• Google ChromeOS (Google ChromeOS) since version 27

Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.

If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.

If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True keeps High-contrast mode on. Setting the policy to False keeps High-contrast mode off.

If you set the policy, users can't change it. If not set, High-contrast mode is off, but users can turn it on any time.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True keeps spoken feedback on. Setting the policy to False keeps spoken feedback off.

If you set the policy, users can't change it. If not set, spoken feedback is off at first, but users can turn it on any time.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the sticky keys accessibility feature on the login screen.

If this policy is set to true, the sticky keys will always be enabled on the login screen.

If this policy is set to false, the sticky keys will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the sticky keys is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the large cursor accessibility feature on the login screen.

If this policy is set to true, the large cursor will always be enabled on the login screen.

If this policy is set to false, the large cursor will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the large cursor is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the keyboard focus highlighting accessibility feature on the login screen.

This feature is responsible for highlighting the object that is focused by the keyboard.

If this policy is set to enabled, the keyboard focus highlighting will always be enabled.

If this policy is set to disabled, the keyboard focus highlighting will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 77

Enable the select to speak accessibility feature.

If this policy is set to true, the select to speak will always be enabled.

If this policy is set to false, the select to speak will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the select to speak is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True turns spoken feedback on at the sign-in screen. Setting the policy to False turns spoken feedback off at the screen.

If you set the policy, users can temporarily turn spoken feedback on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, spoken feedback is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenSpokenFeedbackEnabled overrides this policy if the former is specified.

• Google ChromeOS (Google ChromeOS) since version 79

If this policy is set, it controls the type of screen magnifier that is enabled.

If this policy is set to "Full-screen", the screen magnifier will always be enabled in full-screen magnifier mode on the login screen.

If this policy is set to "Docked", the screen magnifier will always be enabled in docked magnifier mode on the login screen.

If this policy is set to "None", the screen magnifier will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.

• 0 = Screen magnifier disabled
• 1 = Full-screen magnifier enabled
• 2 = Docked magnifier enabled

• Google ChromeOS (Google ChromeOS) since version 79

Enable the high contrast accessibility feature on the login screen.

If this policy is set to true, the high contrast will always be enabled on the login screen.

If this policy is set to false, the high contrast will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the high contrast is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the autoclick accessibility feature on the login screen.

This feature allows to automatically click when the mouse cursor stops, without requiring the user to physically press the mouse or touchpad buttons.

If this policy is set to true, the autoclick will always be enabled on the login screen.

If this policy is set to false, the autoclick will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the autoclick is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 76

Setting the policy to True keeps sticky keys on. Setting the policy to False keeps sticky keys off.

If you set the policy, users can't change it. If not set, sticky keys is off at first, but users can turn it on any time.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the cursor highlight accessibility feature on the login screen.

If this policy is set to true, the cursor highlight will always be enabled on the login screen.

If this policy is set to false, the cursor highlight will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the cursor highlight is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 81

Enable accessibility features shortcuts on the login screen.

If this policy is set to true, accessibility features shortcuts will always be enabled on the login screen.

If this policy is set to false, accessibility features shortcuts will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, accessibility features shortcuts will be enabled by default on the login screen.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True turns the large cursor on at the sign-in screen. Setting the policy to False turns the large cursor off at the sign-in screen.

If you set the policy, users can temporarily turn the large cursor on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the large cursor is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenLargeCursorEnabled overrides this policy if the former is specified.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the select to speak accessibility feature on the login screen.

If this policy is set to true, the select to speak will always be enabled on the login screen.

If this policy is set to false, the select to speak will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the select to speak is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True keeps the large cursor on. Setting the policy to False keeps the large cursor off.

If you set the policy, users can't change the feature. If not set, the large cursor is off at first, but users can turn it on any time.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to None turns the screen magnifier off.

If you set the policy, users can't change it. If not set, the screen magnifier is off at first, but users can turn it on any time.

• 0 = Screen magnifier disabled
• 1 = Full-screen magnifier enabled
• 2 = Docked magnifier enabled

• Google ChromeOS (Google ChromeOS) since version 79

Enable the virtual keyboard accessibility feature on the login screen.

If this policy is set to true, the virtual keyboard will always be enabled on the login screen.

If this policy is set to false, the virtual keyboard will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the virtual keyboard is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the mono audio accessibility feature on the login screen.

