blob: 3b39b2c85fcb18f5e91924c58c5210c00d4262f6 [file] [log] [blame]
{
# policy_templates.json - Metafile for policy templates
#
# The content of this file is evaluated as a Python expression.
#
# This file is used as input to generate the following policy templates:
# ADM, ADMX+ADML, MCX/plist and html documentation.
#
# Policy templates are user interface definitions or documents about the
# policies that can be used to configure Chrome. Each policy is a name-value
# pair where the value has a given type. Chrome looks up the values using the
# names of the policies. In the user interface where the values can be set,
# related policies might appear together in policy groups. The grouping is not
# visible to Chrome.
#
# This file contains a list of policies and groups. Each group contains a list
# of policies under the key 'policies'. All the policies and groups must have
# unique names. Group names are not exposed to Chrome at all.
#
# Each policy has a type. The currently implemented types:
# 'group': - not a real policy, contains a list of policies
# NOTE: Currently nesting groups inside other groups is not supported.
# 'string' - a string value
# 'int' - an integer value
# 'int-enum' - the user can select an integer value from a collection of
# items
# 'string-enum' - the user can select a string value from a collection of
# items
# 'string-enum-list' - the user can select a set of string values from a
# collection of items
# 'main' - a boolean value
# 'list' - a list of string values. Using this for a list of JSON strings
# is now discouraged, because the 'dict' is better for JSON.
# 'dict' - perhaps should be named JSON. An arbitrarily complex object or
# array, nested objects/arrays, etc. The user defines the value with JSON.
# 'external' - a policy that references external data.
# NOTE: This type is currently supported on Chrome OS only.
#
# NOTE to 'dict' vs 'list' - in the past, 'list' has been used for a policy
# that is an array of objects. The user supplied a list of strings, and each
# of those strings was parsed as JSON, resulting in an array of objects.
# However, there are a couple of reasons why 'dict' is better for these sorts
# of policies. Some interfaces (eg the GPO editor) only allow each list item
# to be a single-line string, which is not great for inputting a complex JSON
# object. It also means any example values shown in the documentation will
# have a hybrid syntax, with both commas and new-lines being used to delimit
# array elements - and these examples will be harder to copy and paste.
# To conclude, prefer 'dict' to 'list' if JSON is involved.
#
# Each policy is tagged with risk tags that indicate potential privacy or
# security risks. They are defined at the beginning of this file (tag
# 'risk_tag_definitions').
# Each risk tag contains the following information:
# - name: The name of the risk tag. May not contain spaces.
# - description: Description for developers so they know which tags apply to
# newly added policies.
# - user-description: A text that helps users understand what a policy with
# this tag means for their privacy and/or security.
#
# Policy group descriptions, policy captions and similar texts are localized
# strings taken from the <message> nodes of the .grd file. Their name attributes
# are generated from the JSON keys.
# Each item (policy or group) may have the following messages:
# - description:
# Describes the item it applies to.
# - caption
# A short, one-line summary of the item it applies to. This can appear
# both in policy or group listings or on title bars of policy-setting
# windows. (The caption should not end with a punctuation mark.)
# - label (Optional, defaults to caption if not specified.)
# A short, one-line summary of the item it applies to. The difference
# from caption is that label always appears next to the entry field
# where the value of the policy can be entered. 'main' policies on
# Windows ignore this. Policies on Mac are using this instead of caption.
#
# As a reference for translators, non-translatable strings must be tagged using
# <ph name="..."></ph> as described in [1]. As these tags are pruned before
# generating the comments for .proto files, paragraphs containing such tags
# should not be line-wrapped (use one long line per paragraph instead) to allow
# for correct re-flowing of the text.
# [1] https://www.chromium.org/developers/tools-we-use-in-chromium/grit/grit-users-guide.
#
# See documentation in docs/enterprise/components/policy/resources/description_guidelines.md
# for how product names should appear in <ph> tags to ensure consistency.
#
#
# Generated grd names:
# Each name has two parts: the second part is either CAPTION, DESC or LABEL,
# and the first part identifies the item the text applies to:
# -For policies and groups:
# IDS_POLICY_<NAME OF THE POLICY OR GROUP>
# e.g. the name of the caption of policy HomepageLocation:
# IDS_POLICY_HOMEPAGELOCATION_CAPTION
# or other messages of the policy HomepageLocation:
# IDS_POLICY_HOMEPAGELOCATION_LABEL
# IDS_POLICY_HOMEPAGELOCATION_DESC
# -For enum items:
# IDS_POLICY_ENUM_<NAME OF THE ITEM>
# e.g. the name of the caption of ProxyServerDisabled:
# IDS_POLICY_ENUM_PROXYSERVERDISABLED_CAPTION
#
# Each policy has the list of platforms where it is supported under the key
# 'supported_on' or 'future_on'. The 'supported_on' lists all released
# platforms while the 'future_on' is used to enumerate platforms where the
# feature is not yet ready for use in production environments. Any unreleased
# platforms is hidden from policy templates and documentation. The policy
# definition in the source code is generated for platforms in both lists.
#
# The format of the 'supported_on' is '<platform>:<since_version>-<until_version>'.
# It means the policy is officially released on the |platform| from
# |since_version| and is removed after |until_version|. |until_version|
# is optional.
#
# The format of the 'future_on' list entries is '<platform>'.
# There is no version range attached to it and the policy is available in the
# Dev and Canary channel only unless it's listed in the
# EnableExperimentalPolicies policy.
#
# Currently supported platforms:
# 'chrome.win', 'chrome.win7', 'chrome.mac', 'chrome.linux', 'chrome.*'
# 'chrome_os', 'android', 'webview_android', 'ios', 'chrome_frame'
# Note that 'chrome_frame' has been deprecated.
#
# Annotations:
# 'example_value' is used in the generated documentation and example policy
# configuration files. Examples must cover the entire schema, i.e. use every
# defined property at least once.
#
# 'default' is used to provide a machine readable way of indicating the
# behavior of the controlled setting/feature when the policy is not set. For
# example, if 'default' is set to True, it documents that when the policy is
# not set, the feature controlled by the policy will behave in the same way
# it would behave if the policy was set to True.
# This field is only used for policies of type 'int', 'main', 'string-enum',
# or 'int-enum'. Other policy types are assumed to have a default equal to
# an empty string or empty list. If the default value can't be expressed with
# the given type and is equivalent to unset, it should be represent with None.
# For example, this would be used for a boolean policy where unset means the
# user can turn the feature on and off, while a set policy will force the
# feature to always be on or off.
# Note that this is different from 'default_for_enterprise_users', as that
# flag sets a policy value for managed users if the policy is not set by some
# other policy source (such as cloud policy). It is also different from
# 'default_for_managed_devices_doc_only', which documents an explicitly
# implemented default policy value for managed devices.
#
# 'items' is used to outline the behavior of each state the policy can take.
# This field is only used for policies of type 'main', 'int-enum', or
# 'string-enum'. For 'main' policies, it describes how the policy behaves when
# set to True or False, and whether the unset state is different from the
# enabled/disabled states. For 'enum' policies, it lists all possible values
# the policy can be set to along with a brief description.
#
# Additional information is specified under the 'features' key:
# 'dynamic_refresh' controls if the generated documentation should state that
# the policy supports dynamic refresh or not. Supporting dynamic refresh means
# that Chrome respects the changes to the policy immediately, without the need
# for restart.
# 'can_be_mandatory' Set to False to suppress the policy in the generated
# mandatory policy templates. The generated documentation for the policy
# will contain a suitable hint for administrators.
# 'can_be_recommended' Set to True to include the policy in the generated
# recommended policy templates. The generated documentation for the policy
# will contain a suitable hint for administrators.
# Policies settings in the mandatory template override user preferences, while
# recommended policies provide a default setting that may be overridden by the
# user. By default, each policy is mandatory and not recommended.
# 'per_profile' controls whether a user policy applies to every user logging
# into the browser or only one profile.
# 'cloud_only' Set to True if the policy is forced or recommended to set from
# Admin console only. This hides the policy from policy templates and Chrome
# documentation in policy_templates.zip. The documentation will NOT be hidden
# from the https://cloud.google.com/docs/chrome-enterprise/policies/.
# 'platform_only' Set to True if the policy can only be set from platform
# policy but do not support Admin console. This is only used as a hint for
# Admin console.
# 'internal_only' Set to True if the policy is used for internal development
# or testing purposes and will never be used by any external administrator.
# 'unlisted' Set to True if the policy is controlled by Admin Console
# without any user interface for administrator. It can only be used for
# policies with the 'cloud_only' tag. Policy with the 'unlisted' tag will be
# hidden from all documentations, policy templates and Admin Console UI.
# 'metapolicy_type' determines the type of metapolicy a policy is. A
# metapolicy is a policy which affects how other policies are applied.
# Precedence metapolicies affect how policies are prioritized depending on
# their scope, source, and other factors. Merging metapolicies determine which
# list or dictionary policies can have their values combined into a single
# policy. If the setting is missing, it is assumed that the policy is not a
# metapolicy. The supported types are 'merge' (example policy is
# PolicyListMultipleSourceMergeList) and 'precedence' (example policy is
# CloudPolicyOverridesPlatformPolicy).
#
# The 'max_size' key is used to specify the maximal size of the external data
# that a policy can reference, in bytes. This annotation is compulsory for
# policies of type 'external'. It is ignored for all other policy types.
#
# The 'future' key has been deprecated, please use 'future_on' instead for
# unreleased policies.
#
# Schemas:
# All policies have a key 'schema' which describes the schema of the policy.
