Google Git
Sign in
chromium / chromium / src / 3b26751ff0ac3ca5d1377616b55d0284673dc232 / . / components / policy / resources / policy_templates.json
blob: b626efa809c0eddb20130f5a285754fd6409bac8 [file] [log] [blame]
{
# policy_templates.json - Metafile for policy templates
#
# The content of this file is evaluated as a Python expression.
#
# This file is used as input to generate the following policy templates:
# ADM, ADMX+ADML, MCX/plist and html documentation.
#
# Policy templates are user interface definitions or documents about the
# policies that can be used to configure Chrome. Each policy is a name-value
# pair where the value has a given type. Chrome looks up the values using the
# names of the policies. In the user interface where the values can be set,
# related policies might appear together in policy groups. The grouping is not
# visible to Chrome.
#
# This file contains a list of policies and groups. Each group contains a list
# of policies under the key 'policies'. All the policies and groups must have
# unique names. Group names are not exposed to Chrome at all.
#
# Each policy has a type. The currently implemented types:
# 'group': - not a real policy, contains a list of policies
# NOTE: Currently nesting groups inside other groups is not supported.
# 'string' - a string value
# 'int' - an integer value
# 'int-enum' - the user can select an integer value from a collection of
# items
# 'string-enum' - the user can select a string value from a collection of
# items
# 'string-enum-list' - the user can select a set of string values from a
# collection of items
# 'main' - a boolean value
# 'list' - a list of string values
# 'dict' - a dictionary value, containing other values indexed by strings
# NOTE: This type is not supported yet. https://crbug.com/108992
# 'external' - a policy that references external data.
# NOTE: This type is currently supported on Chrome OS only.
#
# Each policy is tagged with risk tags that indicate potential privacy or
# security risks. They are defined at the beginning of this file (tag
# 'risk_tag_definitions').
# Each risk tag contains the following information:
# - name: The name of the risk tag. May not contain spaces.
# - description: Description for developers so they know which tags apply to
# newly added policies.
# - user-description: A text that helps users understand what a policy with
# this tag means for their privacy and/or security.
# TODO(fhorschig|tnagel): Revisit policy tags after reviews.
#
# Policy group descriptions, policy captions and similar texts are localized
# strings taken from the <message> nodes of the .grd file. Their name
# attributes are generated from the JSON keys.
# Each item (policy or group) may have the following messages:
# - description:
# Describes the item it applies to.
# - caption
# A short, one-line summary of the item it applies to. This can appear
# both in policy or group listings or on title bars of policy-setting
# windows.
# - label (Optional, defaults to caption if not specified.)
# A short, one-line summary of the item it applies to. The difference
# from caption is that label always appears next to the entry field
# where the value of the policy can be entered. 'main' policies on
# Windows ignore this. Policies on Mac are using this instead of caption.
#
# Non-translateable strings should be tagged using <ph name="..."></ph> as
# described in https://www.chromium.org/developers/tools-we-use-in-chromium/grit/grit-users-guide
#
# Generated grd names:
# Each name has two parts: the second part is either CAPTION, DESC or LABEL,
# and the first part identifies the item the text applies to:
# -For policies and groups:
# IDS_POLICY_<NAME OF THE POLICY OR GROUP>
# e.g. the name of the caption of policy HomepageLocation:
# IDS_POLICY_HOMEPAGELOCATION_CAPTION
# or other messages of the policy HomepageLocation:
# IDS_POLICY_HOMEPAGELOCATION_LABEL
# IDS_POLICY_HOMEPAGELOCATION_DESC
# -For enum items:
# IDS_POLICY_ENUM_<NAME OF THE ITEM>
# e.g. the name of the caption of ProxyServerDisabled:
# IDS_POLICY_ENUM_PROXYSERVERDISABLED_CAPTION
#
# Products and versions:
# Each policy has the list of products and version numbers where it is
# supported under the key 'supported_on'. Each item of this list has the
# form of 'product:since_version-until_version', which means that support
# for the policy in 'product' was introduced in 'since_version' and removed
# after 'until_version'. Product names may contain a suffix specifying a
# platform name, e.g.: 'chrome.win' is read as 'Chrome on Windows'. Version
# numbers can be any string that does not contain ':' or '-' characters.
#
# Currently supported product names:
# 'chrome_frame', 'chrome_os', 'android', 'ios', 'webview_android',
# 'chrome.win', 'chrome.linux', 'chrome.mac', 'chrome.*'
# For example if 'chrome.*:5-10' is specified for a policy, then it should
# be read as:
# 'chrome.linux:5-10', 'chrome.mac:5-10', 'chrome.win:5-10'
#
# The product name also affects in which templates the policy is included:
# chrome.*, chrome.win, chrome_frame -> ADM, ADMX, ADML, doc
# chrome.*, chrome.linux -> JSON, doc
# chrome.*, chrome.mac -> plist, plist_strings, doc
# everything else -> doc
#
# The default list of policies supported by Chrome is also generated based
# on the product names:
# chrome.* -> Chrome policy definition list
# chrome_os -> Chrome policy definition list, when building OS_CHROMEOS
#
# Annotations:
# Additional information is specified under keys 'features' and
# 'example_value'. These are used in the generated documentation and example
# policy configuration files. 'dynamic_refresh' controls if the generated
# documentation should state that the policy supports dynamic refresh or not.
# Supporting dynamic refresh means that Chrome respects the changes to the
# policy immediately, without the need for restart.
# 'can_be_mandatory' can be set to False to exclude that policy in the
# mandatory policies template. This only affects the template generation;
# The default is True.
# 'can_be_recommended' can be set to True to include that policy in the
# recommended policies templates. This only affects the template generation;
# all policies can be at the recommended level. The default is False.
#
# The 'max_size' key is used to specify the maximal size of the external data
# that a policy can reference, in bytes. This annotation is compulsory for
# policies of type 'external'. It is ignored for all other policy types.
#
# The 'future' key is used to indicate that a policy isn't yet ready for
# usage. It defaults to False, and currently affects the generated policy
# templates and documentation. The policy definition list that Chrome sees
# will include policies marked with 'future'. If a WIP policy isn't meant to
# be seen by the policy providers either, the 'supported_on' key should be set
# to an empty list.
#
# IDs:
# Since a Protocol Buffer definition is generated from this file, unique and
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
