Setting ChromeOS user or browser policies
To manage your fleet of ChromeOS devices, you must be a Google administrator. You can set user policies to control the user experience when the user signs in with their managed Google account on any device. Step 1: Access the Google Admin Console Sign in to the Google Admin console with your administrator account. Step 2: Navigate to User Settings From the Admin console Home page, go to Menu > Devices > Chrome > Settings > User & browser settings Step 3: Select an Organizational Unit On the left, select the organizational unit you want to apply the settings to. If you want to apply the settings to all devices, select the top-level organizational unit. Step 4: Configure the Policy Scroll to the setting you want to configure. Click on it, make your desired changes, and then click Save. The policies will take effect the next time a user signs in with their managed account on a ChromeOS device. Top 10 practical user policies for enterprise While there isn't an official list of the "top 10 most used" user policies, the following 10 are highly valuable for enterprise customers to manage security, user experience, and device performance. Maximum user session length: This policy is critical for security. You can set an automatic sign-out time (e.g., 60 minutes) to ensure that unattended devices are not left signed in, reducing the risk of unauthorized access. Browser sign-in settings: To prevent data leaks and maintain control over user accounts, you can enforce that users can only sign in to Chrome browser with their managed work account. This prevents them from using personal accounts on company devices. High efficiency mode: This policy improves device performance by automatically discarding inactive background tabs after a few hours. For a large enterprise, this can significantly reduce the memory footprint and CPU usage across the fleet, leading to better device responsiveness. Exceptions to tab discarding: You can set a list of mission-critical web pages (e.g., a CRM dashboard or an internal ticketing system) that will never be automatically discarded. This ensures that essential applications remain active in the background. Wake locks: This policy gives you control over whether applications and websites can prevent a device from sleeping or the screen from turning off. This is particularly useful for devices used as kiosks or for digital signage, ensuring the content is always visible. Idle settings: This policy allows you to define what a device does when it's left idle or a user closes the lid. You can configure devices to automatically lock, sign out, or even shut down, which is essential for both power management and security. Spoken feedback (ChromeVox): Enabling this accessibility feature is crucial for creating an inclusive workplace. It provides spoken feedback for visually impaired users, allowing them to navigate the device and use applications effectively. High contrast: For users with low vision, this policy can be configured to change the font and background color scheme to make web pages easier to read. This is a practical and important accessibility feature for a diverse workforce. Custom wallpaper: This policy allows you to set a company-branded wallpaper on all managed devices. This is useful for building a consistent corporate identity and can be used to display important information like IT support contact details. Custom terms of service: Before a user can sign in for the first time, you can present them with a custom terms of service document. This is useful for ensuring all employees acknowledge and agree to company policies, such as an acceptable use policy. For more detailed explanations of the device policies available, check out this article in our help center: Set Chrome policies for users or browsersSetting ChromeOS device policies
To manage your fleet of ChromeOS devices, you must be a Google Admin Console administrator. You can set policies for all devices in your organization or apply them to specific groups of devices using organizational units. Step 1: Access the Google Admin Console Sign in to the Google Admin console with your administrator account. Step 2: Navigate to Device Settings From the Admin console Home page, go to Menu > Devices > Chrome > Settings > Device settings. Step 3: Select an Organizational Unit On the left, select the organizational unit you want to apply the settings to. If you want to apply the settings to all devices, select the top-level organizational unit. Step 4: Configure the Policy Scroll to the setting you want to configure. Click on it, make your desired changes, and then click Save. Changes typically take effect within a few minutes, but it can sometimes take up to 24 hours. Top 10 practical ChromeOS device policies for enterprise While there isn't an official list of the "top 10 most used" devices policies, here are ten highly recommended and commonly used policies for enterprises, with a focus on security, productivity, and management. Forced Re-enrollment: This policy ensures that if a device is wiped, it automatically re-enrolls in your organization's account without a user's manual input. This is critical for device security and inventory management. Allow Guest Mode: Disabling guest mode prevents users from browsing the web without signing in, which can help ensure all user activity is tied to a specific account and is auditable. Sign-In Restriction: This policy allows you to restrict device sign-ins to only users within your organization's domain. For example, by allowlisting *@yourcompany.com, you prevent non-employees from using