# This schema supports a subset of the JSON Schema standard
# (https://json-schema.org/understanding-json-schema/index.html). For more
# information see //components/policy/tools/schema_validator.py. This
# validator is also used during presubmit to validate all schemas,
# validation_schemas and the example_values. On the client-side we use
# //components/policy/core/common/schema.h to validate policy values against
# the provided schemas in this file. This validator supports the same subset
# of features supported by the python schema validator used during presubmit.
#
# For many policies this is simply a type eg 'boolean' or 'string', but for
# 'dict' policies this describes the types of not only the root object, but
# also all of its descendants. This schema data is used to validate 'dict'
# policies, if a SchemaValidatingPolicyHandler is configured appropriately in
# configuration_policy_handler_list_factory.cc
#
# Some policies at first seem to have simple schema e.g. a string or a list of
# strings, but those strings are actually JSON strings, and this JSON has
# another schema. This type of policy is deprecated. When adding new policies,
# make sure the entire schema is described by the 'schema' field and that
# there are no strings which contain JSON.
# The legacy policies which contain JSON strings have an extra field, the
# 'validation_schema' which is used to validate not only the schema of the
# policy itself, but also the content of the JSON strings inside the policy.
# Do not use this field when adding new policies.
#
# In order to hide sensitive policy values from the user, you can use
# 'sensitiveValue': True (default 'False') in the associated schema. Those
# values will be masked with '********' in the chrome://policy UI and policy
# exports. 'sensitiveValue' can be applied to all schema types.
#
# For some policies which have complicated schema we add either
# 'description_schema' which describes some but not necessarily all properties
# of the policy or 'url_schema' which contains the link to the expanded
# documentation.
# Note that 'description_schema' is used for documentation purposes only, but
# not for schema validation. It can be used in cases where validation is not
# desired, e.g. if the schema does not describe all properties (see
# ArcPolicy).
#
# TODO(crbug.com/960274): Add translations of the schemas.
#
# IDs:
# Since a Protocol Buffer definition is generated from this file, unique and
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
# For your editing convenience:
# The highest ID currently used is always set in the
# 'highest_id_currently_used' value at the end of this file.
# And don't forget to also update the EnterprisePolicies enum of
# histograms.xml (run 'python tools/metrics/histograms/update_policies.py').
# A policy can be deleted from this file if and only if it is never launched;
# in which case its id must be added to the 'deleted_policy_ids' list to
# prevent reuse.
#
# Ownership:
# Each policy has an 'owners' field. This field is a list of strings which
# describe the group of people responsible for maintaining the policy and can
# help answer questions or solve issues with the policy. The entries can be
# either emails of committers or file:// references to OWNERS files in the
# Chromium repository.
#
# Placeholders:
# The following placeholder strings are automatically substituted:
# $1 -> Google Chrome / Chromium
# $2 -> Google Chrome OS / Chromium OS
# $3 -> Google Chrome Frame / Chromium Frame
# $6 is reserved for doc_writer
#
# Device Policy:
# An additional flag 'device_only' (optional, defaults to False) indicates
# that this policy is only supported as a device-level Cloud Policy. In that
# case no entry in the UserPolicy Protobuf is generated and it is assumed that
# it will be added to the DevicePolicy Protobuf manually. Device policy only
# exists on Chrome OS.
#
# Management Type:
# Chrome OS devices can either be managed through the Google cloud or through
# Active Directory. Most policies are supported for both management types, but
# some are not. To indicate supported management types, use
# 'supported_chrome_os_management': ['google_cloud', 'active_directory'],
# where
# 'google_cloud' = Policy is supported for Google cloud management.
# 'active_directory' = Policy is supported for Active Directory management.
# This setting applies to Chrome OS only. If the setting is missing, both
# types are assumed. The array must not be empty.
#
# Enterprise defaults for user policy:
# For managed users on Chrome OS (i.e. users receiving user policy from the
# cloud), if the optional key 'default_for_enterprise_users' is set, its value
# is applied as mandatory policy unless a different setting is received from
# the cloud. This default value handling is automatically enforced by the
# policy stack when filling the PolicyMap (specifically, by the generated
# function SetEnterpriseUsersDefaults).
#
# Enterprise defaults for device policy:
# The optional key 'default_for_managed_devices_doc_only' can be used to
# document a differing default value for devices enrolled into enterprise
# management. This is for documentation only - the enrollment-dependent
# handling must be manually implemented.
#
# Atomic Policy Group:
# An atomic policy group is a group of policies that logically belong together
# and influence a certain aspect of the browser only when considered together
# and should be treated as a single policy when merging policies from multiple
# sources. They all have to be set in the same source to take effect. In case
# members of a policy group are set at different sources, only the policies
# from the source with the highest priority will be used.
#
'risk_tag_definitions' : [
# All following tags are ordered by severity of their impact.
{
'name': 'full-admin-access',
'description': '''Policies with this tag enable an administrator to
execute arbitrary code or configure a machine in a way that a
man-in-the-middle situation can occur.''',
'user-description': '''Your administrator has set up certificates or applications that could potentially access all of your data.
This could possibly allow inspecting and modifying all data sent and received by Chrome.'''
},
{
'name': 'system-security',
'description': '''Policies with this tag can make the user vulnerable
against attacks which are not possible when the policies are unset.
This includes execution of deprecated code or unsafe configuration of
network settings and proxies.''',
'user-description': '''Policy set by your administrator could enable functionality that is outdated or that could reduce the security of the system in other ways.'''
},
{
'name': 'website-sharing',
'description': '''Setting Policies with this tag will allow sharing
information with a server that would normally not be allowed.
Those information can include geolocation, audio/video device inputs or
data that can be used to identify the user.''',
'user-description': '''Policy set by your administrator could enable sharing of data with websites.
Some of these data might suffice to identify you or could be used to record private information.'''
},
{
'name': 'admin-sharing',
'description': '''Policies with this tag enable an administrator to log
the user's activity or traffic.''',
'user-description': '''Policy configured by your administrator might allow them to gather general information about your device and your activity.'''
},
{
'name': 'filtering',
'description': '''Policies with this tag can restrict the information a
user can query from the world-wide web. This includes blocked websites,
enforced search settings and partly data synchronization.''',
'user-description': '''Your administrator has set up policy that may restrict your access to websites, services or search results.'''
},
{
'name': 'local-data-access',
'description': '''Policies with this tag can cause storing data to or
reading data from a local file system without the user's knowledge. This
includes import of existing settings to the cloud or avoiding clean-up of
local history data.''',
'user-description': '''Your administrator has set up policy that could cause private data to be imported from your system or could cause private data to be written to an admin-specified place.'''
},
{
'name': 'google-sharing',
'description': '''Set policies might enforce sharing data with google,
like crash reports or history.''',
'user-description': '''There are policies set by your administrator which can affect the communication with Google services.
Therefore, some services could either be unreachable or you might not be able to restrict sent data.'''
}
],
'policy_definitions': [
{
'name': 'Startup',
'type': 'group',
'caption': '''Startup, Home page and New Tab page''',
'desc': '''Configure the pages to load on startup, the default home page and the default new tab page in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing them.
The user's home page settings are only completely locked down if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'.
The policy 'URLs to open on startup' is ignored unless you select 'Open a list of URLs' in 'Action on startup'.''',
'policies': [
'ShowHomeButton',
'HomepageLocation',
'HomepageIsNewTabPage',
'NewTabPageLocation',
'RestoreOnStartup',
'RestoreOnStartupURLs',
],
},
{
'name': 'RemoteAccess',
'type': 'group',
'caption': '''Remote access''',
'desc': '''Configure remote access options in Chrome Remote Desktop host.
Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using Chrome Remote Desktop application. The native service is packaged and executed separately from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> browser.
These policies are ignored unless the
Chrome Remote Desktop host is installed.''',
'policies': [
'RemoteAccessClientFirewallTraversal',
'RemoteAccessHostClientDomain',
'RemoteAccessHostClientDomainList',
'RemoteAccessHostFirewallTraversal',
'RemoteAccessHostDomain',
'RemoteAccessHostDomainList',
'RemoteAccessHostRequireTwoFactor',
'RemoteAccessHostTalkGadgetPrefix',
'RemoteAccessHostRequireCurtain',
'RemoteAccessHostAllowClientPairing',
'RemoteAccessHostAllowGnubbyAuth',
'RemoteAccessHostAllowRelayedConnection',
'RemoteAccessHostUdpPortRange',
'RemoteAccessHostMatchUsername',
'RemoteAccessHostTokenUrl',
'RemoteAccessHostTokenValidationUrl',
'RemoteAccessHostTokenValidationCertificateIssuer',
'RemoteAccessHostDebugOverridePolicies',
'RemoteAccessHostAllowUiAccessForRemoteAssistance',
'RemoteAccessHostAllowFileTransfer',
'RemoteAccessHostEnableUserInterface',
'RemoteAccessHostAllowRemoteAccessConnections',
'RemoteAccessHostMaximumSessionDurationMinutes',
],
},
{
'name': 'PasswordManager',
'type': 'group',
'caption': '''Password manager''',
'desc': '''Configures the password manager.''',
'policies': [
'PasswordManagerEnabled',
'PasswordManagerAllowShowPasswords',
'PasswordLeakDetectionEnabled',
],
},
{
'name': 'Proxy',
'type': 'group',
'caption': '''Proxy server''',
'desc': '''Allows you to specify the proxy server used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing proxy settings.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to auto detect the proxy server, all other options are ignored.
For detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and ARC-apps ignore all proxy-related options specified from the command line.
