackAllowed',
'owners': ['apotapchuk@chromium.org', 'emaxx@chromium.org'],
'type': 'main',
'schema': {
'type': 'boolean',
},
'items': [
{
'value': True,
'caption': 'Allow users to file feedback',
},
{
'value': False,
'caption': 'Prevent users from filing feedback',
},
],
'supported_on': ['chrome.*:77-', 'chrome_os:77-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default': True,
'id': 570,
'caption': '''Allow user feedback''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets users send feedback to Google through Menu > Help > Report an Issue or key combination.
Setting the policy to Disabled means users can't send feedback to Google.'''
},
{
'name': 'SamlPasswordExpirationAdvanceWarningDays',
'owners': ['olsen@chromium.org', 'rsorokin@chromium.org'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0,
'maximum': 90
},
'supported_on': ['chrome_os:76-'],
'future': True,
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 14,
'id': 555,
'caption': '''How many days in advance to notify SAML users when their password is due to expire''',
'desc': '''This policy has no effect unless SamlInSessionPasswordChangeEnabled is true.
If that policy is true, and this policy is set to (for example) 14, that means SAML users will be notified 14 days in advance that their password is due to expire on a certain date.
Then they can deal with this immediately by doing an in-session password change and updating their password before it expires.
But, these notifications will only be shown if password expiry information is sent to the device by the SAML identity provider during the SAML login flow.
Setting this policy to zero means the users will not be notified in advance - they will only be notified once the password has already expired.
If this policy is set, the user cannot change or override it.''',
},
{
'name': 'DeviceAdvancedBatteryChargeModeEnabled',
'owners': ['lamzin@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 548,
'caption': '''Enable advanced battery charge mode''',
'tags': [],
'desc': '''If <ph name="DEVICE_ADVANCED_BATTERY_CHARGE_MODE_DAY_CONFIG_POLICY_NAME">DeviceAdvancedBatteryChargeModeDayConfig</ph> is set, setting <ph name="DEVICE_ADVANCED_BATTERY_CHARGE_MODE_ENABLED_POLICY_NAME">DeviceAdvancedBatteryChargeModeEnabled</ph> to Enabled keeps advanced battery charge mode power management policy on (if supported on the device). Using a standard charging algorithm and other techniques outside work hours, this mode lets users maximize battery health. During work hours, the system uses an express charge, which lets the battery charge faster. Specify the time when the system is used most each day by the start time and the duration.
Setting the policy to Disabled or leaving it unset keeps advanced battery charge mode off.
Users are unable to change this setting.'''
},
{
'name': 'DeviceAdvancedBatteryChargeModeDayConfig',
'owners': ['lamzin@google.com'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'entries': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'day': { '$ref': 'WeekDay' },
'charge_start_time': {
'description': '''Time when the device will start charging, interpreted in the device's local time zone.''',
'$ref': 'Time'
},
'charge_end_time': {
'description': '''Time when the device will stop charging, interpreted in the device's local time zone.''',
'$ref': 'Time'
}
}
}
}
}
},
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
'entries': [
{
'day': 'TUESDAY',
'charge_start_time': {
'hour': 20,
'minute': 30,
},
'charge_end_time': {
'hour': 23,
'minute': 0,
},
},
{
'day': 'FRIDAY',
'charge_start_time': {
'hour': 4,
'minute': 15,
},
'charge_end_time': {
'hour': 6,
'minute': 45,
},
}
],
},
'id': 549,
'caption': '''Set advanced battery charge mode day config''',
'tags': [],
'desc': '''If <ph name="DEVICE_ADVANCED_BATTERY_CHARGE_MODE_ENABLED_POLICY_NAME">DeviceAdvancedBatteryChargeModeEnabled</ph> is set to Enabled, then setting <ph name="DEVICE_ADVANCED_BATTERY_CHARGE_MODE_DAY_CONFIG_POLICY_NAME">DeviceAdvancedBatteryChargeModeDayConfig</ph> lets you set up advanced battery charge mode. The value for <ph name="CHARGE_START_TIME_FIELD_NAME">charge_start_time</ph> must be less than <ph name="CHARGE_END_TIME_FIELD_NAME">charge_end_time</ph>.
Leaving the policy unset keeps advanced battery charge mode off.
Valid values for <ph name="MINUTE_FIELD_NAME">minute</ph> field in <ph name="CHARGE_START_TIME_FIELD_NAME">charge_start_time</ph> and <ph name="CHARGE_END_TIME_FIELD_NAME">charge_end_time</ph> are 0, 15, 30, 45.'''
},
{
'name': 'DeviceBatteryChargeMode',
'owners': ['lamzin@google.com'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3, 4, 5 ]
},
'items': [
{
'name': 'Standard',
'value': 1,
'caption': '''Fully charge battery at a standard rate.'''
},
{
'name': 'ExpressCharge',
'value': 2,
'caption': '''Charge battery using fast charging technology.'''
},
{
'name': 'PrimarilyAcUse',
'value': 3,
'caption': '''Charge battery for devices that are primarily connected to an external power source.'''
},
{
'name': 'Adaptive',
'value': 4,
'caption': '''Adaptive charge battery based on battery usage pattern.'''
},
{
'name': 'Custom',
'value': 5,
'caption': '''Charge battery while it is within a fixed range.'''
}
],
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'example_value': 1,
'id': 550,
'caption': '''Battery charge mode''',
'tags': [],
'desc': '''Unless <ph name="DEVICE_ADVANCED_BATTERY_CHARGE_MODE_ENABLED_POLICY_NAME">DeviceAdvancedBatteryChargeModeEnabled</ph> is specified, which overrides <ph name="DEVICE_BATTERY_CHARGE_MODE_POLICY_NAME">DeviceBatteryChargeMode</ph>, then setting <ph name="DEVICE_BATTERY_CHARGE_MODE_POLICY_NAME">DeviceBatteryChargeMode</ph> specifies battery charge mode power management policy (if supported on the device). To extend battery life, the policy dynamically controls battery charging by minimizing stress and wear-out.
Leaving the policy unset (if supported on the device) applies the standard battery charge mode, and users can't change it.
Note: If Custom battery charge mode is selected, then also specify <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_START_CHARGING_POLICY_NAME">DeviceBatteryChargeCustomStartCharging</ph> and <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_STOP_CHARGING_POLICY_NAME">DeviceBatteryChargeCustomStopCharging</ph>.'''
},
{
'name': 'DeviceBatteryChargeCustomStartCharging',
'owners': ['lamzin@google.com'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 50,
'maximum': 95
},
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'example_value': 60,
'id': 551,
'caption': '''Set battery charge custom start charging in percent''',
'tags': [],
'desc': '''If <ph name="DEVICE_BATTERY_CHARGE_MODE_NAME">DeviceBatteryChargeMode</ph> is set to <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_MODE_NAME">"custom"</ph>, then setting <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_START_CHARGING_POLICY_NAME">DeviceBatteryChargeCustomStartCharging</ph> customizes when the battery starts charging, based the percentage of battery charge. The value must be at least 5 percentage points below <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_STOP_CHARGING_POLICY_NAME">DeviceBatteryChargeCustomStopCharging</ph>.
Leaving the policy unset applies the standard battery charge mode.'''
},
{
'name': 'DeviceBatteryChargeCustomStopCharging',
'owners': ['lamzin@google.com'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 55,
'maximum': 100
},
'supported_on': ['chrome_os:75-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'example_value': 90,
'id': 552,
'caption': '''Set battery charge custom stop charging in percent''',
'tags': [],
'desc': '''If <ph name="DEVICE_BATTERY_CHARGE_MODE_POLICY_NAME">DeviceBatteryChargeMode</ph> is set to <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_MODE_NAME">"custom"</ph>, then setting <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_STOP_CHARGING_POLICY_NAME">DeviceBatteryChargeCustomStopCharging</ph> customizes when the battery stops charging, based on the percentage of battery charge. <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_START_CHARGING_POLICY_NAME">DeviceBatteryChargeCustomStartCharging</ph> must be at least 5 percentage points below <ph name="DEVICE_BATTERY_CHARGE_CUSTOM_STOP_CHARGING_POLICY_NAME">DeviceBatteryChargeCustomStopCharging</ph>.
Leaving the policy unset applies the <ph name="DEVICE_BATTERY_CHARGE_STANDARD_MODE_NAME">"standard"</ph> battery charge mode.'''
},
{
'name': 'DeviceScheduledUpdateCheck',
'owners': ['abhishekbh@chromium.org', 'pmarko@chromium.org'],
'device_only': True,
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'update_check_time': {
'description': '''Time when the update check should happen, interpreted in the device's local time zone.''',
'$ref': 'Time'
},
'frequency': {
'description': 'Frequency with which the update check should recur.',
'type': 'string',
'enum': [
'DAILY',
'WEEKLY',
'MONTHLY'
]
},
'day_of_week': {
'description': '''Day of week when the update check should happen, interpreted in the device's local time zone. Only used when 'frequency' is 'WEEKLY'.''',
'$ref': 'WeekDay'
},
'day_of_month': {
'description': '''Day of month [1-31] when the update check should happen, interpreted in the device's local time zone. Only used when 'frequency' is 'MONTHLY'. If this is more than the maximum number of days in a given month then the last day of the month will be chosen.''',
'type': 'integer',
'minimum': 1,
'maximum': 31
}
},
'required': ['update_check_time', 'frequency']
},
'supported_on': ['chrome_os:75-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {'update_check_time' : {'hour': 23, 'minute': 35}, 'frequency': 'WEEKLY', 'day_of_week': 'MONDAY', 'day_of_month': 11},
'tags': [],
'id': 556,
'caption': '''Set custom schedule to check for updates''',
'desc': '''Allows setting a custom schedule to check for updates. This applies to all users, and to all interfaces on the device. Once set, the device will check for updates according to the schedule. The policy must be removed to cancel any more scheduled update checks.'''
},
{
'name': 'KerberosEnabled',
'owners': ['file://chrome/browser/chromeos/kerberos/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'future': True,
'example_value': True,
'id': 557,
'caption': '''Enable Kerberos functionality''',
'tags': ['website-sharing'],
'desc': '''Controls whether the Kerberos functionality is enabled. Kerberos is an authentication protocol that can be used to authenticate to web apps and file shares.
If this policy is enabled, Kerberos functionality is enabled. Kerberos accounts can be added either through the 'Configure Kerberos accounts' policy or through the Kerberos Accounts settings in the People settings page.
If this policy disabled or not set, the Kerberos Accounts settings are disabled. No Kerberos accounts can be added and Kerberos authentication cannot be used. All existing Kerberos accounts are deleted, all stored passwords are deleted.''',
},
{
'name': 'KerberosRememberPasswordEnabled',
'owners': ['file://chrome/browser/chromeos/kerberos/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'future': True,
'example_value': True,
'id': 558,
'caption': '''Enable 'Remember password' feature''',
'tags': ['website-sharing'],
'desc': '''Controls whether the 'Remember password' feature is enabled in the Kerberos authentication dialog. Passwords are stored encryped on disk, only accessible to the Kerberos system daemon and during a user session.
If this policy is enabled or not set, users can decide whether Kerberos passwords are remembered, so that they do not have to be entered again. Kerberos tickets are automatically fetched unless additional authentication is required (two-factor authentication).
If this policy is disabled, passwords are never remembered and all previously stored passwords are removed. Users have to enter their password every time they need to authenticate with the Kerberos system. Depending on server settings, this usually happens between every 8 hours to several months.''',
},
{
'name': 'KerberosAddAccountsAllowed',
'owners': ['file://chrome/browser/chromeos/kerberos/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:75-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'future': True,
'example_value': True,
'id': 559,
'caption': '''Users can add Kerberos accounts''',
'tags': ['website-sharing'],
'desc': '''Controls whether users may add Kerberos accounts.
If this policy is enabled or not set, users may add Kerberos accounts via the Kerberos Accounts settings in the People settings page. Users have full control over accounts they added and may modify or remove them.
If this policy is disabled, users may not add Kerberos accounts. Accounts can only be added via the 'Configure Kerberos accounts' policy. This is an effective way to lock down accounts.''',
},
{
'name': 'KerberosAccounts',
'owners': ['file://chrome/browser/chromeos/kerberos/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'principal': {
'description': '''User principal 'user@realm'. The placeholder <ph name="LOGIN_ID_PLACEHOLDER">${{LOGIN_ID}}</ph> is replaced by the username 'user'. The placeholder <ph name="LOGIN_EMAIL_PLACEHOLDER">${{LOGIN_EMAIL}}</ph> is replaced by the full principal 'user@realm'.''',
'type': 'string',
'pattern': '^(?:[^@]+@[^@]+)|(?:\\${LOGIN_ID})|(?:\\${LOGIN_EMAIL})$',
},
'password': {
'description': '''Kerberos password. The placeholder <ph name="PASSWORD_PLACEHOLDER">${{PASSWORD}}</ph> is replaced by the login password.''',
'type': 'string',
'sensitiveValue': True,
},
'remember_password': {
'description': '''Whether to remember the Kerberos password. If not set or set to false, the password is not remembered. Ignored if the password is not specified.''',
'type': 'boolean',
},
'krb5conf': {
'description': '''Kerberos configuration (one line per array item), see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.''',
'type': 'array',
'items': {
'type': 'string',
},
},
},
'required': ['principal'],
},
},
'supported_on': ['chrome_os:75-'],
'supported_chrome_os_management': ['google_cloud'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'future': True,
'example_value': [
{
"principal":"${LOGIN_EMAIL}",
"password":"${PASSWORD}"
},
{
"principal":"user1@REALM.COM",
"remember_password": True
},
{
"principal":"user2@REALM.COM",
"password":"p4zzw0rd!",
"krb5conf":[
"[libdefaults]",
" default_tgs_enctypes = aes256-cts-hmac-sha1-96",
" default_tkt_enctypes = aes256-cts-hmac-sha1-96",
" permitted_enctypes = aes256-cts-hmac-sha1-96",
" default_realm = REALM.COM",
"",
"[realms]",
" REALM.COM = {",
" kdc = us-west.realm.com",
" master_kdc = us-west.realm.com",
" kpasswd_server = us-west.realm.com",
" }"
]
}
],
'id': 560,
'caption': '''Configure Kerberos accounts''',
'tags': ['website-sharing'],
'desc': '''Adds prefilled Kerberos accounts. If the Kerberos credentials match the login credentials, an account can be configured to reuse the login credentials by specifying '<ph name="LOGIN_EMAIL_PLACEHOLDER">${{LOGIN_EMAIL}}</ph>' and <ph name="PASSWORD_PLACEHOLDER">${{PASSWORD}}</ph>' for principal and password, respectively, so that the Kerberos ticket can be retrieved automatically unless two-factor authentication is configured. Users cannot modify accounts added via this policy.
If this policy is enabled, the list of accounts defined by the policy is added to the Kerberos Accounts settings.
If this policy is disabled or not set, no accounts are added to the Kerberos Accounts settings and all accounts previously added with this policy are removed. Users may still add accounts manually if the 'Users can add Kerberos accounts' policy is enabled.''',
},
{
'name': 'CommandLineFlagSecurityWarningsEnabled',
'owners': ['proberge@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:76-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Show security warnings when potentially dangerous command-line flags are used',
},
{
'value': False,
'caption': 'Hide security warnings when potentially dangerous command-line flags are used',
},
],
'example_value': True,
'default': True,
'id': 566,
'caption': '''Enable security warnings for command-line flags''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled or leaving it unset means security warnings appear when potentially dangerous command-line flags are used to launch Chrome.
Setting the policy to Disabled prevents security warnings from appearing when Chrome is launched with potentially dangerous command-line flags.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'StartupBrowserWindowLaunchSuppressed',
'owners': ['jityao@chromium.org', 'hendrich@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:76-'],
'tags': [],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': True,
'id': 568,
'caption': '''Suppress launching of browser window''',
'desc': '''Setting the policy to True prevents the browser window from launching at the start of the session.
Setting the policy to False or leaving it unset allows the window to launch.
Note: The browser window might not launch due to other policies or command-line flags.''',
},
{
'id': 571,
'name': 'DevicePowerwashAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'main',
'schema': {
'type': 'boolean',
},
'device_only': True,
'example_value': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'supported_on': ['chrome_os:77-'],
'caption': '''Allow the device to request powerwash''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets a device trigger powerwash.
Setting the policy to Disabled doesn't let a device trigger powerwash. An exception to still allow a powerwash can occur if <ph name="TPM_FIRMWARE_UPDATE_SETTINGS_NAME">TPMFirmwareUpdateSettings</ph> is set to a value that lets the TPM firmware update, but it hasn't updated yet.'''
},
{
'name': 'ExternalPrintServers',
'owners': ['file://chromeos/printing/OWNERS'],
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': {
'description': 'URL to a JSON file with a list of print servers.',
'type': 'string',
},
'hash': {
'description': 'The SHA-256 hash of the file.',
'type': 'string',
},
},
},
'id': 572,
'supported_on': ['chrome_os:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {
"url": "https://example.com/printserverpolicy",
"hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef"
},
'max_size': 1048576,
'caption': '''External print servers''',
'tags': [],
'desc': '''Provides configurations of available print servers.
This policy allows you to provide configuration of external print servers to <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices as JSON file.
The size of the file must not exceed 1MB and must contain an array of records (JSON objects). Each record must contain fields "id", "url" and "display_name" with strings as values. Values of "id" fields must be unique.
The file is downloaded and cached. The cryptographic hash is used to verify the integrity of the download. The file will be re-downloaded whenever the URL or the hash changes.
When this policy is set to correct value, devices will try to query specified print servers for available printers using IPP protocol.
If this policy is unset or set to incorrect value, none of the provided server printers are visible to users.
Currently, the number of print servers is limited to 16. Only the first 16 print servers from the list will be queried.
''',
},
{
'name': 'DeviceExternalPrintServers',
'owners': ['mattme@google.com', 'file://chromeos/printing/OWNERS'],
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': {
'description': 'URL to a JSON file with a list of print servers.',
'type': 'string',
},
'hash': {
'description': 'The SHA-256 hash of the file.',
'type': 'string',
},
},
},
'id': 730,
'future_on': ['chrome_os'],
# TODO(https://crbug.com/1100777): Remove |future|.
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
"url": "https://example.com/printserverpolicy",
"hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef"
},
'max_size': 1048576,
'caption': '''External print servers''',
'tags': [],
'desc': '''Provides configurations of available print servers.
This policy allows you to provide configuration of external print servers to <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices as JSON file.
The size of the file must not exceed 1MB and must contain an array of records (JSON objects). Each record must contain fields "id", "url" and "display_name" with strings as values. Values of "id" fields must be unique.
The file is downloaded and cached. The cryptographic hash is used to verify the integrity of the download. The file will be re-downloaded whenever the URL or the hash changes.