company devices. Device State Reporting: Enabling this policy allows administrators to collect and monitor real-time data on devices, such as serial number, model, and last time synced. This is crucial for fleet management and troubleshooting. Disabled Device Return Instructions: For lost or stolen devices, you can set a custom message that appears on the disabled device's screen. This message can include contact information, increasing the chances of the device being returned. Screen Lock: Automatically locking the screen on idle after a short period ensures that unattended devices are not left vulnerable. Safe Browsing: Enforcing Safe Browsing helps protect users from malicious sites by displaying a warning before they can access a potentially dangerous URL. Disallow External Storage Devices: This policy can prevent the use of USB drives and other external storage, which helps mitigate the risk of data exfiltration or malware introduction. Application Allowlisting: By setting the "Allowed Apps and Extensions" policy to "Block all apps and extensions except the ones I allow," you can maintain a high level of security and control over what applications users can run. This is a common and effective security measure. Automatic Updates: This policy ensures that the device's operating system and browser automatically receive and apply security patches and feature updates, keeping the devices secure and up to date without manual intervention. For more detailed explanations of the device policies available, check out this article in our help center: Set ChromeOS device policiesOrganizational unit structure
An Organizational Unit (OU) is a container within your Google Admin console that allows you to group users, devices, and other assets. The primary purpose of an OU is to apply policies and settings to specific subsets of your organization. Policy Inheritance: OUs operate on a hierarchy. Policies you set at a parent OU are inherited by all child OUs below it. This is a fundamental concept for simplifying management. For example, you can set a default homepage for all devices at the top-level OU, and it will apply everywhere unless you override it in a specific child OU. Users vs. Devices: A key best practice is to understand that users and devices can be in different OUs. A user's policies follow them regardless of the device they sign into, while a device's policies remain with the device, no matter who signs in. Best Practices for Structuring OUs The goal is to create a structure that is as simple as possible but as complex as necessary. Avoid creating OUs for every small group or purpose, as this can lead to an administrative nightmare. 1. Start with a Simple, Hierarchical Design Your OU structure should be logical and easy to navigate. Common approaches include: By Location: For organizations with multiple offices (e.g., North America > California > Los Angeles). By Department or Role: Useful for corporate environments (e.g., Finance, Marketing, Engineering). By Job Level: Role within the organisation (e.g. Executives > Managers > Individual Contributors (ICs) ). 2. Separate Users and Devices Only When Necessary While you can put users and devices in the same OU, it's often more effective to separate them to apply different policies. User OUs: Structure user OUs based on the policies you need to apply to people. This is for things like app access, content filtering, and user-specific settings. For example, an "ICs" OU might have restricted app access, while a "Exec" OU has full access. Device OUs: Structure device OUs based on the policies you need to apply to the physical hardware. This is for settings like network configuration, sign-in restrictions, and public session behavior. For example, you might have a "Laptops" OU for devices that travel and a "Kiosk" OU for public-facing devices. 3. Leverage Policy Inheritance to Simplify Management Set the most common, organization-wide policies at the top-level OU. Then, only create child OUs to apply exceptions to these inherited policies. Example: If 90% of your devices use the same Wi-Fi settings, configure those settings at the top-level device OU. For a specific set of lab devices that need a different Wi-Fi network, create a "Lab Devices" child OU and override the Wi-Fi policy there. This saves you from re-configuring the same settings repeatedly. 4. Use Groups for Cross-OU Policies While OUs are great for hierarchical policy application, Google Groups provide flexibility for applying policies to a specific set of users who are not in the same OU. When to use Groups: Use groups for temporary projects, special access to applications, or when a few individuals across different OUs need the same policy applied. For example, you could create a "Pilot Program" group and assign an experimental app to its members without moving them from their primary OUs. Key Takeaways Plan first: Before creating any OUs, map out your organizational needs and how they translate to policies. Simplicity is key: Use as few OUs as you can while still meeting your policy requirements. OUs for hierarchy, Groups for flexibility: Remember that OUs manage hierarchy and inheritance, while groups provide a way to apply policies to a dynamic set of users or devices. For more detailed explanations of how OUs and Groups work within the Admin Console, check out these articles in our help center: How the organizational structure works Managing group-based policiesEssential settings and configurations in Chrome Enterprise Upgrade
