blob: 38c297e2937315ca6fec57ea6500bcebef14bbe2 [file] [log] [blame]
{
# policy_templates.json - Metafile for policy templates
#
# The content of this file is evaluated as a Python expression.
#
# This file is used as input to generate the following policy templates:
# ADM, ADMX+ADML, MCX/plist and html documentation.
#
# Policy templates are user interface definitions or documents about the
# policies that can be used to configure Chrome. Each policy is a name-value
# pair where the value has a given type. Chrome looks up the values using the
# names of the policies. In the user interface where the values can be set,
# related policies might appear together in policy groups. The grouping is not
# visible to Chrome.
#
# This file contains a list of policies and groups. Each group contains a list
# of policies under the key 'policies'. All the policies and groups must have
# unique names. Group names are not exposed to Chrome at all.
#
# Each policy has a type. The currently implemented types:
# 'group': - not a real policy, contains a list of policies
# NOTE: Currently nesting groups inside other groups is not supported.
# 'string' - a string value
# 'int' - an integer value
# 'int-enum' - the user can select an integer value from a collection of
# items
# 'string-enum' - the user can select a string value from a collection of
# items
# 'string-enum-list' - the user can select a set of string values from a
# collection of items
# 'main' - a boolean value
# 'list' - a list of string values. Using this for a list of JSON strings
# is now discouraged, because the 'dict' is better for JSON.
# 'dict' - perhaps should be named JSON. An arbitrarily complex object or
# array, nested objects/arrays, etc. The user defines the value with JSON.
# 'external' - a policy that references external data.
# NOTE: This type is currently supported on Chrome OS only.
#
# NOTE to 'dict' vs 'list' - in the past, 'list' has been used for a policy
# that is an array of objects. The user supplied a list of strings, and each
# of those strings was parsed as JSON, resulting in an array of objects.
# However, there are a couple of reasons why 'dict' is better for these sorts
# of policies. Some interfaces (eg the GPO editor) only allow each list item
# to be a single-line string, which is not great for inputting a complex JSON
# object. It also means any example values shown in the documentation will
# have a hybrid syntax, with both commas and new-lines being used to delimit
# array elements - and these examples will be harder to copy and paste.
# To conclude, prefer 'dict' to 'list' if JSON is involved.
#
# Each policy is tagged with risk tags that indicate potential privacy or
# security risks. They are defined at the beginning of this file (tag
# 'risk_tag_definitions').
# Each risk tag contains the following information:
# - name: The name of the risk tag. May not contain spaces.
# - description: Description for developers so they know which tags apply to
# newly added policies.
# - user-description: A text that helps users understand what a policy with
# this tag means for their privacy and/or security.
# TODO(fhorschig|tnagel): Revisit policy tags after reviews.
#
# Policy group descriptions, policy captions and similar texts are localized
# strings taken from the <message> nodes of the .grd file. Their name attributes
# are generated from the JSON keys.
# Each item (policy or group) may have the following messages:
# - description:
# Describes the item it applies to.
# - caption
# A short, one-line summary of the item it applies to. This can appear
# both in policy or group listings or on title bars of policy-setting
# windows. (The caption should not end with a punctuation mark.)
# - label (Optional, defaults to caption if not specified.)
# A short, one-line summary of the item it applies to. The difference
# from caption is that label always appears next to the entry field
# where the value of the policy can be entered. 'main' policies on
# Windows ignore this. Policies on Mac are using this instead of caption.
#
# As a reference for translators, non-translateable strings must be tagged using
# <ph name="..."></ph> as described in [1]. As these tags are pruned before
# generating the comments for .proto files, paragraphs containing such tags
# should not be line-wrapped (use one long line per paragraph instead) to allow
# for correct re-flowing of the text.
# [1] https://www.chromium.org/developers/tools-we-use-in-chromium/grit/grit-users-guide.
#
# Generated grd names:
# Each name has two parts: the second part is either CAPTION, DESC or LABEL,
# and the first part identifies the item the text applies to:
# -For policies and groups:
# IDS_POLICY_<NAME OF THE POLICY OR GROUP>
# e.g. the name of the caption of policy HomepageLocation:
# IDS_POLICY_HOMEPAGELOCATION_CAPTION
# or other messages of the policy HomepageLocation:
# IDS_POLICY_HOMEPAGELOCATION_LABEL
# IDS_POLICY_HOMEPAGELOCATION_DESC
# -For enum items:
# IDS_POLICY_ENUM_<NAME OF THE ITEM>
# e.g. the name of the caption of ProxyServerDisabled:
# IDS_POLICY_ENUM_PROXYSERVERDISABLED_CAPTION
#
# Products and versions:
# Each policy has the list of products and version numbers where it is
# supported under the key 'supported_on'. Each item of this list has the
# form of 'product:since_version-until_version', which means that support
# for the policy in 'product' was introduced in 'since_version' and removed
# after 'until_version'. Product names may contain a suffix specifying a
# platform name, e.g.: 'chrome.win' is read as 'Chrome on Windows'. Version
# numbers can be any string that does not contain ':' or '-' characters.
#
# Currently supported product names:
# 'chrome_frame', 'chrome_os', 'android', 'webview_android',
# 'chrome.win', 'chrome.linux', 'chrome.mac', 'chrome.*'
# For example if 'chrome.*:5-10' is specified for a policy, then it should
# be read as:
# 'chrome.linux:5-10', 'chrome.mac:5-10', 'chrome.win:5-10'
#
# The product name also affects in which templates the policy is included:
# chrome.*, chrome.win, chrome_frame -> ADM, ADMX, ADML, doc
# chrome.*, chrome.linux -> JSON, doc
# chrome.*, chrome.mac -> plist, plist_strings, doc
# everything else -> doc
#
# The default list of policies supported by Chrome is also generated based
# on the product names:
# chrome.* -> Chrome policy definition list
# chrome_os -> Chrome policy definition list, when building OS_CHROMEOS
#
# Annotations:
# Additional information is specified under keys 'features' and
# 'example_value'. These are used in the generated documentation and example
# policy configuration files. Examples must cover the entire schema, i.e. use
# every defined property at least once.
# 'dynamic_refresh' controls if the generated documentation should state that
# the policy supports dynamic refresh or not. Supporting dynamic refresh means
# that Chrome respects the changes to the policy immediately, without the need
# for restart.
# 'can_be_mandatory' Set to False to suppress the policy in the generated
# mandatory policy templates. The generated documentation for the policy
# will contain a suitable hint for administrators.
# 'can_be_recommended' Set to True to include the policy in the generated
# recommended policy templates. The generated documentation for the policy
# will contain a suitable hint for administrators.
# Policies settings in the mandatory template override user preferences, while
# recommended policies provide a default setting that may be overridden by the
# user. By default, each policy is mandatory and not recommended.
# 'per_profile' controls whether a user policy applies to every user logging
# into the browser or only one profile.
#
# The 'max_size' key is used to specify the maximal size of the external data
# that a policy can reference, in bytes. This annotation is compulsory for
# policies of type 'external'. It is ignored for all other policy types.
#
# The 'future' key is used to indicate that a policy isn't yet ready for
# usage. It defaults to False, and currently affects the generated policy
# templates and documentation. The policy definition list that Chrome sees
# will include policies marked with 'future'. If a WIP policy isn't meant to
# be seen by the policy providers either, the 'supported_on' key should be set
# to an empty list.
#
# Schemas:
# All policies have a key 'schema' which describes the schema of the policy.
# This schema supports a subset of the JSON Schema standard
# (https://json-schema.org/understanding-json-schema/index.html). For more
# information see //components/policy/tools/schema_validator.py. This
# validator is also used during presubmit to validate all schemas,
# validation_schemas and the example_values. On the client-side we use
# //components/policy/core/common/schema.h to validate policy values against
# the provided schemas in this file. This validator supports the same subset
# of features supported by the python schema validator used during presubmit.
#
# For many policies this is simply a type eg 'boolean' or 'string', but for
# 'dict' policies this describes the types of not only the root object, but
# also all of its descendants. This schema data is used to validate 'dict'
# policies, if a SchemaValidatingPolicyHandler is configured appropriately in
# configuration_policy_handler_list_factory.cc
#
# Some policies at first seem to have simple schema e.g. a string or a list of
# strings, but those strings are actually JSON strings, and this JSON has
# another schema. This type of policy is deprecated. When adding new policies,
# make sure the entire schema is described by the 'schema' field and that
# there are no strings which contain JSON.
# The legacy policies which contain JSON strings have an extra field, the
# 'validation_schema' which is used to validate not only the schema of the
# policy itself, but also the content of the JSON strings inside the policy.
# Do not use this field when adding new policies.
#
# IDs:
# Since a Protocol Buffer definition is generated from this file, unique and
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