When this policy is set to correct value, devices will try to query specified print servers for available printers using IPP protocol.
If this policy is unset or set to incorrect value, none of the provided server printers are visible to users.
Currently, the number of print servers is limited to 16. Only the first 16 print servers from the list will be queried.
This policy is similar to <ph name="EXTERNAL_PRINT_SERVERS_POLICY">ExternalPrintServers</ph>, except this policy is applied by device.
''',
},
{
'name': 'VmManagementCliAllowed',
'owners': ['aoldemeier@chromium.org', 'okalitova@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:77-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 577,
'caption': '''Specify VM CLI permission''',
'tags': [],
'desc': '''Instructs <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> to enable or disable virtual machine management console tools.
If the policy is set to true or left unset, the user will be able to use VM management CLI.
Otherwise, all of VM management CLI is disabled and hidden.
''',
},
{
'name': 'CACertificateManagementAllowed',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'All',
'value': 0,
'caption': '''Allow users to manage all certificates''',
},
{
'name': 'UserOnly',
'value': 1,
'caption': '''Allow users to manage user certificates''',
},
{
'name': 'None',
'value': 2,
'caption': '''Disallow users from managing certificates''',
},
],
'supported_on': ['chrome_os:78-'],
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': 1,
'default': 0,
'id': 579,
'caption': '''Allow users to manage installed CA certificates.''',
'desc': '''Setting the policy to All (0) or leaving it unset lets users edit trust settings for all CA certificates, remove user-imported certificates, and import certificates using Certificate Manager. Setting the policy to UserOnly (1) lets users manage only user-imported certificates, but not change trust settings of built-in certificates. Setting it to None (2) lets users view (not manage) CA certificates.''',
},
{
'id': 581,
'name': 'LockScreenMediaPlaybackEnabled',
'owners': ['file://services/media_session/OWNERS'],
'type': 'main',
'schema': {
'type': 'boolean',
},
'example_value': True,
'default': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome_os:78-'],
'caption': '''Allows users to play media when the device is locked''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset displays media controls on the lock screen if users lock the device when media is playing.
Setting the policy to Disabled turns media controls on the lock screen off.'''
},
{
'name': 'OnFileDownloadedEnterpriseConnector',
'owners': ['drubery@chromium.org', 'rogerta@chromium.org', 'mad@chromium.org', 'domfc@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'service_provider': { 'type': 'string' },
'enable': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'url_list': {
'type': 'array',
'items': { 'type': 'string' },
},
'tags': {
'type': 'array',
'items': { 'type': 'string' },
}
},
}
},
'disable': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'url_list': {
'type': 'array',
'items': { 'type': 'string' },
},
'tags': {
'type': 'array',
'items': { 'type': 'string' },
}
},
},
},
'block_until_verdict': { 'type': 'integer' },
'block_password_protected': { 'type': 'boolean' },
'block_large_files': { 'type': 'boolean' },
'require_justification_tags': {
'type': 'array',
'items': { 'type': 'string' },
},
'custom_messages': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'message': { 'type': 'string' },
'learn_more_url': { 'type': 'string' },
'language': { 'type': 'string' },
'tag': { 'type': 'string' },
},
},
},
},
},
},
'example_value': [{
'service_provider': 'Google',
'enable': [
{
'url_list': ['*'],
'tags': ['malware']
},
{
'url_list': ['*.them.com', '*.others.com'],
'tags': ['dlp']
},
],
'disable': [
{
'url_list': ['*.us.com'],
'tags': ['malware']
},
],
'block_until_verdict': 1,
'block_password_protected': False,
'block_large_files': True,
'require_justification_tags': ['malware', 'dlp'],
'custom_messages': [
{
'message': 'Custom message for potential sensitive data leaks.',
'learn_more_url': 'moreinfo.example.com',
'language': 'default',
'tag': 'dlp',
},
{
'message': 'Custom message for potential malware file transfer.',
'learn_more_url': 'moreinfo.example.com/en',
'language': 'en-US',
'tag': 'malware',
},
{
'message': 'Message pour le transfert de logiciel malveillant.',
'learn_more_url': 'moreinfo.example.com/fr',
'language': 'fr-CA',
'tag': 'malware',
},
],
}],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'cloud_only': True,
},
'id': 696,
'supported_on': ['chrome.*:84-', 'chrome_os:84-'],
'future': True,
'caption': '''Configuration policy for the OnFileDownloaded Chrome Enterprise Connector''',
'tags': [],
'desc': '''List of Chrome Enterprise Connectors services settings to be applied to the <ph name="ON_FILE_DOWNLOADED_ENTERPRISE_CONNECTOR">OnFileDownloaded</ph> Enterprise Connector, which triggers when a file is downloaded in Chrome.
The <ph name="ENTERPRISE_CONNECTOR_URL_LIST_FIELD">url_list</ph>, <ph name="ENTERPRISE_CONNECTOR_TAGS_FIELD">tags</ph>, <ph name="ENTERPRISE_CONNECTOR_ENABLE_FIELD">enable</ph> and <ph name="ENTERPRISE_CONNECTOR_DISABLE_FIELD">disable</ph> fields are used to determine if the connector should send a file for analysis when it is downloaded from a specific page and what tags to include in the analysis request for that file. A tag corresponding to an 'enable' pattern will be included in the analysis request if the page URL matches a pattern associated to that tag as long as no 'disable' pattern with that same tag matches the page URL. The analysis occurs if at least 1 tag is to be included in the request.
The <ph name="ENTERPRISE_CONNECTOR_SERVICE_PROVIDER_FIELD">service_provider</ph> field identifies which analysis service provider the settings correspond to.
The <ph name="ENTERPRISE_CONNECTOR_BLOCK_UNTIL_VERDICT_FIELD">block_until_verdict</ph> field being set to 1 means Chrome will wait to get a response from the analysis service before giving the user access to the downloaded file. Any other integer value means Chrome gives the user access to the file immediately.
The <ph name="ENTERPRISE_CONNECTOR_BLOCK_PASSWORD_PROTECTED_FIELD">block_password_protected</ph> field controls whether Chrome blocks or allows files that are password protected.
The <ph name="ENTERPRISE_CONNECTOR_BLOCK_LARGE_FILES_FIELD">block_large_files</ph> fields controls whether Chrome blocks or allows files that are too large to be analyzed (50+ MB).
The <ph name="ENTERPRISE_CONNECTOR_REQUIRE_JUSTIFICATION_TAGS_FIELD">require_justification_tags</ph> field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
The <ph name="ENTERPRISE_CONNECTOR_CUSTOM_MESSAGES_FIELD">custom_messages</ph>, <ph name="ENTERPRISE_CONNECTOR_MESSAGE_FIELD">message</ph>, <ph name="ENTERPRISE_CONNECTOR_LEARN_MORE_URL_FIELD">learn_more_url</ph>, <ph name="ENTERPRISE_CONNECTOR_LANGUAGE_FIELD">language</ph> and <ph name="ENTERPRISE_CONNECTOR_TAG_FIELD">tag</ph> fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
This policy can only be set from the Google Admin console.'''
},
{
'name': 'OnFileAttachedEnterpriseConnector',
'owners': ['rogerta@chromium.org', 'mad@chromium.org', 'domfc@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'service_provider': { 'type': 'string' },
'enable': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'url_list': {
'type': 'array',
'items': { 'type': 'string' },
},
'tags': {
'type': 'array',
'items': { 'type': 'string' },
}
},
}
},
'disable': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'url_list': {
'type': 'array',
'items': { 'type': 'string' },
},
'tags': {
'type': 'array',
'items': { 'type': 'string' },
}
},
},
},
'block_until_verdict': { 'type': 'integer' },
'block_password_protected': { 'type': 'boolean' },
'block_large_files': { 'type': 'boolean' },
'require_justification_tags': {
'type': 'array',
'items': { 'type': 'string' },
},
'custom_messages': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'message': { 'type': 'string' },
'learn_more_url': { 'type': 'string' },
'language': { 'type': 'string' },
'tag': { 'type': 'string' },
},
},
},
},
},
},
'example_value': [{
'service_provider': 'Google',
'enable': [
{
'url_list': ['*'],
'tags': ['malware']
},
{
'url_list': ['*.them.com', '*.others.com'],
'tags': ['dlp']
},
],
'disable': [
{
'url_list': ['*.us.com'],
'tags': ['malware']
},
],
'block_until_verdict': 0,
'block_password_protected': True,
'block_large_files': False,
'require_justification_tags': ['malware', 'dlp'],
'custom_messages': [
{
'message': 'Custom message for potential sensitive data leaks.',
'learn_more_url': 'moreinfo.example.com',
'language': 'default',
'tag': 'dlp',
},
{
'message': 'Custom message for potential malware file transfer.',
'learn_more_url': 'moreinfo.example.com/en',
'language': 'en-US',
'tag': 'malware',
},
{
'message': 'Message pour le transfert de logiciel malveillant.',
'learn_more_url': 'moreinfo.example.com/fr',
'language': 'fr-CA',
'tag': 'malware',
},
],
}],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'cloud_only': True,
},
'id': 693,
'supported_on': ['chrome.*:84-', 'chrome_os:84-'],
'future': True,
'caption': '''Configuration policy for the OnFileAttached Chrome Enterprise Connector''',
'tags': [],
'desc': '''List of Chrome Enterprise Connectors services settings to be applied to the <ph name="ON_FILE_ATTACHED_ENTERPRISE_CONNECTOR">OnFileAttached</ph> Enterprise Connector, which triggers when a file is attached to Chrome.
The <ph name="ENTERPRISE_CONNECTOR_URL_LIST_FIELD">url_list</ph>, <ph name="ENTERPRISE_CONNECTOR_TAGS_FIELD">tags</ph>, <ph name="ENTERPRISE_CONNECTOR_ENABLE_FIELD">enable</ph> and <ph name="ENTERPRISE_CONNECTOR_DISABLE_FIELD">disable</ph> fields are used to determine if the connector should send a file for analysis when it is attached to a specific page and what tags to include in the analysis request for that file. A tag corresponding to an 'enable' pattern will be included in the analysis request if the page URL matches a pattern associated to that tag as long as no 'disable' pattern with that same tag matches the page URL. The analysis occurs if at least 1 tag is to be included in the request.
The <ph name="ENTERPRISE_CONNECTOR_SERVICE_PROVIDER_FIELD">service_provider</ph> field identifies which analysis service provider the settings correspond to.
The <ph name="ENTERPRISE_CONNECTOR_BLOCK_UNTIL_VERDICT_FIELD">block_until_verdict</ph> field being set to 1 means Chrome will wait to get a response from the analysis service before giving the page access to the file. Any other integer value means Chrome gives the page access to the file immediately.
The <ph name="ENTERPRISE_CONNECTOR_BLOCK_PASSWORD_PROTECTED_FIELD">block_password_protected</ph> field controls whether Chrome blocks or allows files that are password protected.
The <ph name="ENTERPRISE_CONNECTOR_BLOCK_LARGE_FILES_FIELD">block_large_files</ph> fields controls whether Chrome blocks or allows files that are too large to be analyzed (50+ MB).
The <ph name="ENTERPRISE_CONNECTOR_REQUIRE_JUSTIFICATION_TAGS_FIELD">require_justification_tags</ph> field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
The <ph name="ENTERPRISE_CONNECTOR_CUSTOM_MESSAGES_FIELD">custom_messages</ph>, <ph name="ENTERPRISE_CONNECTOR_MESSAGE_FIELD">message</ph>, <ph name="ENTERPRISE_CONNECTOR_LEARN_MORE_URL_FIELD">learn_more_url</ph>, <ph name="ENTERPRISE_CONNECTOR_LANGUAGE_FIELD">language</ph> and <ph name="ENTERPRISE_CONNECTOR_TAG_FIELD">tag</ph> fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
This policy can only be set from the Google Admin console.'''
},
{
'name': 'OnBulkDataEntryEnterpriseConnector',
'owners': ['rogerta@chromium.org', 'mad@chromium.org', 'domfc@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'service_provider': { 'type': 'string' },
'enable': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'url_list': {
'type': 'array',
'items': { 'type': 'string' },
},
'tags': {
'type': 'array',
'items': { 'type': 'string' },
}
},
}
},
'disable': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'url_list': {
'type': 'array',
'items': { 'type': 'string' },
},
'tags': {
'type': 'array',
'items': { 'type': 'string' },
}
},
},
},
'block_until_verdict': { 'type': 'integer' },
'minimum_data_size': { 'type': 'integer', 'minimum': 0 },
'require_justification_tags': {
'type': 'array',
'items': { 'type': 'string' },
},
'custom_messages': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'message': { 'type': 'string' },
'learn_more_url': { 'type': 'string' },
'language': { 'type': 'string' },
'tag': { 'type': 'string' },
},
},
},
},
},
},
'example_value': [{
'service_provider': 'Google',
'enable': [
{
'url_list': ['*'],
'tags': ['malware']
},
{
'url_list': ['*.them.com', '*.others.com'],
'tags': ['dlp']
},
],
'disable': [
{
'url_list': ['*.us.com'],
'tags': ['malware']
},
],
'block_until_verdict': 0,
'minimum_data_size': 100,
'require_justification_tags': ['malware', 'dlp'],
'custom_messages': [
{
'message': 'Custom message for potential sensitive data leaks.',
'learn_more_url': 'moreinfo.example.com',
'language': 'default',
'tag': 'dlp',
},
{
'message': 'Custom message for potential malware file transfer.',
'learn_more_url': 'moreinfo.example.com/en',
'language': 'en-US',
'tag': 'malware',
},
{
'message': 'Message pour le transfert de logiciel malveillant.',
'learn_more_url': 'moreinfo.example.com/fr',
'language': 'fr-CA',
'tag': 'malware',
},
],
}],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'cloud_only': True,
},
'id': 697,
'supported_on': ['chrome.*:84-', 'chrome_os:84-'],
'future': True,
'caption': '''Configuration policy for the OnBulkDataEntry Chrome Enterprise Connector''',
'tags': [],
'desc': '''List of Chrome Enterprise Connectors services settings to be applied to the <ph name="ON_BULK_DATA_ENTRY_ENTERPRISE_CONNECTOR">OnBulkDataEntry</ph> Enterprise Connector, which triggers when data is entered in Chrome from the clipboard or by drag and dropping web content.
The <ph name="ENTERPRISE_CONNECTOR_URL_LIST_FIELD">url_list</ph>, <ph name="ENTERPRISE_CONNECTOR_TAGS_FIELD">tags</ph>, <ph name="ENTERPRISE_CONNECTOR_ENABLE_FIELD">enable</ph> and <ph name="ENTERPRISE_CONNECTOR_DISABLE_FIELD">disable</ph> fields are used to determine if the connector should send data for analysis when it is entered in a specific page and what tags to include in the analysis request for that data. A tag corresponding to an 'enable' pattern will be included in the analysis request if the page URL matches a pattern associated to that tag as long as no 'disable' pattern with that same tag matches the page URL. The analysis occurs if at least 1 tag is to be included in the request.
The <ph name="ENTERPRISE_CONNECTOR_SERVICE_PROVIDER_FIELD">service_provider</ph> field identifies which analysis service provider the settings correspond to.
The <ph name="ENTERPRISE_CONNECTOR_BLOCK_UNTIL_VERDICT_FIELD">block_until_verdict</ph> field being set to 1 means Chrome will wait to get a response from the analysis service before giving the page access to the data. Any other integer value means Chrome gives the page access to the data immediately.
The <ph name="ENTERPRISE_CONNECTOR_MINIMUM_DATA_SIZE">minimum_data_size</ph> field indicates the minimum size (in bytes) data entered in Chrome must equal or surpass to be scanned. The default value is 100 bytes if the field is unset.
The <ph name="ENTERPRISE_CONNECTOR_REQUIRE_JUSTIFICATION_TAGS_FIELD">require_justification_tags</ph> field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
The <ph name="ENTERPRISE_CONNECTOR_CUSTOM_MESSAGES_FIELD">custom_messages</ph>, <ph name="ENTERPRISE_CONNECTOR_MESSAGE_FIELD">message</ph>, <ph name="ENTERPRISE_CONNECTOR_LEARN_MORE_URL_FIELD">learn_more_url</ph>, <ph name="ENTERPRISE_CONNECTOR_LANGUAGE_FIELD">language</ph> and <ph name="ENTERPRISE_CONNECTOR_TAG_FIELD">tag</ph> fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
This policy can only be set from the Google Admin console.'''
},
{
'name': 'OnSecurityEventEnterpriseConnector',
'owners': ['rogerta@chromium.org', 'mad@chromium.org', 'domfc@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'service_provider': { 'type': 'string' },
},
},
},
'example_value': [{
'service_provider': 'Google',
}],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'cloud_only': True,
},
'id': 699,
'supported_on': ['chrome.*:84-', 'chrome_os:84-'],
'future': True,
'caption': '''Configuration policy for the OnSecurityEvent Chrome Enterprise Connector''',
'tags': [],
'desc': '''List of Chrome Enterprise Connectors services settings to be applied to the <ph name="ON_SECURITY_EVENT_ENTERPRISE_CONNECTOR">OnSecurityEvent</ph> Enterprise Connector, which triggers when a security event occurs in Chrome. This includes negative verdicts from analysis Enterprise Connectors, password reuse, navigations to unsafe pages and other security sensitive user actions.
The <ph name="ENTERPRISE_CONNECTOR_SERVICE_PROVIDER_FIELD">service_provider</ph> field identifies which reporting service provider the settings correspond to.
This policy can only be set from the Google Admin console.'''
},
{
'name': 'EnterpriseRealTimeUrlCheckMode',
'owners': ['xinghuilu@chromium.org', 'file://components/safe_browsing/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'Disabled',
'value': 0,
'caption': '''Real time URL check is disabled.''',
},
{
'name': 'Enabled',
'value': 1,
'caption': '''Real time check for main frame URLs is enabled.''',
},
],
'supported_on': [
'chrome.*:86-',
'chrome_os:86-'
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'cloud_only': True,
},
'default': 0,
'example_value': 1,
'id': 728,
'caption': '''Check Safe Browsing status of URLs in real time''',
'tags': [],
'desc': '''This policy controls checking URLs in real time to identify unsafe URLs.
If this policy is left not set or set to Disabled’, the consumer Safe Browsing checks will be applied. Consumer Safe Browsing checks can still include real time lookups, depending on the value of the Make searches and browsing better setting and the value of the UrlKeyedAnonymizedDataCollectionEnabled policy.
If this policy is set to Enabled’, URLs will be sent to be scanned in real time under enterprise ToS. It will result in Chrome sending URLs to Google Cloud or third parties of your choosing to check them in real time. The consumer version of Safe Browsing real time lookup will be switched off.