Let's explore some important settings and configurations to help you manage your ChromeOS devices effectively with Chrome Enterprise Upgrade. Now that you've got the basics down, we'll dive into some key administrative tasks and policies to enhance your experience. If you haven’t yet, check out “Your first steps with Chrome Enterprise Upgrade” article before continuing reading. Setting Device and User/Browser Policies Policies are configured within the Admin Console. There are various device policies and user/browser policies that allow you to control and manage various aspects of your ChromeOS devices and user experiences. Consider applying the following popular, useful policies: Device Policies > Security : Password manager, Lid close action, Power management, Geolocation, and more. Device Policies > Sign-in Settings: Sign-in screen, Device wallpaper, Single sign-on, and more. User Policies > User Experience policies: Download location, Form auto-fill, Payment methods, and More. For more detailed explanations of the policies available, check out these extensive articles on device policies and user policies. Ensuring Devices Remain Managed: Forced Re-enrollment By default, wiped ChromeOS devices automatically re-enroll into the account without requiring user credentials. This feature, known as forced re-enrollment, ensures that devices remain managed and policies are consistently enforced. Guidance is available on how to turn forced re-enrollment on or off. More information on forced re-enrollment is available here. Controlling Device Access with Sign-in Restrictions Sign-in restrictions allow you to manage which users can sign in to your managed devices. The available options are: Restrict sign-in to a list Allow any user to sign in Do not allow any user to sign-in More information on configuring sign-in restrictions is available here. Blocking Websites You can prevent users from accessing specific URLs, domains, and IP addresses. This is done through website blocking configurations. More information and a step-by-step guide can be found here. Managing Device Updates Devices automatically check for and download updates when connected to Wi-Fi or Ethernet. Administrators can manage ChromeOS updates for the organization. Full OS updates are generally released roughly every 4 weeks. Minor updates, such as security fixes, are released every 2–3 weeks. Guidance on configuring and customizing update schedules is available here. Configuring Apps and Extensions Administrators can set policies for specific web apps, Chrome apps, or supported Android apps. For example, you can force-install an app and pin it to users' Chrome taskbar. More information, step-by-step instructions, and a video tutorial are available. By understanding and utilizing these essential settings and configurations, you can effectively manage your ChromeOS environment with Chrome Enterprise Upgrade.Optimizing your ChromeOS deployment
We're excited to share the "Getting Started with ChromeOS Deployment Guide." This comprehensive guide is an invaluable read for anyone looking to successfully deploy and manage ChromeOS within their organization. Whether you're just starting your ChromeOS journey or looking to refine your existing setup, this guide offers practical insights and best practices. It covers everything from initial deployment strategies, including project kick-off and infrastructure configuration, to defining policies and managing apps and extensions. You'll find detailed guidance on: Network and Wi-Fi Setup: Ensuring seamless connectivity for your devices. Device Enrollment: Understanding both manual and zero-touch enrollment methods. Policy Considerations: Key aspects to consider for effective management. App and Extension Management: Streamlining your software ecosystem. User Adoption and Change Management: Strategies to support your users through the transition, including governance, readiness, communications, and training. This guide is packed with detailed checklists and recommendations, providing a structured approach to your ChromeOS deployment. It also offers resources for ongoing support and troubleshooting, making it a go-to resource for a smooth and efficient transition to ChromeOS. Dive in and empower your enterprise with the full potential of ChromeOS! You can access the guide here: Getting Started with ChromeOS Deployment GuideYour first steps with Chrome Enterprise Upgrade
This article will walk you through the initial, straightforward steps of setting up and managing your ChromeOS devices with Chrome Enterprise Upgrade. We'll cover everything from getting started with the Admin console and enrolling your devices to finding helpful support resources and assisting your users with the transition to ChromeOS. Where to begin? Starting with Chrome Enterprise Upgrade is straightforward. Follow these simple steps: Signing up: Begin by signing up for a Trial for Chrome Enterprise Upgrade, either on our website, or directly from the Admin Console if you already have access. Accessing the admin console: The Admin console is your central hub for managing ChromeOS devices. Access it to get started. Using the setup guides: Inside the Admin console, you'll find interactive Setup guides. These guided tutorials will help you navigate the setup process. Locate them by navigating to "Devices > Chrome > Setup Guide" in the left-hand menu. How to start managing ChromeOS devices: Enrollment Enrollment is the key to managing your ChromeOS devices. Helping your users adopt ChromeOS If your users are new to ChromeOS and Chromebooks, here’s the Employee Adoption Kit that you can use to help your users learn more and answer their questions. Getting help and support Need help? But here’s how to find additional support: Contact support: Here’s a quick overview on how to get in touch with support if you’re experiencing any issues. Talk with an expert: If you’re still in the Trial phase and need more support evaluating the solution you can complete this form to Talk with an Expert for more personalized assistance and solution validation.Boost User Adoption: Building Trust in Your Mobility Deployment