This feature allows to switch the device mode from the default stereo audio to the mono audio.

If this policy is set to true, the mono audio will always be enabled on the login screen.

If this policy is set to false, the mono audio will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the mono audio is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 94

Enable or disable various features on the on-screen keyboard. This policy takes effect only when "VirtualKeyboardEnabled" policy is enabled.

If one feature in this policy is set to True, it will be enabled on the on-screen keyboard.

If one feature in this policy is set to False or left unset, it will be disabled on the on-screen keyboard.

NOTE: this policy is only supported in PWA Kiosk mode.

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\VirtualKeyboardFeatures = { "auto_complete_enabled": true, "auto_correct_enabled": true, "handwriting_enabled": false, "spell_check_enabled": false, "voice_input_enabled": false }

• Google ChromeOS (Google ChromeOS) since version 78

Enable the keyboard focus highlighting accessibility feature.

This feature is responsible for highlighting the object that has the focus by the keyboard.

If this policy is set to enabled, the keyboard focus highlighting will always be enabled.

If this policy is set to disabled, the keyboard focus highlighting will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the dictation accessibility feature on the login screen.

If this policy is set to true, the dictation will always be enabled on the login screen.

If this policy is set to false, the dictation will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to True turns High-contrast mode on at the sign-in screen. Setting the policy to False turns High-contrast mode off at the screen.

If you set the policy, users can temporarily change High-contrast mode, turning it on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, High-contrast mode is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenHighContrastEnabled overrides this policy if the former is specified.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the caret highlight accessibility feature on the login screen.

If this policy is set to true, the caret highlight will always be enabled on the login screen.

If this policy is set to false, the caret highlight will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the caret highlight is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the cursor highlight accessibility feature.

This feature is responsible for highlighting the area that surrounds the mouse cursor while moving it.

If this policy is set to enabled, the cursor highlight will always be enabled.

If this policy is set to disabled, the cursor highlight will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the cursor highlight is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 34

Setting the policy to True keeps the on-screen keyboard on. Setting the policy to False keeps the on-screen keyboard off unless other factors turn it on. See the TouchVirtualKeyboardEnabled policy as an example of these factors.

If you set the policy, users can't change it. If not set, the on-screen keyboard is off at first, but users can turn it on any time.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the autoclick accessibility feature.

This feature is responsible to click without physically pressing your mouse or touchpad, hover over the object you'd like to click.

If this policy is set to enabled, the autoclick will always be enabled.

If this policy is set to disabled, the autoclick will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the autoclick is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 79

Enable the spoken feedback accessibility feature on the login screen.

If this policy is set to true, the spoken feedback will always be enabled on the login screen.

If this policy is set to false, the spoken feedback will always be disabled on the login screen.

If you set this policy, users cannot change or override it.

If this policy is left unset, the spoken feedback is disabled on the login screen initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 81

Enable accessibility features shortcuts.

If this policy is set to true, accessibility features shortcuts will always be enabled.

If this policy is set to false, accessibility features shortcuts will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, accessibility features shortcuts will be enabled by default.

• Google ChromeOS (Google ChromeOS) since version 35

Setting the policy to True makes the top row of keys on the keyboard act as function key commands. Pressing the Search key changes their behavior back to media keys.

If set to False or not set, the keyboard defaults to producing media key commands. Pressing the Search key changes them to function keys.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the mono audio accessibility feature.

This feature is responsible for outputing stereo audio which includes different left and right channels, so different ears get different sounds.

If this policy is set to enabled, the mono audio will always be enabled.

If this policy is set to disabled, the mono audio will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the mono audio is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 29

Setting the policy to None turns screen magnification off at the sign-in screen.

If you set the policy, users can temporarily turn the screen magnifier on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the screen magnifier is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Valid values: • 0 = Off • 1 = On • 2 = Docked magnifier on

Note: DeviceLoginScreenScreenMagnifierType overrides this policy if the former is specified.

• 0 = Screen magnifier disabled
• 1 = Full-screen magnifier enabled
• 2 = Docked magnifier enabled

• Google ChromeOS (Google ChromeOS) since version 94

Allow the enhanced network text-to-speech voices in Select-to-speak accessibility feature. These voices send text to Google's servers to synthesize natural-sounding speech.