This policy can only be set from the Google Admin console.''',
},
{
'name': 'RendererCodeIntegrityEnabled',
'owners': ['wfh@chromium.org', 'adetaylor@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:78-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 598,
'caption': '''Enable Renderer Code Integrity''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled or leaving it unset turns Renderer Code Integrity on.
Setting the policy to Disabled has a detrimental effect on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s security and stability as unknown and potentially hostile code can load inside <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s renderer processes. Only turn off the policy if there are compatibility issues with third-party software that must run inside <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s renderer processes.
Note: Read more about Process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md#Process-mitigation-policies ).''',
},
{
'name': 'HSTSPolicyBypassList',
'owners': ['nharper@chromium.org', 'rsleevi@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'pattern': '^[a-z0-9-]*$',
},
},
'supported_on': ['chrome.*:78-','android:78-','chrome_os:78-'],
'features': {
'per_profile': True,
'dynamic_refresh': False,
},
'example_value': ['meet'],
'id': 601,
'caption': '''List of names that will bypass the HSTS policy check''',
'tags': ['system-security'],
'desc': '''Setting the policy specifies a list of hostnames that are exempt from the HSTS policy check that could upgrade requests from http to https. Only single-label hostnames are allowed in this policy. Hostnames must be canonicalized: Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the specific hostnames specified, not to subdomains of those names.''',
},
{
'name': 'AllowSyncXHRInPageDismissal',
'owners': ['kdillon@chromium.org, panicker@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:78-', 'chrome_os:78-', 'android:78-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'default_for_enterprise_users': True,
'example_value': False,
'id': 604,
'caption': '''Allows a page to perform synchronous XHR requests during page dismissal.''',
'tags': [],
'desc': '''This policy allows an admin to specify that a page may send synchronous XHR requests during page dismissal.
When the policy is set to enabled, pages are allowed to send synchronous XHR requests during page dismissal.
When the policy is set to disabled or not set, pages are not allowed to send synchronous XHR requests during page dismissal.
This policy will be removed in Chrome 88.
See https://www.chromestatus.com/feature/4664843055398912 .''',
},
{
'name': 'TotalMemoryLimitMb',
'owners': ['catan-team@chromium.org'],
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 1024,
},
'supported_on': ['chrome.win:79-', 'chrome.mac:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 2048,
'id': 616,
'caption': '''Set limit on megabytes of memory a single Chrome instance can use.''',
'tags': [],
'desc': '''Configures the amount of memory that a single <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> instance can use before tabs start being discarded (I.E. the memory used by the tab will be freed and the tab will have to be reloaded when switched to) to save memory.
If the policy is set, browser will begin to discard tabs to save memory once the limitation is exceeded. However, there is no guarantee that the browser is always running under the limit. Any value under 1024 will be rounded up to 1024.
If this policy is not set, the browser will only begin attempts to save memory once it has detected that the amount of physical memory on its machine is low.''',
'label': '''Set memory limit for Chrome instances''',
},
{
'id': 626,
'name': 'TLS13HardeningForLocalAnchorsEnabled',
'owners': ['file://net/ssl/OWNERS'],
'type': 'main',
'schema': {
'type': 'boolean',
},
'example_value': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'supported_on': ['chrome.*:79-85', 'chrome_os:79-85', 'android:79-85'],
'deprecated': True,
'caption': '''Enable a TLS 1.3 security feature for local trust anchors.''',
'tags': ['system-security'],
'desc': '''This policy controls a security feature in TLS 1.3 which protects connections against downgrade attacks. It is backwards-compatible and will not affect connections to compliant TLS 1.2 servers or proxies. However, older versions of some TLS-intercepting proxies have an implementation flaw which causes them to be incompatible.
If this policy is set to True or not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will enable these security protections for all connections.
If this policy is set to False, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will disable these security protections for connections authenticated with locally-installed CA certificates. These protections are always enabled for connections authenticated with publicly-trusted CA certificates.
The default value for this policy was changed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 81 from false to true. Affected proxies are expected to fail connections with an error code of ERR_TLS13_DOWNGRADE_DETECTED. Administrators who need more time to upgrade affected proxies may use this policy to temporarily disable this security feature. This policy was removed in version 86.
'''
},
{
'name': 'AudioSandboxEnabled',
'owners': ['file://services/audio/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:79-', 'chrome.linux:79-', 'chrome.mac:79-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 627,
'caption': '''Allow the audio sandbox to run''',
'tags': ['system-security'],
'desc': '''This policy controls the audio process sandbox.
If this policy is enabled, the audio process will run sandboxed.
If this policy is disabled, the audio process will run unsandboxed and the WebRTC audio-processing module will run in the renderer process.
This leaves users open to security risks related to running the audio subsystem unsandboxed.
If this policy is not set, the default configuration for the audio sandbox will be used, which may differ per platform.
This policy is intended to give enterprises flexibility to disable the audio sandbox if they use security software setups that interfere with the sandbox.'''
},
{
'name': 'CorsMitigationList',
'owners': ['toyoshim@chromium.org', 'yhirano@chromium.org', 'kinuko@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:79-83', 'chrome_os:79-83'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['x-googapps-allowed-domains', 'youtube-restrict'],
'id': 629,
'caption': '''Enable <ph name="CORS">CORS</ph> check mitigations in the new <ph name="CORS">CORS</ph> implementation''',
'tags': [],
'desc': '''Enable <ph name="CORS">CORS</ph> check mitigations in the new <ph name="CORS">CORS</ph> implementation, allowing Extensions to keep compatible behavior, and allowing <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to send specified headers without <ph name="CORS">CORS</ph> checks.
If this list is set to empty, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> tries to run Extensions in compatible manners, and does not introduce <ph name="API">API</ph> changes for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 79 as explained at <ph name="WEB_REQUEST_API_MANUAL">https://developer.chrome.com/extensions/webRequest</ph>.
If this list is set to have <ph name="HTTP">HTTP</ph> request header names, <ph name="CORS">CORS</ph> inspection will ignore the listed headers in addition to enable the mitigation for Extensions.
If this list is not set, both mitigations explained above are not applied.
For details on <ph name="CORS">CORS</ph>, visit: <ph name="CORS_HELP_URL">https://www.chromestatus.com/feature/5768642492891136</ph>.
Note that this policy was announced to be removed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 82, but removed in version 84.'''
},
{
'name': 'CorsLegacyModeEnabled',
'owners': ['toyoshim@chromium.org', 'yhirano@chromium.org', 'kinuko@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:79-83', 'chrome_os:79-83'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 630,
'caption': '''Use the legacy <ph name="CORS">CORS</ph> implementation rather than new <ph name="CORS">CORS</ph>''',
'tags': [],
'desc': '''Use the legacy <ph name="CORS">CORS</ph> implementation rather than new <ph name="CORS">CORS</ph>.
If this setting is set to True, the legacy implementation is used that should be compatible with previous versions.
If this setting is set to False, or is not set, the new implementation is used that might cause enterprise specific compatibility issues potentially.
This policy will be removed after a couple of milestones.
For details on <ph name="CORS">CORS</ph>, visit: <ph name="CORS_HELP_URL">https://www.chromestatus.com/feature/5768642492891136</ph>.
Note that this policy was announced to be removed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 82, but removed in version 84.'''
},
{
'name': 'ExternalPrintServersWhitelist',
'owners': ['file://chromeos/printing/OWNERS'],
'supported_on': ['chrome_os:79-'],
'id': 631,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'deprecated': True,
'example_value': ["id1", "id2", "id3"],
'caption': '''Enabled external print servers''',
'tags': [],
'desc': '''Specifies the subset of print servers that will be queried for server printers.
If this policy is used, only the server printers with ids matching the values in this policy are available to the user.
The ids must correspond to the "id" field in the file specified in <ph name="EXTERNAL_PRINT_SERVERS_POLICY">ExternalPrintServers</ph>.
If this policy is not set, filtering is omitted and all print servers are taken into account.
This policy is deprecated, please use <ph name="EXTERNAL_PRINT_SERVERS_ALLOWLIST">ExternalPrintServersAllowlist</ph> instead.'''
},
{
'name': 'ExternalPrintServersAllowlist',
'owners': ['file://chromeos/printing/OWNERS'],
'supported_on': ['chrome_os:86-'],
'id': 750,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'example_value': ["id1", "id2", "id3"],
'caption': '''Enabled external print servers''',
'tags': [],
'desc': '''Specifies the subset of print servers that will be queried for server printers.
If this policy is used, only the server printers with ids matching the values in this policy are available to the user.
The ids must correspond to the "id" field in the file specified in <ph name="EXTERNAL_PRINT_SERVERS_POLICY">ExternalPrintServers</ph>.
If this policy is not set, filtering is omitted and all print servers are taken into account.'''
},
{
'name': 'DeviceExternalPrintServersAllowlist',
'owners': ['mattme@google.com', 'file://chromeos/printing/OWNERS'],
'future_on': ['chrome_os'],
# TODO(https://crbug.com/1100777): Remove |future|.
'id': 731,
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'example_value': ["id1", "id2", "id3"],
'caption': '''Enabled external print servers''',
'tags': [],
'desc': '''Specifies the subset of print servers that will be queried for server printers. This applies only to the <ph name="DEVICE_EXTERNAL_PRINT_SERVERS_POLICY">DeviceExternalPrintServers</ph> policy.
If this policy is used, only the server printers with ids matching the values in this policy are available to the user through device policy.
The ids must correspond to the "id" field in the file specified in <ph name="DEVICE_EXTERNAL_PRINT_SERVERS_POLICY">DeviceExternalPrintServers</ph>.
If this policy is not set, filtering is omitted and all print servers provided by <ph name="DEVICE_EXTERNAL_PRINT_SERVERS_POLICY">DeviceExternalPrintServers</ph> are taken into account.'''
},
{
'name': 'ExternalProtocolDialogShowAlwaysOpenCheckbox',
'owners': ['ydago@chromium.org', 'mkwst@chromium.org'],
'type': 'main',
'schema': {
'type': 'boolean',
},
'example_value': True,
'default': True,
'id': 632,
'supported_on': ['chrome.*:79-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Allow users to select "Always allow" when an external protocol dialog is shown to skip future confirmation prompts',
},
{
'value': False,
'caption': 'Always require users to confrim external protocol prompts',
},
],
'caption': '''Show an "Always open" checkbox in external protocol dialog.''',
'tags': [],
'desc': ''' This policy controls whether or not the "Always open" checkbox is shown on external protocol launch confirmation prompts.
If this policy is set to True or not set, when an external protocol confirmation is shown, the user can select "Always allow" to skip all future confirmation prompts for the protocol on this site.
If this policy is set to False, the "Always allow" checkbox is not displayed and the user will be prompted each time an external protocol is invoked.'''
},
{
'name': 'DefaultInsecureContentSetting',
'owners': ['carlosil@chromium.org', 'estark@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 2, 3 ],
},
'items': [
{
'name': 'BlockInsecureContent',
'value': 2,
'caption': '''Do not allow any site to load mixed content''',
},
{
'name': 'AllowExceptionsInsecureContent',
'value': 3,
'caption': '''Allow users to add exceptions to allow mixed content''',
},
],
'supported_on': ['chrome.*:79-', 'chrome_os:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'id': 633,
'caption': '''Control use of insecure content exceptions''',
'tags': [],
'desc': '''Allows you to set whether users can add exceptions to allow mixed content for specific sites.
This policy can be overridden for specific URL patterns using the 'InsecureContentAllowedForUrls' and 'InsecureContentBlockedForUrls' policies.
If this policy is left not set, users will be allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.''',
},
{
'name': 'InsecureContentAllowedForUrls',
'owners': ['carlosil@chromium.org', 'estark@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:79-', 'chrome_os:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 634,
'caption': '''Allow insecure content on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites) and for which optionally blockable mixed content upgrades will be disabled.
If this policy is left not set blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, and users will be allowed to set exceptions to allow it for specific sites.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'InsecureContentBlockedForUrls',
'owners': ['carlosil@chromium.org', 'estark@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:79-', 'chrome_os:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 635,
'caption': '''Block insecure content on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites), and for which optionally blockable (i.e. passive) mixed content will be upgraded.
If this policy is left not set blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, but users will be allowed to set exceptions to allow it for specific sites.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. <ph name="WILDCARD_VALUE">*</ph> is not an accepted value for this policy.''',
},
{
'name': 'DeviceWebBasedAttestationAllowedUrls',
'owners': ['miersh@google.com', 'pmarko@chromium.org', 'file://chrome/browser/chromeos/login/OWNERS'],
'device_only': True,
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': ['https://www.example.com/', 'https://[*.]example.edu/'],
'id': 636,
'caption': '''URLs that will be granted access to perform the device attestation during SAML authentication''',
'tags': [],
'desc': '''This policy configures which URLs will be granted access to use remote attestation of device identity during the SAML flow on the sign-in screen.
Specifically, if a URL matches one of the patterns provided through this policy, it will be allowed to receive a HTTP header containing a response to a remote attestation challenge, attesting device identity and device state.
If this policy is not set or is set to an empty list, no URL is allowed to use remote attestation on the sign-in screen.
URLs must have HTTPS scheme, e.g. "https://example.com".
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.'''
},
{
'name': 'DeviceShowNumericKeyboardForPassword',
'owners': ['raleksandrov@google.com', 'file://chrome/browser/chromeos/login/OWNERS'],
'type' : 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:80-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 638,
'caption': '''Show numeric keyboard for password''',
'tags': [],
'desc': '''Setting the policy to true displays numeric keyboard by default for entering password on the login screen. Users still could switch to the normal keyboard.
If you set the policy, users can't change it. If not set or set to false, it has no effect.'''
},
{
'name': 'PerAppTimeLimits',
'owners': ['agawronska@chromium.org', 'cros-families-eng@google.com'],
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'app_limits': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'app_info': {
'type': 'object',
'properties': {
'app_id': {
'type': 'string'
},
'app_type': {
'type': 'string',
'enum': [
'ARC',
'BUILT-IN',
'EXTENSION',
'WEB',
'CROSTINI'
]
}
}
},
'restriction': {
'type': 'string',
'enum': [
'BLOCK',
'TIME_LIMIT'
]
},
'daily_limit_mins': {
'type': 'integer',
'minimum': 0,
'maximum': 1440,
},
'last_updated_millis': {
'type': 'string',
'description': '''UTC timestamp for the last time this entry was updated. Sent as a string because the timestamp would not fit in an integer''',
}
}
}
},
'reset_at': {
'type': 'object',
'description' : '''The time of the day in local time when usage quota is renewed.''',
'properties': {
'hour': {
'type': 'integer',
'minimum': 0,
'maximum': 23
},
'minute': {
'type': 'integer',
'minimum': 0,
'maximum': 59
}
}
},
'activity_reporting_enabled' : {
'type': 'boolean',
'description': '''The value of app activity collection toggle. If set to true user app activity will be reported to the server with purpose of being displayed in child and parent <ph name="PRODUCT_NAME">$1<ex>Family Link</ex></ph> app. If set to false Per-app time limits feature will still work, but no data will be reported to the server and therefore displayed in <ph name="PRODUCT_NAME">$1<ex>Family Link</ex></ph>.'''
},
}
},
'supported_on': ['chrome_os: 80-'],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': {
'app_limits': [
{
'app_info': {
'app_id': 'com.example.myapp',
'app_type': 'ARC'
},
'restriction': 'TIME_LIMIT',
'daily_limit_mins': 30,
'last_updated_millis': '1570223060437'
},
{
'app_info': {
'app_id': 'pjkljhegncpnkpknbcohdijeoejaedia',
'app_type': 'EXTENSION'
},
'restriction': 'TIME_LIMIT',
'daily_limit_mins': 10,
'last_updated_millis': '1570223000000'
},
{
'app_info': {
'app_id': 'iniodglblcgmngkgdipeiclkdjjpnlbn',
'app_type': 'BUILT-IN'
},
'restriction': 'BLOCK',
'last_updated_millis': '1570223000000'
}
],
'reset_at': {
'hour': 6,
'minute': 0
},
'activity_reporting_enabled': False
},
'id': 641,
'caption': '''Per-App Time Limits''',
'tags': [],
'desc': '''Allows to set per-app usage restrictions.
Usage restrictions can be applied to the apps installed on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> for the given user.
Restrictions should be passed in |app_limits| list. Only one entry per-app is allowed. Apps not included in the list have no restrictions.
It is not possible to block apps that are essential for the operating system, the restrictions for such apps will be ignored.
App is uniquely identified by |app_id|. Since different types of apps can use different id format |app_type| needs to be specified next to |app_id|.
Per-App Time Limits only support |ARC| apps currently. Android package name is used as |app_id|.
Support for other types of applications will be added in the future, for now they can be specified in the policy, but the restrictions will take no effect.
There are two types of available restrictions: |BLOCK| and |TIME_LIMIT|.
|BLOCK| makes app unavailable for the user. If |daily_limit_mins| is specified with |BLOCK| restriction |daily_limit_mins| will be ignored.
|TIME_LIMITS| applies daily usage limit and makes app unavailable after the limit is reached on the given day. Usage limit is specified in |daily_limit_mins|. Usage limit is reset daily at the UTC time passed in |reset_at|.
This policy is only used for child users.
This policy is complementary to 'UsageTimeLimit'. Restrictions specified in 'UsageTimeLimit' like screen time and bedtime will be enforced regardless of 'PerAppTimeLimits'.'''
},
{
'name': 'WebComponentsV0Enabled',
'owners': ['masonfreed@chromium.org', 'chrishtr@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'example_value': True,
'id': 644,
'supported_on': ['chrome.*:80-84', 'chrome_os:80-84', 'android:80-84', 'webview_android:80-84'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'caption': '''Re-enable Web Components v0 API until M84.''',
'tags': [],
'desc': ''' The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were deprecated in 2018, and have been disabled by default starting in M80. This policy allows these features to be selectively re-enabled until M84.
If this policy is set to True, the Web Components v0 features will be enabled for all sites.
If this policy is set to False or not set, the Web Components v0 features will be disabled by default, starting in M80.
This policy will be removed after Chrome 84.'''
},
{
'name': 'UseLegacyFormControls',
'owners': ['masonfreed@chromium.org', 'chrishtr@chromium.org', 'hwi@chromium.org', 'nsull@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'example_value': True,
'id': 683,
'supported_on': ['chrome.*:81-84', 'chrome_os:81-84', 'android:81-84', 'webview_android:81-84'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'caption': '''Use Legacy Form Controls until M84.''',
'tags': [],
'desc': ''' Starting in M81, the standard form control elements (e.g. &lt;select&gt;, &lt;button&gt;, &lt;input type=date&gt;) were given a refreshed look and feel, with improved accessibility and better platform uniformity. This policy restores the old "legacy" form control elements until M84.
If this policy is set to True, the "legacy" form control elements will be used for all sites.
If this policy is set to False or not set, the form control elements will be enabled as they are launched in M81, M82, and M83.