# For your editing convenience: highest ID currently used: 319
#
# Placeholders:
# The following placeholder strings are automatically substituted:
# $1 -> Google Chrome / Chromium
# $2 -> Google Chrome OS / Chromium OS
# $3 -> Google Chrome Frame / Chromium Frame
# $6 is reserved for doc_writer
#
# Device Policy:
# An additional flag 'device_only' (optional, defaults to False) indicates
# that this policy is only supported as a device-level Cloud Policy.
# In that case no entry in the UserPolicy Protobuf is generated and
# it is assumed that it will be added to the DevicePolicy Protobuf manually.
#
# Enterprise defaults:
# For managed users on Chrome OS (i.e. users receiving user policy from the
# cloud), if the optional key 'default_for_enterprise_users' is set, its value
# is applied as mandatory policy unless a different setting is received from
# the cloud.
'risk_tag_definitions' : [
# All following tags are ordered by severity of their impact.
# TODO(fhorschig|tnagel): Revisit user-descriptions after reviews.
{
'name': 'full-admin-access',
'description': '''Policies with this tag enable an administrator to
execute arbitrary code or configure a machine in a way that a
man-in-the-middle situation can occur.''',
'user-description': '''Your administrator has set up certificates or applications that could potentially access all of your data.
This could possibly allow inspecting and modifying all data sent and received by Chrome.'''
},
{
'name': 'system-security',
'description': '''Policies with this tag can make the user vulnerable
against attacks which are not possible when the policies are unset.
This includes execution of deprecated code or unsafe configuration of
network settings and proxies.''',
'user-description': '''Policy set by your administrator could enable functionality that is outdated or that could reduce the security of the system in other ways.'''
},
{
'name': 'website-sharing',
'description': '''Setting Policies with this tag will allow sharing
information with a server that would normally not be allowed.
Those information can include geolocation, audio/video device inputs or
data that can be used to identify the user.''',
'user-description': '''Policy set by your administrator could enable sharing of data with websites.
Some of these data might suffice to identify you or could be used to record private information.'''
},
{
'name': 'admin-sharing',
'description': '''Policies with this tag enable an administrator to log
the user's activity or traffic.''',
'user-description': '''Policy configured by your administrator might allow them to gather general information about your device and your activity.'''
},
{
'name': 'filtering',
'description': '''Policies with this tag can restrict the information a
user can query from the world-wide web. This includes blocked websites,
enforced search settings and partly data synchronization.''',
'user-description': '''Your administrator has set up policy that may restrict your access to websites, services or search results.'''
},
{
'name': 'local-data-access',
'description': '''Policies with this tag can cause storing data to or
reading data from a local file system without the user's knowledge. This
includes import of existing settings to the cloud or avoiding clean-up of
local history data.''',
'user-description': '''Your administrator has set up policy that could cause private data to be imported from your system or could cause private data to be written to an admin-specified place.'''
},
{
'name': 'google-sharing',
'description': '''Set policies might enforce sharing data with google,
like crash reports or history.''',
'user-description': '''There are policies set by your administrator which can affect the communication with Google services.
Therefore, some services could either be unreachable or you might not be able to restrict sent data.'''
}
],
'policy_definitions': [
{
'name': 'Homepage',
'type': 'group',
'caption': '''Home page''',
'desc': '''Configure the default home page in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing it.
The user's home page settings are only completely locked down, if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'.''',
'policies': [
{
'name': 'HomepageLocation',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://www.chromium.org',
'id': 1,
'caption': '''Configure the home page URL''',
'tags': [],
'desc': '''Configures the default home page URL in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing it.
The home page is the page opened by the Home button. The pages that open on startup are controlled by the RestoreOnStartup policies.
The home page type can either be set to a URL you specify here or set to the New Tab Page. If you select the New Tab Page, then this policy does not take effect.
If you enable this setting, users cannot change their home page URL in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, but they can still choose the New Tab Page as their home page.
Leaving this policy not set will allow the user to choose his home page on his own if HomepageIsNewTabPage is not set too.
This policy is not available on Windows instances that are not joined
to an Active Directory domain.''',
'label': '''Home page URL''',
},
{
'name': 'HomepageIsNewTabPage',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 2,
'caption': '''Use New Tab Page as homepage''',
'tags': [],
'desc': '''Configures the type of the default home page in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing home page preferences. The home page can either be set to a URL you specify or set to the New Tab Page.
If you enable this setting, the New Tab Page is always used for the home page, and the home page URL location is ignored.