If this policy is set to false, the enhanced network text-to-speech voices feature in Select-to-speak will always be disabled.

If this policy is set to true or unset, the enhanced network text-to-speech voices feature in Select-to-speak can be enabled or disabled by the user.

• Google ChromeOS (Google ChromeOS) since version 80

Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.

If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.

If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.

• Google ChromeOS (Google ChromeOS) since version 84

In kiosk mode, controls whether the floating accessibility menu is being shown.

If this policy is set to enabled, the floating accessibility menu will be always shown.

If this policy is set to disabled or left unset, the floating accessibility menu will never be shown.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the caret highlight accessibility feature.

This feature is responsible for highlighting the area that surrounds the caret while editing.

If this policy is set to enabled, the caret highlight will always be enabled.

If this policy is set to disabled, the caret highlight will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the caret highlight is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 78

Enable the dictation accessibility feature.

If this policy is set to enabled, the dictation will always be enabled.

If this policy is set to disabled, the dictation will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the dictation is disabled initially but can be enabled by the user anytime.

• Google ChromeOS (Google ChromeOS) since version 34

This policy is deprecated, please use the DeviceLoginScreenVirtualKeyboardEnabled policy instead.

Setting the policy to True turns the on-screen keyboard on at sign-in. Setting the policy to False turns the on-screen keyboard off at sign-in.

If you set the policy, users can temporarily turn the on-screen keyboard on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.

If not set, the on-screen keyboard is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.

Note: DeviceLoginScreenVirtualKeyboardEnabled overrides this policy if the former is specified.

• Google ChromeOS (Google ChromeOS) since version 68

Unless the DefaultGeolocationSetting policy is set to BlockGeolocation, then setting GoogleLocationServicesEnabled turns Google location services on during initial setup. Setting the policy to GoogleLocationServicesDisabled or leaving it unset keeps location services off during setup.

Setting policy to BackupAndRestoreUnderUserControl prompts users about whether or not to use Google location services. If they turn it on, Android apps use the services to search the device location and send anonymous location data to Google.

After initial setup, users can turn Google location services on or off.

• 0 = Google location services disabled
• 1 = User decides whether to enable Google location services
• 2 = Google location services enabled

• Google ChromeOS (Google ChromeOS) since version 52

Setting the policy to CopyCaCerts makes all ONC-installed CA certificates with Web TrustBit available for ARC-apps.

Setting to None or leaving it unset makes Google Chrome OS certificates unavailable for ARC-apps.

• 0 = Disable usage of Google Chrome OS certificates to ARC-apps
• 1 = Enable Google Chrome OS CA certificates to ARC-apps

• Google ChromeOS (Google ChromeOS) since version 94

Setting the policy to True enables sharing text/files from Android apps to supported Web Apps, using the built-in Android sharing system. When enabled, this will send metadata for installed Web Apps to Google to generate and install a shim Android app. Setting the policy to False disables this functionality.

• Google ChromeOS (Google ChromeOS) since version 88

If "DeviceArcDataSnapshotHours" policy is set, then the ARC data snapshotting mechanism is turned on. And the ARC data snapshot update can be started automatically during the defined time intervals. When an interval starts, ARC data snapshot update is required and no user is logged-in, the ARC data snapshot update process is started without user notification. If the user session is active, the UI notification is shown and have to be accepted in order to reboot a device and start ARC data snapshot update process. Note: a device is blocked for usage during the ARC data snapshot update process.

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\DeviceArcDataSnapshotHours = { "intervals": [ { "end": { "day_of_week": "MONDAY", "time": 21720000 }, "start": { "day_of_week": "MONDAY", "time": 12840000 } }, { "end": { "day_of_week": "FRIDAY", "time": 57600000 }, "start": { "day_of_week": "FRIDAY", "time": 38640000 } } ], "timezone": "GMT" }

• Google ChromeOS (Google ChromeOS) since version 67

Setting the policy to True sends reports of key, policy-triggered Android app installation events to Google. Setting the policy to False means no events are captured.

• Google ChromeOS (Google ChromeOS) since version 50

Setting the policy specifies a set of policies to hand over to the ARC runtime. Admins can use it to select the Android apps that autoinstall. Enter value in valid JSON format.

To pin apps to the launcher, see PinnedLauncherApps.