This policy will be removed after Chrome 84.'''
},
{
'name': 'ClickToCallEnabled',
'owners': ['knollr@chromium.org', 'mvanouwerkerk@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:79-', 'chrome_os:79-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 645,
'caption': '''Enable the Click to Call Feature''',
'tags': [],
'desc': '''Enable the Click to Call feature which allows users to send phone numbers from Chrome Desktops to an Android device when the user is Signed-in. For more information, see help center article: https://support.google.com/chrome/answer/9430554?hl=en.
If this policy is set to enabled, the capability of sending phone numbers to Android devices will be enabled for the Chrome user.
If this policy is set to disabled, the capability of sending phone numbers to Android devices will be disabled for the Chrome user.
If you set this policy, users cannot change or override it.
If this policy is left unset, the Click to Call feature is enabled by default.''',
},
{
'name': 'UserDataSnapshotRetentionLimit',
'owners': ['ydago@chromium.org', 'grt@chromium.org'],
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 0 },
'supported_on': ['chrome.*:83-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'default': 3,
'example_value': 3,
'id': 673,
'caption': '''Limits the number of user data snapshots retained for use in case of emergency rollback.''',
'tags': [],
'desc': '''Following each major version update, Chrome will create a snapshot of certain portions of the user's browsing data for use in case of a later emergency version rollback. If an emergency rollback is performed to a version for which a user has a corresponding snapshot, the data in the snapshot is restored. This allows users to retain such settings as bookmarks and autofill data.
If this policy is not set, the default value of 3 is used
If the policy is set, old snapshots are deleted as needed to respect the limit. If the policy is set to 0, no snapshots will be taken'''
},
{
'name': 'PrinterTypeDenyList',
'owners': ['file://printing/OWNERS'],
'type': 'string-enum-list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'privet',
'extension',
'pdf',
'local',
'cloud',
],
},
},
'items': [
{
'name': 'privet',
'value': 'privet',
'caption': '''Zeroconf-based (mDNS + DNS-SD) protocol destinations''',
},
{
'name': 'extension',
'value': 'extension',
'caption': '''Extension-based destinations''',
},
{
'name': 'pdf',
'value': 'pdf',
'caption': '''The 'Save as PDF' destination''',
},
{
'name': 'local',
'value': 'local',
'caption': '''Local printer destinations''',
},
{
'name': 'cloud',
'value': 'cloud',
'caption': '''<ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> and 'Save to Google Drive' destinations''',
},
],
'supported_on': ['chrome_os:80-', 'chrome.*:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['cloud', 'privet'],
'id': 647,
'caption': '''Disable printer types on the deny list''',
'tags': [],
'desc': '''The printers of types placed on the deny list will be disabled from being discovered or having their capabilities fetched.
Placing all printer types on the deny list effectively disables printing, as there would be no available destinations to send a document for printing.
Including <ph name="POLICY_ENUM_PRINTERTYPEDENYLIST_CLOUD">cloud</ph> on the deny list has the same effect as setting the <ph name="POLICY_CLOUDPRINTSUBMITENABLED">CloudPrintSubmitEnabled</ph> policy to false. In order to keep <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> destinations discoverable, the <ph name="POLICY_CLOUDPRINTSUBMITENABLED">CloudPrintSubmitEnabled</ph> policy must be set to true and <ph name="POLICY_ENUM_PRINTERTYPEDENYLIST_CLOUD">cloud</ph> must not be on the deny list.
If the policy is not set, or is set to an empty list, all printer types will be available for discovery.
Extension printers are also known as print provider destinations, and include any destination that belongs to a <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> extension.
Local printers are also known as native printing destinations, and include destinations available to the local machine and shared network printers.'''
},
{
'name': 'PrintRasterizationMode',
'owners': ['thestig@chromium.org', 'file://printing/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'Full',
'value': 0,
'caption': '''Full''',
},
{
'name': 'Fast',
'value': 1,
'caption': '''Fast''',
},
],
'supported_on': ['chrome.win:84-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'default': 0,
'id': 706,
'caption': '''Print Rasterization Mode''',
'tags': [],
'desc': '''Controls how <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> prints on Windows.
When printing to a non-PostScript printer on Windows, sometimes print jobs need to be rasterized to print correctly.
When this policy is set to Full, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will do full page rasterization if necessary.
When this policy is set to Fast, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will avoid rasterization if possible, reducing the amount of rasterization can help reduce print job sizes and increase printing speed.
When this policy is not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will be in Full mode.'''
},
{
'name': 'DeletePrintJobHistoryAllowed',
'owners': ['jimmyxgong@chromium.org', 'file://printing/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'default': True,
'example_value': False,
'id': 720,
'caption': '''Allow print job history to be deleted''',
'tags': [],
'desc': '''Controls whether print job history can be deleted.
Locally stored print jobs can be deleted through the print management app or through deleting the users's browser history.
When this policy is enabled or unset, the user will be able to delete their print job history through the print mangement app or through deleting their browser history.
When this policy is disabled, the user will not be able to delete their print job history through the print management app or through deleting their browser history.'''
},
{
'name': 'AmbientAuthenticationInPrivateModesEnabled',
'owners': ['rhalavati@chromium.org', 'roagarwal@chromium.org', 'chrome-privacy-core@google.com'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [0,1,2,3],
},
'items': [
{
'name': 'RegularOnly',
'value': 0,
'caption': '''Enable ambient authentication in regular sessions only.''',
},
{
'name': 'IncognitoAndRegular',
'value': 1,
'caption': '''Enable ambient authentication in incognito and regular sessions.''',
},
{
'name': 'GuestAndRegular',
'value': 2,
'caption': '''Enable ambient authentication in guest and regular sessions.''',
},
{
'name': 'All',
'value': 3,
'caption': '''Enable ambient authentication in regular, incognito and guest sessions.''',
},
],
'supported_on': ['chrome.*:80-', 'chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 0,
'id': 650,
'caption': '''Enable Ambient Authentication for profile types.''',
'tags': [],
'desc': '''Configuring this policy will allow/disallow ambient authentication for Incognito and Guest profiles in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Ambient Authentication is http authentication with default credentials if explicit credentials are not provided via NTLM/Kerberos/Negotiate challenge/response schemes.
Setting the <ph name="REGULAR_ONLY_OPTION_NAME">RegularOnly</ph> (value 0), allows ambient authentication for Regular sessions only. Incognito and Guest sessions wouldn't be allowed to ambiently authenticate.
Setting the <ph name="INCOGNITO_AND_REGULAR_OPTION_NAME">IncognitoAndRegular</ph> (value 1), allows ambient authentication for Incognito and Regular sessions. Guest sessions wouldn't be allowed to ambiently authenticate.
Setting the <ph name="GUEST_AND_REGULAR_OPTION_NAME">GuestAndRegular</ph> (value 2), allows ambient authentication for Guest and Regular sessions. Incognito sessions wouldn't be allowed to ambiently authenticate.
Setting the <ph name="ALL_OPTION_NAME">All</ph> (value 3), allows ambient authentication for all sessions.
Note that, ambient authentication is always allowed on regular profiles.
In <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 81 and later, if the policy is left not set, ambient authentication will be enabled in regular sessions only.'''
},
{
'name': 'PaymentMethodQueryEnabled',
'owners': ['file://components/payments/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-', 'chrome_os:80-', 'android:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 651,
'caption': '''Allow websites to query for available payment methods.''',
'tags': [],
'desc': '''Allows you to set whether websites are allowed to check if the user has payment methods saved.
If this policy is set to disabled, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.
If the setting is enabled or not set then websites are allowed to check if the user has payment methods saved.'''
},
{
'name': 'StricterMixedContentTreatmentEnabled',
'owners': ['carlosil@chromium.org', 'estark@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-', 'chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 652,
'caption': '''Enable stricter treatment for mixed content''',
'tags': [],
'desc': '''This policy has been removed as of M85, please use <ph name="POLICY_NAME">InsecureContentAllowedForUrls</ph> to allow insecure content on a per-site basis instead.
This policy controls the treatment for mixed content (HTTP content in HTTPS sites) in the browser.
If the policy is set to true or unset, audio and video mixed content will be autoupgraded to HTTPS (i.e. the URL will be rewritten as HTTPS, without a fallback if the resource is not available over HTTPS) and a 'Not Secure' warning will be shown in the URL bar for image mixed content.
If the policy is set to false, autoupgrades will be disabled for audio and video, and no warning will be shown for images.
This policy does not affect other types of mixed content other than audio, video, and images.
This policy will no longer take effect starting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 84.''',
},
{
'name': 'PerAppTimeLimitsWhitelist',
'owners': ['yilkal@chromium.org', 'cros-families-eng@google.com'],
'id': 658,
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'deprecated': True,
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'url_list': {
'type': 'array',
'items': {
'type': 'string',
}
},
'app_list': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'app_id': {
'type': 'string'
},
'app_type': {
'type': 'string',
'enum': [
'ARC',
'BUILT-IN',
'EXTENSION',
'WEB',
'CROSTINI'
],
}
},
}
}
}
},
'example_value': {
'url_list': [
"chrome://*",
"file://*",
"https://www.support.google.com",
"https://www.policies.google.com"
],
'app_list': [
{
'app_id': 'pjkljhegncpnkpknbcohdijeoejaedia',
'app_type': 'EXTENSION'
},
{
'app_id': 'iniodglblcgmngkgdipeiclkdjjpnlbn',
'app_type': 'BUILT-IN'
}
]
},
'caption': '''Per-App Time Limits Whitelist''',
'tags': [],
'supported_on': ['chrome_os: 80-'],
'desc': '''This policy specifies which applications and URLs should be whitelisted for per-app usage restrictions.
The configured whitelist are applied to the apps installed on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> for the given user with per-app time limits.
The configured whitelist can only be applied to child user accounts and take effect when <ph name="PER_APP_TIME_LIMITS_POLICY_NAME">PerAppTimeLimits</ph> policy is set.
The configured whitelist are applied to applications and URLs so that they will not be blocked by per-app time limits.
Accessing whitelisted URLs will not count towards the chrome time limit.
Add url regular expressions to |url_list| to whitelist urls that match any of the regular expressions in the list.
Add an application with its |app_id| and |app_type| to |app_list| to whitelist the application.
This policy is deprecated, please use <ph name="PER_APP_TIME_LIMITS_ALLOWLIST">PerAppTimeLimitsAllowlist</ph> instead.
'''
},
{
'name': 'PerAppTimeLimitsAllowlist',
'owners': ['yilkal@chromium.org', 'cros-families-eng@google.com'],
'id': 762,
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'url_list': {
'type': 'array',
'items': {
'type': 'string',
}
},
'app_list': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'app_id': {
'type': 'string'
},
'app_type': {
'type': 'string',
'enum': [
'ARC',
'BUILT-IN',
'EXTENSION',
'WEB',
'CROSTINI'
],
}
},
}
}
}
},
'example_value': {
'url_list': [
"chrome://*",
"file://*",
"https://www.support.google.com",
"https://www.policies.google.com"
],
'app_list': [
{
'app_id': 'pjkljhegncpnkpknbcohdijeoejaedia',
'app_type': 'EXTENSION'
},
{
'app_id': 'iniodglblcgmngkgdipeiclkdjjpnlbn',
'app_type': 'BUILT-IN'
}
]
},
'caption': '''Per-App Time Limits Allowlist''',
'tags': [],
'supported_on': ['chrome_os: 86-'],
'desc': '''This policy specifies which applications and URLs should be allowed for per-app usage restrictions.
The configured allowlist is applied to the apps installed on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> for the given user with per-app time limits.
The configured allowlist can only be applied to child user accounts and take effect when <ph name="PER_APP_TIME_LIMITS_POLICY_NAME">PerAppTimeLimits</ph> policy is set.
The configured allowlist is applied to applications and URLs so that they will not be blocked by per-app time limits.
Accessing allowed URLs will not count towards the chrome time limit.
Add url regular expressions to |url_list| to allow urls that match any of the regular expressions in the list.
Add an application with its |app_id| and |app_type| to |app_list| to allow the application.
'''
},
{
'name': 'LocalDiscoveryEnabled',
'owners': ['file://cloud_print/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:81-87', 'chrome_os:81-87'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Allow local device discover',
},
{
'value': False,
'caption': 'Prevent local device discovery',
},
],
'example_value': True,
'default': True,
'id': 662,
'caption': '''Enable <ph name="CHROME_DEVICES_LINK">chrome://devices</ph>''',
'tags': [],
'desc': '''This policy controls access to controllable features in the local discovery UI (<ph name="CHROME_DEVICES_LINK">chrome://devices</ph>) which shows discoverable devices near the user as well as cloud devices registered to them. On all operating systems except for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>, the local discovery UI also allows users to add classic printers connected to their computers to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>.
Leaving this policy unset leaves this feature Enabled.''',
},
{
'name': 'ScreenCaptureAllowed',
'owners': ['guidou@chromium.org', 'marinaciocea@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:81-', 'chrome_os:81-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'default': True,
'example_value': False,
'id': 666,
'caption': '''Allow or deny screen capture''',
'tags': [],
'desc': '''If enabled or not configured (default), a Web page can use
screen-share APIs (e.g., getDisplayMedia() or the Desktop Capture extension API)
to prompt the user to select a tab, window or desktop to capture.
When this policy is disabled, any calls to screen-share APIs will fail
with an error.''',
},
{
'name': 'AdvancedProtectionDeepScanningEnabled',
'owners': ['file://chrome/browser/safe_browsing/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:81-81'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 667,
'caption': '''Enable sending downloads to Google for deep scanning for users enrolled in the Advanced Protection program''',
'tags': [],
'desc': '''This policy is deprecated, and has been replaced with AdvancedProtectionAllowed.
This policy controls whether users enrolled in the Advanced Protection program are allowed to send their downloads to Google for malware scanning. If set to True or not set, enrolled users will be be prompted to send their files to Google for deep scanning. If the user selects 'Scan', their download will be sent to Google. If set to False, users will not be prompted and their downloads will not be sent to Google.''',
},
{
'name': 'SystemProxySettings',
'owners': ['acostinas@google.com', 'pmarko@chromium.org'],
'supported_on': ['chrome_os:87-'],
'device_only': True,
'id': 672,
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'system_proxy_enabled': {
'type': 'boolean',
},
'system_services_username': {
'description': '''The username for authenticating system services to the remote web proxy.''',
'type': 'string',
'sensitiveValue': True,
},
'system_services_password': {
'description': '''The password for authenticating system services to the remote web proxy.''',
'type': 'string',
'sensitiveValue': True,
},
'policy_credentials_auth_schemes': {
'description': '''The authentication schemes for which the policy credentials can be applied. Can be one of:
* basic
* digest
* ntlm
Leaving this option empty will allow all three schemes to be used.''',
'type': 'array',
'items' : {
'type': 'string',
'enum': [
'basic',
'digest',
'ntlm',
],
},
},
},
},
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
'system_proxy_enabled': True,
'system_services_username': 'test_user',
'system_services_password': '0000',
'policy_credentials_auth_schemes': ['basic','ntlm']
},
'caption': '''Configures System-proxy service for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'tags': [],
'desc': '''Configures the availability of System-proxy service and the proxy credentials for system services.
If the policy is not set, System-proxy service will not be available.''',
},
{
'name': 'DeviceLoginScreenPrivacyScreenEnabled',
'owners': ['lamzin@google.com', 'gildekel@chromium.org'],
'device_only': True,
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:83-'],
'features': {
'can_be_mandatory' : True,
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'default':None,
'example_value': True,
'id': 676,
'caption': '''Set the state of privacy screen on the login screen''',
'tags': [],
'desc': '''Set the state of the privacy screen feature on the login screen.
If this policy is set to True, privacy screen will be enabled when the login screen is shown.
If this policy is set to False, privacy screen will be disabled when the login screen is shown.
When this policy is set, the user cannot override the value when the login screen is shown.
If this policy is left unset, the privacy screen is disabled initially, but remains controllable by the user when the login screen is shown.''',
},
{
'name': 'PrivacyScreenEnabled',
'owners': ['lamzin@google.com', 'gildekel@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:83-'],
'features': {
'can_be_mandatory' : True,
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'default': None,
'example_value': True,
'id': 677,
'caption': '''Enable privacy screen''',
'tags': [],
'desc': '''Enable/disable the privacy screen feature.
If this policy is set to True, privacy screen will always be enabled.
If this policy is set to False, privacy screen will always be disabled.
When this policy is set, the user cannot override the value.
If this policy is left unset, privacy screen is disabled initially but can be controlled by the user.''',
},
{
'name': 'AllowNativeNotifications',
'owners': ['file://chrome/browser/notifications/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.linux:83-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'default': True,
'example_value': True,
'id': 678,
'caption': '''Allows native notifications''',
'tags': [],
'desc': '''Configures whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> on Linux will use native notifications.
If set to True or not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is allowed to use native notifications.