Leaving these policies not set will allow the users to choose the proxy settings on their own.''',
'policies': [
'ProxyMode',
'ProxyServerMode',
'ProxyServer',
'ProxyPacUrl',
'ProxyBypassList',
],
},
{
'name': 'HTTPAuthentication',
'type': 'group',
'caption': '''HTTP authentication''',
'desc': '''Policies related to integrated HTTP authentication.''',
'policies': [
'AuthSchemes',
'DisableAuthNegotiateCnameLookup',
'EnableAuthNegotiatePort',
'BasicAuthOverHttpEnabled',
'AuthServerAllowlist',
'AuthServerWhitelist',
'AuthNegotiateDelegateAllowlist',
'AuthNegotiateDelegateWhitelist',
'AuthNegotiateDelegateByKdcPolicy',
'GSSAPILibraryName',
'AuthAndroidNegotiateAccountType',
'AllowCrossOriginAuthPrompt',
'NtlmV2Enabled',
'IntegratedWebAuthenticationAllowed',
],
},
{
'name': 'Kerberos',
'type': 'group',
'caption': '''Kerberos''',
'desc': '''Policies related to Kerberos authentication.''',
'policies': [
'KerberosEnabled',
'KerberosRememberPasswordEnabled',
'KerberosAddAccountsAllowed',
'KerberosAccounts',
],
},
{
'name': 'Extensions',
'type': 'group',
'caption': '''Extensions''',
'desc': '''Configures extension-related policies. The user is not allowed to install blocked extensions unless they are whitelisted. You can also force <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to automatically install extensions by specifying them in <ph name="EXTENSION_INSTALL_FORCELIST_POLICY_NAME">ExtensionInstallForcelist</ph>. Force-installed extensions are installed regardless whether they are present in the blocklist.''',
'policies': [
'ExtensionInstallAllowlist',
'ExtensionInstallBlocklist',
'ExtensionInstallBlacklist',
'ExtensionInstallWhitelist',
'ExtensionInstallForcelist',
'ExtensionInstallSources',
'ExtensionAllowedTypes',
'ExtensionAllowInsecureUpdates',
'ExtensionSettings',
'BlockExternalExtensions',
],
},
{
# TODO(joaodasilva): Flag these policies with 'can_be_recommended'
# after fixing https://crbug.com/106683
'name': 'DefaultSearchProvider',
'type': 'group',
'caption': '''Default search provider''',
'desc': '''Configures the default search provider. You can specify the default search provider that the user will use or choose to disable default search.''',
'policies': [
'DefaultSearchProviderEnabled',
'DefaultSearchProviderName',
'DefaultSearchProviderKeyword',
'DefaultSearchProviderSearchURL',
'DefaultSearchProviderSuggestURL',
'DefaultSearchProviderInstantURL',
'DefaultSearchProviderIconURL',
'DefaultSearchProviderEncodings',
'DefaultSearchProviderAlternateURLs',
'DefaultSearchProviderSearchTermsReplacementKey',
'DefaultSearchProviderImageURL',
'DefaultSearchProviderNewTabURL',
'DefaultSearchProviderSearchURLPostParams',
'DefaultSearchProviderSuggestURLPostParams',
'DefaultSearchProviderInstantURLPostParams',
'DefaultSearchProviderImageURLPostParams',
],
},
{
# TODO(joaodasilva): Flag these policies with 'can_be_recommended'
# after fixing https://crbug.com/106682
'name': 'ContentSettings',
'type': 'group',
'caption': '''Content settings''',
'desc': '''Content settings allow you to specify how contents of a specific type (for example Cookies, Images or JavaScript) is handled.''',
'policies': [
'DefaultCookiesSetting',
'DefaultFileHandlingGuardSetting',
'DefaultFileSystemReadGuardSetting',
'DefaultFileSystemWriteGuardSetting',
'DefaultImagesSetting',
'DefaultInsecureContentSetting',
'DefaultJavaScriptSetting',
'DefaultJavaScriptJitSetting',
'DefaultPluginsSetting',
'DefaultPopupsSetting',
'DefaultNotificationsSetting',
'DefaultGeolocationSetting',
'DefaultMediaStreamSetting',
'DefaultSensorsSetting',
'DefaultWebBluetoothGuardSetting',
'DefaultKeygenSetting',
'DefaultWebUsbGuardSetting',
'DefaultSerialGuardSetting',
'AutoSelectCertificateForUrls',
'CookiesAllowedForUrls',
'CookiesBlockedForUrls',
'CookiesSessionOnlyForUrls',
'FileHandlingAllowedForUrls',
'FileHandlingBlockedForUrls',
'FileSystemReadAskForUrls',
'FileSystemReadBlockedForUrls',
'FileSystemWriteAskForUrls',
'FileSystemWriteBlockedForUrls',
'ImagesAllowedForUrls',
'ImagesBlockedForUrls',
'InsecureContentAllowedForUrls',
'InsecureContentBlockedForUrls',
'JavaScriptAllowedForUrls',
'JavaScriptBlockedForUrls',
'JavaScriptJitAllowedForSites',
'JavaScriptJitBlockedForSites',
'KeygenAllowedForUrls',
'KeygenBlockedForUrls',
'LegacySameSiteCookieBehaviorEnabled',
'LegacySameSiteCookieBehaviorEnabledForDomainList',
'PluginsAllowedForUrls',
'PluginsBlockedForUrls',
'PopupsAllowedForUrls',
'RegisteredProtocolHandlers',
'PopupsBlockedForUrls',
'NotificationsAllowedForUrls',
'NotificationsBlockedForUrls',
'SensorsAllowedForUrls',
'SensorsBlockedForUrls',
'WebUsbAllowDevicesForUrls',
'WebUsbAskForUrls',
'WebUsbBlockedForUrls',
'SerialAskForUrls',
'SerialBlockedForUrls',
'SerialAllowAllPortsForUrls',
'SerialAllowUsbDevicesForUrls',
],
},
{
'name': 'NativeMessaging',
'type': 'group',
'caption': '''Native Messaging''',
'desc': '''Configures policies for Native Messaging. Blocked native messaging hosts won't be allowed unless they are whitelisted.''',
'policies': [
'NativeMessagingBlacklist',
'NativeMessagingBlocklist',
'NativeMessagingAllowlist',
'NativeMessagingWhitelist',
'NativeMessagingUserLevelHosts',
],
},
{
'name': 'ChromeFrameRendererSettings',
'owners': ['tommi@chromium.org'],
'type': 'group',
'caption': '''Default HTML renderer for <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'desc': '''Allows you to configure the default HTML renderer when <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> is installed.
The default setting is to allow the host browser do the rendering, but you can optionally override this and have <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> render HTML pages by default.''',
'policies': [
'ChromeFrameRendererSettings',
'RenderInChromeFrameList',
'RenderInHostList',
'AdditionalLaunchParameters',
'SkipMetadataCheck',
],
},
{
'name': 'ChromeFrameContentTypes',
'owners': ['tommi@chromium.org'],
'type': 'group',
'caption': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the following content types''',
'desc': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the following content types.''',
'policies': [
'ChromeFrameContentTypes',
],
},
{
'name': 'Drive',
'type': 'group',
'caption': '''Google Drive''',
'desc': '''Configure Google Drive in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
'DriveDisabled',
'DriveDisabledOverCellular',
],
},
{
'name': 'PowerManagement',
'type': 'group',
'caption': '''Power management''',
'desc': '''Configure power management in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
These policies let you configure how <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> behaves when the user remains idle for some amount of time.''',
'policies': [
'ScreenDimDelayAC',
'ScreenOffDelayAC',
'ScreenLockDelayAC',
'IdleWarningDelayAC',
'IdleDelayAC',
'ScreenDimDelayBattery',
'ScreenOffDelayBattery',
'ScreenLockDelayBattery',
'IdleWarningDelayBattery',
'IdleDelayBattery',
'IdleAction',
'IdleActionAC',
'IdleActionBattery',
'LidCloseAction',
'PowerManagementUsesAudioActivity',
'PowerManagementUsesVideoActivity',
'PresentationIdleDelayScale',
'PresentationScreenDimDelayScale',
'AllowWakeLocks',
'AllowScreenWakeLocks',
'UserActivityScreenDimDelayScale',
'WaitForInitialUserActivity',
'PowerManagementIdleSettings',
'ScreenLockDelays',
'PowerSmartDimEnabled',
'ScreenBrightnessPercent',
'DevicePowerPeakShiftBatteryThreshold',
'DevicePowerPeakShiftDayConfig',
'DevicePowerPeakShiftEnabled',
'DeviceBootOnAcEnabled',
'DeviceAdvancedBatteryChargeModeEnabled',
'DeviceAdvancedBatteryChargeModeDayConfig',
'DeviceBatteryChargeMode',
'DeviceBatteryChargeCustomStartCharging',
'DeviceBatteryChargeCustomStopCharging',
'DeviceUsbPowerShareEnabled'
],
},
{
'name': 'Accessibility',
'type': 'group',
'caption': '''Accessibility settings''',
'desc': '''Configure <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> accessibility features.''',
'policies': [
'ShowAccessibilityOptionsInSystemTrayMenu',
'LargeCursorEnabled',
'SpokenFeedbackEnabled',
'HighContrastEnabled',
'VirtualKeyboardEnabled',
'VirtualKeyboardFeatures',
'StickyKeysEnabled',
'KeyboardDefaultToFunctionKeys',
'ScreenMagnifierType',
'DictationEnabled',
'SelectToSpeakEnabled',
'KeyboardFocusHighlightEnabled',
'CursorHighlightEnabled',
'CaretHighlightEnabled',
'MonoAudioEnabled',
'AccessibilityShortcutsEnabled',
'AutoclickEnabled',
'DeviceLoginScreenDefaultLargeCursorEnabled',
'DeviceLoginScreenDefaultSpokenFeedbackEnabled',
'DeviceLoginScreenDefaultHighContrastEnabled',
'DeviceLoginScreenDefaultVirtualKeyboardEnabled',