If you disable this setting, the user's homepage will never be the New Tab Page, unless its URL is set to 'chrome://newtab'.
If you enable or disable this setting, users cannot change their homepage type in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Leaving this policy not set will allow the user to choose whether the new tab page is his home page on his own.
This policy is not available on Windows instances that are not joined
to an Active Directory domain.''',
},
],
},
{
'name': 'DefaultBrowserSettingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 3,
'caption': '''Set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as Default Browser''',
'tags': [],
'desc': '''Configures the default browser checks in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing them.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will always check on startup whether it is the default browser and automatically register itself if possible.
If this setting is disabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will never check if it is the default browser and will disable user controls for setting this option.
If this setting is not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will allow the user to control whether it is the default browser and whether user notifications should be shown when it isn't.''',
'label': '''Set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> as Default Browser''',
},
{
'name': 'ApplicationLocaleValue',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:8-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'en',
'id': 4,
'caption': '''Application locale''',
'tags': [],
'desc': '''Configures the application locale in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing the locale.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses the specified locale. If the configured locale is not supported, 'en-US' is used instead.
If this setting is disabled or not set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses either the user-specified preferred locale (if configured), the system locale or the fallback locale 'en-US'.''',
'label': '''Application locale''',
},
{
'name': 'AlternateErrorPagesEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 5,
'caption': '''Enable alternate error pages''',
'tags': [],
'desc': '''Enables the use of alternate error pages that are built into <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> (such as 'page not found') and prevents users from changing this setting.
If you enable this setting, alternate error pages are used.
If you disable this setting, alternate error pages are never used.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'SearchSuggestEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 6,
'caption': '''Enable search suggestions''',
'tags': [],
'desc': '''Enables search suggestions in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s omnibox and prevents users from changing this setting.
If you enable this setting, search suggestions are used.
If you disable this setting, search suggestions are never used.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'DnsPrefetchingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 7,
'caption': '''Enable network prediction''',
'tags': [],
'desc': '''Enables network prediction in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages. The policy name refers to DNS prefetching for historical reasons.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'NetworkPredictionOptions',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'NetworkPredictionAlways',
'value': 0,
'caption': '''Predict network actions on any network connection''',
},
{
'name': 'NetworkPredictionWifiOnly',
'value': 1,
'caption': '''Predict network actions on any network that is not
cellular''',
},
{
'name': 'NetworkPredictionNever',
'value': 2,
'caption': '''Do not predict network actions on any network connection''',
},
],
'supported_on': ['chrome.*:38-', 'chrome_os:38-', 'android:38-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 273,
'caption': '''Enable network prediction''',
'tags': [],
'desc': '''Enables network prediction in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
This controls DNS prefetching, TCP and SSL preconnection and prerendering of web pages.
If you set this preference to 'always', 'never', or 'WiFi only', users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, network prediction will be enabled but the user will be able to change it.''',
},
{
'name': 'WPADQuickCheckEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [ 'chrome.*:35-', 'chrome_os:35-' ],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 261,
'caption': '''Enable WPAD optimization''',
'tags': ['system-security'],
'desc': '''Allows to turn off WPAD (Web Proxy Auto-Discovery) optimization in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is set to false, WPAD optimization is disabled causing <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to wait longer for DNS-based WPAD servers. If the policy is not set or is enabled, WPAD optimization is enabled.
Independent of whether or how this policy is set, the WPAD optimization setting cannot be changed by users.''',
},
{
'name': 'DisableSpdy',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 8,
'caption': '''Disable SPDY protocol''',
'tags': [],
'desc': '''Disables use of the SPDY protocol in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is enabled the SPDY protocol will not be available in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting this policy to disabled will allow the usage of SPDY.
If this policy is left not set, SPDY will be available.''',
},
{
'name': 'DisabledSchemes',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:12-', 'chrome_os:12-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': ['file', 'https'],
'id': 85,
'caption': '''Disable URL protocol schemes''',
'tags': [],
'desc': '''This policy is deprecated, please use URLBlacklist instead.
Disables the listed protocol schemes in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
URLs using a scheme from this list will not load and can not be navigated to.
If this policy is left not set or the list is empty all schemes will be accessible in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'label': '''List of disabled protocol schemes''',
},
{
'name': 'JavascriptEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 9,
'caption': '''Enable JavaScript''',
'tags': [],
'desc': '''This policy is deprecated, please use DefaultJavaScriptSetting instead.
Can be used to disabled JavaScript in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is disabled, web pages cannot use JavaScript and the user cannot change that setting.
If this setting is enabled or not set, web pages can use JavaScript but the user can change that setting.''',
},
{
'name': 'IncognitoEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 10,
'caption': '''Enable Incognito mode''',
'tags': [],
'desc': '''This policy is deprecated. Please, use IncognitoModeAvailability instead.
Enables Incognito mode in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is enabled or not configured, users can open web pages in incognito mode.
If this setting is disabled, users cannot open web pages in incognito mode.
If this policy is left not set, this will be enabled and the user will be able to use incognito mode.''',
},
{
'name': 'IncognitoModeAvailability',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Enabled',
'value': 0,
'caption': '''Incognito mode available''',
},
{
'name': 'Disabled',
'value': 1,
'caption': '''Incognito mode disabled''',
},
{
'name': 'Forced',
'value': 2,
'caption': '''Incognito mode forced''',
},
],
'supported_on': [
'chrome.*:14-',
'chrome_os:14-',
'android:30-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 93,
'caption': '''Incognito mode availability''',
'tags': ['filtering'],
'desc': '''Specifies whether the user may open pages in Incognito mode in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.