If set to False, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not use native notifications. <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s Message Center will be used as a fallback.''',
},
{
'name': 'RequiredClientCertificateForUser',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'name' : {
'description': 'The name of the certificate profile.',
'type': 'string'
},
'cert_profile_id': {
'description': 'The identifier for this client certificate.',
'type': 'string'
},
'key_algorithm': {
'description': 'The algorithm for key pair generation.',
'type': 'string',
'enum': [ 'rsa' ]
},
'renewal_period_seconds': {
'description': 'Number of seconds before expiration of a certificate when renewal should be triggered',
'type': 'integer'
},
'policy_version': {
'description': 'The client should not interpret this data and should forward it verbatim. The DMServer uses policy_version to verify that the policy view of DMServer matches the view of Chrome OS device.',
'type': 'string'
},
'enable_remote_attestation_check': {
'description': 'Enable an additional security check based on remote attestation (optional, default: True).',
'type': 'boolean'
}
},
'required': ['cert_profile_id', 'key_algorithm']
}
},
'supported_on': ['chrome_os:83-'],
'device_only': False,
'features': {
'dynamic_refresh': True,
'per_profile': True,
'can_be_recommended': False,
'can_be_mandatory' : True,
},
'example_value': [{'name': 'Certificate Profile 1', 'cert_profile_id':'cert_profile_id_1', 'key_algorithm':'rsa', 'renewal_period_seconds': 2592000, 'policy_version': 'some_hash', 'enable_remote_attestation_check': True}],
'id': 680,
'caption': '''Required Client Certificates''',
'tags': [],
'desc': '''Specifies client certificates that should be enrolled using the device management protocol.''',
},
{
'name': 'RequiredClientCertificateForDevice',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'name' : {
'description': 'The name of the certificate profile.',
'type': 'string'
},
'cert_profile_id': {
'description': 'The identifier for this client certificate.',
'type': 'string'
},
'key_algorithm': {
'description': 'The algorithm for key pair generation.',
'type': 'string',
'enum': [ 'rsa' ]
},
'renewal_period_seconds': {
'description': 'Number of seconds before expiration of a certificate when renewal should be triggered',
'type': 'integer'
},
'policy_version': {
'description': 'The client should not interpret this data and should forward it verbatim. The DMServer uses policy_version to verify that the policy view of DMServer matches the view of Chrome OS device.',
'type': 'string'
},
'enable_remote_attestation_check': {
'description': 'Enable an additional security check based on remote attestation (optional, default: True).',
'type': 'boolean'
}
},
'required': ['cert_profile_id', 'key_algorithm']
}
},
'supported_on': ['chrome_os:84-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
'per_profile': False,
'can_be_recommended': False,
'can_be_mandatory' : True,
},
'example_value': [{'name': 'Certificate Profile 1', 'cert_profile_id':'cert_profile_id_1', 'key_algorithm':'rsa', 'renewal_period_seconds': 2592000, 'policy_version': 'some_hash', 'enable_remote_attestation_check': True}],
'id': 681,
'caption': '''Required device-wide Client Certificates''',
'tags': [],
'desc': '''Specifies device-wide client certificates that should be enrolled using the device management protocol.''',
},
{
'name': 'AdvancedProtectionAllowed',
'owners': ['file://chrome/browser/safe_browsing/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:83-', 'chrome_os:83-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'default': True,
'example_value': True,
'id': 685,
'caption': '''Enable additional protections for users enrolled in the Advanced Protection program''',
'tags': [],
'desc': '''This policy controls whether users enrolled in the Advanced Protection program receive extra protections. Some of these features may involve the sharing of data with Google (for example, Advanced Protection users will be able to send their downloads to Google for malware scanning). If set to True or not set, enrolled users will receive extra protections. If set to False, Advanced Protection users will receive only the standard consumer features.''',
},
{
'name': 'ScrollToTextFragmentEnabled',
'owners': ['dlibby@microsoft.com', 'bokan@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:83-', 'chrome_os:83-', 'android:83-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'default': True,
'example_value': False,
'id': 687,
'caption': '''Enable scrolling to text specified in URL fragments''',
'tags': [],
'desc': '''This feature allows for hyperlinks and address bar URL navigations to target specific text within a web page, which will be scrolled to once the loading of the web page is complete.
If you enable or don't configure this policy, web page scrolling to specific text fragments via URL will be enabled.
If you disable this policy, web page scrolling to specific text fragments via URL will be disabled.''',
},
{
'name': 'LoginDisplayPasswordButtonEnabled',
'owners': ['tellier@google.com', 'rsorokin@chromium.org', 'cros-oac@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:86-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'default_for_enterprise_users': False,
'id': 701,
'caption': '''Show the display password button on the login and lock screen''',
'tags': [],
'desc': '''When enabled, this feature shows a button on the login and lock screen that allows the password to be displayed.
It is represented as an eye icon on the password textfield. The button is absent when the feature is disabled.
''',
},
{
'name': 'AccessibilityImageLabelsEnabled',
'owners': ['file://ui/accessibility/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:84-', 'chrome.*:84-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Use an anonymous Google service to provide automatic descriptions for unlabeled images',
},
{
'value': False,
'caption': 'Do not use Google services to provide automatic image descriptions',
},
{
'value': None,
'caption': 'Let users choose to use an anonymous Google service to provide automatic descriptions for unlabeled images',
},
],
'example_value': False,
'default': None,
'id': 703,
'caption': '''Enable <ph name="PRODUCT_NAME">Get Image Descriptions from Google</ph>.''',
'tags': ['google-sharing'],
'desc': '''The <ph name="PRODUCT_NAME">Get Image Descriptions from Google</ph>
accessibility feature enables visually-impaired screen reader users to
get descriptions of unlabeled images on the web. Users who choose to enable it
will have the option of using an anonymous Google service to provide
automatic descriptions for unlabeled images they encounter on the web.
If this feature is enabled, the content of images will be sent to Google
servers in order to generate a description. No cookies or other user
data is sent, and Google does not save or log any image content.
If this policy is set to true, the
<ph name="PRODUCT_NAME">Get Image Descriptions from Google</ph>
feature will be enabled, though it will only affect users who are using a
screen reader or other similar assistive technology.
If this policy is set to false, users will not have the option of enabling
the feature.
If you set this policy, users cannot change or override it.''',
},
{
'name': 'IntensiveWakeUpThrottlingEnabled',
'owners': ['file://components/performance_manager/OWNERS', 'chrisha@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-', 'chrome.*:85-', 'android:85-'],
'features': {
'per_profile': False,
'dynamic_refresh': True,
},
'default': None,
'example_value': True,
'id': 713,
'caption': '''Control the <ph name="PRODUCT_NAME">IntensiveWakeUpThrottling</ph> feature.''',
'tags': [],
'desc': '''When enabled the <ph name="PRODUCT_NAME">IntensiveWakeUpThrottling</ph> feature causes Javascript timers in background tabs to be aggressively throttled and coalesced, running no more than once per minute after a page has been backgrounded for 5 minutes or more.
This is a web standards compliant feature, but it may break functionality
on some websites by causing certain actions to be delayed by up to a
minute. However, it results in significant CPU and battery savings when
enabled. See https://bit.ly/30b1XR4 for more details.
If this policy is set to enabled then the feature will be force enabled, and
users will not be able to override this.
If this policy is set to disabled then the feature will be force disabled, and
users will not be able to override this.
If this policy is left unset then the feature will be controlled by its
own internal logic, which can be manually configured by users.
Note that the policy is applied per renderer process, with the most recent
value of the policy setting in force when a renderer process starts. A full
restart is required to ensure that all loaded tabs receive a consistent
policy setting. It is harmless for processes to be running with different
values of this policy.
''',
},
{
'name': 'BackForwardCacheEnabled',
'owners': ['chrome-bfcache@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['android:86-'],
'features': {
'per_profile': False,
'dynamic_refresh': True,
},
'items': [
{
'value': True,
'caption': 'Allow the back-forward cache to be used',
},
{
'value': False,
'caption': 'Do not allow the back-forward cache to be used',
},
],
'example_value': True,
'default': True,
'id': 758,
'caption': '''Control the <ph name="PRODUCT_NAME">BackForwardCache</ph> feature.''',
'tags': [],
'desc': '''When enabled the <ph name="PRODUCT_NAME">BackForwardCache</ph> feature allows the use of the back-forward cache. When navigating away from a page, its current state (document tree, script, etc.) may be preserved in the back-forward cache. If the browser navigates back to the page, the page may be restored from the back-forward cache and displayed in the state it was in before being cached.
This feature might cause issues for some websites that do not expect this caching. In particular, some websites depend on the "<ph name="UNLOAD_HANDLER_NAME">unload</ph>" event being dispatched when the browser navigates away from the page. The "<ph name="UNLOAD_HANDLER_NAME">unload</ph>" event will not be dispatched if the page enters the back-forward cache.
If this policy is set to enabled or not set,
the <ph name="PRODUCT_NAME">BackForwardCache</ph> feature will be enabled.
If this policy is set to disabled then the feature will be force disabled.
''',
},
{
'name': 'PinUnlockAutosubmitEnabled',
'owners': ['rrsilva@google.com', 'cros-oac@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:86-'],
'features': {
'can_be_recommended' : True,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 718,
'caption': '''Enable PIN auto-submit feature on the lock and login screen.''',
'tags': [],
'desc': '''The PIN auto-submit feature changes how PINs are entered in Chrome OS.
Instead of showing the same textfield that is used for password input, this
feature shows a special UI that clearly shows to the user how many
digits are necessary for their PIN. As a consequence, the user's PIN length
will be stored outside the user encrypted data. Only supports PINs that are
between 6 and 12 digits long.
If this policy is set to false, users will not have the option of enabling
the feature on the Settings page.''',
},
{
'name': 'EmojiSuggestionEnabled',
'owners': ['myy@chromium.org', 'essential-inputs-team@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'default_for_enterprise_users': False,
'id': 721,
'caption': '''Enable Emoji Suggestion''',
'tags': [],
'desc': '''This policy enables <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> to suggest emojis when users type text with their virtual or physical keyboards.
If this policy is set to true, the feature will be enabled, and users will be able to change it.
This policy is defaulted to false, no emoji will be suggested and users cannot override it.''',
},
{
'name': 'UserAgentClientHintsEnabled',
'owners': ['file://components/client_hints/OWNERS', 'yoavweiss@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:84-', 'chrome.*:84-', 'android:84-'],
'features': {
'per_profile': False,
'dynamic_refresh': True,
},
'default': True,
'example_value': True,
'id': 725,
'caption': '''Control the <ph name="PRODUCT_NAME">User-Agent Client Hints</ph> feature.''',
'tags': [],
'desc': '''When enabled the <ph name="PRODUCT_NAME">User-Agent Client Hints</ph> feature sends granular request headers providing information about the user browser and environment.
This is an additive feature, but the new headers may break some websites that restrict the characters that requests may contain.
If this policy is enabled or not set the <ph name="PRODUCT_NAME">User-Agent Client Hints</ph> feature is enabled. If the policy is disabled the feature is unavailable.
This enterprise policy is for short-term adaptation purposes and will be available at least until Chrome 91.''',
},
{
'name': 'SuggestedContentEnabled',
'owners': ['wrong@chromium.org', 'chrome-knowledge-eng@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:85-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'default_for_enterprise_users': False,
'id': 726,
'caption': 'Enable Suggested Content',
'tags': [],
'desc': '''This feature enables suggestions for new content to explore. Includes apps, webpages, and more.
If this policy is set to True, then suggestions for new content to explore will be enabled.
If this policy is set to False, then suggestions for new content to explore will be disabled.
If this policy is left unset, then suggestions for new content to explore will be disabled for managed users and enabled for other users.
'''
},
{
'name': 'ShowFullUrlsInAddressBar',
'owners': ['livvielin@chromium.org', 'enamelites@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'default': None,
'example_value': False,
'default_for_enterprise_users': False,
'id': 739,
'caption': 'Show Full URLs',
'tags': [],
'desc': '''This feature enables display of the full URL in the address bar.
If this policy is set to True, then the full URL will be shown in the address bar, including schemes and subdomains.
If this policy is set to False, then the default URL display will apply.
If this policy is left unset, then the default URL display will apply and the user will be able to toggle between default and full URL display with a context menu option.
'''
},
{
'name': 'InsecureFormsWarningsEnabled',
'owners': ['carlosil@chromium.org', 'estark@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:86-', 'chrome_os:86-', 'android:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'default': True,
'example_value': True,
'id': 748,
'caption': '''Enable warnings for insecure forms''',
'tags': [],
'desc': '''This policy controls the treatment for insecure forms (forms that submit over HTTP) embedded in secure (HTTPS) sites in the browser.
If the policy is enabled or unset, a full page warning will be shown when an insecure form is submitted. Additionally, a warning bubble will be shown next to the form fields when they are focused, and autofill will be disabled for those forms.
If the policy is disabled, warnings will not be shown for insecure forms, and autofill will work normally.''',
},
{
'name': 'LookalikeWarningAllowlistDomains',
'owners': ['file://chrome/browser/lookalikes/OWNERS'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:86-', 'chrome_os:86-', 'android:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['foo.example.com','example.org'],
'id': 782,
'caption': '''Suppress lookalike domain warnings on domains''',
'tags': ['system-security', 'website-sharing'],
'desc': '''This policy prevents the display of lookalike URL warnings on the sites listed. These warnings are typically shown on sites that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> believes might be trying to spoof another site the user is familiar with.
If the policy is enabled and set to one or more domains, no lookalike warnings pages will be shown when the user visits pages on that domain.
If the policy is disabled, not set, or set to an empty list, warnings may appear on any site the user visits.
A hostname can be allowed with a complete host match, or any domain match. For example, a URL like "https://foo.example.com/bar" may have warnings suppressed if this list includes either "foo.example.com" or "example.com".'''
},
{
'name': 'CCTToSDialogEnabled',
'owners': ['skym@chromium.org', 'wenyufu@chromium.org', 'twellington@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['android:86-86'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
'platform_only': True,
},
'deprecated': True,
'example_value': True,
'id': 760,
'caption': 'Enable ToS during first-run for CCT',
'tags': [],
'desc': '''This policy is deprecated, please use the <ph name="TOS_DIALOG_BEHAVIOR_POLICY_NAME">ToSDialogBehavior</ph> policy instead.
By default the Terms of Service are shown when CCT is first-run. Setting this policy to Disabled will cause the Terms of Service dialog to not appear during the first-run-experience or subsequent runs. Setting this policy to Enabled or leaving it unset will cause the Terms of Service dialog to appear during the first-run-experience. The other caveats are:
- This policy only works on fully managed Android devices that can be configured by Unified Endpoint Management vendors.
- If this policy is Disabled the BrowserSignin policy will have no effect.
- If this policy is Disabled metrics will not be sent to the server.
- If this policy is Disabled the browser will have limited functionality.
- If this policy is Disabled admins must communicate this to end users of the device.''',
},
{
'name': 'TosDialogBehavior',
'owners': ['skym@chromium.org', 'wenyufu@chromium.org', 'twellington@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2],
},
'items': [
{
'name': 'Unset',
'value': 0,
'caption': '''Use default browser behavior, shows the ToS and waits for the user to accept.''',
},
{
'name': 'StandardTosDialog',
'value': 1,
'caption': '''Use default browser behavior, shows the ToS and waits for the user to accept.''',
},
{
'name': 'SkipTosDialog',
'value': 2,
'caption': '''Automatically skips ToS and loads the browser.''',
}
],
'supported_on': ['android:87-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
'platform_only': True,
},
'default': 1,
'example_value': 2,
'id': 801,
'caption': 'Configuring the ToS behavior during first-run for CCT',
'tags': [],
'desc': '''By default the Terms of Service are shown when CCT is first-run. Setting this policy to <ph name="SKIP_TOS_DIALOG">SkipTosDialog</ph> will cause the Terms of Service dialog to not appear during the first-run-experience or subsequent runs. Setting this policy to <ph name="STANDARD_TOS_DIALOG">StandardTosDialog</ph> or leaving it unset will cause the Terms of Service dialog to appear during the first-run-experience. The other caveats are:
- This policy only works on fully managed Android devices that can be configured by Unified Endpoint Management vendors.
- If this policy is <ph name="SKIP_TOS_DIALOG">SkipTosDialog</ph> the BrowserSignin policy will have no effect.
- If this policy is <ph name="SKIP_TOS_DIALOG">SkipTosDialog</ph> metrics will not be sent to the server.
- If this policy is <ph name="SKIP_TOS_DIALOG">SkipTosDialog</ph> the browser will have limited functionality.
- If this policy is <ph name="SKIP_TOS_DIALOG">SkipTosDialog</ph> admins must communicate this to end users of the device.''',
},
{
'name': 'CloudPrintWarningsSuppressed',
'owners': ['file://printing/OWNERS'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:86-90', 'chrome_os:86-90'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Hide <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> deprecation warnings',
},
{
'value': False,
'caption': 'Show <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> deprecation warnings',
},
],
'example_value': True,
'default': False,
'id': 781,
'caption': '''Suppress <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> deprecation messages''',
'tags': [],
'desc': '''This policy controls whether <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> deprecation warnings are shown to users in the print preview dialog or settings pages.
Setting this policy to True will hide the deprecation warnings.
Setting this policy to False or leaving it unset will show the deprecation warnings.''',
},
{
'name': 'DataLeakPreventionRulesList',
'owners': ['file://chrome/browser/chromeos/policy/dlp/OWNERS'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'name': {
'type': 'string'
},
'description': {
'type': 'string'
},
'sources': {
'type': 'object',
'properties': {
'urls': {
'type': 'array',
'items': {'type': 'string'}
}
}
},
'destinations': {
'type': 'object',
'properties': {
'urls': {
'type': 'array',
'items': {
'type': 'string'
}
},
'components': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'ARC',
'CROSTINI',
'PLUGIN_VM'
]
}
}
},
},
'restrictions': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'class': {
'type': 'string',
'enum': [
'CLIPBOARD',
'SCREENSHOT',
'PRINTING',
'PRIVACY_SCREEN',
'SCREEN_SHARE'
]
},
'level': {
'type': 'string',
'enum': [
'BLOCK',
'ALLOW'
]
}
}
}
}
}
}
},
'future_on': ['chrome_os'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': [
{
'name': 'Support agent work flows',
'description': 'Allow copy and paste for work purposes but block screenshots, screen share and printing',
'sources': {
'urls': [
'salesforce.com',
'gmail.com',
'docs.google.com',
'drive.google.com',
'company.com'
]
},
'destinations': {
'urls': [
'salesforce.com',
'gmail.com',
'docs.google.com',
'drive.google.com',
'company.com'
]
},
'restrictions': [
{
'class': 'CLIPBOARD',
'level': 'ALLOW'
},
{
'class': 'SCREENSHOT',
'level': 'BLOCK'
},
{
'class': 'PRINTING',
'level': 'BLOCK'
},
{
'class': 'PRIVACY_SCREEN',
'level': 'BLOCK'
},
{
'class': 'SCREEN_SHARE',
'level': 'BLOCK'
}
]
},
{
'name': 'Non agent work flows',
'description': 'Block copy and paste from work flows to other sites and external drives',
'sources': {
'urls': [
'salesforce.com',
'gmail.com',
'docs.google.com',
'company.com'
]
},
'destinations': {
'urls': ["*"],
'components': [
'ARC',
'CROSTINI',
'PLUGIN_VM'
]
},
'restrictions': [
{
'class': 'CLIPBOARD',
'level': 'BLOCK'
}
]
}
],
'id': 786,
'caption': '''Sets a list of data leak prevention rules.''',
'tags': [],
'desc': '''Configures a list of rules to prevent data leak on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
Data leak can happen by copying and pasting data, transferring files, printing, screensharing, or taking screenshots ...etc.
Each rule consists of the following:
- A list of sources defined as URLs. Any data in the sources will be considered confidential data, to which the restrictions will be applied.
- A list of destinations defined as URLs or components, to which the confidential data is either allowed or disallowed to be shared.
- A list of restrictions to be applied on the data of the sources.
Rules can be added to:
- Control the clipboard data shared between the sources and the destinations.
- Control taking screenshots of any of the sources.
- Control printing of any of the sources.
- Control the privacy screen when any of the sources is visible.
- Control screen sharing of any of the sources.
The restriction level can be set to BLOCK, ALLOW.
- If the restriction is set to BLOCK, the action won't be allowed.
- If the resriction is set to ALLOW, the action will be allowed.
Notes:
- PRIVACY_SCREEN restriction doesn't block the ability to turn on privacy screen, but enforces it when the restriction class is set to BLOCK.
- Destinations cannot be empty in case one of the restrictions is CLIPBOARD, but they don't make any difference for the remaining restrictions.