• Google ChromeOS (Google ChromeOS) since version 64

Unless ARC is turned off by other means, then setting the policy to True or leaving it unset lets users use ARC. Setting the policy to False means unaffiliated users may not use ARC.

Changes to the policy only apply while ARC isn't running, for example, while starting ChromeOS.

• Google ChromeOS (Google ChromeOS) since version 68

Setting the policy to BackupAndRestoreEnabled means Android backup and restore is initially on. Setting the policy to BackupAndRestoreDisabled or leaving it unset keeps backup and restore off during setup.

Setting the policy to BackupAndRestoreUnderUserControl means users see prompts to use backup and restore. If they turn on backup and restore, Android app data is uploaded to Android backup servers and restored during reinstallations of compatible apps.

After initial setup, users can turn backup and restore on or off.

• 0 = Backup and restore disabled
• 1 = User decides whether to enable backup and restore
• 2 = Backup and restore enabled

• Google ChromeOS (Google ChromeOS) since version 50

Unless Ephemeral mode or multiple sign-in is on during the user's session, setting ArcEnabled to True turns ARC on for the user. Setting the policy to False or leaving it unset means enterprise users can't use ARC.

• Google ChromeOS (Google ChromeOS) since version 91

Controls the availability of Borealis for this user.

If the policy is set to false, Borealis will be unavailable. Otherwise (when the policy is unset, or true) Borealis will be available if and only if no other policy or setting disables it.

• Google ChromeOS (Google ChromeOS) since version 91

Controls the availability of Borealis for this device.

If the policy is set to false, Borealis will be unavailable for all users of the device. Otherwise (when the policy is unset, or true) Borealis will be available if and only if no other policy or setting disables it.

• Google ChromeOS (Google ChromeOS) since version 83

Specifies client certificates that should be enrolled using the device management protocol.

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\RequiredClientCertificateForUser = [ { "cert_profile_id": "cert_profile_id_1", "enable_remote_attestation_check": true, "key_algorithm": "rsa", "name": "Certificate Profile 1", "policy_version": "some_hash", "renewal_period_seconds": 2592000 } ]

• Google ChromeOS (Google ChromeOS) since version 84

Specifies device-wide client certificates that should be enrolled using the device management protocol.

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\RequiredClientCertificateForDevice = [ { "cert_profile_id": "cert_profile_id_1", "enable_remote_attestation_check": true, "key_algorithm": "rsa", "name": "Certificate Profile 1", "policy_version": "some_hash", "renewal_period_seconds": 2592000 } ]

• Google ChromeOS (Google ChromeOS) since version 86
• Google Chrome (Linux) since version 86
• Google Chrome (Mac) since version 86
• Google Chrome (Windows) since version 86

Setting the policy to 3 lets websites ask for access to serial ports. Setting the policy to 2 denies access to serial ports.

Leaving it unset lets websites ask for access, but users can change this setting.

• 2 = Do not allow any site to request access to serial ports via the Serial API
• 3 = Allow sites to ask the user to grant access to a serial port

Windows (Intune):

<enabled/>

<data id="DefaultSerialGuardSetting" value="2"/>

• Google Chrome (Linux) since version 15
• Google Chrome (Mac) since version 15
• Google Chrome (Windows) since version 15
• Google ChromeOS (Google ChromeOS) since version 15

Setting the policy lets you make a list of URL patterns that specify sites for which Chrome can automatically select a client certificate. The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.

Examples for the usage of the $FILTER section:

* When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.

* When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.

* When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.

* When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.

* When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.

Leaving the policy unset means there's no autoselection for any site.

Windows (Windows clients):

Software\Policies\Google\Chrome\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"

Android/Linux:

[ "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}" ]

Mac:

<array> <string>{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}</string> </array>

Windows (Intune):

<enabled/>

<data id="AutoSelectCertificateForUrlsDesc" value="1&#xF000;{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"/>

• Google ChromeOS (Google ChromeOS) since version 94
• Google Chrome (Linux) since version 94
• Google Chrome (Mac) since version 94
• Google Chrome (Windows) since version 94

Setting the policy allows you to list sites which are automatically granted permission to access USB serial devices with vendor and product IDs matching the vendor_id and product_id fields. Omitting the product_id field allows the given sites permission to access devices with a vendor ID matching the vendor_id field and any product ID.