Building trust with your users is critical to the success of any IT project We’ve all heard it: “IT can see what is happening on my device”, and this level of distrust from users occurs regardless of the platform being used. Finding that balance between user trust and securing your organisations data & assets is a tightrope that can have catastrophic consequences if the fine balance isn’t met. In most instances lack of end user trust is caused by not having visibility into what is happening, the “black box” of IT policy and processes is a real thing! With the ever increasing number of personal devices being used in the enterprise world, ensuring end users are aware and empowered to understand what is actually visible by their employer will help ease end users' concerns about adopting mobility management. Regardless of the enrolment method your organisation has adopted, Android Enterprise is built from the ground up with a focus on end user privacy and while aiming to ensure that IT admins have the right tools to manage their assets. Build trust through communication Being able to set policies within your organisation's EMM is a powerful responsibility. While simply ticking a box and applying the configuration can feel low impact, even small changes can have inconveniences for your users which may build up frustration and distrust over time. Start a dialog with your users I know, this is easy to say and much harder to execute. There’s a vast number of variables to consider when trying to recommend a best practice for successful dialog with your users. It’s important to consider technical ability, the size of your organisation and location distribution of staff, just to name a few. But the goal of any communication to your users should be to provide a clear understanding of what the change is, why the change is being implemented, and address potential FAQs. There are the obvious communication methods of email (don’t forget to use BCC ) or posting on an internal communication board, but these may be missed or ignored. Something I have seen becoming more common is internal calls where IT decision makers within an organisation talk about upcoming changes. Alongside visibility, this has the added benefit of allowing users to ask questions. Organisations that have committed to these sessions have found it much easier to get their end users to adopt new technologies. While we are focused on Android here, this approach can help with everything from a new device rollout to deploying video conferencing software. It can be pretty daunting to know where to start with a communication plan, so we have an employee adoption kit to help! When should you communicate a change to your users If you have a change coming that’ll have a visual or workflow impact on users, be proactive and let them know. While this can add additional workload, informing users can start a useful early dialog to understand questions that may come up. IT teams are stretched at the best of times, being able to reduce inbound support requests through pro-active communication is never a bad thing! If you're looking at making disruptive changes to a fully managed device deployment, such as completely changing the UI of a kiosk, I’ve found that end users are more receptive to this level of impact during a device refresh. Users in these scenarios see these devices as tools to do their job and form habits in their workday around how their device works. If overnight you change how their device works this is likely to disrupt those learned habits, and cause friction for your users. This often leads them to believe that the device doesn’t perform as well as it used to, even if functionally you’ve just shifted an icon around. So if you have the ability to delay that new rebrand or that push to move the app icons around until your next rollout, it certainly might be worth holding off! Don’t forget dialog is a two way street Create an easy route for users to ask questions. You could look at adapting existing IT support flows, create a dedicated form or even host a weekly office hours for users to get some 1:1 time with the team. This brings us neatly to... Best practices for policy decisions and changes You can have the best laid plans for your mobility deployment, but there is one variable you cannot account for, user innovation. As a policy setter, it’s unlikely that your testing will directly replicate your end user's day-to-day behaviour. Over time they will find their own route to achieve their goals. There’s a fun equivalent called “desire paths” where pedestrians will walk an unplanned route to get to their destination causing an environmental impact to the landscape. Don’t block them from the path, embrace it! User-centric approach to change management Whether you’ve implemented a BYOD program or provided hardware to your users, the mobility decisions you’ve made will have a material impact on the day to day lives of your users, it’s one of the many great things about working in this space. This puts even the most robust testing programs under a huge amount of pressure. It’s nearly impossible to test every possible tap or swipe that an end user could perform. Don’t fret, this can lead to some