If 'Disabled' is selected, pages may not be opened in Incognito mode.
If 'Forced' is selected, pages may be opened ONLY in Incognito mode.''',
},
{
'name': 'SavingBrowserHistoryDisabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 11,
'caption': '''Disable saving browser history''',
'tags': [],
'desc': '''Disables saving browser history in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
If this setting is enabled, browsing history is not saved. This setting also disables tab syncing.
If this setting is disabled or not set, browsing history is saved.''',
},
{
'name': 'AllowDeletingBrowserHistory',
'future': True,
'type': 'main',
'schema': { 'type': 'boolean' },
# TODO(pamg): Restore the correct 'supported' line when the UI properly
# shows that deleting browser history is disabled. Also fix the 'os' line
# in policy_test_cases.json.
# 'supported_on': ['chrome.*:27-', 'chrome_os:27-'],
'supported_on': [],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 187,
'caption': '''Enable deleting browser and download history''',
'tags': [],
'desc': '''Enables deleting browser history and download history in <ph name="PRODUCT_NAME">$<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
Note that even with this policy disabled, the browsing and download history are not guaranteed to be retained: users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.
If this setting is enabled or not set, browsing and download history can be deleted.
If this setting is disabled, browsing and download history cannot be deleted.''',
},
{
'name': 'AllowDinosaurEasterEgg',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:48-', 'chrome.*:48-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'id': 309,
'default_for_enterprise_users': False,
'caption': '''Allow Dinosaur Easter Egg Game''',
'tags': [],
'desc': '''Allow users to play dinosaur easter egg game when device is offline.
If this policy is set to False, users will not be able to play the dinosaur easter egg game when device is offline. If this setting is set to True, users are allowed to play the dinosaur game. If this policy is not set, users are not allowed to play the dinosaur easter egg game on enrolled Chrome OS, but are allowed to play it under other circumstances.''',
},
{
'name': 'RemoteAccess',
'type': 'group',
'caption': '''Configure remote access options''',
'desc': '''Configure remote access options in Chrome Remote Desktop host.
Chrome Remote Desktop host is a native service that runs on the target
machine that a user can connect to using Chrome Remote Desktop
application. The native service is packaged and executed separately from
the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> browser.
These policies are ignored unless the
Chrome Remote Desktop host is installed.''',
'policies': [
{
'name': 'RemoteAccessClientFirewallTraversal',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:14-16', 'chrome_os:14-16'],
'features': {
'dynamic_refresh': True,
},
# Mark this 'removed' when https://crbug.com/100216 is resolved.
'deprecated': True,
'example_value': False,
'id': 94,
'caption': '''Enable firewall traversal from remote access client''',
'tags': [],
'desc': '''This policy is no longer supported.
Enables usage of STUN and relay servers when connecting to a remote client.
If this setting is enabled, then this machine can discover and connect to remote host machines even if they are separated by a firewall.
If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine can only connect to host machines within the local network.''',
},
{
'name': 'RemoteAccessHostClientDomain',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'my-awesome-domain.com',
'id': 316,
'caption': '''Configure the required domain name for remote access clients''',
'tags': [],
'desc': '''Configures the required client domain name that will be imposed on remote access clients and prevents users from changing it.
If this setting is enabled, then only clients from the specified domain can connect to the host.
If this setting is disabled or not set, then the default policy for the connection type is applied. For remote assistance, this allows clients from any domain can connect to the host; for anytime remote access, only the host owner can connect.
See also RemoteAccessHostDomain.''',
},
{
'name': 'RemoteAccessHostFirewallTraversal',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:14-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 95,
'caption': '''Enable firewall traversal from remote access host''',
'tags': [],
'desc': '''Enables usage of STUN servers when remote clients are trying to establish a connection to this machine.
If this setting is enabled, then remote clients can discover and connect to this machines even if they are separated by a firewall.
If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network.
If this policy is left not set the setting will be enabled.''',
},
{
'name': 'RemoteAccessHostDomain',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'my-awesome-domain.com',
'id': 154,
'caption': '''Configure the required domain name for remote access hosts''',
'tags': [],
'desc': '''Configures the required host domain name that will be imposed on remote access hosts and prevents users from changing it.
If this setting is enabled, then hosts can be shared only using accounts registered on the specified domain name.
If this setting is disabled or not set, then hosts can be shared using any account.
See also RemoteAccessHostClientDomain.''',
},
{
'name': 'RemoteAccessHostRequireTwoFactor',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:22-22'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
# Mark this 'removed' when https://crbug.com/100216 is resolved.
'deprecated': True,
'example_value': False,
'id': 155,
'caption': '''Enable two-factor authentication for remote access hosts''',
'tags': [],
'desc': '''Enables two-factor authentication for remote access hosts instead of a user-specified PIN.
If this setting is enabled, then users must provide a valid two-factor code when accessing a host.
If this setting is disabled or not set, then two-factor will not be enabled and the default behavior of having a user-defined PIN will be used.''',
},
{
'name': 'RemoteAccessHostTalkGadgetPrefix',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'chromoting-host',
'id': 156,
'caption': '''Configure the TalkGadget prefix for remote access hosts''',
'tags': [],
'desc': '''Configures the TalkGadget prefix that will be used by remote access hosts and prevents users from changing it.