The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.

On ChromeOS, this policy only applies to affiliated users.

This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.

This policy only affects access to USB devices through the Web Serial API. To grant access to USB devices through the WebUSB API see the WebUsbAllowDevicesForUrls policy.

Windows (Windows clients):

Software\Policies\Google\Chrome\SerialAllowUsbDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://specific-device.example.com" ] }, { "devices": [ { "vendor_id": 1234 } ], "urls": [ "https://all-vendor-devices.example.com" ] } ]

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\SerialAllowUsbDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://specific-device.example.com" ] }, { "devices": [ { "vendor_id": 1234 } ], "urls": [ "https://all-vendor-devices.example.com" ] } ]

Android/Linux:

SerialAllowUsbDevicesForUrls: [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://specific-device.example.com" ] }, { "devices": [ { "vendor_id": 1234 } ], "urls": [ "https://all-vendor-devices.example.com" ] } ]

Mac:

<key>SerialAllowUsbDevicesForUrls</key> <array> <dict> <key>devices</key> <array> <dict> <key>product_id</key> <integer>5678</integer> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://specific-device.example.com</string> </array> </dict> <dict> <key>devices</key> <array> <dict> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://all-vendor-devices.example.com</string> </array> </dict> </array>

Windows (Intune):

<enabled/>

<data id="SerialAllowUsbDevicesForUrls" value="{"devices": [{"product_id": 5678, "vendor_id": 1234}], "urls": ["https://specific-device.example.com"]}, {"devices": [{"vendor_id": 1234}], "urls": ["https://all-vendor-devices.example.com"]}"/>

• Google Chrome (Android) since version 75
• Google ChromeOS (Google ChromeOS) since version 74
• Google Chrome (Linux) since version 74
• Google Chrome (Mac) since version 74
• Google Chrome (Windows) since version 74

Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the policy to be valid. Each item in the devices field can have a vendor_id and product_id field. Omitting the vendor_id field will create a policy matching any device. Omitting the product_id field will create a policy matching any device with the given vendor ID. A policy which has a product_id field without a vendor_id field is invalid.

The USB permission model will grant the specified URL permission to access the USB device as a top-level origin. If embedded frames need to access USB devices, the 'usb' feature-policy header should be used to grant access. The URL must be valid, otherwise the policy is ignored.

Deprecated: The USB permission model used to support specifying both the requesting and embedding URLs. This is deprecated and only supported for backwards compatiblity in this manner: if both a requesting and embedding URL is specified, then the embedding URL will be granted the permission as top-level origin and the requsting URL will be ignored entirely.

This policy overrides DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls and the user's preferences.

This policy only affects access to USB devices through the WebUSB API. To grant access to USB devices through the Web Serial API see the SerialAllowUsbDevicesForUrls policy.

Windows (Windows clients):

Software\Policies\Google\Chrome\WebUsbAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com" ] } ]

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\WebUsbAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com" ] } ]

Android/Linux:

WebUsbAllowDevicesForUrls: [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com" ] } ]

Mac:

<key>WebUsbAllowDevicesForUrls</key> <array> <dict> <key>devices</key> <array> <dict> <key>product_id</key> <integer>5678</integer> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://google.com</string> </array> </dict> </array>

Windows (Intune):

<enabled/>

<data id="WebUsbAllowDevicesForUrls" value="{"devices": [{"product_id": 5678, "vendor_id": 1234}], "urls": ["https://google.com"]}"/>

• Google Chrome (Linux) since version 37
• Google Chrome (Mac) since version 37
• Google Chrome (Windows) since version 37
• Google ChromeOS (Google ChromeOS) since version 37

Setting the policy (as recommended only) lets you register a list of protocol handlers, which merge with the ones that the user registers, putting both sets in use. Set the property "protocol" to the scheme, such as "mailto", and set the property "URL" to the URL pattern of the application that handles the scheme specified in the "protocol" field. The pattern can include a "%s" placeholder, which the handled URL replaces.

Users can't remove a protocol handler registered by policy. However, by installing a new default handler, they can change the protocol handlers installed by policy.

The protocol handlers set via this policy are not used when handling Android intents.