'DeviceLoginScreenDefaultScreenMagnifierType',
'DeviceLoginScreenLargeCursorEnabled',
'DeviceLoginScreenSpokenFeedbackEnabled',
'DeviceLoginScreenHighContrastEnabled',
'DeviceLoginScreenVirtualKeyboardEnabled',
'DeviceLoginScreenDictationEnabled',
'DeviceLoginScreenSelectToSpeakEnabled',
'DeviceLoginScreenCursorHighlightEnabled',
'DeviceLoginScreenCaretHighlightEnabled',
'DeviceLoginScreenMonoAudioEnabled',
'DeviceLoginScreenAutoclickEnabled',
'DeviceLoginScreenStickyKeysEnabled',
'DeviceLoginScreenKeyboardFocusHighlightEnabled',
'DeviceLoginScreenScreenMagnifierType',
'DeviceLoginScreenShowOptionsInSystemTrayMenu',
'DeviceLoginScreenAccessibilityShortcutsEnabled',
'FloatingAccessibilityMenuEnabled',
'EnhancedNetworkVoicesInSelectToSpeakAllowed',
],
},
{
'name': 'Attestation',
'type': 'group',
'caption': 'Remote attestation',
'desc': 'Configure the remote attestation with TPM mechanism.',
'policies': [
'AttestationEnabledForDevice',
'AttestationEnabledForUser',
'AttestationExtensionAllowlist',
'AttestationExtensionWhitelist',
'AttestationForContentProtectionEnabled',
'DeviceWebBasedAttestationAllowedUrls',
],
},
{
'name': 'LocallyManagedUsers',
'type': 'group',
'caption': '''Locally managed users settings''',
'desc': '''Configure settings for managed users.''',
'policies': [
'SupervisedUsersEnabled',
'SupervisedUserCreationEnabled',
'SupervisedUserContentProviderEnabled',
],
},
{
'name': 'GoogleCast',
'type': 'group',
'caption': '''<ph name="PRODUCT_NAME">Google Cast</ph>''',
'desc': '''Configure policies for <ph name="PRODUCT_NAME">Google Cast</ph>, a feature that allows users to send the contents of tabs, sites or the desktop from the browser to remote displays and sound systems.''',
'policies': [
'EnableMediaRouter',
'ShowCastIconInToolbar',
],
},
{
'name': 'ScreenCapture',
'type': 'group',
'caption': '''Allow or deny screen capture''',
'desc': '''Configure policies to control the level of screen-share APIs (e.g., getDisplayMedia() or the Desktop Capture extension API)
that a site may capture (e.g. tab, window or desktop capture).''',
'policies': [
'ScreenCaptureAllowed',
'ScreenCaptureAllowedByOrigins',
'WindowCaptureAllowedByOrigins',
'TabCaptureAllowedByOrigins',
'SameOriginTabCaptureAllowedByOrigins',
],
},
{
'name': 'QuickUnlock',
'type': 'group',
'caption': '''Quick unlock''',
'desc': '''Configures quick unlock related policies.''',
'policies': [
'QuickUnlockModeAllowlist',
'QuickUnlockModeWhitelist',
'QuickUnlockTimeout',
'PinUnlockMinimumLength',
'PinUnlockMaximumLength',
'PinUnlockWeakPinsAllowed',
'PinUnlockAutosubmitEnabled',
],
},
{
'name': 'CastReceiver',
'type': 'group',
'caption': '''Cast Receiver''',
'desc': '''Configure the Cast Receiver in <ph name="PRODUCT_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
'CastReceiverEnabled',
'CastReceiverName',
]
},
{
'name': 'SafeBrowsing',
'type': 'group',
'caption': '''Safe Browsing settings''',
'desc': '''Configure Safe Browsing related policies.''',
'policies': [
'SafeBrowsingEnabled',
'SafeBrowsingExtendedReportingEnabled',
'SafeBrowsingProtectionLevel',
'SafeBrowsingWhitelistDomains',
'SafeBrowsingAllowlistDomains',
'PasswordProtectionWarningTrigger',
'PasswordProtectionLoginURLs',
'PasswordProtectionChangePasswordURL',
],
},
{
'name': 'NetworkFileShares',
'type': 'group',
'caption': '''Network File Shares settings''',
'desc': '''Configure Network File Share related policies.''',
'policies': [
'NetworkFileSharesAllowed',
'NetBiosShareDiscoveryEnabled',
'NTLMShareAuthenticationEnabled',
'NetworkFileSharesPreconfiguredShares',
],
},
{
'name': 'CloudReporting',
'type': 'group',
'caption': '''Cloud Reporting''',
'desc': '''Configure cloud reporting policies.
When the policy <ph name="CLOUD_REPORTING_ENABLED_POLICY_NAME">CloudReportingEnabled</ph> is left unset or set to disabled, these policies will be ignored.
These policies are only effective when the machine is enrolled with <ph name="CLOUD_MANAGEMENT_ENROLLMENT_TOKEN">CloudManagementEnrollmentToken</ph> for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
These policies are always effective for <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
'ReportVersionData',
'ReportPolicyData',
'ReportMachineIDData',
'ReportUserIDData',
'ReportExtensionsAndPluginsData',
'ReportSafeBrowsingData',
'CloudExtensionRequestEnabled',
'CloudReportingEnabled',
],
},
{
'name': 'BrowserSwitcher',
'type': 'group',
'caption': '''<ph name="LBS_PRODUCT_NAME">Legacy Browser Support</ph>''',
'desc': '''Configure policies to switch between browsers.
Configured websites will automatically open in another browser than <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'policies': [
'AlternativeBrowserPath',
'AlternativeBrowserParameters',
'BrowserSwitcherChromePath',
'BrowserSwitcherChromeParameters',
'BrowserSwitcherDelay',
'BrowserSwitcherEnabled',
'BrowserSwitcherExternalSitelistUrl',
'BrowserSwitcherExternalGreylistUrl',
'BrowserSwitcherKeepLastChromeTab',
'BrowserSwitcherParsingMode',
'BrowserSwitcherUrlList',
'BrowserSwitcherUrlGreylist',
'BrowserSwitcherUseIeSitelist',
],
},
{
'name': 'PluginVm',
'type': 'group',
'caption': '''PluginVm''',
'policies': [
'PluginVmAllowed',
'PluginVmDataCollectionAllowed',
'PluginVmImage',
'PluginVmLicenseKey',
'PluginVmRequiredFreeDiskSpace',
'PluginVmUserId',
'UserPluginVmAllowed',
],
'desc': '''Configure <ph name="PLUGIN_VM_NAME">PluginVm</ph> related policies.''',
},
{
'name': 'Signin',
'type': 'group',
'caption': '''Sign-in settings''',
'desc': '''Controls the behavior of the sign-in screen, where users log into their accounts. Settings include who can log in, what type of accounts are allowed, what authentication methods should be used, as well as general accessibility, input method and locale settings.''',
'policies': [
'DeviceGuestModeEnabled',
'DeviceUserWhitelist',
'DeviceUserAllowlist',
'DeviceAllowNewUsers',
'DeviceLoginScreenDomainAutoComplete',
'DeviceShowUserNamesOnSignin',
'DeviceWallpaperImage',
'DeviceEphemeralUsersEnabled',
'LoginAuthenticationBehavior',
'DeviceSamlLoginAuthenticationType',
'DeviceTransferSAMLCookies',
'LoginVideoCaptureAllowedUrls',
'DeviceStartUpFlags',
'DeviceLoginScreenExtensions',
'DeviceLoginScreenLocales',
'DeviceLoginScreenInputMethods',
'DeviceLoginScreenSystemInfoEnforced',
'DeviceSecondFactorAuthentication',
'DeviceLoginScreenIsolateOrigins',
'DeviceLoginScreenSitePerProcess',
'DeviceLoginScreenAutoSelectCertificateForUrls',
'DeviceShowNumericKeyboardForPassword',
'DeviceFamilyLinkAccountsAllowed',
'DeviceLoginScreenPromptOnMultipleMatchingCertificates',
],
},
{
'name': 'UserAndDeviceReporting',
'type': 'group',
'caption': '''User and device reporting''',
'desc': '''Controls what kind of user and device information is reported.''',
'policies': [
'EnableDeviceGranularReporting',
'ReportDeviceVersionInfo',
'ReportDeviceBootMode',
'ReportDeviceUsers',
'ReportDeviceActivityTimes',
'ReportDeviceAudioStatus',
'ReportDeviceLocation',
'ReportDeviceNetworkConfiguration',
'ReportDeviceNetworkInterfaces',
'ReportDeviceNetworkStatus',
'ReportDeviceHardwareStatus',
'ReportDeviceSessionStatus',
'ReportDeviceGraphicsStatus',
'ReportDeviceCrashReportInfo',
'ReportDeviceOsUpdateStatus',
'ReportDeviceBoardStatus',
'ReportDeviceCpuInfo',
'ReportDeviceTimezoneInfo',
'ReportDeviceMemoryInfo',
'ReportDeviceBacklightInfo',
'ReportDevicePowerStatus',
'ReportDeviceSecurityStatus',
'ReportDeviceStorageStatus',
'ReportDeviceAppInfo',
'ReportDeviceBluetoothInfo',
'ReportDeviceFanInfo',
'ReportDeviceVpdInfo',
'ReportDeviceSystemInfo',
'ReportDevicePrintJobs',
'ReportDeviceLoginLogout',
'ReportUploadFrequency',
'ReportArcStatusEnabled',
'HeartbeatEnabled',
'HeartbeatFrequency',
'LogUploadEnabled',
'DeviceMetricsReportingEnabled',
'ReportDeviceNetworkTelemetryCollectionRateMs',
'ReportDeviceNetworkTelemetryEventCheckingRateMs',
],
},
{
'name': 'Network',
'type': 'group',
'caption': '''Network settings''',
'desc': '''Controls device-wide network configuration.''',
'policies': [
'DeviceOpenNetworkConfiguration',
'DeviceDataRoamingEnabled',
'NetworkThrottlingEnabled',
'DeviceHostnameTemplate',
'DeviceHostnameUserConfigurable',
'DeviceWiFiFastTransitionEnabled',
'DeviceWiFiAllowed',
'DeviceDockMacAddressSource',
],
},
{
'name': 'DeviceUpdate',
'type': 'group',
'caption': '''Device update settings''',
'desc': '''Controls how and when Chrome OS updates are applied.''',
'policies': [
'ChromeOsReleaseChannel',
'ChromeOsReleaseChannelDelegated',
'DeviceAutoUpdateDisabled',
'DeviceAutoUpdateP2PEnabled',
'DeviceAutoUpdateTimeRestrictions',
'DeviceTargetVersionPrefix',