If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.
If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.
If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used for all hosts.
Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.''',
},
{
'name': 'RemoteAccessHostRequireCurtain',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:23-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 157,
'caption': '''Enable curtaining of remote access hosts''',
'tags': ['system-security'],
'desc': '''Enables curtaining of remote access hosts while a connection is in progress.
If this setting is enabled, then hosts' physical input and output devices are disabled while a remote connection is in progress.
If this setting is disabled or not set, then both local and remote users can interact with the host when it is being shared.''',
},
{
'name': 'RemoteAccessHostAllowClientPairing',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:30-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 234,
'caption': '''Enable or disable PIN-less authentication for remote access hosts''',
'tags': [],
'desc': '''If this setting is enabled or not configured, then users can opt to pair clients and hosts at connection time, eliminating the need to enter a PIN every time.
If this setting is disabled, then this feature will not be available.''',
},
{
'name': 'RemoteAccessHostAllowGnubbyAuth',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:35-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 257,
'caption': '''Allow gnubby authentication for remote access hosts''',
'tags': [],
'desc': '''If this setting is enabled, then gnubby authentication requests will be proxied across a remote host connection.
If this setting is disabled or not configured, gnubby authentication requests will not be proxied.''',
},
{
'name': 'RemoteAccessHostAllowRelayedConnection',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:36-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 263,
'caption': '''Enable the use of relay servers by the remote access host''',
'tags': [],
'desc': '''Enables usage of relay servers when remote clients are trying to establish a connection to this machine.
If this setting is enabled, then remote clients can use relay servers to connect to this machine when a direct connection is not available (e.g. due to firewall restrictions).
Note that if the policy <ph name="REMOTEACCESSHOSTFIREWALLTRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is disabled, this policy will be ignored.
If this policy is left not set the setting will be enabled.''',
},
{
'name': 'RemoteAccessHostUdpPortRange',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:36-', 'chrome_os:41-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '12400-12409',
'id': 264,
'caption': '''Restrict the UDP port range used by the remote access host''',
'tags': [],
'desc': '''Restricts the UDP port range used by the remote access host in this machine.
If this policy is left not set, or if it is set to an empty string, the remote access host will be allowed to use any available port, unless the policy <ph name="REMOTEACCESSHOSTFIREWALLTRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is disabled, in which case the remote access host will use UDP ports in the 12400-12409 range.''',
},
{
'name': 'RemoteAccessHostMatchUsername',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.linux:25-', 'chrome.mac:25-', 'chrome_os:42-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 285,
'caption': '''Requires that the name of the local user and the remote access host owner match''',
'tags': [],
'desc': '''Requires that the name of the local user and the remote access host owner match.
If this setting is enabled, then the remote access host compares the name of the local user (that the host is associated with) and the name of the Google account registered as the host owner (i.e. "johndoe" if the host is owned by "johndoe@example.com" Google account). The remote access host will not start if the name of the host owner is different from the name of the local user that the host is associated with. RemoteAccessHostMatchUsername policy should be used together with RemoteAccessHostDomain to also enforce that the Google account of the host owner is associated with a specific domain (i.e. "example.com").
If this setting is disabled or not set, then the remote access host can be associated with any local user.''',
},
{
'name': 'RemoteAccessHostTokenUrl',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-','chrome_os:42-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'https://example.com/issue',
'id': 286,
'caption': '''URL where remote access clients should obtain their authentication token''',
'tags': ['website-sharing'],
'desc': '''URL where remote access clients should obtain their authentication token.
If this policy is set, the remote access host will require authenticating clients to obtain an authentication token from this URL in order to connect. Must be used in conjunction with RemoteAccessHostTokenValidationUrl.
This feature is currently disabled server-side.''',
},
{
'name': 'RemoteAccessHostTokenValidationUrl',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-','chrome_os:42-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'https://example.com/validate',
'id': 287,
'caption': '''URL for validating remote access client authentication token''',
'tags': ['website-sharing'],
'desc': '''URL for validating remote access client authentication token.
If this policy is set, the remote access host will use this URL to validate authentication tokens from remote access clients, in order to accept connections. Must be used in conjunction with RemoteAccessHostTokenUrl.
This feature is currently disabled server-side.''',
},
{
'name': 'RemoteAccessHostTokenValidationCertificateIssuer',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:28-','chrome_os:42-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'Example Certificate Authority',
'id': 288,
'caption': '''Client certificate for connecting to RemoteAccessHostTokenValidationUrl''',
'tags': [],
'desc': '''Client certificate for connecting to RemoteAccessHostTokenValidationUrl.
If this policy is set, the host will use a client certificate with the given issuer CN to authenticate to RemoteAccessHostTokenValidationUrl. Set it to "*" to use any available client certificate.
This feature is currently disabled server-side.''',
},
{
'name': 'RemoteAccessHostDebugOverridePolicies',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:25-47','chrome_os:42-47'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '{ "RemoteAccessHostMatchUsername": true }',
'id': 289,
'caption': '''Policy overrides for Debug builds of the remote access host''',
'tags': [],
'desc': '''Overrides policies on Debug builds of the remote access host.