Windows (Windows clients):

Software\Policies\Google\Chrome\Recommended\RegisteredProtocolHandlers = [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\Recommended\RegisteredProtocolHandlers = [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]

Android/Linux:

RegisteredProtocolHandlers: [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]

Mac:

<key>RegisteredProtocolHandlers</key> <array> <dict> <key>default</key> <true/> <key>protocol</key> <string>mailto</string> <key>url</key> <string>https://mail.google.com/mail/?extsrc=mailto&amp;url=%s</string> </dict> </array>

Windows (Intune):

<enabled/>

<data id="RegisteredProtocolHandlers" value="{"default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s"}"/>

• Google Chrome (Linux) since version 10
• Google Chrome (Mac) since version 10
• Google Chrome (Windows) since version 10
• Google ChromeOS (Google ChromeOS) since version 11
• Google Chrome (Android) since version 30

Setting the policy to 1 lets sites track the users' physical location as the default state. Setting the policy to 2 denies this tracking by default. You can set the policy to ask whenever a site wants to track the users' physical location.

Leaving the policy unset means the AskGeolocation policy applies, but users can change this setting.

• 1 = Allow sites to track the users' physical location
• 2 = Do not allow any site to track the users' physical location
• 3 = Ask whenever a site wants to track the users' physical location

If this policy is set to BlockGeolocation, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.

Windows (Intune):

<enabled/>

<data id="DefaultGeolocationSetting" value="1"/>

• Google Chrome (Linux) since version 110
• Google Chrome (Mac) since version 110
• Google Chrome (Windows) since version 110
• Google ChromeOS (Google ChromeOS) since version 110

Setting this policy allows the domains listed to access file:// URLs in the PDF Viewer. Adding to the policy allows the domain to access file:// URLs in the PDF Viewer. Removing from the policy disallows the domain from accessing file:// URLs in the PDF Viewer. Leaving the policy unset disallows all domains from accessing file:// URLs in the PDF Viewer.

Windows (Windows clients):

Software\Policies\Google\Chrome\PdfLocalFileAccessAllowedForDomains\1 = "example.com" Software\Policies\Google\Chrome\PdfLocalFileAccessAllowedForDomains\2 = "google.com"

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\PdfLocalFileAccessAllowedForDomains\1 = "example.com" Software\Policies\Google\ChromeOS\PdfLocalFileAccessAllowedForDomains\2 = "google.com"

Android/Linux:

[ "example.com", "google.com" ]

Mac:

<array> <string>example.com</string> <string>google.com</string> </array>

Windows (Intune):

<enabled/>

<data id="PdfLocalFileAccessAllowedForDomainsDesc" value="1&#xF000;example.com&#xF000;2&#xF000;google.com"/>

• Google Chrome (Linux) since version 103
• Google Chrome (Mac) since version 103
• Google Chrome (Windows) since version 103
• Google ChromeOS (Google ChromeOS) since version 103

Setting the policy to 2 blocks sites from using the clipboard site permission. Setting the policy to 3 or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use one.

This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.

This policy only affects clipboard operations controlled by the clipboard site permission, and does not affect sanitized clipboard writes or trusted copy and paste operations.

• 2 = Do not allow any site to use the clipboard site permission
• 3 = Allow sites to ask the user to grant the clipboard site permission

Windows (Intune):

<enabled/>

<data id="DefaultClipboardSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 50
• Google Chrome (Android) since version 50
• Google Chrome (Linux) since version 50
• Google Chrome (Mac) since version 50
• Google Chrome (Windows) since version 50

Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.

Leaving the policy unset lets sites ask for access, but users can change this setting.

• 2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API
• 3 = Allow sites to ask the user to grant access to a nearby Bluetooth device

Windows (Intune):

<enabled/>

<data id="DefaultWebBluetoothGuardSetting" value="2"/>

• Google Chrome (Linux) since version 93
• Google Chrome (Mac) since version 93
• Google Chrome (Windows) since version 93
• Google ChromeOS (Google ChromeOS) since version 93
• Google Chrome (Android) since version 93

Allows you to set whether Google Chrome will run the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.

Disabling the JavaScript JIT will mean that Google Chrome may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Google Chrome to render web content in a more secure configuration.

This policy can be overridden for specific URL patterns using the JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.

If this policy is left not set, JavaScript JIT is enabled.