# For your editing convenience:
# The highest ID currently used is always set in the
# 'highest_id_currently_used' value at the end of this file.
# And don't forget to also update the EnterprisePolicies enum of
# histograms.xml (run 'python tools/metrics/histograms/update_policies.py').
# A policy can be deleted from this file if and only if it is never launched;
# in which case its id must be added to the 'deleted_policy_ids' list to
# prevent reuse.
#
# Placeholders:
# The following placeholder strings are automatically substituted:
# $1 -> Google Chrome / Chromium
# $2 -> Google Chrome OS / Chromium OS
# $3 -> Google Chrome Frame / Chromium Frame
# $6 is reserved for doc_writer
#
# Device Policy:
# An additional flag 'device_only' (optional, defaults to False) indicates
# that this policy is only supported as a device-level Cloud Policy. In that
# case no entry in the UserPolicy Protobuf is generated and it is assumed that
# it will be added to the DevicePolicy Protobuf manually. Device policy only
# exists on Chrome OS.
#
# Management Type:
# Chrome OS devices can either be managed through the Google cloud or through
# Active Directory. Most policies are supported for both management types, but
# some are not. To indicate supported management types, use
# 'supported_chrome_os_management': ['google_cloud', 'active_directory'],
# where
# 'google_cloud' = Policy is supported for Google cloud management.
# 'active_directory' = Policy is supported for Active Directory management.
# This setting applies to Chrome OS only. If the setting is missing, both
# types are assumed. The array must not be empty.
#
# Enterprise defaults for user policy:
# For managed users on Chrome OS (i.e. users receiving user policy from the
# cloud), if the optional key 'default_for_enterprise_users' is set, its value
# is applied as mandatory policy unless a different setting is received from
# the cloud. This default value handling is automatically enforced by the
# policy stack when filling the PolicyMap (specifically, by the generated
# function SetEnterpriseUsersDefaults).
#
# Enterprise defaults for device policy:
# The optional key 'default_for_managed_devices_doc_only' can be used to
# document a differing default value for devices enrolled into enterprise
# management. This is for documentation only - the enrollment-dependent
# handling must be manually implemented.
'risk_tag_definitions' : [
# All following tags are ordered by severity of their impact.
# TODO(fhorschig|tnagel): Revisit user-descriptions after reviews.
{
'name': 'full-admin-access',
'description': '''Policies with this tag enable an administrator to
execute arbitrary code or configure a machine in a way that a
man-in-the-middle situation can occur.''',
'user-description': '''Your administrator has set up certificates or applications that could potentially access all of your data.
This could possibly allow inspecting and modifying all data sent and received by Chrome.'''
},
{
'name': 'system-security',
'description': '''Policies with this tag can make the user vulnerable
against attacks which are not possible when the policies are unset.
This includes execution of deprecated code or unsafe configuration of
network settings and proxies.''',
'user-description': '''Policy set by your administrator could enable functionality that is outdated or that could reduce the security of the system in other ways.'''
},
{
'name': 'website-sharing',
'description': '''Setting Policies with this tag will allow sharing
information with a server that would normally not be allowed.
Those information can include geolocation, audio/video device inputs or
data that can be used to identify the user.''',
'user-description': '''Policy set by your administrator could enable sharing of data with websites.
Some of these data might suffice to identify you or could be used to record private information.'''
},
{
'name': 'admin-sharing',
'description': '''Policies with this tag enable an administrator to log
the user's activity or traffic.''',
'user-description': '''Policy configured by your administrator might allow them to gather general information about your device and your activity.'''
},
{
'name': 'filtering',
'description': '''Policies with this tag can restrict the information a
user can query from the world-wide web. This includes blocked websites,
enforced search settings and partly data synchronization.''',
'user-description': '''Your administrator has set up policy that may restrict your access to websites, services or search results.'''
},
{
'name': 'local-data-access',
'description': '''Policies with this tag can cause storing data to or
reading data from a local file system without the user's knowledge. This
includes import of existing settings to the cloud or avoiding clean-up of
local history data.''',
'user-description': '''Your administrator has set up policy that could cause private data to be imported from your system or could cause private data to be written to an admin-specified place.'''
},
{
'name': 'google-sharing',
'description': '''Set policies might enforce sharing data with google,
like crash reports or history.''',
'user-description': '''There are policies set by your administrator which can affect the communication with Google services.
Therefore, some services could either be unreachable or you might not be able to restrict sent data.'''
}
],
'policy_definitions': [
{
'name': 'Homepage',
'type': 'group',
'caption': '''Home page''',
'desc': '''Configure the default home page in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing it.
The user's home page settings are only completely locked down, if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'.''',
'policies': [
'HomepageLocation',
'HomepageIsNewTabPage',
],
},
{
'name': 'NewTabPage',
'type': 'group',
'caption': '''New Tab Page''',
'desc': '''Configure the default New Tab page in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'policies': [
'NewTabPageLocation',
],
},
{
'name': 'RemoteAccess',
'type': 'group',
'caption': '''Configure remote access options''',
'desc': '''Configure remote access options in Chrome Remote Desktop host.
Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using Chrome Remote Desktop application. The native service is packaged and executed separately from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> browser.
These policies are ignored unless the
Chrome Remote Desktop host is installed.''',
'policies': [
'RemoteAccessClientFirewallTraversal',
'RemoteAccessHostClientDomain',
'RemoteAccessHostClientDomainList',
'RemoteAccessHostFirewallTraversal',
'RemoteAccessHostDomain',
'RemoteAccessHostDomainList',
'RemoteAccessHostRequireTwoFactor',
'RemoteAccessHostTalkGadgetPrefix',
'RemoteAccessHostRequireCurtain',
'RemoteAccessHostAllowClientPairing',
'RemoteAccessHostAllowGnubbyAuth',
'RemoteAccessHostAllowRelayedConnection',
'RemoteAccessHostUdpPortRange',
'RemoteAccessHostMatchUsername',
'RemoteAccessHostTokenUrl',
'RemoteAccessHostTokenValidationUrl',
'RemoteAccessHostTokenValidationCertificateIssuer',
'RemoteAccessHostDebugOverridePolicies',
'RemoteAccessHostAllowUiAccessForRemoteAssistance',
],
},
{
'name': 'PasswordManager',
'type': 'group',
'caption': '''Password manager''',
'desc': '''Configures the password manager.''',
'policies': [
'PasswordManagerEnabled',
'PasswordManagerAllowShowPasswords',
],
},
{
'name': 'Proxy',
'type': 'group',
'caption': '''Proxy server''',
'desc': '''Allows you to specify the proxy server used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing proxy settings.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to auto detect the proxy server, all other options are ignored.
For detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and ARC-apps ignore all proxy-related options specified from the command line.
Leaving these policies not set will allow the users to choose the proxy settings on their own.''',
'policies': [
'ProxyMode',
'ProxyServerMode',
'ProxyServer',
'ProxyPacUrl',
'ProxyBypassList',
],
},
{
'name': 'HTTPAuthentication',
'type': 'group',
'caption': '''Policies for HTTP authentication''',
'desc': '''Policies related to integrated HTTP authentication.''',
'policies': [
'AuthSchemes',
'DisableAuthNegotiateCnameLookup',
'EnableAuthNegotiatePort',
'AuthServerWhitelist',
'AuthNegotiateDelegateWhitelist',
'GSSAPILibraryName',
'AuthAndroidNegotiateAccountType',
'AllowCrossOriginAuthPrompt',
'NtlmV2Enabled',
],
},
{
'name': 'Extensions',
'type': 'group',
'caption': '''Extensions''',
'desc': '''Configures extension-related policies. The user is not allowed to install blacklisted extensions unless they are whitelisted. You can also force <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to automatically install extensions by specifying them in <ph name="EXTENSION_INSTALL_FORCELIST_POLICY_NAME">ExtensionInstallForcelist</ph>. Force-installed extensions are installed regardless whether they are present in the blacklist.''',
'policies': [
'ExtensionInstallBlacklist',
'ExtensionInstallWhitelist',
'ExtensionInstallForcelist',
'ExtensionInstallSources',
'ExtensionAllowedTypes',
'ExtensionSettings',
],
},
{
'name': 'RestoreOnStartupGroup',
'type': 'group',
'caption': '''Startup pages''',
'desc': '''Allows you to configure the pages that are loaded on startup.