- Format the URL patterns according to this format ( https://www.chromium.org/administrators/url-blacklist-filter-format ).
If the policy is left not set, no restrictions will be applied.''',
},
{
'name': 'WebRtcAllowLegacyTLSProtocols',
'owners': ['hta@chromium.org', 'guidou@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:87-', 'chrome_os:87-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Allow WebRTC to use obsolete versions of the TLD/DTLS protocol',
},
{
'value': False,
'caption': 'Prevent WebRTC from using obsolete versions of TLS/DTLS',
},
],
'example_value': False,
'default': False,
'id': 787,
'caption': '''Allow legacy TLS/DTLS downgrade in WebRTC''',
'tags': [],
'desc': '''If enabled, WebRTC peer connections can downgrade to obsolete
versions of the TLS/DTLS (DTLS 1.0, TLS 1.0 and TLS 1.1) protocols.
When this policy is disabled or not set, these TLS/DTLS versions are
disabled.
This policy is temporary and will be removed in a future version
of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
},
{
'name': 'MediaRecommendationsEnabled',
'owners': ['beccahughes@chromium.org', 'steimel@chromium.org', 'mlamouri@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:87-', 'chrome_os:87-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default': True,
'items': [
{
'value': True,
'caption': 'Show media recommendations to the user',
},
{
'value': False,
'caption': 'Hide media recommendations from the user',
},
],
'id': 788,
'caption': 'Enable Media Recommendations',
'tags': [],
'desc': '''By default the browser will show media recommendations that are personalized to the user. Setting this policy to Disabled will result in these recommendations being hidden from the user. Setting this policy to Enabled or leaving it unset will result in the media recommendations being shown to the user.''',
},
{
'name': 'DeviceFamilyLinkAccountsAllowed',
'owners': ['agawronska@chromium.org', 'cros-families-eng@google.com'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:87-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'default': False,
'example_value': False,
'id': 789,
'caption': '''Allow addition of Family Link accounts to the device''',
'tags': [],
'desc': '''Controls whether <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> allows new Family Link user accounts to be added on the device.
This policy is only useful in combination with <ph name="DEVICE_USER_ALLOWLIST_POLICY_NAME">DeviceUserAllowlist</ph>. It allows Family Link accounts additionally to the accounts defined in the allowlist.
This policy does not affect the behavior of other sign-in policies. Particularly it will not have any effect when:
- Adding new users to the device is disabled with <ph name="DEVICE_ALLOW_NEW_USERS_POLICY_NAME">DeviceAllowNewUsers</ph> policy.
- Adding all users is allowed with <ph name="DEVICE_USER_ALLOWLIST_POLICY_NAME">DeviceUserAllowlist</ph> policy.
If this policy is set to false (or not configured), no additional rules will be applied to Family Link accounts.
If this policy is set to true, new Family Link user accounts will be allowed additionally to those defined in <ph name="DEVICE_USER_ALLOWLIST_POLICY_NAME">DeviceUserAllowlist</ph>.''',
},
{
'name': 'EduCoexistenceToSVersion',
'owners': ['agawronska@chromium.org', 'danan@chromium.org', 'yilkal@chromium.org', 'cros-families-eng@google.com'],
'type': 'string',
'schema': {
'type': 'string',
'description': '''The valid version of Terms of Service derived from Google3 cl that introduced new Terms version.'''
},
'future_on': ['chrome_os'],
'tags': [],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '333024512',
'id': 790,
'caption': '''The valid version of Edu Coexistence Terms of Service''',
'desc': '''This policy indicates current valid version of Edu Coexistence Terms of Service.
It is compared with the version last accepted by the parent and used to prompt parent permission renewal when needed.
When this policy is set Terms of Service version can be validated.
When this policy is unset it is not possible to verify validity of Edu Coexistence Terms of Service.
This policy is only used for Family Link users.''',
},
{
'name': 'BrowsingDataLifetime',
'owners': ['ydago@chromium.org', 'pastarmovj@chromium.org'],
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'time_to_live_in_hours': { 'type': 'integer', 'minimum': 1 },
'data_types': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'browsing_history',
'download_history',
'cookies_and_other_site_data',
'cached_images_and_files',
'password_signin',
'autofill',
'site_settings',
'hosted_app_data',
],
},
},
},
},
},
'future_on': ['android'],
'supported_on': ['chrome.*:89-', 'chrome_os:89-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
{
'time_to_live_in_hours': 24,
'data_types': ['browsing_history'],
},
{
'time_to_live_in_hours': 12,
'data_types': ['password_signin', 'autofill'],
},
],
'id': 791,
'caption': 'Browsing Data Lifetime Settings',
'tags': [],
'desc': '''Configures browsing data lifetime settings for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy controls the time to live of selected browsing data.
The available data types are <ph name="DATA_TYPE_BROWSING_HISTORY">'browsing_history'</ph>, <ph name="DATA_TYPE_DOWNLOAD_HISTORY">'download_history'</ph>, <ph name="DATA_TYPE_COOKIES_AND_OTHER_SITE_DATA">'cookies_and_other_site_data'</ph>, <ph name="DATA_TYPE_CACHED_IMAGES_AND_FILES">'cached_images_and_files'</ph>, <ph name="DATA_TYPE_PASSWORD">'password_signin'</ph>, <ph name="DATA_TYPE_AUTOFILL">'autofill'</ph>, <ph name="DATA_TYPE_SITE_SETTINGS">'site_settings'</ph> and <ph name="DATA_TYPE_HOSTED_APP_DATA">'hosted_app_data'</ph>.
Chrome will regularly remove data of selected types that is older than <ph name="TIME_TO_LIVE_IN_HOURS">'time_to_live_in_hours'</ph>. As this deletion only happens in certain intervals, some data might live for slightly longer but never more than twice its expected <ph name="TIME_TO_LIVE_IN_HOURS">'time_to_live_in_hours'</ph>.
This policy requires the <ph name="SYNC_DISABLED_POLICY_NAME">SyncDisabled</ph> policy to be set to true, otherwise it will be ignored.
If this policy is set at platform level, Sync should be disabled at platform level.
If this policy is set at user level, Sync should be disabled for that user in order for this policy to take effect.
'''
},
{
'name': 'LacrosAllowed',
'owners': ['igorcov@chromium.org', 'okalitova@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:88-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Allow users to use the <ph name="LACROS_NAME">Lacros</ph> browser',
},
{
'value': False,
'caption': 'Prevent users from using the <ph name="LACROS_NAME">Lacros</ph> browser',
},
],
'example_value': False,
'default': False,
'id': 793,
'default_for_enterprise_users': False,
'caption': '''Allow usage of <ph name="LACROS_NAME">Lacros</ph>''',
'tags': [],
'desc': '''This setting allows users to use the <ph name="LACROS_NAME">Lacros</ph> browser.
If this policy is set to Disabled or unset, the user cannot use <ph name="LACROS_NAME">Lacros</ph>.
If this policy is set to Enabled, the user can use the <ph name="LACROS_NAME">Lacros</ph> browser.''',
},
{
'name': 'IntegratedWebAuthenticationAllowed',
'owners': ['acostinas@chromium.org', 'pmarko@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:89-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'The <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> login credentials will be used for network authentication to a managed proxy.',
},
{
'value': False,
'caption': 'The <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> login credentials will not be used for network authentication.',
},
],
'example_value': True,
'id': 808,
'default': False,
'caption': '''Allow reusing the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> login credentials for network authentication''',
'tags': [],
'desc': '''This setting allows users to authenticate to a managed proxy secured with NTLM authentication using the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> login credentials.
If this policy is set to False or unset, the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> login credentials will not be used for network authentication.
If this policy is set to True, the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> login credentials will be used for network authentication to a managed proxy. In case the authentication with the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> login credentials fails, the user will be prompted for credentials.''',
},
{
'name': 'ClearBrowsingDataOnExitList',
'owners': ['ydago@chromium.org', 'pastarmovj@chromium.org'],
'type': 'string-enum-list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'browsing_history',
'download_history',
'cookies_and_other_site_data',
'cached_images_and_files',
'password_signin',
'autofill',
'site_settings',
'hosted_app_data',
],
},
},
'items': [
{
'name': 'browsing_history',
'value': 'browsing_history',
'caption': '''Browsing history''',
},
{
'name': 'download_history',
'value': 'download_history',
'caption': '''Download history''',
},
{
'name': 'cookies_and_other_site_data',
'value': 'cookies_and_other_site_data',
'caption': '''Cookies and other site data''',
},
{
'name': 'cached_images_and_files',
'value': 'cached_images_and_files',
'caption': '''Cached images and files''',
},
{
'name': 'password_signin',
'value': 'password_signin',
'caption': '''Password signin''',
},
{
'name': 'autofill',
'value': 'autofill',
'caption': '''Autofill''',
},
{
'name': 'site_settings',
'value': 'site_settings',
'caption': '''Site settings''',
},
{
'name': 'hosted_app_data',
'value': 'hosted_app_data',
'caption': '''Hosted apps data''',
},
],
'future_on': ['android'],
'supported_on': ['chrome.*:89-', 'chrome_os:89-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
'browsing_history',
'download_history',
'cookies_and_other_site_data',
'cached_images_and_files',
'password_signin',
'autofill',
'site_settings',
'hosted_app_data',
],
'id': 809,
'caption': 'Clear Browsing Data on Exit',
'tags': [],
'desc': '''Configures a list of browsing data types that should be deleted when the browser is closed.
The available data types are browsing history (<ph name="DATA_TYPE_BROWSING_HISTORY">browsing_history</ph>), download history (<ph name="DATA_TYPE_DOWNLOAD_HISTORY">download_history</ph>), cookies (<ph name="DATA_TYPE_COOKIES_AND_OTHER_SITE_DATA">cookies_and_other_site_data</ph>), cache<ph name="DATA_TYPE_CACHED_IMAGES_AND_FILES"> (cached_images_and_files)</ph>, autofill (<ph name="DATA_TYPE_AUTOFILL">autofill</ph>), passwords (<ph name="DATA_TYPE_PASSWORD">password_signin</ph>), site settings (<ph name="DATA_TYPE_SITE_SETTINGS">site_settings</ph>) and hosted apps data (<ph name="DATA_TYPE_HOSTED_APP_DATA">hosted_app_data</ph>).
This policy does not take precedence over <ph name="ALLOW_DELETING_BROWSER_HISTORY_POLICY_NAME">AllowDeletingBrowserHistory</ph>.
This policy requires the <ph name="SYNC_DISABLED_POLICY_NAME">SyncDisabled</ph> policy to be set to true, otherwise it will be ignored.
If this policy is set at platform level, Sync should be disabled at platform level.
If this policy is set at user level, Sync should be disabled for that user in order for this policy to take effect.
'''
},
{
'name': 'ProfilePickerOnStartupAvailability',
'owners': ['file://components/policy/resources/OWNERS'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Enabled',
'value': 0,
'caption': '''Profile picker available at startup''',
},
{
'name': 'Disabled',
'value': 1,
'caption': '''Profile picker disabled at startup''',
},
{
'name': 'Forced',
'value': 2,
'caption': '''Profile picker forced at startup''',
},
],
'supported_on': [
'chrome.*:89-',
],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'default': 0,
'example_value': 0,
'id': 810,
'caption': '''Profile picker availabily on startup''',
'tags': [],
'desc': '''Specifies whether the profile picker is enabled, disabled or forced at the browser startup.
By default the profile picker is not shown if the browser starts in guest or incognito mode, a profile directory and/or urls are specified by command line, an app is explicitly requested to open, the browser was launched by a native notification, there is only one profile available or the policy ForceBrowserSignin is set to true.
If 'Enabled' (0) is selected or the policy is left unset, the profile picker will be shown at startup by default, but users will be able to enable/disable it.
If 'Disabled' (1) is selected, the profile picker will never be shown, and users will not be able to change the setting.
If 'Forced' (2) is selected, the profile picker cannot be suppressed by the user. The profile picker will be shown even if there is only one profile available.''',
},
{
'name': 'SigninInterceptionEnabled',
'owners': ['ydago@chromium.org', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:89-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable signin interception',
},
{
'value': False,
'caption': 'Disable signin interception',
},
{
'value': None,
'caption': 'Enable signin interception',
},
],
'example_value': True,
'id': 811,
'default': None,
'caption': '''Enable signin interception''',
'tags': [],
'desc': '''This settings enables or disables signin interception.
When this policy not set or is set to True, the signin interception dialog triggers when a Google account is added on the web, and the user may benefit from moving this account to another (new or existing) profile.
When this is set to False, the signin interception dialog does not trigger.''',
}
],
'messages': {
# Messages that are not associated to any policies.
'win_supported_all': {
'desc': '''A label specifying the oldest possible compatible version of Windows. This text will appear right next to a label containing the text 'Supported on:'.''',
'text': '''Microsoft Windows 7 or later'''
},
'win_supported_win7': {
'desc': '''A label specifying the policy compatibles with Windows 7. This text will appear right next to a label containing the text 'Supported on:'.''',
'text': '''Microsoft Windows 7'''
},
'mac_chrome_preferences': {
'desc': '''A text indicating in Mac OS X Workgroup Manager, that currently the preferences of Chromium are being edited''',
'text': '''<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> preferences'''
},
'doc_data_type': {
'desc': '''Caption text of the field 'data type' in the summary chart of a policy in the generated documentation''',
'text': '''Data type:'''
},
'doc_win_reg_loc': {
'desc': '''Caption text of the field 'windows registry location' in the summary chart of a policy in the generated documentation''',
'text': '''Windows registry location for Windows clients:'''
},
'doc_oma_uri': {
'desc': '''Caption text of the field 'oma-uri' in the summary chart of a policy in the generated documentation''',
'text': '''<ph name="OMA_URI">OMA-URI</ph>:'''
},
'doc_chrome_os_reg_loc': {
'desc': '''Caption text of the field '<ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> registry location' in the summary chart of a policy in the generated documentation''',
'text': '''Windows registry location for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> clients:'''
},
'doc_mac_linux_pref_name': {
'desc': '''Caption text of the field 'mac/linux preference name' in the summary chart of a policy in the generated documentation''',
'text': '''Mac/Linux preference name:'''
},
'doc_android_restriction_name': {
'desc': '''Caption text of the field 'android restriction name' in the summary chart of a policy in the generated documentation''',
'text': '''Android restriction name:'''
},
'doc_android_webview_restriction_name': {
'desc': '''Caption text of the field 'android webview restriction name' in the summary chart of a policy in the generated documentation''',
'text': '''Android WebView restriction name:'''
},
'doc_supported_on': {
'desc': '''Caption text of the list of 'products, platforms and versions where this policy is supported' in the summary chart of a policy in the generated documentation''',
'text': '''Supported on:'''
},
'doc_since_version': {
'desc': '''Text in the summary chart of a policy that specifies the version number in which the policy was introduced.''',
'text': '''since version <ph name="SINCE_VERSION">$6<ex>8</ex></ph>'''
},
'doc_until_version': {
'desc': '''Text in the summary chart of a policy that specifies the version number after which the policy was dropped.''',
'text': '''until version <ph name="UNTIL_VERSION">$6<ex>10</ex></ph>'''
},
'doc_supported_features': {
'desc': '''Caption text of the list of 'policy features that this policy supports' in the summary chart of a policy in the generated documentation''',
'text': '''Supported features:'''
},
'doc_description': {
'desc': '''Caption text of the 'description text' in the summary chart of a policy in the generated documentation''',
'text': '''Description:'''
},
'doc_arc_support': {
'desc': '''Caption text of the field in the generated documentation that describes how a policy affects Android applications on Chrome OS''',
'text': '''Note for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices supporting Android apps:'''
},
'doc_schema': {
'desc': '''Caption text of the 'schema' in the summary chart of a policy in the generated documentation''',
'text': '''Schema:'''
},
'doc_url_schema': {
'desc': '''Caption text of the field with the link to expanded schema description in the summary chart of a policy in the generated documentation''',
'text': '''Expanded schema description:'''
},
'doc_example_value': {
'desc': '''Caption text of the field 'example value' in the summary chart of a policy in the generated documentation''',
'text': '''Example value:'''
},
'doc_win_example_value': {
'desc': '''Caption text of the field 'windows (windows clients)' in the summary chart of a policy in the generated documentation''',
'text': '''Windows (Windows clients):'''
},
'doc_chrome_os_example_value': {
'desc': '''Caption text of the field 'windows (Chrome OS clients)' in the summary chart of a policy in the generated documentation''',
'text': '''Windows (<ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> clients):'''
},
'doc_banner': {
'desc': '''A banner shown at the top of the policy documentation''',
'text': '''The Chrome Enterprise policy list is moving! Please update your bookmarks to <ph name="POLICY_DOCUMENTATION_URL">https://cloud.google.com/docs/chrome-enterprise/policies/<ex>https://cloud.google.com/docs/chrome-enterprise/policies/</ex></ph>.'''
},
'doc_intro': {
'desc': '''Introduction text for the generated policy documentation''',
'text': '''Both Chromium and Google Chrome support the same set of policies. Please note that this document may include unreleased policies (i.e. their 'Supported on' entry refers to a not-yet released version of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>) which are subject to change or removal without notice and for which no guarantees of any kind are provided, including no guarantees with respect to their security and privacy properties.
These policies are strictly intended to be used to configure instances of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> internal to your organization. Use of these policies outside of your organization (for example, in a publicly distributed program) is considered malware and will likely be labeled as malware by Google and anti-virus vendors.
These settings don't need to be configured manually! Easy-to-use templates for Windows, Mac and Linux are available for download from <ph name="POLICY_TEMPLATE_DOWNLOAD_URL">https://www.chromium.org/administrators/policy-templates<ex> https://www.chromium.org/administrators/policy-templates</ex></ph>.
The recommended way to configure policy on Windows is via GPO, although provisioning policy via registry is still supported for Windows instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain.'''
},
'doc_group_intro': {
'desc': '''Introduction text for the generated policy atomic group documentation''',
'text': '''Both Chromium and Google Chrome have some groups of policies that depend on each other to provide control over a feature. These sets are represented by the following policy groups. Given that policies can have multiple sources, only values coming from the highest priority source will be applied. Values coming from a lower priority source in the same group will be ignored. The order of priority is defined in <ph name="POLICY_PRIORITY_DOC_URL">https://support.google.com/chrome/a/?p=policy_order<ex>https://support.google.com/chrome/a/?p=policy_order</ex></ph>.'''