• 1 = Allow any site to run JavaScript JIT
• 2 = Do not allow any site to run JavaScript JIT

Windows (Intune):

<enabled/>

<data id="DefaultJavaScriptJitSetting" value="1"/>

• Google ChromeOS (Google ChromeOS) since version 100
• Google Chrome (Linux) since version 100
• Google Chrome (Mac) since version 100
• Google Chrome (Windows) since version 100

Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device containing a top-level collection with the given HID usage. Each item in the list requires both usages and urls fields for the policy to be valid. Each item in the usages field must have a usage_page and may have a usage field. Omitting the usage field will create a policy matching any device containing a top-level collection with a usage from the specified usage page. An item which has a usage field without a usage_page field is invalid and is ignored.

Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.

URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.

Windows (Windows clients):

Software\Policies\Google\Chrome\WebHidAllowDevicesWithHidUsagesForUrls = [ { "urls": [ "https://google.com", "https://chromium.org" ], "usages": [ { "usage": 5678, "usage_page": 1234 } ] } ]

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\WebHidAllowDevicesWithHidUsagesForUrls = [ { "urls": [ "https://google.com", "https://chromium.org" ], "usages": [ { "usage": 5678, "usage_page": 1234 } ] } ]

Android/Linux:

WebHidAllowDevicesWithHidUsagesForUrls: [ { "urls": [ "https://google.com", "https://chromium.org" ], "usages": [ { "usage": 5678, "usage_page": 1234 } ] } ]

Mac:

<key>WebHidAllowDevicesWithHidUsagesForUrls</key> <array> <dict> <key>urls</key> <array> <string>https://google.com</string> <string>https://chromium.org</string> </array> <key>usages</key> <array> <dict> <key>usage</key> <integer>5678</integer> <key>usage_page</key> <integer>1234</integer> </dict> </array> </dict> </array>

Windows (Intune):

<enabled/>

<data id="WebHidAllowDevicesWithHidUsagesForUrls" value="{"urls": ["https://google.com", "https://chromium.org"], "usages": [{"usage": 5678, "usage_page": 1234}]}"/>

• Google ChromeOS (Google ChromeOS) since version 94
• Google Chrome (Linux) since version 94
• Google Chrome (Mac) since version 94
• Google Chrome (Windows) since version 94

Setting the policy allows you to list sites which are automatically granted permission to access all available serial ports.

The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.

On Google Chrome OS, this policy only applies to affiliated users.

This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.

Windows (Windows clients):

Software\Policies\Google\Chrome\SerialAllowAllPortsForUrls\1 = "https://www.example.com"

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\SerialAllowAllPortsForUrls\1 = "https://www.example.com"

Android/Linux:

[ "https://www.example.com" ]

Mac:

<array> <string>https://www.example.com</string> </array>

Windows (Intune):

<enabled/>

<data id="SerialAllowAllPortsForUrlsDesc" value="1&#xF000;https://www.example.com"/>

• Google ChromeOS (Google ChromeOS) since version 100
• Google Chrome (Linux) since version 100
• Google Chrome (Mac) since version 100
• Google Chrome (Windows) since version 100

Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the item to be valid, otherwise the item is ignored. Each item in the devices field must have a vendor_id and may have a product_id field. Omitting the product_id field will create a policy matching any device with the specified vendor ID. An item which has a product_id field without a vendor_id field is invalid and is ignored.

Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.

URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.

Windows (Windows clients):

Software\Policies\Google\Chrome\WebHidAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://chromium.org" ] } ]

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\WebHidAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://chromium.org" ] } ]

Android/Linux:

WebHidAllowDevicesForUrls: [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://chromium.org" ] } ]

Mac:

<key>WebHidAllowDevicesForUrls</key> <array> <dict> <key>devices</key> <array> <dict> <key>product_id</key> <integer>5678</integer> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://google.com</string> <string>https://chromium.org</string> </array> </dict> </array>

Windows (Intune):

<enabled/>

<data id="WebHidAllowDevicesForUrls" value="{"devices": [{"product_id": 5678, "vendor_id": 1234}], "urls": ["https://google.com", "https://chromium.org"]}"/>

• Google Chrome (Linux) since version 79
• Google Chrome (Mac) since version 79
• Google Chrome (Windows) since version 79
• Google ChromeOS (Google ChromeOS) since version 79

Allows you to set whether users can add exceptions to allow mixed content for specific sites.