'DeviceTargetVersionSelector',
'DeviceUpdateStagingSchedule',
'DeviceUpdateScatterFactor',
'DeviceUpdateAllowedConnectionTypes',
'DeviceUpdateHttpDownloadsEnabled',
'RebootAfterUpdate',
'MinimumRequiredChromeVersion',
'DeviceRollbackToTargetVersion',
'DeviceRollbackAllowedMilestones',
'DeviceQuickFixBuildToken',
'DeviceMinimumVersion',
'DeviceMinimumVersionAueMessage',
'DeviceChannelDowngradeBehavior',
],
},
{
'name': 'PowerAndShutdown',
'type': 'group',
'caption': '''Power and shutdown''',
'desc': '''Controls settings related to power management and rebooting.''',
'policies': [
'DeviceLoginScreenPowerManagement',
'UptimeLimit',
'DeviceRebootOnShutdown',
],
},
{
'name': 'Kiosk',
'type': 'group',
'caption': '''Kiosk settings''',
'desc': '''Controls public session and kiosk account types.''',
'policies': [
'DeviceLocalAccounts',
'DeviceLocalAccountAutoLoginId',
'DeviceLocalAccountAutoLoginDelay',
'DeviceLocalAccountAutoLoginBailoutEnabled',
'DeviceLocalAccountPromptForNetworkWhenOffline',
'AllowKioskAppControlChromeVersion',
],
},
{
'name': 'Other',
'type': 'group',
'caption': '''Other''',
'desc': '''Controls miscellaneous settings including USB, bluetooth, policy refresh, developer mode and others.''',
'policies': [
'UsbDetachableWhitelist',
'UsbDetachableAllowlist',
'DeviceAllowBluetooth',
'TPMFirmwareUpdateSettings',
'DeviceEcryptfsMigrationStrategy',
'DevicePolicyRefreshRate',
'DeviceBlockDevmode',
'DeviceAllowRedeemChromeOsRegistrationOffers',
'DeviceQuirksDownloadEnabled',
'ExtensionCacheSize',
'DeviceOffHours',
'SuggestedContentEnabled',
'DeviceShowLowDiskSpaceNotification',
'WebXRImmersiveArEnabled',
'PromptOnMultipleMatchingCertificates',
],
},
{
'name': 'DateAndTime',
'type': 'group',
'caption': '''Date and time''',
'desc': '''Controls clock and time zone settings.''',
'policies': [
'SystemTimezone',
'SystemTimezoneAutomaticDetection',
'SystemUse24HourClock',
]
},
{
'name': 'Display',
'type': 'group',
'caption': '''Display''',
'desc': '''Controls display settings.''',
'policies': [
'DeviceDisplayResolution',
'DisplayRotationDefault',
]
},
{
'name': 'Printing',
'type': 'group',
'caption': '''Printing''',
'desc': '''Controls printing settings.''',
'policies': [
'PrintingEnabled',
'CloudPrintProxyEnabled',
'PrintingAllowedColorModes',
'PrintingAllowedDuplexModes',
'PrintingAllowedPinModes',
'PrintingAllowedBackgroundGraphicsModes',
'PrintingColorDefault',
'PrintingDuplexDefault',
'PrintingPinDefault',
'PrintingBackgroundGraphicsDefault',
'PrintingPaperSizeDefault',
'PrintingSendUsernameAndFilenameEnabled',
'PrintingMaxSheetsAllowed',
'PrintJobHistoryExpirationPeriod',
'PrintingAPIExtensionsWhitelist',
'PrintingAPIExtensionsAllowlist',
'CloudPrintSubmitEnabled',
'DisablePrintPreview',
'PrintHeaderFooter',
'DefaultPrinterSelection',
'NativePrinters',
'NativePrintersBulkConfiguration',
'NativePrintersBulkAccessMode',
'NativePrintersBulkBlacklist',
'NativePrintersBulkWhitelist',
'Printers',
'PrintersBulkConfiguration',
'PrintersBulkAccessMode',
'PrintersBulkBlocklist',
'PrintersBulkAllowlist',
'DeviceNativePrinters',
'DeviceNativePrintersAccessMode',
'DeviceNativePrintersBlacklist',
'DeviceNativePrintersWhitelist',
'DevicePrinters',
'DevicePrintersAccessMode',
'DevicePrintersBlocklist',
'DevicePrintersAllowlist',
'PrintPreviewUseSystemDefaultPrinter',
'UserNativePrintersAllowed',
'UserPrintersAllowed',
'ExternalPrintServers',
'ExternalPrintServersWhitelist',
'ExternalPrintServersAllowlist',
'DeviceExternalPrintServers',
'DeviceExternalPrintServersAllowlist',
'PrinterTypeDenyList',
'PrintRasterizationMode',
'PrintPdfAsImageAvailability',
'PrintRasterizePdfDpi',
'DeletePrintJobHistoryAllowed',
'CloudPrintWarningsSuppressed',
'PrintPostScriptMode',
'PrintPdfAsImageDefault',
]
},
{
'name': 'ActiveDirectoryManagement',
'type': 'group',
'caption': '''<ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> management settings''',
'desc': '''Controls settings specific to <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> managed <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices.''',
'policies': [
'DeviceMachinePasswordChangeRate',
'DeviceUserPolicyLoopbackProcessingMode',
'DeviceKerberosEncryptionTypes',
'DeviceGpoCacheLifetime',
'DeviceAuthDataCacheLifetime',
]
},
{
'name': 'Arc',
'type': 'group',
'caption': '''Android settings''',
'desc': '''Controls settings for the Android container (ARC) and Android apps.''',
'policies': [
'ArcEnabled',
'UnaffiliatedArcAllowed',
'ArcPolicy',
'ArcAppInstallEventLoggingEnabled',
'ArcBackupRestoreServiceEnabled',
'ArcGoogleLocationServicesEnabled',
'ArcCertificatesSyncMode',
'ArcBackupRestoreEnabled',
'ArcLocationServiceEnabled',
'AppRecommendationZeroStateEnabled',
'DeviceArcDataSnapshotHours',
'ArcAppToWebAppSharingEnabled',
]
},
{
'name': 'Crostini',
'type': 'group',
'caption': '''Linux container''',
'desc': '''Controls settings for the Linux container (Crostini).''',
'policies': [
'VirtualMachinesAllowed',
'CrostiniAllowed',
'DeviceUnaffiliatedCrostiniAllowed',
'CrostiniExportImportUIAllowed',
'CrostiniRootAccessAllowed',
'CrostiniAnsiblePlaybook',
'CrostiniArcAdbSideloadingAllowed',
'DeviceCrostiniArcAdbSideloadingAllowed',
'CrostiniPortForwardingAllowed',
]
},
{
'name': 'GoogleAssistant',
'type': 'group',
'caption': '''Google Assistant''',
'desc': '''Controls settings for Google Assistant.''',
'policies': [
'AssistantOnboardingMode',
'VoiceInteractionContextEnabled',
'VoiceInteractionHotwordEnabled',
'AssistantVoiceMatchEnabledDuringOobe',
'VoiceInteractionQuickAnswersEnabled',
]
},
{
'name': 'QuickAnswers',
'type': 'group',
'caption': '''Quick Answers''',
'desc': '''Controls settings for Quick Answers.''',
'policies': [
'QuickAnswersEnabled',
'QuickAnswersDefinitionEnabled',
'QuickAnswersTranslationEnabled',
'QuickAnswersUnitConverstionEnabled',
]
},
{
'name': 'WilcoDtc',
'type': 'group',
'caption': '''Wilco DTC''',
'desc': '''Controls wilco diagnostics and telemetry controller settings.''',
'policies': [
'DeviceWilcoDtcAllowed',
'DeviceWilcoDtcConfiguration',
],
},
{
'name': 'ParentalSupervision',
'type': 'group',
'caption': '''Parental supervision settings''',
'desc': '''Controls parental supervision policies, that are applied to child accounts only.
These policies are not set in the admin console, but configured directly by Kids API Server.''',
'policies': [
'ParentAccessCodeConfig',
'PerAppTimeLimits',
'PerAppTimeLimitsWhitelist',
'PerAppTimeLimitsAllowlist',
'UsageTimeLimit',
'EduCoexistenceToSVersion',
],
},
{
'name': 'PrivacyScreen',
'type': 'group',
'caption': '''Privacy screen settings''',
'desc': '''Controls user and device policies for the privacy screen feature.''',
'policies': [
'DeviceLoginScreenPrivacyScreenEnabled',
'PrivacyScreenEnabled',
],
},
{
'name': 'CertificateManagement',
'type': 'group',
'caption': '''Certificate management settings''',
'desc': '''Controls user and device policies for certificate management.''',
'policies': [
'RequiredClientCertificateForDevice',
'RequiredClientCertificateForUser',
],
},
{
'name': 'Gaia',
'type': 'group',
'caption': '''Gaia user identity management settings''',
'desc': '''Controls settings for users authenticated againts Gaia without SAML.''',
'policies': [
'GaiaOfflineSigninTimeLimitDays',
],
},
{
'name': 'SAML',
'type': 'group',
'caption': '''Saml user identity management settings''',
'desc': '''Controls settings for users authenticated via SAML with an extaernal IdP''',
'policies': [
'SamlInSessionPasswordChangeEnabled',
'SamlPasswordExpirationAdvanceWarningDays',
'LockScreenReauthenticationEnabled',
'SAMLOfflineSigninTimeLimit',
],
},
{
'name': 'Borealis',
'type': 'group',
'caption': '''Borealis''',
'desc': '''Controls policies related to the <ph name="BOREALIS_NAME">Borealis</ph> subsystem.''',
'policies': [
'DeviceBorealisAllowed',
'UserBorealisAllowed',
],
},
{
'name': 'HomepageLocation',
'owners': ['file://components/policy/resources/OWNERS', 'rsorokin@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:81-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://www.chromium.org',
'id': 1,
'caption': '''Configure the home page URL''',
'tags': [],
'desc': '''Setting the policy sets the default homepage URL in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. You open the homepage using the Home button. On desktop, the <ph name="RESTORE_ON_STARTUP_POLICY_NAME">RestoreOnStartup</ph> policies control the pages that open on startup.
If the homepage is set to the New Tab Page, by the user or <ph name="HOMEPAGE_IS_NEW_TAB_PAGE_POLICY_NAME">HomepageIsNewTabPage</ph>, this policy has no effect.