},
'doc_policy_in_atomic_group': {
'desc': '''Label notifying that a policy is part of an atomic policy group''',
'text': '''This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) :'''
},
'doc_policy_atomic_group': {
'desc': '''Caption text of the 'policy atomic group' in the summary chart of a policy in the generated documentation''',
'text': '''Policy atomic group:'''
},
'doc_back_to_top': {
'desc': '''Text of a link in the generated policy documentation, that takes the user to the top of the page''',
'text': '''Back to top'''
},
'doc_supported': {
'desc': '''Appears next to the name of each supported feature in the 'list of supported policy features' in the generated policy documentation''',
'text': '''Yes'''
},
'doc_not_supported': {
'desc': '''Appears next to the name of each unsupported feature in the 'list of supported policy features' in the generated policy documentation''',
'text': '''No'''
},
'doc_name_column_title': {
'desc': '''Appears at the top of the policy summary table, over the column of policy names, in the generated policy documentation''',
'text': '''Policy Name'''
},
'doc_description_column_title': {
'desc': '''Appears at the top of the policy summary table, over the column of short policy descriptions, in the generated policy documentation''',
'text': '''Description'''
},
'doc_feature_dynamic_refresh': {
'desc': '''The name of the feature that indicates for a given policy that changes to it are respected by Chromium without a browser restart''',
'text': '''Dynamic Policy Refresh'''
},
'doc_feature_can_be_recommended': {
'desc': '''The name of the feature that indicates for a given policy that it can be recommended, instead of mandatory''',
'text': '''Can Be Recommended'''
},
'doc_feature_can_be_mandatory': {
'desc': '''The name of the feature that indicates for a given policy that it can be mandatory, instead of recommended''',
'text': '''Can Be Mandatory'''
},
'doc_feature_per_profile': {
'desc': '''The name of the feature that indicates whether a policy is applicable to browser Profiles individually or whether it affects the entire browser.''',
'text': '''Per Profile'''
},
'doc_feature_cloud_only': {
'desc': '''The name of the fature that indicates whether a policy can only be set from Admin Console.''',
'text': '''Cloud Only'''
},
'doc_feature_platform_only': {
'desc': '''The name of the feature that indicates whether a policy can only be set with platfrom policy.''',
'text': '''Platform Only'''
},
'doc_feature_internal_only': {
'desc': '''The name of the feature that indicates whether a policy is used for internal development or testing purposes.''',
'text': '''Internal Only'''
},
'doc_feature_unlisted': {
'desc': '''The name of the feature that indicates whether a policy is set from cloud without any user interface.''',
'text': '''Unlisted'''
},
'doc_deprecated': {
'desc': '''Text appended in parentheses to the policy name to indicate that it has been deprecated''',
'text': 'Deprecated',
},
'doc_recommended': {
'desc': '''Text appended in parentheses next to the policies top-level container to indicate that those policies are of the Recommended level''',
'text': 'Default Settings (users can override)',
},
'doc_complex_policies_on_windows': {
'desc': '''Text pointing the user to a help article for complex policies on Windows''',
'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POLICIES_URL">https://www.chromium.org/administrators/complex-policies-on-windows<ex>https://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>''',
},
'doc_reference_link': {
'desc': '''Text pointing the user to the reference page for this policy, which may have more info (since it doesn't have a size limit)''',
'text': '''Reference: <ph name="REFERENCE_URL">$6<ex>https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WallpaperImage</ex></ph>''',
},
'doc_legacy_single_line_label': {
'desc': '''A label for the legacy single-line textbox for a policy also has a more user-friendly multi-line textbox. See http://crbug/829328''',
'text': '''<ph name="POLICY_NAME">$6<ex>Wallpaper Image</ex></ph> (The single-line field is deprecated and will be removed in the future. Please start using the multi-line textbox below.)''',
},
'doc_policy_restriction': {
'desc': '''Caption text of the field 'restrictions' in the summary chart of a policy in the generated documentation''',
'text': '''Restrictions:'''
},
'doc_range_minimum': {
'desc': '''Caption text of the field 'minimum' in the summary chart of a policy in the generated documentation. Present only if policy has a minimum range restriction.''',
'text': '''Minimum:'''
},
'doc_range_maximum': {
'desc': '''Caption text of the field 'maximum' in the summary chart of a policy in the generated documentation. Present only if policy has a maximum range restriction.''',
'text': '''Maximum:'''
},
'doc_schema_description_link': {
'desc': '''Text pointing the user to the expanded documentation page for this policy, containing the information about schema and formatting.''',
'text': '''See <ph name="REFERENCE_URL">$6<ex>https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WallpaperImage</ex></ph> for more information about schema and formatting.'''
},
'deprecated_policy_group_caption': {
'desc': '''Localized name for the deprecated policies folder, for Microsoft's Group Policy Editor.''',
'text': '''Deprecated policies''',
},
'deprecated_policy_group_desc': {
'desc': '''Localized description for the deprecated policies folder, for Microsoft's Group Policy Editor.''',
'text': '''These policies are included here to make them easy to remove.''',
},
'deprecated_policy_desc': {
'desc': '''Description shared by all deprecated policies, in Microsoft Windows' Group Policy Editor.''',
'text': '''This policy is deprecated. Its usage is discouraged. Read more at https://support.google.com/chrome/a/answer/7643500'''
},
'removed_policy_group_caption': {
'desc': '''Localized name for the removed policies folder, for Microsoft's Group Policy Editor.''',
'text': '''Removed policies''',
},
'removed_policy_group_desc': {
'desc': '''Localized description for the removed policies folder, for Microsoft's Group Policy Editor.''',
'text': '''These policies are included here to make them easy to remove.''',
},
'removed_policy_desc': {
'desc': '''Description shared by all removed policies, in Microsoft Windows' Group Policy Editor.''',
'text': '''This policy is removed. It is not compatible with this version of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Read more at https://support.google.com/chrome/a/answer/7643500'''
},
},
# Legacy device policies that don't have a 1:1 mapping between template and
# chrome_device_policy.proto or where the types don't map the same way as for
# user policy, so that code is not (easily) generatable. Do not add new device
# policies here, make sure the proto is set up the same way as the (generated)
# user policy proto.
# Add deprecated policies here, though, if the proto field got deleted.
'legacy_device_policy_proto_map': [
# Deprecated device policies where the proto field got deleted.
['DeviceStartUpUrls', ''],
['DeviceIdleLogoutTimeout', ''],
['DeviceIdleLogoutWarningDuration', ''],
['DeviceLoginScreenSaverId', ''],
['DeviceLoginScreenSaverTimeout', ''],
['DeviceAppPack', ''],
['DeviceStartUpFlags', ''],
# Proto fields with unknown policy.
['', 'device_reporting.report_running_kiosk_app'],
['', 'camera_enabled.camera_enabled'],
# Not an actual policy.
['', 'auto_update_settings.target_version_display_name'],
# TPMFirmwareUpdateSettings is one-to-many and uses a strongly typed proto.
['TPMFirmwareUpdateSettings', 'tpm_firmware_update_settings.auto_update_mode'],
['TPMFirmwareUpdateSettings', 'tpm_firmware_update_settings.allow_user_initiated_powerwash'],
['TPMFirmwareUpdateSettings', 'tpm_firmware_update_settings.allow_user_initiated_preserve_device_state'],
# DeviceOffHours is one-to-many and uses a strongly typed proto.
['DeviceOffHours', 'device_off_hours.intervals'],
['DeviceOffHours', 'device_off_hours.timezone'],
['DeviceOffHours', 'device_off_hours.ignored_policy_proto_tags'],
# UsbDetachableWhitelist is a strongly typed proto.
['UsbDetachableWhitelist', 'usb_detachable_whitelist.id'],
# UsbDetachableAllowlist is a strongly typed proto.
['UsbDetachableAllowlist', 'usb_detachable_allowlist.id'],
# DeviceUpdateAllowedConnectionTypes is not generatable since the proto
# uses enums, whereas the schema uses strings.
['DeviceUpdateAllowedConnectionTypes', 'auto_update_settings.allowed_connection_types'],
# NetworkThrottlingEnabled is one-to-many and uses a strongly typed proto.
['NetworkThrottlingEnabled', 'network_throttling.enabled'],
['NetworkThrottlingEnabled', 'network_throttling.upload_rate_kbits'],
['NetworkThrottlingEnabled', 'network_throttling.download_rate_kbits'],
],
# Mapping between device policies and fields in chrome_device_policy.proto.
# Code for these policies can be generated. Add new device policies here!
'device_policy_proto_map': {
'DeviceGuestModeEnabled': 'guest_mode_enabled.guest_mode_enabled',
'DeviceRebootOnShutdown': 'reboot_on_shutdown.reboot_on_shutdown',
'DeviceShowUserNamesOnSignin': 'show_user_names.show_user_names',
'DeviceAllowNewUsers': 'allow_new_users.allow_new_users',
'DeviceUserWhitelist': 'user_whitelist.user_whitelist',
'DeviceUserAllowlist': 'user_allowlist.user_allowlist',
'DeviceEphemeralUsersEnabled': 'ephemeral_users_enabled.ephemeral_users_enabled',
'LoginAuthenticationBehavior': 'login_authentication_behavior.login_authentication_behavior',
'DeviceAllowBluetooth': 'allow_bluetooth.allow_bluetooth',
'DeviceLoginScreenExtensions': 'device_login_screen_extensions.device_login_screen_extensions',
'DeviceLoginScreenDomainAutoComplete': 'login_screen_domain_auto_complete.login_screen_domain_auto_complete',
'DeviceLoginScreenLocales': 'login_screen_locales.login_screen_locales',
'DeviceLoginScreenInputMethods': 'login_screen_input_methods.login_screen_input_methods',
'DeviceLoginScreenSystemInfoEnforced': 'device_login_screen_system_info_enforced.value',
'DeviceShowNumericKeyboardForPassword' : 'device_show_numeric_keyboard_for_password.value',
'DeviceSamlLoginAuthenticationType': 'saml_login_authentication_type.saml_login_authentication_type',
'DeviceDataRoamingEnabled': 'data_roaming_enabled.data_roaming_enabled',
'AllowKioskAppControlChromeVersion': 'allow_kiosk_app_control_chrome_version.allow_kiosk_app_control_chrome_version',
'DevicePolicyRefreshRate': 'device_policy_refresh_rate.device_policy_refresh_rate',
'DeviceMetricsReportingEnabled': 'metrics_enabled.metrics_enabled',
'SystemUse24HourClock': 'use_24hour_clock.use_24hour_clock',
'UptimeLimit': 'uptime_limit.uptime_limit',
'DeviceAllowRedeemChromeOsRegistrationOffers': 'allow_redeem_offers.allow_redeem_offers',
'ExtensionCacheSize': 'extension_cache_size.extension_cache_size',
'DeviceShowLowDiskSpaceNotification': 'device_show_low_disk_space_notification.device_show_low_disk_space_notification',
'DisplayRotationDefault': 'display_rotation_default.display_rotation_default',
'DeviceQuirksDownloadEnabled': 'quirks_download_enabled.quirks_download_enabled',
'UnaffiliatedArcAllowed': 'unaffiliated_arc_allowed.unaffiliated_arc_allowed',
'VirtualMachinesAllowed': 'virtual_machines_allowed.virtual_machines_allowed',
'DeviceUnaffiliatedCrostiniAllowed': 'device_unaffiliated_crostini_allowed.device_unaffiliated_crostini_allowed',
'PluginVmAllowed': 'plugin_vm_allowed.plugin_vm_allowed',
'DeviceLoginScreenAutoSelectCertificateForUrls': 'device_login_screen_auto_select_certificate_for_urls.login_screen_auto_select_certificate_rules',
'DeviceTransferSAMLCookies': 'saml_settings.transfer_saml_cookies',
'LoginVideoCaptureAllowedUrls': 'login_video_capture_allowed_urls.urls',
'DeviceHostnameTemplate': 'network_hostname.device_hostname_template',
'DeviceKerberosEncryptionTypes': 'device_kerberos_encryption_types.types',
'LogUploadEnabled': 'device_log_upload_settings.system_log_upload_enabled',
'DeviceVariationsRestrictParameter': 'variations_parameter.parameter',
'DeviceBlockDevmode': 'system_settings.block_devmode',
'DeviceSecondFactorAuthentication': 'device_second_factor_authentication.mode',
'CastReceiverName': 'cast_receiver_name.name',
'DeviceNativePrintersAccessMode': 'native_device_printers_access_mode.access_mode',
'MinimumRequiredChromeVersion': 'minimum_required_version.chrome_version',
'DeviceUserPolicyLoopbackProcessingMode': 'device_user_policy_loopback_processing_mode.mode',
'DeviceLoginScreenIsolateOrigins': 'device_login_screen_isolate_origins.isolate_origins',
'DeviceLoginScreenSitePerProcess': 'device_login_screen_site_per_process.site_per_process',
'DeviceMachinePasswordChangeRate': 'device_machine_password_change_rate.rate_days',
'DeviceNativePrintersBlacklist': 'native_device_printers_blacklist.blacklist',
'DeviceNativePrintersWhitelist': 'native_device_printers_whitelist.whitelist',
'DevicePrinters': 'device_printers.external_policy',
'DevicePrintersAccessMode': 'device_printers_access_mode.access_mode',
'DevicePrintersBlocklist': 'device_printers_blocklist.blocklist',
'DevicePrintersAllowlist': 'device_printers_allowlist.allowlist',
'HeartbeatEnabled': 'device_heartbeat_settings.heartbeat_enabled',
'HeartbeatFrequency': 'device_heartbeat_settings.heartbeat_frequency',
'ChromeOsReleaseChannel': 'release_channel.release_channel',
'ChromeOsReleaseChannelDelegated': 'release_channel.release_channel_delegated',
'DeviceReleaseLtsTag': 'release_channel.release_lts_tag',
'DeviceChannelDowngradeBehavior': 'auto_update_settings.channel_downgrade_behavior',
'DeviceAutoUpdateDisabled': 'auto_update_settings.update_disabled',
'DeviceTargetVersionPrefix': 'auto_update_settings.target_version_prefix',
'DeviceRollbackToTargetVersion': 'auto_update_settings.rollback_to_target_version',
'DeviceRollbackAllowedMilestones': 'auto_update_settings.rollback_allowed_milestones',
'DeviceUpdateScatterFactor': 'auto_update_settings.scatter_factor_in_seconds',
'DeviceUpdateHttpDownloadsEnabled': 'auto_update_settings.http_downloads_enabled',
'RebootAfterUpdate': 'auto_update_settings.reboot_after_update',
'DeviceAutoUpdateP2PEnabled': 'auto_update_settings.p2p_enabled',
'DeviceLoginScreenDefaultLargeCursorEnabled': 'accessibility_settings.login_screen_default_large_cursor_enabled',
'DeviceLoginScreenLargeCursorEnabled': 'accessibility_settings.login_screen_large_cursor_enabled',
'DeviceLoginScreenShowOptionsInSystemTrayMenu': 'accessibility_settings.login_screen_show_options_in_system_tray_menu_enabled',
'DeviceLoginScreenSpokenFeedbackEnabled': 'accessibility_settings.login_screen_spoken_feedback_enabled',
'DeviceLoginScreenDefaultSpokenFeedbackEnabled': 'accessibility_settings.login_screen_default_spoken_feedback_enabled',
'DeviceLoginScreenDefaultHighContrastEnabled': 'accessibility_settings.login_screen_default_high_contrast_enabled',
'DeviceLoginScreenHighContrastEnabled': 'accessibility_settings.login_screen_high_contrast_enabled',
'DeviceLoginScreenAccessibilityShortcutsEnabled': 'accessibility_settings.login_screen_shortcuts_enabled',
'DeviceLoginScreenDefaultScreenMagnifierType': 'accessibility_settings.login_screen_default_screen_magnifier_type',
'DeviceLoginScreenScreenMagnifierType': 'accessibility_settings.login_screen_screen_magnifier_type',
'DeviceLoginScreenDefaultVirtualKeyboardEnabled': 'accessibility_settings.login_screen_default_virtual_keyboard_enabled',
'DeviceLoginScreenPrimaryMouseButtonSwitch': 'login_screen_primary_mouse_button_switch.value',
'DeviceLoginScreenVirtualKeyboardEnabled': 'accessibility_settings.login_screen_virtual_keyboard_enabled',
'DeviceLoginScreenDictationEnabled': 'accessibility_settings.login_screen_dictation_enabled',
'DeviceLoginScreenSelectToSpeakEnabled': 'accessibility_settings.login_screen_select_to_speak_enabled',
'DeviceLoginScreenCursorHighlightEnabled': 'accessibility_settings.login_screen_cursor_highlight_enabled',
'DeviceLoginScreenCaretHighlightEnabled': 'accessibility_settings.login_screen_caret_highlight_enabled',
'DeviceLoginScreenMonoAudioEnabled': 'accessibility_settings.login_screen_mono_audio_enabled',
'DeviceLoginScreenAutoclickEnabled': 'accessibility_settings.login_screen_autoclick_enabled',
'DeviceLoginScreenStickyKeysEnabled': 'accessibility_settings.login_screen_sticky_keys_enabled',
'DeviceLoginScreenKeyboardFocusHighlightEnabled': 'accessibility_settings.login_screen_keyboard_focus_highlight_enabled',