fantastic opportunities part way through the lifecycle of your devices . You should run some 1:1 sessions with your users and see how they are actually using the devices. This feedback can help you make informed decisions about your next deployment milestone or make iterative changes to improve the mobile experience for everybody. An example that has always stayed with me was from a logistics organisation with a large quantity of fully managed devices. One of their users made a simple request to adjust the app layout on their kiosk to better align with their workflow. That small adjustment had a 4% time save every time a user performed that task. That might sound negligible, but when you multiply that time saving over 10,000 users performing that same task 15 times a day these small changes make a massive difference. We don’t all work for Formula 1 teams, but incremental gains can still be a target for us all. Pushing applications is more intrusive than you may think Being able to push applications to your users is one of the many benefits of enrolling a device into Android Enterprise, but it is also one of the more user intrusive actions you can take on a device under management. My general recommendation for distributing applications is you should only force install applications you know will be critical for the user to perform their work. Users who are using a device that is owned by the organisation and enrolled as fully managed will often be more open to a dozen or more applications being automatically installed on their devices. But users who have Android Work Profile, whether corporately owned or BYOD, may find it more jarring. Limit the applications installed to the core apps required for their work such as email, calendar and a document viewer. The rest can be available for the user to download through the Play Store -empower your users! What we are doing as a platform At all stages of the device lifecycle we inform the user to help them understand what is happening on their device. Through clear dialog during provisioning, helpful prompts while the device is in use and the ability for users to see what policies are actually applied to their devices, we aim to empower users through transparency and information. Visibility into policy Regardless of enrollment type, end users can see what policies are applied to their devices and all the device level information that the EMM is able to see, all from within Settings! Users simply need to go to Settings > Security and privacy > Your work policy info. Under this section they’ll be able to see everything that you can see from within your EMM and what policies have been applied to the device. For the avoidance of doubt, content in the personal profile is not visible to the organisation! Automate work/life balance BYOD and COPE users will see Android Work Profile, providing a clear separation of personal and work applications. Keep your eyes peeled for future content discussing this in more detail. Users are probably already familiar with being able to pause the Work Profile through the launcher, but did you know that they can also automate this process through Digital Wellbeing? Simply go to Settings > Digital Wellbeing > Work Profile schedule and you can set a daily schedule for when work apps will automatically pause and unpause! Users who have their devices enrolled as fully managed can utilise Digital Wellbeing to set a Focus mode to create a similar process to scheduling work apps. Visualisation In Android 14 QPR2 we introduced greater controls for end users initiating a screen-sharing session. As a standalone feature this has been well received, and helps remove the risk of sharing something users may not wish to share while presenting from their device. But in addition to this feature, we also included a clearer UI showing that the device’s screen is being shared. While a small addition in itself, this is a great demonstration on how we prioritise helping users to understand what is happening on their device. How do you build trust with your users? Considering starting an internal session discussion with your users? Perhaps you could start by talking about the on device features we discussed! Let us know below![Community tips] What to consider when choosing an enterprise mobility management solution?
Hello everyone, I hope you are having a good week. A management solution helps you to set up, secure and manage your devices in your organisation. I see it like a comfy hub for you to ensure that your devices are working as you expect (whatever size your company is). So understandably, one of the biggest decisions when getting started with Android at work is choosing the right EMM (Enterprise Mobility Management) for your needs. There is a solution out there to meet almost every need and use case, and sometimes knowing where to start can be tricky. We are lucky here in the community, that many people have already been through this decision and there is a huge amount of experience. The Solutions Directory is a useful place to explore partners and solution options, but there are also many questions and things to consider beforehand, so this got me thinking it would be great to share community tips/advice around this. What tips would you recommend to someone considering and researching EMMs management solutions? Are there any tips you wish you knew at the beginning? Perhaps you have tips on how best to research the different options? If you are currently going through the process, please do comment too, it would be great to hear from you. Looking forward to hearing from you. Thanks so much, Lizzie