The value is parsed as a JSON dictionary of policy name to policy value mappings.''',
},
],
},
{
'name': 'PrintingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:39-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 12,
'caption': '''Enable printing''',
'tags': [],
'desc': '''Enables printing in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
If this setting is enabled or not configured, users can print.
If this setting is disabled, users cannot print from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Printing is disabled in the wrench menu, extensions, JavaScript applications, etc. It is still possible to print from plugins that bypass <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> while printing. For example, certain Flash applications have the print option in their context menu, which is not covered by this policy.''',
},
{
'name': 'CloudPrintProxyEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 13,
'caption': '''Enable <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> proxy''',
'tags': [],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to act as a proxy between <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> and legacy printers connected to the machine.
If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account.
If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it's printers with <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>.''',
},
{
'name': 'ForceSafeSearch',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:25-', 'chrome_os:25-', 'android:30-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': False,
'id': 162,
'caption': '''Force SafeSearch''',
'tags': ['filtering'],
'desc': '''This policy is deprecated, please use ForceGoogleSafeSearch and ForceYouTubeSafetyMode instead. This policy will be ignored if either the ForceGoogleSafeSearch or ForceYouTubeSafetyMode policies are set.
Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting. This setting also forces Safety Mode on YouTube.
If you enable this setting, SafeSearch in Google Search and YouTube is always active.
If you disable this setting or do not set a value, SafeSearch in Google Search and YouTube is not enforced.''',
},
{
'name': 'ForceGoogleSafeSearch',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:41-', 'chrome_os:41-', 'android:41-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 282,
'caption': '''Force Google SafeSearch''',
'tags': ['filtering'],
'desc': '''Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting.
If you enable this setting, SafeSearch in Google Search is always active.
If you disable this setting or do not set a value, SafeSearch in Google Search is not enforced.''',
},
{
'name': 'ForceYouTubeSafetyMode',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:41-', 'chrome_os:41-', 'android:41-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 283,
'caption': '''Force YouTube Safety Mode''',
'tags': ['filtering'],
'desc': '''Forces YouTube Safety Mode to active and prevents users from changing this setting.
If you enable this setting, Safety Mode on YouTube is always active.
If you disable this setting or do not set a value, Safety Mode on YouTube is not enforced.''',
},
{
'name': 'SafeBrowsingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 14,
'caption': '''Enable Safe Browsing''',
'tags': ['system-security'],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s Safe Browsing feature and prevents users from changing this setting.
If you enable this setting, Safe Browsing is always active.
If you disable this setting, Safe Browsing is never active.
If you enable or disable this setting, users cannot change or override the "Enable phishing and malware protection" setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, this will be enabled but the user will be able to change it.''',
},
{
'name': 'MetricsReportingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 15,
'caption': '''Enable reporting of usage and crash-related data''',
'tags': ['google-sharing'],
'desc': '''Enables anonymous reporting of usage and crash-related data about <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to Google and prevents users from changing this setting.
If this setting is enabled, anonymous reporting of usage and crash-related
data is sent to Google. If it is disabled, this information is not sent
to Google. In both cases, users cannot change or override the setting.
If this policy is left not set, the setting will be what the user chose
upon installation / first run.
This policy is not available on Windows instances that are not joined to
an Active Directory domain. (For Chrome OS, see
DeviceMetricsReportingEnabled.)''',
},
{
'name': 'PasswordManager',
'type': 'group',
'caption': '''Password manager''',
'desc': '''Configures the password manager. If the password manager is enabled, then you can choose to enable or disable whether the user may show stored passwords in clear text.''',
'policies': [
{
'name': 'PasswordManagerEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 16,
'caption': '''Enable saving passwords to the password manager''',
'tags': [],
'desc': '''
If this setting is enabled, users can have <ph
name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> memorize passwords
and provide them automatically the next time they log in to a site.
If this settings is disabled, users cannot save new passwords but they
may still use passwords that have been saved previously.
If this policy is enabled or disabled, users cannot change or override
it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If this
policy is unset, password saving is allowed (but can be turned off by
the user).''',
},
{
'name': 'PasswordManagerAllowShowPasswords',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 17,
'caption': '''Allow users to show passwords in Password Manager''',
'tags': [],
'desc': '''Controls whether the user may show passwords in clear text in the password manager.
If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window.
If you enable or do not set this policy, users can view their passwords in clear text in the password manager.''',
},
],
},
{
'name': 'AutoFillEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 18,
'caption': '''Enable AutoFill''',
'tags': [],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information.
If you disable this setting, AutoFill will be inaccessible to users.
If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.''',
},
{
'name': 'DisabledPlugins',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 19,
'caption': '''Specify a list of disabled plugins''',
'tags': [],
'desc': '''Specifies a list of plugins that are disabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
If you enable this setting, the specified list of plugins is never used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. The plugins are marked as disabled in 'about:plugins' and users cannot enable them.
Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions.
If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.''',
'label': '''List of disabled plugins''',
},
{
'name': 'EnabledPlugins',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 78,
'caption': '''Specify a list of enabled plugins''',
'tags': ['system-security'],
'desc': '''Specifies a list of plugins that are enabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing this setting.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
The specified list of plugins is always used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them.
Note that this policy overrides both DisabledPlugins and DisabledPluginsExceptions.
If this policy is left not set the user can disable any plugin installed on the system.''',
'label': '''List of enabled plugins''',
},
{
'name': 'DisabledPluginsExceptions',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['Java', 'Shockwave Flash', 'Chrome PDF Viewer'],
'id': 79,
'caption': '''Specify a list of plugins that the user can enable or disable''',
'tags': [],
'desc': '''Specifies a list of plugins that user can enable or disable in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them.