The contents of the list 'URLs to open at startup' are ignored unless you select 'Open a list of URLs' in 'Action on startup'.''',
'policies': [
'RestoreOnStartup',
'RestoreOnStartupURLs',
],
},
{
# TODO(joaodasilva): Flag these policies with 'can_be_recommended'
# after fixing https://crbug.com/106683
'name': 'DefaultSearchProvider',
'type': 'group',
'caption': '''Default search provider''',
'desc': '''Configures the default search provider. You can specify the default search provider that the user will use or choose to disable default search.''',
'policies': [
'DefaultSearchProviderEnabled',
'DefaultSearchProviderName',
'DefaultSearchProviderKeyword',
'DefaultSearchProviderSearchURL',
'DefaultSearchProviderSuggestURL',
'DefaultSearchProviderInstantURL',
'DefaultSearchProviderIconURL',
'DefaultSearchProviderEncodings',
'DefaultSearchProviderAlternateURLs',
'DefaultSearchProviderSearchTermsReplacementKey',
'DefaultSearchProviderImageURL',
'DefaultSearchProviderNewTabURL',
'DefaultSearchProviderSearchURLPostParams',
'DefaultSearchProviderSuggestURLPostParams',
'DefaultSearchProviderInstantURLPostParams',
'DefaultSearchProviderImageURLPostParams',
],
},
{
# TODO(joaodasilva): Flag these policies with 'can_be_recommended'
# after fixing https://crbug.com/106682
'name': 'ContentSettings',
'type': 'group',
'caption': '''Content Settings''',
'desc': '''Content Settings allow you to specify how contents of a specific type (for example Cookies, Images or JavaScript) is handled.''',
'policies': [
'DefaultCookiesSetting',
'DefaultImagesSetting',
'DefaultJavaScriptSetting',
'DefaultPluginsSetting',
'DefaultPopupsSetting',
'DefaultNotificationsSetting',
'DefaultGeolocationSetting',
'DefaultMediaStreamSetting',
'DefaultWebBluetoothGuardSetting',
'DefaultKeygenSetting',
'DefaultWebUsbGuardSetting',
'AutoSelectCertificateForUrls',
'CookiesAllowedForUrls',
'CookiesBlockedForUrls',
'CookiesSessionOnlyForUrls',
'ImagesAllowedForUrls',
'ImagesBlockedForUrls',
'JavaScriptAllowedForUrls',
'JavaScriptBlockedForUrls',
'KeygenAllowedForUrls',
'KeygenBlockedForUrls',
'PluginsAllowedForUrls',
'PluginsBlockedForUrls',
'PopupsAllowedForUrls',
'RegisteredProtocolHandlers',
'PopupsBlockedForUrls',
'NotificationsAllowedForUrls',
'NotificationsBlockedForUrls',
"WebUsbAllowDevicesForUrls",
'WebUsbAskForUrls',
'WebUsbBlockedForUrls',
],
},
{
'name': 'NativeMessaging',
'type': 'group',
'caption': '''Native Messaging''',
'desc': '''Configures policies for Native Messaging. Blacklisted native messaging hosts won't be allowed unless they are whitelisted.''',
'policies': [
'NativeMessagingBlacklist',
'NativeMessagingWhitelist',
'NativeMessagingUserLevelHosts',
],
},
{
'name': 'ChromeFrameRendererSettings',
'type': 'group',
'caption': '''Default HTML renderer for <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'desc': '''Allows you to configure the default HTML renderer when <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> is installed.
The default setting is to allow the host browser do the rendering, but you can optionally override this and have <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> render HTML pages by default.''',
'policies': [
'ChromeFrameRendererSettings',
'RenderInChromeFrameList',
'RenderInHostList',
'AdditionalLaunchParameters',
'SkipMetadataCheck',
],
},
{
'name': 'ChromeFrameContentTypes',
'type': 'group',
'caption': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the following content types''',
'desc': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the following content types.''',
'policies': [
'ChromeFrameContentTypes',
],
},
{
'name': 'Drive',
'type': 'group',
'caption': '''Configure Google Drive options''',
'desc': '''Configure Google Drive in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
'DriveDisabled',
'DriveDisabledOverCellular',
],
},
{
'name': 'PowerManagement',
'type': 'group',
'caption': '''Power management''',
'desc': '''Configure power management in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
These policies let you configure how <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> behaves when the user remains idle for some amount of time.''',
'policies': [
'ScreenDimDelayAC',
'ScreenOffDelayAC',
'ScreenLockDelayAC',
'IdleWarningDelayAC',
'IdleDelayAC',
'ScreenDimDelayBattery',
'ScreenOffDelayBattery',
'ScreenLockDelayBattery',
'IdleWarningDelayBattery',
'IdleDelayBattery',
'IdleAction',
'IdleActionAC',
'IdleActionBattery',
'LidCloseAction',
'PowerManagementUsesAudioActivity',
'PowerManagementUsesVideoActivity',
'PresentationIdleDelayScale',
'PresentationScreenDimDelayScale',
'AllowWakeLocks',
'AllowScreenWakeLocks',
'UserActivityScreenDimDelayScale',
'WaitForInitialUserActivity',
'PowerManagementIdleSettings',
'ScreenLockDelays',
'PowerSmartDimEnabled',
'ScreenBrightnessPercent',
],
},
{
'name': 'Accessibility',
'type': 'group',
'caption': '''Accessibility settings''',
'desc': '''Configure <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> accessibility features.''',
'policies': [
'ShowAccessibilityOptionsInSystemTrayMenu',
'LargeCursorEnabled',
'SpokenFeedbackEnabled',
'HighContrastEnabled',
'VirtualKeyboardEnabled',
'KeyboardDefaultToFunctionKeys',
'ScreenMagnifierType',
'DeviceLoginScreenDefaultLargeCursorEnabled',
'DeviceLoginScreenDefaultSpokenFeedbackEnabled',
'DeviceLoginScreenDefaultHighContrastEnabled',
'DeviceLoginScreenDefaultVirtualKeyboardEnabled',
'DeviceLoginScreenDefaultScreenMagnifierType',
],
},
{
'name': 'Attestation',
'type': 'group',
'caption': 'Remote Attestation',
'desc': 'Configure the remote attestation with TPM mechanism.',
'policies': [
'AttestationEnabledForDevice',
'AttestationEnabledForUser',
'AttestationExtensionWhitelist',
'AttestationForContentProtectionEnabled',
],
},
{
'name': 'LocallyManagedUsers',
'type': 'group',
'caption': '''Locally managed users settings''',
'desc': '''Configure settings for managed users.''',
'policies': [
'ContentPackDefaultFilteringBehavior',
'ContentPackManualBehaviorHosts',
'ContentPackManualBehaviorURLs',
'SupervisedUsersEnabled',
'SupervisedUserCreationEnabled',
'SupervisedUserContentProviderEnabled',
],
},
{
'name': 'GoogleCast',
'type': 'group',
'caption': '''<ph name="PRODUCT_NAME">Google Cast</ph>''',
'desc': '''Configure policies for <ph name="PRODUCT_NAME">Google Cast</ph>, a feature that allows users to send the contents of tabs, sites or the desktop from the browser to remote displays and sound systems.''',
'policies': [
'EnableMediaRouter',
'ShowCastIconInToolbar',
],
},
{
'name': 'QuickUnlock',
'type': 'group',
'caption': '''Quick unlock policies''',
'desc': '''Configures quick unlock related policies.''',
'policies': [
'QuickUnlockModeWhitelist',
'QuickUnlockTimeout',
'PinUnlockMinimumLength',
'PinUnlockMaximumLength',
'PinUnlockWeakPinsAllowed',
],
},
{
'name': 'CastReceiver',
'type': 'group',
'caption': '''Cast Receiver''',
'desc': '''Configure the Cast Receiver in <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
'CastReceiverEnabled',
'CastReceiverName',
]
},
{
'name': 'SafeBrowsing',
'type': 'group',
'caption': '''Safe Browsing settings''',
'desc': '''Configure Safe Browsing related policies.''',
'policies': [
'SafeBrowsingEnabled',
'SafeBrowsingExtendedReportingEnabled',
'SafeBrowsingExtendedReportingOptInAllowed',
'SafeBrowsingWhitelistDomains',
'PasswordProtectionWarningTrigger',
'PasswordProtectionLoginURLs',
'PasswordProtectionChangePasswordURL',
],
},
{
'name': 'NetworkFileShares',
'type': 'group',
'caption': '''Network File Shares settings''',
'desc': '''Configure Network File Share related policies.''',
'policies': [
'NetworkFileSharesAllowed',
'NetBiosShareDiscoveryEnabled',
'NTLMShareAuthenticationEnabled',
'NetworkFileSharesPreconfiguredShares',
],
},
{
'name': 'ChromeReportingExtension',
'type': 'group',
'caption': '''Chrome Reporting Extension''',
'desc': '''Configure Chrome Reporting Extension related policies.