'AttestationEnabledForDevice': 'attestation_settings.attestation_enabled',
'AttestationForContentProtectionEnabled': 'attestation_settings.content_protection_enabled',
'SystemTimezone': 'system_timezone.timezone',
'SystemTimezoneAutomaticDetection': 'system_timezone.timezone_detection_type',
'ReportDeviceActivityTimes': 'device_reporting.report_activity_times',
'ReportDeviceBootMode': 'device_reporting.report_boot_mode',
'ReportDeviceLocation': 'device_reporting.report_location',
'ReportDeviceNetworkInterfaces': 'device_reporting.report_network_interfaces',
'ReportDeviceUsers': 'device_reporting.report_users',
'ReportDeviceHardwareStatus': 'device_reporting.report_hardware_status',
'ReportDeviceSessionStatus': 'device_reporting.report_session_status',
'ReportDeviceGraphicsStatus': 'device_reporting.report_graphics_status',
'ReportDeviceCrashReportInfo': 'device_reporting.report_crash_report_info',
'ReportDeviceOsUpdateStatus': 'device_reporting.report_os_update_status',
'ReportDeviceVersionInfo': 'device_reporting.report_version_info',
'ReportDeviceAppInfo': 'device_reporting.report_app_info',
'ReportDeviceBluetoothInfo': 'device_reporting.report_bluetooth_info',
'ReportDeviceFanInfo': 'device_reporting.report_fan_info',
'ReportDeviceVpdInfo': 'device_reporting.report_vpd_info',
'ReportDeviceSystemInfo': 'device_reporting.report_system_info',
'ReportUploadFrequency': 'device_reporting.device_status_frequency',
'DeviceLoginScreenPowerManagement': 'login_screen_power_management.login_screen_power_management',
'DeviceChromeVariations': 'device_chrome_variations_type.value',
'DeviceDisplayResolution': 'device_display_resolution.device_display_resolution',
'DeviceWallpaperImage': 'device_wallpaper_image.device_wallpaper_image',
'DeviceNativePrinters': 'native_device_printers.external_policy',
'DeviceExternalPrintServers': 'external_print_servers.external_policy',
'DeviceExternalPrintServersAllowlist': 'external_print_servers_allowlist.allowlist',
'DeviceAutoUpdateTimeRestrictions': 'auto_update_settings.disallowed_time_intervals',
'DeviceUpdateStagingSchedule': 'auto_update_settings.staging_schedule',
'DeviceLocalAccounts': 'device_local_accounts.account',
'DeviceLocalAccountAutoLoginId': 'device_local_accounts.auto_login_id',
'DeviceLocalAccountAutoLoginDelay': 'device_local_accounts.auto_login_delay',
'DeviceLocalAccountAutoLoginBailoutEnabled': 'device_local_accounts.enable_auto_login_bailout',
'DeviceLocalAccountPromptForNetworkWhenOffline': 'device_local_accounts.prompt_for_network_when_offline',
'DevicePowerPeakShiftEnabled': 'device_power_peak_shift.enabled',
'DevicePowerPeakShiftBatteryThreshold': 'device_power_peak_shift.battery_threshold',
'DevicePowerPeakShiftDayConfig': 'device_power_peak_shift.day_configs',
'DeviceWilcoDtcAllowed': 'device_wilco_dtc_allowed.device_wilco_dtc_allowed',
'DeviceWilcoDtcConfiguration': 'device_wilco_dtc_configuration.device_wilco_dtc_configuration',
'PluginVmLicenseKey': 'plugin_vm_license_key.plugin_vm_license_key',
'DeviceAuthDataCacheLifetime': 'device_auth_data_cache_lifetime.lifetime_hours',
'DeviceGpoCacheLifetime': 'device_gpo_cache_lifetime.lifetime_hours',
'DeviceRebootOnUserSignout': 'device_reboot_on_user_signout.reboot_on_signout_mode',
'DeviceEcryptfsMigrationStrategy': 'device_ecryptfs_migration_strategy.migration_strategy',
'DeviceWiFiFastTransitionEnabled': 'device_wifi_fast_transition_enabled.device_wifi_fast_transition_enabled',
'DeviceWiFiAllowed': 'device_wifi_allowed.device_wifi_allowed',
'AutoCleanUpStrategy': 'auto_clean_up_settings.clean_up_strategy',
'SupervisedUsersEnabled': 'supervised_users_settings.supervised_users_enabled',
'ReportDeviceBoardStatus': 'device_reporting.report_board_status',
'ReportDeviceCpuInfo': 'device_reporting.report_cpu_info',
'ReportDeviceTimezoneInfo': 'device_reporting.report_timezone_info',
'ReportDeviceMemoryInfo': 'device_reporting.report_memory_info',
'ReportDeviceBacklightInfo': 'device_reporting.report_backlight_info',
'ReportDeviceStorageStatus': 'device_reporting.report_storage_status',
'ReportDevicePowerStatus': 'device_reporting.report_power_status',
'DeviceOpenNetworkConfiguration': 'open_network_configuration.open_network_configuration',
'DeviceBootOnAcEnabled': 'device_boot_on_ac.enabled',
'DeviceQuickFixBuildToken': 'auto_update_settings.device_quick_fix_build_token',
'DeviceDockMacAddressSource': 'device_dock_mac_address_source.source',
'DeviceUsbPowerShareEnabled': 'device_usb_power_share.enabled',
'DeviceAdvancedBatteryChargeModeEnabled': 'device_advanced_battery_charge_mode.enabled',
'DeviceAdvancedBatteryChargeModeDayConfig': 'device_advanced_battery_charge_mode.day_configs',
'DeviceBatteryChargeMode': 'device_battery_charge_mode.battery_charge_mode',
'DeviceBatteryChargeCustomStartCharging': 'device_battery_charge_mode.custom_charge_start',
'DeviceBatteryChargeCustomStopCharging': 'device_battery_charge_mode.custom_charge_stop',
'DeviceScheduledUpdateCheck': 'device_scheduled_update_check.device_scheduled_update_check_settings',
'DevicePowerwashAllowed': 'device_powerwash_allowed.device_powerwash_allowed',
'DeviceLoginScreenWebUsbAllowDevicesForUrls': 'device_login_screen_webusb_allow_devices_for_urls.device_login_screen_webusb_allow_devices_for_urls',
'DeviceWebBasedAttestationAllowedUrls': 'device_web_based_attestation_allowed_urls.value',
'DeviceMinimumVersion': 'device_minimum_version.value',
'SystemProxySettings': 'system_proxy_settings.system_proxy_settings',
'DeviceLoginScreenPrivacyScreenEnabled': 'device_login_screen_privacy_screen_enabled.enabled',
'RequiredClientCertificateForDevice': 'required_client_certificate_for_device.required_client_certificate_for_device',
'DeviceCrostiniArcAdbSideloadingAllowed': 'device_crostini_arc_adb_sideloading_allowed.mode',
'DeviceMinimumVersionAueMessage': 'device_minimum_version_aue_message.value',
'ManagedGuestSessionPrivacyWarningsEnabled': 'managed_guest_session_privacy_warnings.enabled',
'DeviceFamilyLinkAccountsAllowed': 'family_link_accounts_allowed.family_link_accounts_allowed',
'DeviceArcDataSnapshotHours': 'arc_data_snapshot_hours.arc_data_snapshot_hours',
},
'policy_atomic_group_definitions': [
{
'id': 1,
'name': 'Homepage',
'caption': '''Homepage''',
'policies': [
'HomepageLocation',
'HomepageIsNewTabPage',
'NewTabPageLocation',
'ShowHomeButton',
],
},
{
'id': 2,
'name': 'RemoteAccess',
'caption': '''Remote access''',
'policies': [
'RemoteAccessClientFirewallTraversal',
'RemoteAccessHostClientDomain',
'RemoteAccessHostClientDomainList',
'RemoteAccessHostFirewallTraversal',
'RemoteAccessHostDomain',
'RemoteAccessHostDomainList',
'RemoteAccessHostRequireTwoFactor',
'RemoteAccessHostTalkGadgetPrefix',
'RemoteAccessHostRequireCurtain',
'RemoteAccessHostAllowClientPairing',
'RemoteAccessHostAllowGnubbyAuth',
'RemoteAccessHostAllowRelayedConnection',
'RemoteAccessHostUdpPortRange',
'RemoteAccessHostMatchUsername',
'RemoteAccessHostTokenUrl',
'RemoteAccessHostTokenValidationUrl',
'RemoteAccessHostTokenValidationCertificateIssuer',
'RemoteAccessHostDebugOverridePolicies',
'RemoteAccessHostAllowUiAccessForRemoteAssistance',
'RemoteAccessHostAllowFileTransfer',
'RemoteAccessHostEnableUserInterface',
'RemoteAccessHostAllowRemoteAccessConnections',
],
},
{
'id': 3,
'name': 'PasswordManager',
'caption': '''Password manager''',
'policies': [
'PasswordManagerEnabled',
'PasswordManagerAllowShowPasswords',
],
},
{
'id': 4,
'name': 'Proxy',
'caption': '''Proxy''',
'policies': [
'ProxyMode',
'ProxyServerMode',
'ProxyServer',
'ProxyPacUrl',
'ProxyBypassList',
'ProxySettings',
],
},
{
'id': 5,
'name': 'Extensions',
'caption': '''Extensions''',
'policies': [
'ExtensionInstallAllowlist',
'ExtensionInstallBlocklist',
'ExtensionInstallBlacklist',
'ExtensionInstallWhitelist',
'ExtensionInstallForcelist',
'ExtensionInstallSources',
'ExtensionAllowedTypes',
'ExtensionAllowInsecureUpdates',
'ExtensionSettings',
],
},
{
'id': 6,
'name': 'RestoreOnStartup',
'owners': ['file://components/policy/resources/OWNERS'],
'caption': '''Action on startup''',
'policies': [
'RestoreOnStartup',
'RestoreOnStartupURLs',
],
},
{
'id': 7,
'name': 'DefaultSearchProvider',
'caption': '''Default search provider''',
'policies': [
'DefaultSearchProviderEnabled',
'DefaultSearchProviderName',
'DefaultSearchProviderKeyword',
'DefaultSearchProviderSearchURL',
'DefaultSearchProviderSuggestURL',
'DefaultSearchProviderInstantURL',
'DefaultSearchProviderIconURL',
'DefaultSearchProviderEncodings',
'DefaultSearchProviderAlternateURLs',
'DefaultSearchProviderSearchTermsReplacementKey',
'DefaultSearchProviderImageURL',
'DefaultSearchProviderNewTabURL',
'DefaultSearchProviderSearchURLPostParams',
'DefaultSearchProviderSuggestURLPostParams',
'DefaultSearchProviderInstantURLPostParams',
'DefaultSearchProviderImageURLPostParams',
],
},
{
'id': 8,
'name': 'ImageSettings',
'caption': '''Image settings''',
'policies': [
'DefaultImagesSetting',
'ImagesAllowedForUrls',
'ImagesBlockedForUrls',
],
},
{
'id': 9,
'name': 'CookiesSettings',
'caption': '''Cookies settings''',
'policies': [
'DefaultCookiesSetting',
'CookiesAllowedForUrls',
'CookiesBlockedForUrls',
'CookiesSessionOnlyForUrls',
],
},
{
'id': 10,
'name': 'JavascriptSettings',
'caption': '''Javascript settings''',
'policies': [
'DefaultJavaScriptSetting',
'JavaScriptAllowedForUrls',
'JavaScriptBlockedForUrls',
],
},
{
'id': 11,
'name': 'PluginsSettings',
'caption': '''Plugins settings''',
'policies': [
'DefaultPluginsSetting',
'PluginsAllowedForUrls',
'PluginsBlockedForUrls',
],
},
{
'id': 12,
'name': 'PopupsSettings',
'caption': '''Popups settings''',
'policies': [
'DefaultPopupsSetting',
'PopupsAllowedForUrls',
'PopupsBlockedForUrls',
],
},
{
'id': 13,
'name': 'KeygenSettings',
'caption': '''Keygen settings''',
'policies': [
'DefaultKeygenSetting',
'KeygenAllowedForUrls',
'KeygenBlockedForUrls',
],
},
{
'id': 14,
'name': 'NotificationsSettings',
'caption': '''Notification settings''',
'policies': [
'DefaultNotificationsSetting',
'NotificationsAllowedForUrls',
'NotificationsBlockedForUrls',
],
},
{
'id': 15,
'name': 'WebUsbSettings',
'caption': '''Web USB settings''',
'policies': [
'DefaultWebUsbGuardSetting',
'DeviceLoginScreenWebUsbAllowDevicesForUrls',
'WebUsbAllowDevicesForUrls',
'WebUsbAskForUrls',
'WebUsbBlockedForUrls',
],
},
{
'id': 16,
'name': 'NativeMessaging',
'caption': '''Native messaging''',
'policies': [
'NativeMessagingBlacklist',
'NativeMessagingBlocklist',
'NativeMessagingAllowlist',
'NativeMessagingWhitelist',
'NativeMessagingUserLevelHosts',
],
},
{
'id': 17,
'name': 'Drive',
'caption': '''Drive''',
'policies': [
'DriveDisabled',
'DriveDisabledOverCellular',
],
},
{
'id': 18,
'name': 'Attestation',
'caption': '''Attestation''',
'policies': [
'AttestationEnabledForDevice',
'AttestationEnabledForUser',
'AttestationExtensionAllowlist',
'AttestationExtensionWhitelist',
'AttestationForContentProtectionEnabled',
],
},
{
'id': 20,
'name': 'SupervisedUsers',
'caption': '''Supervised users''',
'policies': [
'SupervisedUsersEnabled',
'SupervisedUserCreationEnabled',
'SupervisedUserContentProviderEnabled',
],
},
{
'id': 21,
'name': 'GoogleCast',
'caption': '''Google Cast''',
'policies': [
'CastReceiverEnabled',
'CastReceiverName',
],
},
{
'id': 22,
'name': 'QuickUnlock',
'caption': '''Quick unlock''',
'policies': [
'QuickUnlockModeAllowlist',
'QuickUnlockModeWhitelist',
'QuickUnlockTimeout',
],
},
{
'id': 23,
'name': 'PinUnlock',
'caption': '''Pin unlock''',
'policies': [
'PinUnlockMinimumLength',
'PinUnlockMaximumLength',
'PinUnlockWeakPinsAllowed',
'PinUnlockAutosubmitEnabled',
],
},
{
'id': 24,
'name': 'SafeBrowsing',
'caption': '''Safe Browsing settings''',
'policies': [
'SafeBrowsingEnabled',
'SafeBrowsingExtendedReportingEnabled',
'SafeBrowsingProtectionLevel',
'SafeBrowsingWhitelistDomains',
'SafeBrowsingAllowlistDomains',
],
},
{
'id': 25,
'name': 'PasswordProtection',
'caption': '''Password protection''',
'policies': [
'PasswordProtectionWarningTrigger',
'PasswordProtectionLoginURLs',
'PasswordProtectionChangePasswordURL',
],
},
{
'id': 26,
'name': 'NetworkFileShares',
'caption': '''Network File Shares settings''',
'policies': [
'NetworkFileSharesAllowed',
'NetBiosShareDiscoveryEnabled',
'NTLMShareAuthenticationEnabled',
'NetworkFileSharesPreconfiguredShares',
],
},
{
'id': 27,
'name': 'CloudReporting',
'caption': '''Cloud Reporting''',
'policies': [
'ReportVersionData',
'ReportPolicyData',
'ReportMachineIDData',
'ReportUserIDData',
'ReportExtensionsAndPluginsData',
'CloudExtensionRequestEnabled',
'CloudReportingEnabled',
],
},
{
'id': 28,
'name': 'BrowserSwitcher',
'caption': '''Legacy Browser Support''',
'policies': [
'AlternativeBrowserPath',
'AlternativeBrowserParameters',
'BrowserSwitcherChromePath',
'BrowserSwitcherChromeParameters',
'BrowserSwitcherDelay',
'BrowserSwitcherEnabled',
'BrowserSwitcherExternalSitelistUrl',
'BrowserSwitcherExternalGreylistUrl',
'BrowserSwitcherKeepLastChromeTab',
'BrowserSwitcherUrlList',
'BrowserSwitcherUrlGreylist',
'BrowserSwitcherUseIeSitelist',
],
},
{
'id': 29,
'name': 'PluginVm',
'caption': '''PluginVm''',
'policies': [
'PluginVmAllowed',
'PluginVmDataCollectionAllowed',
'PluginVmImage',
'PluginVmLicenseKey',
'PluginVmRequiredFreeDiskSpace',
'PluginVmUserId',
'UserPluginVmAllowed',
],
},
{
'id': 30,
'name': 'SAML',
'caption': '''SAML''',
'policies': [
'DeviceSamlLoginAuthenticationType',
'DeviceTransferSAMLCookies',
],
},
{
'id': 31,
'name': 'LoginScreenOrigins',
'caption': '''Login and screen origins''',
'policies': [
'DeviceLoginScreenIsolateOrigins',
'DeviceLoginScreenSitePerProcess',
],
},
{
'id': 32,
'name': 'UserAndDeviceReporting',
'caption': '''User and device reporting''',
'policies': [
'ReportDeviceVersionInfo',
'ReportDeviceBootMode',
'ReportDeviceUsers',
'ReportDeviceActivityTimes',
'ReportDeviceLocation',
'ReportDeviceNetworkInterfaces',
'ReportDeviceHardwareStatus',
'ReportDeviceSessionStatus',
'ReportDeviceGraphicsStatus',
'ReportDeviceCrashReportInfo',
'ReportDeviceOsUpdateStatus',
'ReportDeviceBoardStatus',
'ReportDeviceCpuInfo',
'ReportDeviceTimezoneInfo',
'ReportDeviceMemoryInfo',
'ReportDeviceBacklightInfo',
'ReportDevicePowerStatus',
'ReportDeviceStorageStatus',
'ReportDeviceAppInfo',
'ReportDeviceBluetoothInfo',
'ReportDeviceFanInfo',
'ReportDeviceVpdInfo',
'ReportDeviceSystemInfo',
'ReportUploadFrequency',
'ReportArcStatusEnabled',
'HeartbeatEnabled',
'HeartbeatFrequency',
'LogUploadEnabled',
'DeviceMetricsReportingEnabled',
],
},
{
'id': 33,
'name': 'WiFi',
'caption': '''WiFi''',
'policies': [
'DeviceWiFiFastTransitionEnabled',
'DeviceWiFiAllowed'
],
},
{
'id': 34,
'name': 'Kiosk',
'caption': '''Kiosk settings''',
'policies': [
'DeviceLocalAccounts',
'DeviceLocalAccountAutoLoginId',
'DeviceLocalAccountAutoLoginDelay',
'DeviceLocalAccountAutoLoginBailoutEnabled',
'DeviceLocalAccountPromptForNetworkWhenOffline',
],
},
{
'id': 35,
'name': 'DateAndTime',
'caption': '''Date and time''',
'policies': [
'SystemTimezone',
'SystemTimezoneAutomaticDetection',
]
},
{
'id': 36,
'name': 'Display',
'caption': '''Display''',
'policies': [
'DeviceDisplayResolution',
'DisplayRotationDefault',
]
},
{
'id': 37,
'name': 'ActiveDirectoryManagement',
'caption': '''<ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> management settings''',
'policies': [
'DeviceMachinePasswordChangeRate',
'DeviceUserPolicyLoopbackProcessingMode',
'DeviceKerberosEncryptionTypes',
'DeviceGpoCacheLifetime',
'DeviceAuthDataCacheLifetime',
]
},
{
'id': 38,
'name': 'LegacySameSiteCookieBehaviorSettings',
'caption': '''Legacy <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> cookie behavior settings''',
'policies': [
'LegacySameSiteCookieBehaviorEnabled',
'LegacySameSiteCookieBehaviorEnabledForDomainList',
],
},
{
'id': 39,
'name': 'SensorsSettings',
'caption': '''Sensors settings''',
'policies': [
'DefaultSensorsSetting',
'SensorsAllowedForUrls',
'SensorsBlockedForUrls',
],
},
{
'id': 40,
'name': 'PrivateNetworkRequestSettings',
'caption': '''Private network request settings''',
'policies': [
'InsecurePrivateNetworkRequestsAllowed',
'InsecurePrivateNetworkRequestsAllowedForUrls',
],
},
],
'placeholders': [],
'deleted_policy_ids': [114, 115, 204, 205, 206, 412, 476, 544, 546, 562, 569, 578, 583, 585, 586, 587, 588, 589, 590, 591, 600, 668, 669],
'deleted_atomic_policy_group_ids': [19],
'highest_id_currently_used': 813,
'highest_atomic_group_id_currently_used': 40
}