This policy can be overridden for specific URL patterns using the 'InsecureContentAllowedForUrls' and 'InsecureContentBlockedForUrls' policies.

If this policy is left not set, users will be allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.

• 2 = Do not allow any site to load mixed content
• 3 = Allow users to add exceptions to allow mixed content

Windows (Intune):

<enabled/>

<data id="DefaultInsecureContentSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 100
• Google Chrome (Linux) since version 100
• Google Chrome (Mac) since version 100
• Google Chrome (Windows) since version 100

Setting the policy allows you to list sites which are automatically granted permission to access all available devices.

The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.

On ChromeOS, this policy only applies to affiliated users.

This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls and the user's preferences.

Windows (Windows clients):

Software\Policies\Google\Chrome\WebHidAllowAllDevicesForUrls\1 = "https://google.com" Software\Policies\Google\Chrome\WebHidAllowAllDevicesForUrls\2 = "https://chromium.org"

Windows (Google Chrome OS clients):

Software\Policies\Google\ChromeOS\WebHidAllowAllDevicesForUrls\1 = "https://google.com" Software\Policies\Google\ChromeOS\WebHidAllowAllDevicesForUrls\2 = "https://chromium.org"

Android/Linux:

[ "https://google.com", "https://chromium.org" ]

Mac:

<array> <string>https://google.com</string> <string>https://chromium.org</string> </array>

Windows (Intune):

<enabled/>

<data id="WebHidAllowAllDevicesForUrlsDesc" value="1&#xF000;https://google.com&#xF000;2&#xF000;https://chromium.org"/>

• Google ChromeOS (Google ChromeOS) since version 86
• Google Chrome (Linux) since version 86
• Google Chrome (Mac) since version 86
• Google Chrome (Windows) since version 86

Setting the policy to 3 lets websites ask for write access to files and directories in the host operating system's file system. Setting the policy to 2 denies access.

Leaving it unset lets websites ask for access, but users can change this setting.

• 2 = Do not allow any site to request write access to files and directories
• 3 = Allow sites to ask the user to grant write access to files and directories

Windows (Intune):

<enabled/>

<data id="DefaultFileSystemWriteGuardSetting" value="2"/>

• Google Chrome (Linux) since version 108 until version 110
• Google Chrome (Mac) since version 108 until version 110
• Google Chrome (Windows) since version 108 until version 110
• Google ChromeOS (Google ChromeOS) since version 108 until version 110
• Google Chrome (Android) since version 108 until version 110

Starting in M108, all of FileSystemSyncAccessHandle methods will be invoked synchronously. Until M110, this policy re-enables asynchronous invocation of FileSystemSyncAccessHandle methods. If this policy is set to Enabled, FileSystemSyncAccessHandle methods are invoked asynchronously. If this policy is set to Disabled or not set, all of FileSystemSyncAccessHandle methods are invoked synchronously.

Windows (Intune):

<disabled/>

• Google ChromeOS (Google ChromeOS) since version 100
• Google Chrome (Linux) since version 100
• Google Chrome (Mac) since version 100
• Google Chrome (Windows) since version 100

Setting the policy to 3 lets websites ask for access to HID devices. Setting the policy to 2 denies access to HID devices.

Leaving it unset lets websites ask for access, but users can change this setting.

This policy can be overridden for specific url patterns using the WebHidAskForUrls and WebHidBlockedForUrls policies.

• 2 = Do not allow any site to request access to HID devices via the WebHID API
• 3 = Allow sites to ask the user to grant access to a HID device

Windows (Intune):

<enabled/>

<data id="DefaultWebHidGuardSetting" value="2"/>

• Google Chrome (Linux) since version 22
• Google Chrome (Mac) since version 22
• Google Chrome (Windows) since version 22
• Google ChromeOS (Google ChromeOS) since version 22

Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.

If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.

• 2 = Do not allow any site to access the camera and microphone
• 3 = Ask every time a site wants to access the camera and/or microphone

Windows (Intune):

<enabled/>

<data id="DefaultMediaStreamSetting" value="2"/>

• Google ChromeOS (Google ChromeOS) since version 86
• Google Chrome (Linux) since version 86
• Google Chrome (Mac) since version 86
• Google Chrome (Windows) since version 86