This policy is only effective when the <ph name="CHROME_REPORTING_EXTENSION_NAME">Chrome Reporting Extension</ph> is enabled, and the machine is enrolled with <ph name="MACHINE_LEVEL_USER_CLOUD_POLICY_ENROLLMENT_TOKEN_POLICY_NAME">MachineLevelUserCloudPolicyEnrollmentToken</ph>.''',
'policies': [
'ReportVersionData',
'ReportPolicyData',
'ReportMachineIDData',
'ReportUserIDData',
'ReportExtensionsAndPluginsData',
'ReportSafeBrowsingData',
'CloudReportingEnabled',
],
},
{
'name': 'BrowserSwitcher',
'type': 'group',
'caption': '''<ph name="LBS_PRODUCT_NAME">Legacy Browser Support</ph>''',
'desc': '''Configure policies to switch between browsers.
Configured websites will automatically open in another browser than <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'policies': [
'AlternativeBrowserPath',
'AlternativeBrowserParameters',
'BrowserSwitcherUrlList',
'BrowserSwitcherUrlGreylist',
'BrowserSwitcherUseIeSitelist',
],
},
{
'name': 'HomepageLocation',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://www.chromium.org',
'id': 1,
'caption': '''Configure the home page URL''',
'tags': [],
'desc': '''Configures the default home page URL in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing it.
The home page is the page opened by the Home button. The pages that open on startup are controlled by the RestoreOnStartup policies.
The home page type can either be set to a URL you specify here or set to the New Tab Page. If you select the New Tab Page, then this policy does not take effect.
If you enable this setting, users cannot change their home page URL in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, but they can still choose the New Tab Page as their home page.
Leaving this policy not set will allow the user to choose their home page on their own if HomepageIsNewTabPage is not set too.
This policy is not available on Windows instances that are not joined
to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain.''',
'label': '''Home page URL''',
},
{
'name': 'HomepageIsNewTabPage',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 2,
'caption': '''Use New Tab Page as homepage''',
'tags': [],
'desc': '''Configures the type of the default home page in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing home page preferences. The home page can either be set to a URL you specify or set to the New Tab Page.
If you enable this setting, the New Tab Page is always used for the home page, and the home page URL location is ignored.
If you disable this setting, the user's homepage will never be the New Tab Page, unless its URL is set to 'chrome://newtab'.
If you enable or disable this setting, users cannot change their homepage type in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Leaving this policy not set will allow the user to choose whether the new tab page is their home page on their own.
This policy is not available on Windows instances that are not joined
to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain.''',
},
{
'name': 'NewTabPageLocation',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:58-', 'chrome_os:58-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://www.chromium.org',
'id': 360,
'caption': '''Configure the New Tab page URL''',
'tags': [],
'desc': '''Configures the default New Tab page URL and prevents users from changing it.
The New Tab page is the page opened when new tabs are created (including the one opened in new windows).
This policy does not decide which pages are to be opened on start up. Those are controlled by the <ph name="RESTORE_ON_STARTUP_POLICY_NAME">RestoreOnStartup</ph> policies. Yet this policy does affect the Home Page if that is set to open the New Tab page, as well as the startup page if that is set to open the New Tab page.
If the policy is not set or left empty the default new tab page is used.
This policy is not available on Windows instances that are not joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain.''',
'label': '''New Tab page URL''',
},
{
'name': 'DefaultBrowserSettingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 3,
'caption': '''Set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as Default Browser''',
'tags': [],
'desc': '''Configures the default browser checks in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing them.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will always check on startup whether it is the default browser and automatically register itself if possible.
If this setting is disabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will never check if it is the default browser and will disable user controls for setting this option.
If this setting is not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will allow the user to control whether it is the default browser and whether user notifications should be shown when it isn't.
Note for administrators of <ph name="MS_WIN_NAME">Microsoft® Windows</ph>: Enabling this setting will only work for machines running Windows 7. For versions of Windows starting with Windows 8, you must deploy a "default application associations" file that makes <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> the handler for the <ph name="HHTPS_PROTOCOL">https</ph> and <ph name="HTTP_PROTOCOL">http</ph> protocols (and, optionally, the <ph name="FTP_PROTOCOL">ftp</ph> protocol and file formats such as <ph name="HTML_EXTENSION">.html</ph>, <ph name="HTM_EXTENSION">.htm</ph>, <ph name="PDF_EXTENSION">.pdf</ph>, <ph name="SVG_EXTENSION">.svg</ph>, <ph name="WEBP_EXTENSION">.webp</ph>, etc...). See <ph name="SUPPORT_URL">https://support.google.com/chrome?p=make_chrome_default_win</ph> for more information.''',
'label': '''Set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as Default Browser''',
},
{
'name': 'ApplicationLocaleValue',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:8-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'en',
'id': 4,
'caption': '''Application locale''',
'tags': [],
'desc': '''Configures the application locale in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing the locale.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the specified locale. If the configured locale is not supported, 'en-US' is used instead.
If this setting is disabled or not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses either the user-specified preferred locale (if configured), the system locale or the fallback locale 'en-US'.''',
'label': '''Application locale''',
},
{
'name': 'AlternateErrorPagesEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 5,
'caption': '''Enable alternate error pages''',
'tags': [],
'desc': '''Enables the use of alternate error pages that are built into <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> (such as 'page not found') and prevents users from changing this setting.
If you enable this setting, alternate error pages are used.
If you disable this setting, alternate error pages are never used.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'SearchSuggestEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 6,
'caption': '''Enable search suggestions''',
'tags': [],
'desc': '''Enables search suggestions in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s omnibox and prevents users from changing this setting.
If you enable this setting, search suggestions are used.
If you disable this setting, search suggestions are never used.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'DnsPrefetchingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-53', 'chrome_os:11-53', 'android:30-53'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 7,
'caption': '''Enable network prediction''',
'tags': [],
'desc': '''This policy is deprecated in M48 in favor of <ph name="NETWORK_PREDICTION_OPTIONS_POLICY_NAME">NetworkPredictionOptions</ph>, and removed in M54.
Enables network prediction in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages. The policy name refers to DNS prefetching for historical reasons.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'NetworkPredictionOptions',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'NetworkPredictionAlways',
'value': 0,
'caption': '''Predict network actions on any network connection''',
},
{
'name': 'NetworkPredictionWifiOnly',
'value': 1,
'caption': '''Predict network actions on any network that is not cellular.
(Deprecated in 50, removed in 52. After 52, if value 1 is set, it will be treated as 0 - predict network actions on any network connection.)''',
},
{
'name': 'NetworkPredictionNever',
'value': 2,
'caption': '''Do not predict network actions on any network connection''',
},
],
'supported_on': ['chrome.*:38-', 'chrome_os:38-', 'android:38-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 273,
'caption': '''Enable network prediction''',
'tags': [],
'desc': '''Enables network prediction in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
This controls DNS prefetching, TCP and SSL preconnection and prerendering of web pages.
If you set this policy, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, network prediction will be enabled but the user will be able to change it.''',
},
{
'name': 'WPADQuickCheckEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [ 'chrome.*:35-', 'chrome_os:35-' ],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 261,
'caption': '''Enable WPAD optimization''',
'tags': ['system-security'],
'desc': '''Allows to turn off WPAD (Web Proxy Auto-Discovery) optimization in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is set to false, WPAD optimization is disabled causing <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to wait longer for DNS-based WPAD servers. If the policy is not set or is enabled, WPAD optimization is enabled.
Independent of whether or how this policy is set, the WPAD optimization setting cannot be changed by users.''',
},
{
'name': 'DisableSpdy',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-53', 'chrome_os:11-53', 'android:30-53'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 8,
'caption': '''Disable SPDY protocol''',
'tags': [],
'desc': '''This policy is deprecated in M53 and removed in M54, because SPDY/3.1 support is removed.
