Setting ChromeOS device policies

To manage your fleet of ChromeOS devices, you must be a Google Admin Console administrator. You can set policies for all devices in your organization or apply them to specific groups of devices using organizational units.

 

Step 1: Access the Google Admin Console

Sign in to the Google Admin console with your administrator account.

Step 2: Navigate to Device Settings

From the Admin console Home page, go to Menu > Devices > Chrome > Settings > Device settings.

Step 3: Select an Organizational Unit

On the left, select the organizational unit you want to apply the settings to. If you want to apply the settings to all devices, select the top-level organizational unit.

Step 4: Configure the Policy

Scroll to the setting you want to configure. Click on it, make your desired changes, and then click Save.

 

Changes typically take effect within a few minutes, but it can sometimes take up to 24 hours.

 

Top 10 practical ChromeOS device policies for enterprise

 

While there isn't an official list of the "top 10 most used" devices policies, here are ten highly recommended and commonly used policies for enterprises, with a focus on security, productivity, and management.

 

1. Forced Re-enrollment: This policy ensures that if a device is wiped, it automatically re-enrolls in your organization's account without a user's manual input. This is critical for device security and inventory management.
2. Allow Guest Mode: Disabling guest mode prevents users from browsing the web without signing in, which can help ensure all user activity is tied to a specific account and is auditable.
3. Sign-In Restriction: This policy allows you to restrict device sign-ins to only users within your organization's domain. For example, by allowlisting *@yourcompany.com, you prevent non-employees from using company devices.
4. Device State Reporting: Enabling this policy allows administrators to collect and monitor real-time data on devices, such as serial number, model, and last time synced. This is crucial for fleet management and troubleshooting.
5. Disabled Device Return Instructions: For lost or stolen devices, you can set a custom message that appears on the disabled device's screen. This message can include contact information, increasing the chances of the device being returned.
6. Screen Lock: Automatically locking the screen on idle after a short period ensures that unattended devices are not left vulnerable.
7. Safe Browsing: Enforcing Safe Browsing helps protect users from malicious sites by displaying a warning before they can access a potentially dangerous URL.
8. Disallow External Storage Devices: This policy can prevent the use of USB drives and other external storage, which helps mitigate the risk of data exfiltration or malware introduction.
9. Application Allowlisting: By setting the "Allowed Apps and Extensions" policy to "Block all apps and extensions except the ones I allow," you can maintain a high level of security and control over what applications users can run. This is a common and effective security measure.
10. Automatic Updates: This policy ensures that the device's operating system and browser automatically receive and apply security patches and feature updates, keeping the devices secure and up to date without manual intervention.

For more detailed explanations of the device policies available, check out this article in our help center:

 

• Set ChromeOS device policies