The URL needs a standard scheme, such as http://example.com or https://example.com. When this policy is set, users can't change their homepage URL in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Leaving both <ph name="HOMEPAGE_LOCATION_POLICY_NAME">HomepageLocation</ph> and <ph name="HOMEPAGE_IS_NEW_TAB_PAGE_POLICY_NAME">HomepageIsNewTabPage</ph> unset lets users choose their homepage.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
'label': '''Home page URL''',
},
{
'name': 'HomepageIsNewTabPage',
'owners': ['file://components/policy/resources/OWNERS', 'rsorokin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Use New Tab Page as homepage',
},
{
'value': False,
'caption': 'Do not use New Tab Page as homepage',
},
],
'example_value': True,
'id': 2,
'caption': '''Use New Tab Page as homepage''',
'tags': [],
'desc': '''Setting the policy to Enabled makes the New Tab page the user's homepage, ignoring any homepage URL location. Setting the policy to Disabled means that their homepage is never the New Tab page, unless the user's homepage URL is set to chrome://newtab.
If you set the policy, users can't change their homepage type in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, the user decides whether or not the New Tab page is their homepage.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
},
{
'name': 'NewTabPageLocation',
'owners': ['file://components/policy/resources/OWNERS', 'okalitova@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:58-', 'chrome_os:58-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://www.chromium.org',
'id': 360,
'caption': '''Configure the New Tab page URL''',
'tags': [],
'desc': '''Setting the policy configures the default New Tab page URL and prevents users from changing it.
The New Tab page opens with new tabs and windows.
This policy doesn't decide which pages open on start up. Those are controlled by the <ph name="RESTORE_ON_STARTUP_POLICY_NAME">RestoreOnStartup</ph> policies. This policy does affect the homepage, if that's set to open the New Tab page, as well as the startup page if it's set to open the New Tab page.
It is a best practice to provide fully canonicalized URL, if the URL is not fully canonicalized <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will default to https://.
Leaving the policy unset or empty puts the default New Tab page in use.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain domain, running on Windows 10 Pro, or enrolled in <ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.''',
'label': '''New Tab page URL''',
},
{
'name': 'DefaultBrowserSettingEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win7:11-', 'chrome.mac:11-', 'chrome.linux:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Enable the default browser check on startup',
},
{
'value': False,
'caption': 'Disable the default browser check on startup',
},
],
'example_value': True,
'id': 3,
'caption': '''Set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as Default Browser''',
'tags': [],
'desc': '''Setting the policy to True has <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> always check whether it's the default browser on startup and, if possible, automatically register itself. Setting the policy to False stops <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> from ever checking if it's the default and turns user controls off for this option.
Leaving the policy unset means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> lets users control whether it's the default and, if not, whether user notifications should appear.
Note: For <ph name="MS_WIN_NAME">Microsoft®Windows®</ph> administrators, turning this setting on only works for machines running Windows 7. For later versions, you must deploy a "default application associations" file that makes <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> the handler for the <ph name="HTTPS_PROTOCOL">https</ph> and <ph name="HTTP_PROTOCOL">http</ph> protocols (and, optionally, the <ph name="FTP_PROTOCOL">ftp</ph> protocol and other file formats). See Chrome Help ( https://support.google.com/chrome?p=make_chrome_default_win ).''',
'label': '''Set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as Default Browser''',
},
{
'name': 'ApplicationLocaleValue',
'owners': ['file://components/policy/resources/OWNERS', 'hendrich@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:8-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'en',
'id': 4,
'caption': '''Application locale''',
'tags': [],
'desc': '''Setting the policy specifies the locale <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses.
Turning it off or leaving it unset means the locale will be the first valid locale from:
1) The user specified locale (if configured).
2) The system locale.
3) The fallback locale (en-US).''',
'label': '''Application locale''',
},
{
'name': 'AlternateErrorPagesEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'pastarmovj@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable alternate error pages',
},
{
'value': False,
'caption': 'Disable alternate error pages',
},
],
'example_value': True,
'id': 5,
'caption': '''Enable alternate error pages''',
'tags': [],
'desc': '''Setting the policy to True means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses alternate error pages built into (such as "page not found"). Setting the policy to False means <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> never uses alternate error pages.
If you set the policy, users can't change it. If not set, the policy is on, but users can change this setting.''',
},
{
'name': 'SearchSuggestEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable search suggestions',
},
{
'value': False,
'caption': 'Disable search suggestions',
},
],
'example_value': True,
'id': 6,
'caption': '''Enable search suggestions''',
'tags': [],
'desc': '''Setting the policy to True turns on search suggestions in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s address bar. Setting the policy to False turns off these search suggestions.
If you set the policy, users can't change it. If not set, search suggestions are on at first, but users can turn them off any time.''',
},
{
'name': 'NativeWindowOcclusionEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'pmarko@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.win:84-',
],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Detect covered window and suspend its painting',
},
{
'value': False,
'caption': 'Do not detect covered window',
},
],
'deprecated': True,
'example_value': True,
'id': 675,
'caption': '''Enable Native Window Occlusion''',
'tags': [],
'desc': '''This policy is deprecated, please use the '<ph name="WINDOW_OCCLUSION_ENABLED_POLICY_NAME">WindowOcclusionEnabled</ph>' policy instead.
Enables native window occlusion in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you enable this setting, to reduce CPU and power consumption <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will detect when a window is covered by other windows, and will suspend work painting pixels.
If you disable this setting <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not detect when a window is covered by other windows.
If this policy is left not set, occlusion detection will be enabled.''',
},
{
'name': 'WindowOcclusionEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'zmin@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.win:90-',
],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Detect covered window and suspend its painting',
},
{
'value': False,
'caption': 'Do not detect covered window',
},
],
'default': True,
'example_value': True,
'id': 817,
'caption': '''Enable Window Occlusion''',
'tags': [],
'desc': '''Enables window occlusion in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you enable this setting, to reduce CPU and power consumption <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will detect when a window is covered by other windows, and will suspend work painting pixels.
If you disable this setting <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not detect when a window is covered by other windows.
If this policy is left not set, occlusion detection will be enabled.''',
},
{
'name': 'DnsPrefetchingEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'poromov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-53', 'chrome_os:11-53', 'android:30-53'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 7,
'caption': '''Enable network prediction''',
'tags': [],
'desc': '''This policy is deprecated in M48 in favor of <ph name="NETWORK_PREDICTION_OPTIONS_POLICY_NAME">NetworkPredictionOptions</ph>, and removed in M54.
Enables network prediction in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages. The policy name refers to DNS prefetching for historical reasons.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'NetworkPredictionOptions',
'owners': ['file://components/policy/resources/OWNERS', 'poromov@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'NetworkPredictionAlways',
'value': 0,
'caption': '''Predict network actions on any network connection''',
},
{
'name': 'NetworkPredictionWifiOnly',
'value': 1,
'caption': '''Predict network actions on any network that is not cellular.
(Deprecated in 50, removed in 52. After 52, if value 1 is set, it will be treated as 0 - predict network actions on any network connection.)''',
},
{
'name': 'NetworkPredictionNever',
'value': 2,
'caption': '''Do not predict network actions on any network connection''',
},
],
'supported_on': ['chrome.*:38-', 'chrome_os:38-', 'android:38-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 273,
'caption': '''Enable network prediction''',
'tags': [],
'desc': '''This policy controls network prediction in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. It controls DNS prefetching, TCP, and SSL preconnection and prerendering of webpages.
If you set the policy, users can't change it. Leaving it unset turns on network prediction, but the user can change it.''',
},
{
'name': 'WPADQuickCheckEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'atwilson@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [ 'chrome.*:35-', 'chrome_os:35-' ],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Enable Web Proxy Auto-Discovery (WPAD) optimizations',
},
{
'value': False,
'caption': 'Disable Web Proxy Auto-Discovery (WPAD) optimization',
},
],
'example_value': True,
'default': True,
'id': 261,
'caption': '''Enable WPAD optimization''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled or leaving it unset turns on WPAD (Web Proxy Auto-Discovery) optimization in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting the policy to Disabled turns off WPAD optimization, causing <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to wait longer for DNS-based WPAD servers.
Whether or not this policy is set, users can't change the WPAD optimization setting.''',
},
{
'name': 'DisableSpdy',
'owners': ['file://components/policy/resources/OWNERS', 'bnc@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-53', 'chrome_os:11-53', 'android:30-53'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': True,
'id': 8,
'caption': '''Disable SPDY protocol''',
'tags': [],
'desc': '''This policy is deprecated in M53 and removed in M54, because SPDY/3.1 support is removed.
Disables use of the SPDY protocol in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is enabled the SPDY protocol will not be available in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting this policy to disabled will allow the usage of SPDY.
If this policy is left not set, SPDY will be available.''',
},
{
'name': 'DisabledSchemes',
'owners': ['file://components/policy/resources/OWNERS', 'zmin@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:12-', 'chrome_os:12-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['file', 'https'],
'id': 85,
'caption': '''Disable URL protocol schemes''',
'tags': [],
'desc': '''This policy is deprecated, please use <ph name="URL_BLOCKLIST_POLICY_NAME">URLBlocklist</ph> instead.
Disables the listed protocol schemes in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
URLs using a scheme from this list will not load and can not be navigated to.
If this policy is left not set or the list is empty all schemes will be accessible in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'label': '''List of disabled protocol schemes''',
},
{
'name': 'GloballyScopeHTTPAuthCacheEnabled',
'owners': ['file://net/OWNERS', 'mmenke@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-', 'chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable globally scoped HTTP authentication cache',
},
{
'value': False,
'caption': 'Disable globally scoped HTTP authentication cache',
},
],
'example_value': False,
'id': 643,
'caption': '''Enable globally scoped HTTP auth cache''',
'tags': [],
'desc': '''This policy configures a single global per profile cache with HTTP server authentication credentials.
If this policy is unset or disabled, the browser will use the default behavior of cross-site auth, which as of version 80, will be to scope HTTP server authentication credentials by top-level site, so if two sites use resources from the same authenticating domain, credentials will need to be provided independently in the context of both sites. Cached proxy credentials will be reused across sites.