Disables use of the SPDY protocol in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is enabled the SPDY protocol will not be available in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting this policy to disabled will allow the usage of SPDY.
If this policy is left not set, SPDY will be available.''',
},
{
'name': 'DisabledSchemes',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:12-', 'chrome_os:12-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['file', 'https'],
'id': 85,
'caption': '''Disable URL protocol schemes''',
'tags': [],
'desc': '''This policy is deprecated, please use URLBlacklist instead.
Disables the listed protocol schemes in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
URLs using a scheme from this list will not load and can not be navigated to.
If this policy is left not set or the list is empty all schemes will be accessible in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'label': '''List of disabled protocol schemes''',
},
{
'name': 'Http09OnNonDefaultPortsEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:54-', 'chrome_os:54-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 345,
'caption': '''Enable HTTP/0.9 support on non-default ports''',
'tags': [],
'desc': '''This policy enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS.
This policy is disabled by default, and if enabled, leaves users open to the security issue https://crbug.com/600352.
This policy is intended to give enterprises a chance to migrate exising servers off of HTTP/0.9, and will be removed in the future.
If this policy is not set, HTTP/0.9 will be disabled on non-default ports.''',
},
{
'name': 'JavascriptEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 9,
'caption': '''Enable JavaScript''',
'tags': [],
'desc': '''This policy is deprecated, please use DefaultJavaScriptSetting instead.
Can be used to disabled JavaScript in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is disabled, web pages cannot use JavaScript and the user cannot change that setting.
If this setting is enabled or not set, web pages can use JavaScript but the user can change that setting.''',
},
{
'name': 'IncognitoEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 10,
'caption': '''Enable Incognito mode''',
'tags': [],
'desc': '''This policy is deprecated. Please, use IncognitoModeAvailability instead.
Enables Incognito mode in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is enabled or not configured, users can open web pages in incognito mode.
If this setting is disabled, users cannot open web pages in incognito mode.
If this policy is left not set, this will be enabled and the user will be able to use incognito mode.''',
},
{
'name': 'IncognitoModeAvailability',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Enabled',
'value': 0,
'caption': '''Incognito mode available''',
},
{
'name': 'Disabled',
'value': 1,
'caption': '''Incognito mode disabled''',
},
{
'name': 'Forced',
'value': 2,
'caption': '''Incognito mode forced''',
},
],
'supported_on': [
'chrome.*:14-',
'chrome_os:14-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 93,
'caption': '''Incognito mode availability''',
'tags': ['filtering'],
'desc': '''Specifies whether the user may open pages in Incognito mode in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.
If 'Disabled' is selected, pages may not be opened in Incognito mode.
If 'Forced' is selected, pages may be opened ONLY in Incognito mode.''',
},
{
'name': 'SavingBrowserHistoryDisabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 11,
'caption': '''Disable saving browser history''',
'tags': [],
'desc': '''Disables saving browser history in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
If this setting is enabled, browsing history is not saved. This setting also disables tab syncing.
If this setting is disabled or not set, browsing history is saved.''',
},
{
'name': 'AllowDeletingBrowserHistory',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:57-', 'chrome_os:57-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 187,
'caption': '''Enable deleting browser and download history''',
'tags': ['local-data-access', 'admin-sharing'],
'desc': '''Enables deleting browser history and download history in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
Note that even with this policy disabled, the browsing and download history are not guaranteed to be retained: users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.
If this setting is enabled or not set, browsing and download history can be deleted.
If this setting is disabled, browsing and download history cannot be deleted.''',
},
{
'name': 'AllowDinosaurEasterEgg',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:48-', 'chrome.*:48-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'id': 309,
'default_for_enterprise_users': False,
'caption': '''Allow Dinosaur Easter Egg Game''',
'tags': [],
'desc': '''Allow users to play dinosaur easter egg game when device is offline.
If this policy is set to False, users will not be able to play the dinosaur easter egg game when device is offline. If this setting is set to True, users are allowed to play the dinosaur game. If this policy is not set, users are not allowed to play the dinosaur easter egg game on enrolled Chrome OS, but are allowed to play it under other circumstances.''',
},
{
'name': 'RemoteAccessClientFirewallTraversal',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:14-16', 'chrome_os:14-16'],
'features': {
'dynamic_refresh': True,
},
# Mark this 'removed' when https://crbug.com/100216 is resolved.
'deprecated': True,
'example_value': False,
'id': 94,
'caption': '''Enable firewall traversal from remote access client''',
'tags': [],
'desc': '''This policy is no longer supported.
Enables usage of STUN and relay servers when connecting to a remote client.
If this setting is enabled, then this machine can discover and connect to remote host machines even if they are separated by a firewall.
If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine can only connect to host machines within the local network.''',
},
{
'name': 'RemoteAccessHostClientDomain',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 'my-awesome-domain.com',
'id': 316,
'caption': '''Configure the required domain name for remote access clients''',
'tags': [],
'desc': '''This policy is deprecated. Please use RemoteAccessHostClientDomainList instead.''',
},
{
'name': 'RemoteAccessHostClientDomainList',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:60-', 'chrome_os:60-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': ['my-awesome-domain.com', 'my-auxiliary-domain.com'],
'id': 369,
'caption': '''Configure the required domain names for remote access clients''',
'tags': [],
'desc': '''Configures the required client domain names that will be imposed on remote access clients and prevents users from changing it.
If this setting is enabled, then only clients from one of the specified domains can connect to the host.
If this setting is disabled or not set, then the default policy for the connection type is applied. For remote assistance, this allows clients from any domain to connect to the host; for anytime remote access, only the host owner can connect.
This setting will override RemoteAccessHostClientDomain, if present.
See also RemoteAccessHostDomainList.''',
},
{
'name': 'RemoteAccessHostFirewallTraversal',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:14-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 95,
'caption': '''Enable firewall traversal from remote access host''',
'tags': [],
'desc': '''Enables usage of STUN servers when remote clients are trying to establish a connection to this machine.
If this setting is enabled, then remote clients can discover and connect to this machines even if they are separated by a firewall.
If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network.
If this policy is left not set the setting will be enabled.''',
},
{
'name': 'RemoteAccessHostDomain',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 'my-awesome-domain.com',
'id': 154,
'caption': '''Configure the required domain name for remote access hosts''',
'tags': [],
'desc': '''This policy is deprecated. Please use RemoteAccessHostDomainList instead.''',
},
{
'name': 'RemoteAccessHostDomainList',
'type': 'list',
'schema': {
'type': 'array',
'items': {'type': 'string' },
},
'supported_on': ['chrome.*:60-', 'chrome_os:60-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': ['my-awesome-domain.com', 'my-auxiliary-domain.com'],
'id': 368,
'caption': '''Configure the required domain names for remote access hosts''',
'tags': [],
'desc': '''Configures the required host domain names that will be imposed on remote access hosts and prevents users from changing it.
If this setting is enabled, then hosts can be shared only using accounts registered on one of the specified domain names.
If this setting is disabled or not set, then hosts can be shared using any account.
This setting will override RemoteAccessHostDomain, if present.
See also RemoteAccessHostClientDomainList.''',
},
{
'name': 'RemoteAccessHostRequireTwoFactor',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:22-22'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
# Mark this 'removed' when https://crbug.com/100216 is resolved.
'deprecated': True,
'example_value': False,
'id': 155,
'caption': '''Enable two-factor authentication for remote access hosts''',
'tags': [],
'desc': '''Enables two-factor authentication for remote access hosts instead of a user-specified PIN.
If this setting is enabled, then users must provide a valid two-factor code when accessing a host.
If this setting is disabled or not set, then two-factor will not be enabled and the default behavior of having a user-defined PIN will be used.''',
},
{
'name': 'RemoteAccessHostTalkGadgetPrefix',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'chromoting-host',
'id': 156,
'caption': '''Configure the TalkGadget prefix for remote access hosts''',
'tags': [],
'desc': '''Configures the TalkGadget prefix that will be used by remote access hosts and prevents users from changing it.
If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.
If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.
If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used for all hosts.
Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.''',
},
{
'name': 'RemoteAccessHostRequireCurtain',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:23-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 157,
'caption': '''Enable curtaining of remote access hosts''',
'tags': ['system-security'],
'desc': '''Enables curtaining of remote access hosts while a connection is in progress.