If you enable this setting, the specified list of plugins can be used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Users can enable or disable them in 'about:plugins', even if the plugin also matches a pattern in DisabledPlugins. Users can also enable and disable plugins that don't match any patterns in DisabledPlugins, DisabledPluginsExceptions and EnabledPlugins.
This policy is meant to allow for strict plugin blacklisting where the 'DisabledPlugins' list contains wildcarded entries like disable all plugins '*' or disable all Java plugins '*Java*' but the administrator wishes to enable some particular version like 'IcedTea Java 2.3'. This particular versions can be specified in this policy.
Note that both the plugin name and the plugin's group name have to be exempted. Each plugin group is shown in a separate section in about:plugins; each section may have one or more plugins. For example, the "Shockwave Flash" plugin belongs to the "Adobe Flash Player" group, and both names have to have a match in the exceptions list if that plugin is to be exempted from the blacklist.
If this policy is left not set any plugin that matches the patterns in the 'DisabledPlugins' will be locked disabled and the user won't be able to enable them.''',
'label': '''List of exceptions to the list of disabled plugins''',
},
{
'name': 'DisablePluginFinder',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 66,
'caption': '''Specify whether the plugin finder should be disabled''',
'tags': [],
'desc': '''If you set this setting to enabled the automatic search and installation of missing plugins will be disabled in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Setting this option to disabled or leave it not set the plugin finder will be active.''',
'label': '''Disable plugin finder''',
},
{
'name': 'SyncDisabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 20,
'caption': '''Disable synchronization of data with Google''',
'tags': ['filtering', 'google-sharing'],
'desc': '''Disables data synchronization in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> using Google-hosted synchronization services and prevents users from changing this setting.
If you enable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set Google Sync will be available for the user to choose whether to use it or not.''',
},
{
'name': 'SigninAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:27-', 'android:38-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 190,
'caption': '''Allows sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''This policy is deprecated, consider using SyncDisabled instead.
Allows the user to sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you set this policy, you can configure whether a user is allowed to sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. Setting this policy to 'False' will prevent apps and extensions that use the chrome.identity API from functioning, so you may want to use SyncDisabled instead.''',
},
{
'name': 'EnableDeprecatedWebBasedSignin',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:35-42'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'deprecated': True,
'example_value': False,
'id': 265,
'caption': '''Enables the old web-based signin''',
'tags': [],
'desc': '''Enables the old web-based signin flow.
This setting was named EnableWebBasedSignin prior to Chrome 42, and support for it will be removed entirely in Chrome 43.
This setting is useful for enterprise customers who are using SSO solutions that are not compatible with the new inline signin flow yet.
If you enable this setting, the old web-based signin flow would be used.
If you disable this setting or leave it not set, the new inline signin flow would be used by default. Users may still enable the old web-based signin flow through the command line flag --enable-web-based-signin.
The experimental setting will be removed in the future when the inline signin fully supports all SSO signin flows.''',
},
{
'name': 'UserDataDir',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.win:11-', 'chrome.mac:11-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '${users}/${user_name}/Chrome',
'id': 63,
'caption': '''Set user data directory''',
'tags': ['local-data-access'],
'desc': '''Configures the directory that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing user data.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.''',
'label': '''Set user data directory''',
},
{
'name': 'DiskCacheDir',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:13-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '${user_home}/Chrome_cache',
'id': 88,
'caption': '''Set disk cache directory''',
'tags': [],
'desc': '''Configures the directory that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing cached files on the disk.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided directory regardless whether the user has specified the '--disk-cache-dir' flag or not.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
If this policy is left not set the default cache directory will be used and the user will be able to override it with the '--disk-cache-dir' command line flag.''',
'label': '''Set disk cache directory''',
},
{
'name': 'DiskCacheSize',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 104857600,
'id': 110,
'caption': '''Set disk cache size in bytes''',
'tags': [],
'desc': '''Configures the cache size that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing cached files on the disk.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided cache size regardless whether the user has specified the '--disk-cache-size' flag or not. The value specified in this policy is not a hard boundary but rather a suggestion to the caching system, any value below a few megabytes is too small and will be rounded up to a sane minimum.
If the value of this policy is 0, the default cache size will be used but the user will not be able to change it.
If this policy is not set the default size will be used and the user will be able to override it with the --disk-cache-size flag.''',
'label': '''Set disk cache size''',
},
{
'name': 'MediaCacheSize',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 104857600,
'id': 111,
'caption': '''Set media disk cache size in bytes''',
'tags': [],
'desc': '''Configures the cache size that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for storing cached media files on the disk.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided cache size regardless whether the user has specified the '--media-cache-size' flag or not. The value specified in this policy is not a hard boundary but rather a suggestion to the caching system, any value below a few megabytes is too small and will be rounded up to a sane minimum.
If the value of this policy is 0, the default cache size will be used but the user will not be able to change it.
If this policy is not set the default size will be used and the user will be able to override it with the --media-cache-size flag.''',
'label': '''Set media disk cache size''',
},
{
'name': 'DownloadDirectory',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:11-', 'chrome_os:35-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '/home/${user_name}/Downloads',
'id': 64,
'caption': '''Set download directory''',
'tags': ['local-data-access'],
'desc': '''Configures the directory that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use for downloading files.