If the policy is enabled, HTTP auth credentials entered in the context of one site will automatically be used in the context of another.
Enabling this policy leaves sites open to some types of cross-site attacks, and allows users to be tracked across sites even without cookies by adding entries to the HTTP auth cache using credentials embedded in URLs.
This policy is intended to give enterprises depending on the legacy behavior a chance to update their login procedures, and will be removed in the future.'''
},
{
'name': 'DNSInterceptionChecksEnabled',
'owners': ['krb@chromium.org', 'jdonnelly@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-', 'chrome_os:80-'],
'features': {
'dynamic_refresh': True,
'per_profile': False
},
'items': [
{
'value': True,
'caption': 'Perform DNS interception checks',
},
{
'value': False,
'caption': 'Do not perform DNS interception checks',
},
],
'example_value': True,
'default': True,
'id': 654,
'caption': '''DNS interception checks enabled''',
'tags': [],
'desc': '''This policy configures a local switch that can be used to disable DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
This detection may not be necessary in an enterprise environment where the network configuration is known, since it causes some amount of DNS and HTTP traffic on start-up and each DNS configuration change.
When this policy is not set, or is enabled, the DNS interception checks are performed. When explicitly disabled, they're not.'''
},
{
'name': 'IntranetRedirectBehavior',
'owners': ['jdonnelly@chromium.org', 'tommycli@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'Default',
'value': 0,
'caption': '''Use default browser behavior.''',
},
{
'name': 'DisableInterceptionChecksDisableInfobar',
'value': 1,
'caption': '''Disable DNS interception checks and did-you-mean "http://intranetsite/" infobars.''',
},
{
'name': 'DisableInterceptionChecksEnableInfobar',
'value': 2,
'caption': '''Disable DNS interception checks; allow did-you-mean "http://intranetsite/" infobars.''',
},
{
'name': 'EnableInterceptionChecksEnableInfobar',
'value': 3,
'caption': '''Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.''',
}
],
'supported_on': ['chrome.*:88-', 'chrome_os:88-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'default': 0,
'id': 792,
'caption': '''Intranet Redirection Behavior''',
'tags': [],
'desc': '''This policy configures behavior for intranet redirection via DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
If this policy is not set, the browser will use the default behavior of DNS interception checks and intranet redirect suggestions. In M88, they are enabled by default but will be disabled by default in the future release.
<ph name="DNS_INTERCEPTION_CHECKS_ENABLED_POLICY_NAME">DNSInterceptionChecksEnabled</ph> is a related policy that may also disable DNS interception checks; this policy is a more flexible version which may separately control intranet redirection infobars and may be expanded in the future.
If either <ph name="DNS_INTERCEPTION_CHECKS_ENABLED_POLICY_NAME">DNSInterceptionChecksEnabled</ph> or this policy requests to disable interception checks, the checks will be disabled.'''
},
{
'name': 'Http09OnNonDefaultPortsEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'anqing@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:54-77', 'chrome_os:54-77'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Enable HTTP/0.9 support on non-default ports',
},
{
'value': False,
'caption': 'Disable HTTP/0.9 support on non-default ports',
},
],
'example_value': False,
'id': 345,
'caption': '''Enable HTTP/0.9 support on non-default ports''',
'tags': [],
'desc': '''This policy is deprecated, and slated for removal in Chrome 78, with no replacement.
This policy enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS.
This policy is disabled by default, and if enabled, leaves users open to the security issue https://crbug.com/600352.
This policy is intended to give enterprises a chance to migrate exising servers off of HTTP/0.9, and will be removed in the future.
If this policy is not set, HTTP/0.9 will be disabled on non-default ports.''',
},
{
'name': 'JavascriptEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'bartfab@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable JavaScript',
},
{
'value': False,
'caption': 'Disable JavaScript',
},
],
'deprecated': True,
'example_value': True,
'id': 9,
'caption': '''Enable JavaScript''',
'tags': [],
'desc': '''This policy is deprecated, please use DefaultJavaScriptSetting instead.
Can be used to disabled JavaScript in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is disabled, web pages cannot use JavaScript and the user cannot change that setting.
If this setting is enabled or not set, web pages can use JavaScript but the user can change that setting.''',
},
{
'name': 'IncognitoEnabled',
'owners': ['file://components/policy/resources/OWNERS', 'hendrich@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable Incognito mode',
},
{
'value': False,
'caption': 'Disable Incognito mode',
},
],
'deprecated': True,
'example_value': False,
'id': 10,
'caption': '''Enable Incognito mode''',
'tags': [],
'desc': '''This policy is deprecated. Please, use IncognitoModeAvailability instead.
Enables Incognito mode in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is enabled or not configured, users can open web pages in incognito mode.
If this setting is disabled, users cannot open web pages in incognito mode.
If this policy is left not set, this will be enabled and the user will be able to use incognito mode.''',
},
{
'name': 'IncognitoModeAvailability',
'owners': ['file://components/policy/resources/OWNERS', 'emaxx@chromium.org'],
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Enabled',
'value': 0,
'caption': '''Incognito mode available''',
},
{
'name': 'Disabled',
'value': 1,
'caption': '''Incognito mode disabled''',
},
{
'name': 'Forced',
'value': 2,
'caption': '''Incognito mode forced''',
'supported_on': [
'chrome.*:14-',
'chrome_os:14-',
],
},
],
'supported_on': [
'chrome.*:14-',
'chrome_os:14-',
'android:30-',
'ios:90-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 93,
'caption': '''Incognito mode availability''',
'tags': ['filtering'],
'desc': '''Specifies whether the user may open pages in Incognito mode in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.
If 'Disabled' is selected, pages may not be opened in Incognito mode.
If 'Forced' is selected, pages may be opened ONLY in Incognito mode. Note that 'Forced' does not work for Android-on-Chrome
Note: On iOS, if the policy is changed during a session, it will only take effect on relaunch.''',
},
{
'name': 'SavingBrowserHistoryDisabled',
'owners': ['file://components/policy/resources/OWNERS', 'emaxx@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:88-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Disable saving browser history',
},
{
'value': False,
'caption': 'Enable saving browser history',
},
],
'example_value': True,
'id': 11,
'caption': '''Disable saving browser history''',
'tags': [],
'desc': '''Setting the policy to Enabled means browsing history is not saved, tab syncing is off and users can't change this setting.
Setting the policy to Disabled or leaving it unset saves browsing history.''',
},
{
'name': 'AllowDeletingBrowserHistory',
'owners': ['file://components/policy/resources/OWNERS', 'bartfab@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:57-', 'chrome_os:57-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable deleting browser and download history',
},
{
'value': False,
'caption': 'Disable deleting browser and download history',
},
],
'example_value': True,
'id': 187,
'caption': '''Enable deleting browser and download history''',
'tags': ['local-data-access', 'admin-sharing'],
'desc': '''Setting the policy to Enabled or leaving it unset means browser history and download history can be deleted in Chrome, and users can't change this setting.
Setting the policy to Disabled means browser history and download history can't be deleted. Even with this policy off, the browsing and download history are not guaranteed to be retained. Users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.''',
},
{
'name': 'AllowDinosaurEasterEgg',
'owners': ['file://components/policy/resources/OWNERS', 'poromov@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:48-', 'chrome.*:48-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'items': [
{
'value': True,
'caption': 'Enable dinosaur easter egg game',
},
{
'value': False,
'caption': 'Disable dinosaur easter egg game',
},
],
'example_value': False,
'id': 309,
'default_for_enterprise_users': False,
'caption': '''Allow Dinosaur Easter Egg Game''',
'tags': [],
'desc': '''Setting the policy to True allows users to play the dinosaur game. Setting the policy to False means users can't play the dinosaur easter egg game when device is offline.
Leaving the policy unset means users can't play the game on enrolled <ph name="PRODUCT_OS_NAME">$2<ex>GoogleChromeOS</ex></ph>, but can under other circumstances.''',
},
{
'name': 'ForceLegacyDefaultReferrerPolicy',
'owners': ['kaustubhag@chromium.org', 'chrome-network-stack@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:80-87', 'chrome_os:80-87'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'items': [
{
'value': True,
'caption': 'Use a default referrer policy of no-referrer-when-downgrade',
},
{
'value': False,
'caption': 'Do not use a default referrer policy of no-referrer-when-downgrade',
},
],
'deprecated': True,
'example_value': False,
'id': 648,
'caption': '''Use a default referrer policy of no-referrer-when-downgrade.''',
'tags': [],
'desc': '''This enterprise policy is for short-term adaptation and will be removed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 88.
Chrome's default referrer policy is being strengthened from its current value of no-referrer-when-downgrade to the more secure strict-origin-when-cross-origin through a gradual rollout targeting Chrome 85 stable.
Before the rollout, this enterprise policy will have no effect. After the rollout, when this enterprise policy is enabled, Chrome's default referrer policy will be set to its previous value of no-referrer-when-downgrade.
This enterprise policy is disabled by default.''',
},
{
'name': 'RemoteAccessClientFirewallTraversal',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'garykac@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:14-16', 'chrome_os:14-16'],
'features': {
'dynamic_refresh': True,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
# Mark this 'removed' when https://crbug.com/100216 is resolved.
'deprecated': True,
'example_value': False,
'id': 94,
'caption': '''Enable firewall traversal from remote access client''',
'tags': [],
'desc': '''This policy is no longer supported.
Enables usage of STUN and relay servers when connecting to a remote client.
If this setting is enabled, then this machine can discover and connect to remote host machines even if they are separated by a firewall.
If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine can only connect to host machines within the local network.''',
},
{
'name': 'RemoteAccessHostClientDomain',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'joedow@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'deprecated': True,
'example_value': 'my-awesome-domain.com',
'id': 316,
'caption': '''Configure the required domain name for remote access clients''',
'tags': [],
'desc': '''This policy is deprecated. Please use <ph name="REMOTE_ACCESS_HOST_CLIENT_DOMAIN_LIST_POLICY_NAME">RemoteAccessHostClientDomainList</ph> instead.''',
},
{
'name': 'RemoteAccessHostClientDomainList',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'garykac@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:60-', 'chrome_os:60-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'example_value': ['my-awesome-domain.com', 'my-auxiliary-domain.com'],
'id': 369,
'caption': '''Configure the required domain names for remote access clients''',
'tags': [],
'desc': '''Setting the policy specifies the client domain names that are imposed on remote access clients, and users can't change them. Only clients from one of the specified domains can connect to the host.