If this setting is enabled, then hosts' physical input and output devices are disabled while a remote connection is in progress.
If this setting is disabled or not set, then both local and remote users can interact with the host when it is being shared.''',
},
{
'name': 'RemoteAccessHostAllowClientPairing',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:30-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 234,
'caption': '''Enable or disable PIN-less authentication for remote access hosts''',
'tags': [],
'desc': '''If this setting is enabled or not configured, then users can opt to pair clients and hosts at connection time, eliminating the need to enter a PIN every time.
If this setting is disabled, then this feature will not be available.''',
},
{
'name': 'RemoteAccessHostAllowGnubbyAuth',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:35-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 257,
'caption': '''Allow gnubby authentication for remote access hosts''',
'tags': [],
'desc': '''If this setting is enabled, then gnubby authentication requests will be proxied across a remote host connection.
If this setting is disabled or not configured, gnubby authentication requests will not be proxied.''',
},
{
'name': 'RemoteAccessHostAllowRelayedConnection',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:36-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 263,
'caption': '''Enable the use of relay servers by the remote access host''',
'tags': [],
'desc': '''Enables usage of relay servers when remote clients are trying to establish a connection to this machine.
If this setting is enabled, then remote clients can use relay servers to connect to this machine when a direct connection is not available (e.g. due to firewall restrictions).
Note that if the policy <ph name="REMOTE_ACCESS_HOST_FIREWALL_TRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is disabled, this policy will be ignored.
If this policy is left not set the setting will be enabled.''',
},
{
'name': 'RemoteAccessHostUdpPortRange',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:36-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '12400-12409',
'id': 264,
'caption': '''Restrict the UDP port range used by the remote access host''',
'tags': [],
'desc': '''Restricts the UDP port range used by the remote access host in this machine.
If this policy is left not set, or if it is set to an empty string, the remote access host will be allowed to use any available port, unless the policy <ph name="REMOTE_ACCESS_HOST_FIREWALL_TRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is disabled, in which case the remote access host will use UDP ports in the 12400-12409 range.''',
},
{
'name': 'RemoteAccessHostMatchUsername',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.linux:25-', 'chrome.mac:25-', 'chrome_os:42-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 285,
'caption': '''Require that the name of the local user and the remote access host owner match''',
'tags': [],
'desc': '''If this setting is enabled, then the remote access host compares the name of the local user (that the host is associated with) and the name of the Google account registered as the host owner (i.e. "johndoe" if the host is owned by "johndoe@example.com" Google account). The remote access host will not start if the name of the host owner is different from the name of the local user that the host is associated with. RemoteAccessHostMatchUsername policy should be used together with RemoteAccessHostDomain to also enforce that the Google account of the host owner is associated with a specific domain (i.e. "example.com").
If this setting is disabled or not set, then the remote access host can be associated with any local user.''',
},
{
'name': 'RemoteAccessHostTokenUrl',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-','chrome_os:42-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'https://example.com/issue',
'id': 286,
'caption': '''URL where remote access clients should obtain their authentication token''',
'tags': ['website-sharing'],
'desc': '''If this policy is set, the remote access host will require authenticating clients to obtain an authentication token from this URL in order to connect. Must be used in conjunction with RemoteAccessHostTokenValidationUrl.
This feature is currently disabled server-side.''',
},
{
'name': 'RemoteAccessHostTokenValidationUrl',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-','chrome_os:42-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'https://example.com/validate',
'id': 287,
'caption': '''URL for validating remote access client authentication token''',
'tags': ['website-sharing'],
'desc': '''If this policy is set, the remote access host will use this URL to validate authentication tokens from remote access clients, in order to accept connections. Must be used in conjunction with RemoteAccessHostTokenUrl.
This feature is currently disabled server-side.''',
},
{
'name': 'RemoteAccessHostTokenValidationCertificateIssuer',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-','chrome_os:42-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'Example Certificate Authority',
'id': 288,
'caption': '''Client certificate for connecting to RemoteAccessHostTokenValidationUrl''',
'tags': [],
'desc': '''If this policy is set, the host will use a client certificate with the given issuer CN to authenticate to RemoteAccessHostTokenValidationUrl. Set it to "*" to use any available client certificate.
This feature is currently disabled server-side.''',
},
{
'name': 'RemoteAccessHostDebugOverridePolicies',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:25-47','chrome_os:42-47'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '{ "RemoteAccessHostMatchUsername": true }',
'id': 289,
'caption': '''Policy overrides for Debug builds of the remote access host''',
'tags': [],
'desc': '''Overrides policies on Debug builds of the remote access host.
The value is parsed as a JSON dictionary of policy name to policy value mappings.''',
},
{
'name': 'RemoteAccessHostAllowUiAccessForRemoteAssistance',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:55-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 344,
'caption': '''Allow remote users to interact with elevated windows in remote assistance sessions''',
'tags': ['system-security'],
'desc': '''If this setting is enabled, the remote assistance host will be run in a process with <ph name="UIACCESS_PERMISSION_NAME">uiAccess</ph> permissions. This will allow remote users to interact with elevated windows on the local user's desktop.
If this setting is disabled or not configured, the remote assistance host will run in the user's context and remote users cannot interact with elevated windows on the desktop.''',
},
{
'name': 'PrintingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:39-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 12,
'caption': '''Enable printing''',
'tags': [],
'desc': '''Enables printing in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
If this setting is enabled or not configured, users can print.
If this setting is disabled, users cannot print from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Printing is disabled in the wrench menu, extensions, JavaScript applications, etc. It is still possible to print from plugins that bypass <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> while printing. For example, certain Flash applications have the print option in their context menu, which is not covered by this policy.''',
'arc_support': 'This policy has no effect on Android apps.',
},
{
'name': 'CloudPrintProxyEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 13,
'caption': '''Enable <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> proxy''',
'tags': [],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to act as a proxy between <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> and legacy printers connected to the machine.
If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account.
If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it's printers with <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>.''',
},
{
'name': 'PrintingAllowedColorModes',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'any',
'color',
'monochrome',
],
},
'items': [
{
'name': 'any',
'value': 'any',
'caption': '''Allow all color modes''',
},
{
'name': 'color',
'value': 'color',
'caption': '''Color printing only''',
},
{
'name': 'monochrome',
'value': 'monochrome',
'caption': '''Monochrome printing only''',
},
],
'supported_on': ['chrome_os:70-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'monochrome',
'id': 474,
'caption': '''Restrict printing color mode''',
'tags': [],
'desc': '''Sets printing to color only, monochrome only or no color mode restriction. Unset policy is treated as no restriction.''',
},
{
'name': 'PrintingAllowedDuplexModes',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'any',
'simplex',
'duplex',
],
},
'items': [
{
'name': 'any',
'value': 'any',
'caption': '''Allow all duplex modes''',
},
{
'name': 'simplex',
'value': 'simplex',
'caption': '''Simplex printing only''',
},
{
'name': 'duplex',
'value': 'duplex',
'caption': '''Duplex printing only''',
},
],
'supported_on': ['chrome_os:71-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'duplex',
'id': 475,
'caption': '''Restrict printing duplex mode''',
'tags': [],
'desc': '''Restricts printing duplex mode. Unset policy and empty set are treated as no restriction.''',
},
{
'name': 'PrintingAllowedPageSizes',
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'WidthUm': {
'description': '''Width of the page in micrometers''',
'type': 'integer',
},
'HeightUm': {
'description': '''Height of the page in micrometers''',
'type': 'integer',
},
},
'required': ['WidthUm', 'HeightUm'],
},
},
'supported_on': ['chrome_os:72-'],
'future': True,
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [{'WidthUm': 210000, 'HeightUm': 297000}],
'id': 476,
'caption': '''Restrict printing page size''',
'tags': [],
'desc': '''Restricts printing page size. Unset policy and empty set are treated as no restriction.''',
},
{
'name': 'PrintingColorDefault',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'color',
'monochrome',
],
},
'items': [
{
'name': 'color',
'value': 'color',
'caption': '''Enable color printing''',
},
{
'name': 'monochrome',
'value': 'monochrome',
'caption': '''Enable monochrome printing''',
},
],
'supported_on': ['chrome_os:72-'],
'future': True,
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'monochrome',
'id': 477,
'caption': '''Default printing color mode''',
'tags': [],
'desc': '''Overrides default printing color mode. If the mode is unavailable this policy is ignored.''',
},
{
'name': 'PrintingDuplexDefault',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'simplex',
'short-edge',
'long-edge',
],
},
'items': [
{
'name': 'simplex',
'value': 'simplex',
'caption': '''Enable simplex printing''',
},
{
'name': 'short-edge',
'value': 'short-edge',
'caption': '''Enable short edge duplex printing''',
},
{
'name': 'long-edge',
'value': 'long-edge',
'caption': '''Enable long edge duplex printing''',
},
],
'supported_on': ['chrome_os:72-'],
'future': True,
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'long-edge',
'id': 478,
'caption': '''Default printing duplex mode''',
'tags': [],
'desc': '''Overrides default printing duplex mode. If the mode is unavailable this policy is ignored.''',
},
{
'name': 'PrintingSizeDefault',
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'WidthUm': {
'description': '''Width of the page in micrometers''',
'type': 'integer',
},
'HeightUm': {
'description': '''Height of the page in micrometers''',
'type': 'integer',
},
},
'required': ['WidthUm', 'HeightUm'],
},
'supported_on': ['chrome_os:72-'],
'future': True,
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {'WidthUm': 210000, 'HeightUm': 297000},
'id': 479,
'caption': '''Default printing page size''',
'tags': [],
'desc': '''Overrides default printing page size. If the page size is unavailable this policy is ignored.''',
},
{
'name': 'ForceSafeSearch',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:25-', 'chrome_os:25-', 'android:30-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 162,
'caption': '''Force SafeSearch''',
'tags': ['filtering'],
'desc': '''This policy is deprecated, please use <ph name="FORCE_GOOGLE_SAFE_SEARCH_POLICY_NAME">ForceGoogleSafeSearch</ph> and <ph name="FORCE_YOUTUBE_RESTRICT_POLICY_NAME">ForceYouTubeRestrict</ph> instead. This policy is ignored if either the <ph name="FORCE_GOOGLE_SAFE_SEARCH_POLICY_NAME">ForceGoogleSafeSearch</ph>, the <ph name="FORCE_YOUTUBE_RESTRICT_POLICY_NAME">ForceYouTubeRestrict</ph> or the (deprecated) <ph name="FORCE_YOUTUBE_SAFETY_MODE_POLICY_NAME">ForceYouTubeSafetyMode</ph> policies are set.
Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting. This setting also forces Moderate Restricted Mode on YouTube.
If you enable this setting, SafeSearch in Google Search and Moderate Restricted Mode YouTube is always active.
If you disable this setting or do not set a value, SafeSearch in Google Search and Restricted Mode in YouTube is not enforced.''',
},
{
'name': 'ForceGoogleSafeSearch',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:41-', 'chrome_os:41-', 'android:41-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 282,
'caption': '''Force Google SafeSearch''',
'tags': ['filtering'],
'desc': '''Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting.
If you enable this setting, SafeSearch in Google Search is always active.
If you disable this setting or do not set a value, SafeSearch in Google Search is not enforced.''',
},
{
'name': 'ForceYouTubeSafetyMode',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:41-', 'chrome_os:41-', 'android:41-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 283,
'caption': '''Force YouTube Safety Mode''',
'tags': ['filtering'],
'desc': '''This policy is deprecated. Consider using <ph name="FORCE_YOUTUBE_RESTRICT_POLICY_NAME">ForceYouTubeRestrict</ph>, which overrides this policy and allows more fine-grained tuning.
Forces YouTube Moderate Restricted Mode and prevents users from changing this setting.
If this setting is enabled, Restricted Mode on YouTube is always enforced to be at least Moderate.
If this setting is disabled or no value is set, Restricted Mode on YouTube is not enforced by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. External policies such as YouTube policies might still enforce Restricted Mode, though.''',
'arc_support': 'This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.',
},
{
'name': 'ForceYouTubeRestrict',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Off',
'value': 0,
'caption': '''Do not enforce Restricted Mode on YouTube''',
},
{
'name': 'Moderate',
'value': 1,
'caption': '''Enforce at least Moderate Restricted Mode on YouTube''',
},
{
'name': 'Strict',
'value': 2,
'caption': '''Enforce Strict Restricted Mode for YouTube''',
},
],
'supported_on': ['chrome.*:55-', 'chrome_os:55-', 'android:55-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 0,
'id': 348,
'caption': '''Force minimum YouTube Restricted Mode''',
'tags': ['filtering'],
'desc': '''Enforces a minimum Restricted Mode on YouTube and prevents users from
picking a less restricted mode.
If this setting is set to Strict, Strict Restricted Mode on YouTube is always active.
If this setting is set to Moderate, the user may only pick Moderate Restricted Mode
and Strict Restricted Mode on YouTube, but cannot disable Restricted Mode.
If this setting is set to Off or no value is set, Restricted Mode on YouTube is not enforced by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. External policies such as YouTube policies might still enforce Restricted Mode, though.''',
'arc_support': 'This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.',
},
{
'name': 'SafeBrowsingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 14,
'caption': '''Enable Safe Browsing''',
'tags': ['system-security'],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s Safe Browsing feature and prevents users from changing this setting.
If you enable this setting, Safe Browsing is always active.
If you disable this setting, Safe Browsing is never active.
If you enable or disable this setting, users cannot change or override the "Enable phishing and malware protection" setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.
See https://developers.google.com/safe-browsing for more info on Safe Browsing.
This policy is not available on Windows instances that are not joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain.''',
},
{
'name': 'MetricsReportingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 15,
'caption': '''Enable reporting of usage and crash-related data''',
'tags': ['google-sharing'],
'desc': '''Enables anonymous reporting of usage and crash-related data about <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to Google and prevents users from changing this setting.
If this setting is enabled, anonymous reporting of usage and crash-related
data is sent to Google. If it is disabled, this information is not sent
to Google. In both cases, users cannot change or override the setting.
If this policy is left not set, the setting will be what the user chose
upon installation / first run.
This policy is not available on Windows instances that are not joined to
a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain. (For Chrome OS, see
DeviceMetricsReportingEnabled.)''',
},
{
'name': 'PasswordManagerEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 16,
'caption': '''Enable saving passwords to the password manager''',
'tags': [],
'desc': '''If this setting is enabled, users can have <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> memorize passwords and provide them automatically the next time they log in to a site.
If this settings is disabled, users cannot save new passwords but they
may still use passwords that have been saved previously.
If this policy is enabled or disabled, users cannot change or override it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If this policy is unset, password saving is allowed (but can be turned off by the user).''',
'arc_support': 'This policy has no effect on Android apps.',
},
{
'name': 'PasswordManagerAllowShowPasswords',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-50', 'chrome_os:11-50'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 17,
'caption': '''Allow users to show passwords in Password Manager (deprecated)''',
'tags': [],
'desc': '''The associated setting was used before reauthentication on viewing passwords was introduced. Since then, the setting and hence this policy had no effect on the behavior of Chrome. The current behavior of Chrome is now the same as if the policy was set to disable showing passwords in clear text in the password manager settings page. That means that the settings page contains just a placeholder, and only upon the user clicking "Show" (and reauthenticating, if applicable) Chrome shows the password. Original description of the policy follows below.
Controls whether the user may show passwords in clear text in the password manager.
If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window.
If you enable or do not set this policy, users can view their passwords in clear text in the password manager.''',
},
{
'name': 'AutoFillEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 18,
'caption': '''Enable AutoFill''',
'tags': [],
'desc': '''This policy is deprecated in M70, please use AutofillAddressEnabled and AutofillCreditCardEnabled instead.
Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information.
If you disable this setting, AutoFill will be inaccessible to users.
If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.''',
},
{
'name': 'AutofillAddressEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:69-',
'chrome_os:69-',
'android:69-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 459,
'caption': '''Enable AutoFill for addresses''',
'tags': [],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s AutoFill feature and allows users to auto complete address information in web forms using previously stored information.
If this setting is disabled, Autofill will never suggest, or fill address information, nor will it save additional address information that the user might submit while browsing the web.
If this setting is enabled or has no value, the user will be able to control Autofill for addresses in the UI.''',
},
{
'name': 'AutofillCreditCardEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:63-',
'chrome_os:63-',
'android:63-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 392,
'caption': '''Enable AutoFill for credit cards''',
'tags': [],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s AutoFill feature and allows users to auto complete credit card information in web forms using previously stored information.
If this setting is disabled, Autofill will never suggest, or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web.