Setting the policy to an empty list or leaving it unset applies the default policy for the connection type. For remote assistance, this allows clients from any domain to connect to the host. For anytime remote access, only the host owner can connect.
See also <ph name="REMOTE_ACCESS_HOST_DOMAIN_LIST_POLICY_NAME">RemoteAccessHostDomainList</ph>.
Note: This setting overrides <ph name="REMOTE_ACCESS_HOST_CLIENT_DOMAIN_POLICY_NAME">RemoteAccessHostClientDomain</ph>, if present.''',
},
{
'name': 'RemoteAccessHostFirewallTraversal',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:14-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'items': [
{
'value': True,
'caption': 'Enable firewall traversal from remote access host',
},
{
'value': False,
'caption': 'Disable firewall traversal from remote access host',
},
],
'example_value': False,
'id': 95,
'caption': '''Enable firewall traversal from remote access host''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset allows the usage of STUN servers, letting remote clients discover and connect to this machine, even if separated by a firewall.
Setting the policy to Disabled when outgoing UDP connections are filtered by the firewall means the machine only allows connections from client machines within the local network.''',
},
{
'name': 'RemoteAccessHostDomain',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'yuweih@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'deprecated': True,
'example_value': 'my-awesome-domain.com',
'id': 154,
'caption': '''Configure the required domain name for remote access hosts''',
'tags': [],
'desc': '''This policy is deprecated. Please use <ph name="REMOTE_ACCESS_HOST_DOMAIN_LIST_POLICY_NAME">RemoteAccessHostDomainList</ph> instead.''',
},
{
'name': 'RemoteAccessHostDomainList',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'yuweih@chromium.org'],
'type': 'list',
'schema': {
'type': 'array',
'items': {'type': 'string' },
},
'supported_on': ['chrome.*:60-', 'chrome_os:60-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'example_value': ['my-awesome-domain.com', 'my-auxiliary-domain.com'],
'id': 368,
'caption': '''Configure the required domain names for remote access hosts''',
'tags': [],
'desc': '''Setting the policy specifies the host domain names that are imposed on remote access hosts, and users can't change them. Hosts can be shared only using accounts registered on one of the specified domain names.
Setting the policy to an empty list or leaving it unset means hosts can be shared using any account.
See also <ph name="REMOTE_ACCESS_HOST_CLIENT_DOMAIN_LIST_POLICY_NAME">RemoteAccessHostClientDomainList</ph>.
Note: This setting will override <ph name="REMOTE_ACCESS_HOST_DOMAIN_POLICY_NAME">RemoteAccessHostDomain</ph>, if present.''',
},
{
'name': 'RemoteAccessHostRequireTwoFactor',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'lambroslambrou@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:22-22'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
# Mark this 'removed' when https://crbug.com/100216 is resolved.
'deprecated': True,
'example_value': False,
'id': 155,
'caption': '''Enable two-factor authentication for remote access hosts''',
'tags': [],
'desc': '''Enables two-factor authentication for remote access hosts instead of a user-specified PIN.
If this setting is enabled, then users must provide a valid two-factor code when accessing a host.
If this setting is disabled or not set, then two-factor will not be enabled and the default behavior of having a user-defined PIN will be used.''',
},
{
'name': 'RemoteAccessHostTalkGadgetPrefix',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'joedow@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-75', 'chrome_os:41-75'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'deprecated': True,
'example_value': 'chromoting-host',
'id': 156,
'caption': '''Configure the TalkGadget prefix for remote access hosts''',
'tags': [],
'desc': '''Configures the TalkGadget prefix that will be used by remote access hosts and prevents users from changing it.
If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.
If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.
If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used for all hosts.
Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.''',
},
{
'name': 'RemoteAccessHostRequireCurtain',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'garykac@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:23-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'items': [
{
'value': True,
'caption': 'Enable curtaining of the remote access host',
},
{
'value': False,
'caption': 'Disable curtaining of the remote access host',
},
],
'example_value': False,
'id': 157,
'caption': '''Enable curtaining of remote access hosts''',
'tags': ['system-security'],
'desc': '''Setting the policy to Enabled turns off remote access hosts' physical input and output devices during a remote connection.
Setting the policy to Disabled or leaving it unset lets both local and remote users interact with the host while it's shared.''',
},
{
'name': 'RemoteAccessHostAllowClientPairing',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'items': [
{
'value': True,
'caption': 'Enable PIN-less authentication for the remote access host',
},
{
'value': False,
'caption': 'Disable PIN-less authentication for the remote access host',
},
],
'example_value': False,
'id': 234,
'caption': '''Enable or disable PIN-less authentication for remote access hosts''',
'tags': [],
'desc': '''Setting the policy to Enabled or leaving it unset lets users pair clients and hosts at connection time, eliminating the need to enter a PIN every time.
Setting the policy to Disabled makes this feature unavailable.''',
},
{
'name': 'RemoteAccessHostAllowGnubbyAuth',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'lambroslambrou@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:35-'],
'features': {
'dynamic_refresh': True,
'internal_only': True, # Not available outside of Google.
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'items': [
{
'value': True,
'caption': 'Enable gnubby authentication for the remote access host',
},
{
'value': False,
'caption': 'Disable gnubby authentication for the remote access host',
},
],
'example_value': True,
'id': 257,
'caption': '''Allow gnubby authentication for remote access hosts''',
'tags': [],
'desc': '''Setting the policy to Enabled means gnubby authentication requests will be proxied across a remote host connection.
Setting the policy to Disabled or leaving it unset means gnubby authentication requests won't be proxied.
Note that this feature requires additional components which are not available outside of the Google network environment in order to work properly.''',
},
{
'name': 'RemoteAccessHostAllowRelayedConnection',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'garykac@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:36-', 'chrome_os:86-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'items': [
{
'value': True,
'caption': 'Enable the use of relay servers by the remote access host',
},
{
'value': False,
'caption': 'Disable the use of relay servers by the remote access host',
},
],
'example_value': False,
'id': 263,
'caption': '''Enable the use of relay servers by the remote access host''',
'tags': [],
'desc': '''If <ph name="REMOTE_ACCESS_HOST_FIREWALL_TRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is set to Enabled, setting <ph name="REMOTE_ACCESS_HOST_ALLOW_RELAYED_CONNECTION_POLICY_NAME">RemoteAccessHostAllowRelayedConnection</ph> to Enabled or leaving it unset allows the use of remote clients to use relay servers to connect to this machine when a direct connection is not available, for example, because of firewall restrictions.
Setting the policy to Disabled doesn't turn remote access off, but only allows connections from the same network (not NAT traversal or relay).''',
},
{
'name': 'RemoteAccessHostUdpPortRange',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'yuweih@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:36-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support outside of Chrome OS.
},
'example_value': '12400-12409',
'id': 264,
'caption': '''Restrict the UDP port range used by the remote access host''',
'tags': [],
'desc': '''Setting the policy restricts the UDP port range used by the remote access host in this machine.
Leaving the policy unset or set to an empty string means the remote access host can use any available port.
Note: If <ph name="REMOTE_ACCESS_HOST_FIREWALL_TRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is Disabled, the remote access host will use UDP ports in the 12400-12409 range.''',
},
{
'name': 'RemoteAccessHostMatchUsername',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.linux:25-', 'chrome.mac:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'items': [
{
'value': True,
'caption': 'Require matching local user and remote access host owner',
},
{
'value': False,
'caption': 'Do not require matching local user and remote access host owner',
},
],
'example_value': False,
'id': 285,
'caption': '''Require that the name of the local user and the remote access host owner match''',
'tags': [],
'desc': '''Setting the policy to Enabled has the remote access host compare the name of the local user the host is associated with and the name of the Google Account registered as the host owner ("johndoe," if the host is owned by "johndoe@example.com"). This host won't start if the host owner's name differs from the name of the local user that the host is associated with. To enforce that the owner's Google Account is associated with a specific domain, use the policy with <ph name="REMOTE_ACCESS_HOST_DOMAIN_POLICY_NAME">RemoteAccessHostDomain</ph>.
Setting the policy to Disabled or leaving it unset means the remote access host can be associated with any local user.''',
},
{
'name': 'RemoteAccessHostTokenUrl',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-'],
'features': {
'dynamic_refresh': True,
'internal_only': True, # Not available outside of Google.
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': 'https://example.com/issue',
'id': 286,
'caption': '''URL where remote access clients should obtain their authentication token''',
'tags': ['website-sharing'],
'desc': '''Setting the policy means the remote access host requires authenticating clients to get an authentication token from this URL to connect.
This feature is disabled if empty or not set.
Note: This policy must be used with <ph name="REMOTE_ACCESS_HOST_TOKEN_VALIDATION_URL_POLICY_NAME">RemoteAccessHostTokenValidationUrl</ph>.''',
},
{
'name': 'RemoteAccessHostTokenValidationUrl',
'owners': ['file://remoting/OWNERS', 'jamiewalch@chromium.org', 'garykac@chromium.org'],
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-'],
'features': {
'dynamic_refresh': True,
'internal_only': True, # Not available outside of Google.
'per_profile': False,
'platform_only': True, # No cloud-policy support.
},
'example_value': 'https://example.com/validate',
'id': 287,
'caption': '''URL for validating remote access client authentication token''',
'tags': ['website-sharing'],
'desc': '''Setting the policy means the remote access host uses this URL to validate authentication tokens from remote access clients to accept connections. This feature is disabled if empty or not set.
Note: Use the policy with <ph name="REMOTE_ACCESS_HOST_TOKEN_URL_POLICY_NAME">RemoteAccessHostTokenUrl</ph>.''',