If this setting is enabled or has no value, the user will be able to control Autofill for credit cards in the UI.''',
},
{
'name': 'DisabledPlugins',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 19,
'caption': '''Specify a list of disabled plugins''',
'tags': [],
'desc': '''This policy is deprecated. Please use the <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph> to control the avalability of the Flash plugin and <ph name="ALWAYS_OPEN_PDF_EXTERNALLY_POLICY_NAME">AlwaysOpenPdfExternally</ph> to control whether the integrated PDF viewer should be used for opening PDF files.
Specifies a list of plugins that are disabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
If you enable this setting, the specified list of plugins is never used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. The plugins are marked as disabled in 'about:plugins' and users cannot enable them.
Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions.
If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.''',
'label': '''List of disabled plugins''',
},
{
'name': 'EnabledPlugins',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 78,
'caption': '''Specify a list of enabled plugins''',
'tags': ['system-security'],
'desc': '''This policy is deprecated. Please use the <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph> to control the avalability of the Flash plugin and <ph name="ALWAYS_OPEN_PDF_EXTERNALLY_POLICY_NAME">AlwaysOpenPdfExternally</ph> to control whether the integrated PDF viewer should be used for opening PDF files.
Specifies a list of plugins that are enabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
The specified list of plugins is always used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them.
Note that this policy overrides both DisabledPlugins and DisabledPluginsExceptions.
If this policy is left not set the user can disable any plugin installed on the system.''',
'label': '''List of enabled plugins''',
},
{
'name': 'DisabledPluginsExceptions',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'deprecated': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 79,
'caption': '''Specify a list of plugins that the user can enable or disable''',
'tags': [],
'desc': '''This policy is deprecated. Please use the <ph name="DEFAULT_PLUGINS_SETTING_POLICY_NAME">DefaultPluginsSetting</ph> to control the avalability of the Flash plugin and <ph name="ALWAYS_OPEN_PDF_EXTERNALLY_POLICY_NAME">AlwaysOpenPdfExternally</ph> to control whether the integrated PDF viewer should be used for opening PDF files.
Specifies a list of plugins that user can enable or disable in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
If you enable this setting, the specified list of plugins can be used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Users can enable or disable them in 'about:plugins', even if the plugin also matches a pattern in DisabledPlugins. Users can also enable and disable plugins that don't match any patterns in DisabledPlugins, DisabledPluginsExceptions and EnabledPlugins.
This policy is meant to allow for strict plugin blacklisting where the 'DisabledPlugins' list contains wildcarded entries like disable all plugins '*' or disable all Java plugins '*Java*' but the administrator wishes to enable some particular version like 'IcedTea Java 2.3'. This particular versions can be specified in this policy.
Note that both the plugin name and the plugin's group name have to be exempted. Each plugin group is shown in a separate section in about:plugins; each section may have one or more plugins. For example, the "Shockwave Flash" plugin belongs to the "Adobe Flash Player" group, and both names have to have a match in the exceptions list if that plugin is to be exempted from the blacklist.
If this policy is left not set any plugin that matches the patterns in the 'DisabledPlugins' will be locked disabled and the user won't be able to enable them.''',
'label': '''List of exceptions to the list of disabled plugins''',
},
{
'name': 'AlwaysOpenPdfExternally',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:55-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 347,
'caption': '''Always Open PDF files externally''',
'tags': [],
'desc': '''Disables the internal PDF viewer in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Instead it treats it as download and allows the user to open PDF files with the default application.
If this policy is left not set or disabled the PDF plugin will be used to open PDF files unless the user disables it.''',
},
{
'name': 'DisablePluginFinder',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-64', 'chrome_os:11-64'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 66,
'caption': '''Specify whether the plugin finder should be disabled (deprecated)''',
'tags': [],
'desc': '''This policy has been removed as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 64.
Automatic search and installation of missing plugins is no longer supported.''',
'label': '''Disable plugin finder (deprecated)''',
},
{
'name': 'SyncDisabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 20,
'caption': '''Disable synchronization of data with Google''',
'tags': ['filtering', 'google-sharing'],
'desc': '''Disables data synchronization in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> using Google-hosted synchronization services and prevents users from changing this setting.
If you enable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set Google Sync will be available for the user to choose whether to use it or not.
To fully disable Google Sync, it is recommended that you disable the Google Sync service in the Google Admin console.
This policy should not be enabled when <ph name="ROAMING_PROFILE_SUPPORT_ENABLED_POLICY_NAME">RoamingProfileSupportEnabled</ph> policy is set to enabled as that feature shares the same client side functionality. The Google-hosted synchronization is disabled in this case completely.''',
'arc_support': 'Disabling Google Sync will cause Android Backup and Restore to not function properly.',
},
{
'name': 'RoamingProfileSupportEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:57-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 358,
'caption': '''Enable the creation of roaming copies for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profile data''',
'tags': ['local-data-access'],
'desc': '''If you enable this setting, the settings stored in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profiles like bookmarks, autofill data, passwords, etc. will also be written to a file stored in the Roaming user profile folder or a location specified by the Administrator through the <ph name="ROAMING_PROFILE_LOCATION_POLICY_NAME">$1<ex>RoamingProfileLocation</ex></ph> policy. Enabling this policy disables cloud sync.
If this policy is disabled or left not set only the regular local profiles will be used.
The <ph name="SYNC_DISABLED_POLICY_NAME">SyncDisabled</ph> policy disables all data synchronization, overriding RoamingProfileSupportEnabled.''',
'label': '''Enable the creation of roaming copies for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profile data.''',
},
{
'name': 'RoamingProfileLocation',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:57-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '${roaming_app_data}\\chrome-profile',
'id': 359,
'caption': '''Set the roaming profile directory''',
'tags': ['local-data-access'],
'desc': '''Configures the directory that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing the roaming copy of the profiles.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided directory to store the roaming copy of the profiles if the <ph name="ROAMING_PROFILE_SUPPORT_ENABLED_POLICY_NAME">$1<ex>RoamingProfileSupportEnabled</ex></ph> policy has been enabled. If the <ph name="ROAMING_PROFILE_SUPPORT_ENABLED_POLICY_NAME">$1<ex>RoamingProfileSupportEnabled</ex></ph> policy is disabled or left unset the value stored in this policy is not used.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
If this policy is left not set the default roaming profile path will be used.''',
'label': '''Set the roaming profile directory''',
},
{
'name': 'SigninAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:27-', 'android:38-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 190,
'caption': '''Allow sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''This policy is deprecated, consider using BrowserSignin instead.
Allows the user to sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you set this policy, you can configure whether a user is allowed to sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Setting this policy to 'False' will prevent apps and extensions that use the chrome.identity API from functioning, so you may want to use SyncDisabled instead.''',
},
{
'name': 'EnableDeprecatedWebBasedSignin',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:35-42'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 265,
'caption': '''Enable the old web-based signin flow''',
'tags': [],
'desc': '''This setting was named EnableWebBasedSignin prior to Chrome 42, and support for it will be removed entirely in Chrome 43.
This setting is useful for enterprise customers who are using SSO solutions that are not compatible with the new inline signin flow yet.
If you enable this setting, the old web-based signin flow would be used.
If you disable this setting or leave it not set, the new inline signin flow would be used by default. Users may still enable the old web-based signin flow through the command line flag --enable-web-based-signin.
The experimental setting will be removed in the future when the inline signin fully supports all SSO signin flows.''',
},
{
'name': 'UserDataDir',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:11-', 'chrome.mac:11-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '${users}/${user_name}/Chrome',
'id': 63,
'caption': '''Set user data directory''',
'tags': ['local-data-access'],
'desc': '''Configures the directory that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing user data.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a volume's root directory or to a directory used for other purposes, because <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> manages its contents.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.''',
'label': '''Set user data directory''',
},
{
'name': 'DiskCacheDir',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:13-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '${user_home}/Chrome_cache',
'id': 88,
'caption': '''Set disk cache directory''',
'tags': [],
'desc': '''Configures the directory that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing cached files on the disk.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided directory regardless whether the user has specified the '--disk-cache-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a volume's root directory or to a directory used for other purposes, because <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> manages its contents.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
If this policy is left not set the default cache directory will be used and the user will be able to override it with the '--disk-cache-dir' command line flag.''',
'label': '''Set disk cache directory''',
},
{
'name': 'DiskCacheSize',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 104857600,
'id': 110,
'caption': '''Set disk cache size in bytes''',
'tags': [],
'desc': '''Configures the cache size that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing cached files on the disk.
If