If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the provided directory regardless whether the user has specified one or enabled the flag to be prompted for download location every time.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
If this policy is left not set the default download directory will be used and the user will be able to change it.''',
'label': '''Set download directory''',
},
{
'name': 'ClearSiteDataOnExit',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-28', 'chrome_os:11-28'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': True,
'id': 65,
'caption': '''Clear site data on browser shutdown (deprecated)''',
'tags': [],
'desc': '''This policy has been retired as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 29.''',
'label': '''Clear site data on browser shutdown (deprecated)''',
},
{
'name': 'CaptivePortalAuthenticationIgnoresProxy',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:41-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 295,
'caption': '''Captive portal authentication ignores proxy''',
'tags': [],
'desc': '''This policy allows <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> to bypass any proxy for captive portal authentication.
This policy only takes effect if a proxy is configured (for example through policy, by the user in chrome://settings, or by extensions).
If you enable this setting, any captive portal authentication pages (i.e. all web pages starting from captive portal signin page until <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> detects succesful internet connection) will be displayed in a separate window ignoring all policy settings and restrictions for the current user.
If you disable this setting or leave it unset, any captive portal authentication pages will be shown in a (regular) new browser tab, using the current user's proxy settings.''',
},
{
'name': 'Proxy',
'type': 'group',
'caption': '''Proxy server''',
'desc': '''Allows you to specify the proxy server used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing proxy settings.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to auto detect the proxy server, all other options are ignored.
For detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> ignores all proxy-related options specified from the command line.
Leaving these policies not set will allow the users to choose the proxy settings on their own.''',
'policies': [
{
'name': 'ProxyMode',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'direct',
'auto_detect',
'pac_script',
'fixed_servers',
'system'
],
},
'items': [
{
'name': 'ProxyDisabled',
'value': 'direct',
'caption': '''Never use a proxy''',
},
{
'name': 'ProxyAutoDetect',
'value': 'auto_detect',
'caption': '''Auto detect proxy settings''',
},
{
'name': 'ProxyPacScript',
'value': 'pac_script',
'caption': '''Use a .pac proxy script''',
},
{
'name': 'ProxyFixedServers',
'value': 'fixed_servers',
'caption': '''Use fixed proxy servers''',
},
{
'name': 'ProxyUseSystem',
'value': 'system',
'caption': '''Use system proxy settings''',
},
],
'supported_on': [
'chrome.*:10-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'direct',
'id': 21,
'caption': '''Choose how to specify proxy server settings''',
'tags': [],
'desc': '''Allows you to specify the proxy server used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing proxy settings.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.
If you choose fixed server proxy mode, you can specify further options in 'Address or URL of proxy server' and 'Comma-separated list of proxy bypass rules'.
If you choose to use a .pac proxy script, you must specify the URL to the script in 'URL to a proxy .pac file'.
For detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> ignores all proxy-related options specified from the command line.
Leaving this policy not set will allow the users to choose the proxy settings on their own.''',
},
{
'name': 'ProxyServerMode',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'ProxyServerDisabled',
'value': 0,
'caption': '''Never use a proxy''',
},
{
'name': 'ProxyServerAutoDetect',
'value': 1,
'caption': '''Auto detect proxy settings''',
},
{
'name': 'ProxyServerManual',
'value': 2,
'caption': '''Manually specify proxy settings''',
},
{
'name': 'ProxyServerUseSystem',
'value': 3,
'caption': '''Use system proxy settings''',
},
],
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 2,
'id': 22,
'caption': '''Choose how to specify proxy server settings''',
'tags': [],
'desc': '''This policy is deprecated, use ProxyMode instead.
Allows you to specify the proxy server used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> and prevents users from changing proxy settings.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.
If you choose manual proxy settings, you can specify further options in 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-separated list of proxy bypass rules'.
For detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> ignores all proxy-related options specified from the command line.
Leaving this policy not set will allow the users to choose the proxy settings on their own.''',
},
{
'name': 'ProxyServer',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '123.123.123.123:8080',
'id': 23,
'caption': '''Address or URL of proxy server''',
'tags': [],
'desc': '''You can specify the URL of the proxy server here.
This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings'.
You should leave this policy not set if you have selected any other mode for setting proxy policies.
For more options and detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>''',
},
{
'name': 'ProxyPacUrl',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://internal.site/example.pac',
'id': 24,
'caption': '''URL to a proxy .pac file''',
'tags': [],
'desc': '''You can specify a URL to a proxy .pac file here.
This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings'.
You should leave this policy not set if you have selected any other mode for setting proxy policies.
For detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>''',
},
{
'name': 'ProxyBypassList',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://www.example1.com,https://www.example2.com,https://internalsite/',
'id': 25,
'caption': '''Proxy bypass rules''',
'tags': [],
'desc': '''<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will bypass any proxy for the list of hosts given here.
This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings'.
You should leave this policy not set if you have selected any other mode for setting proxy policies.
For more detailed examples, visit:
<ph name="PROXY_HELP_URL">https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett<ex>https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>''',
'label': '''Comma-separated list of proxy bypass rules''',
},
],
},
{
# TODO(joaodasilva): Make this the default and deprecate the other proxy
# policies once all providers are ready to load 'dict' policies.
# This is currently an internal policy.
# https://crbug.com/108992, https://crbug.com/108996
'name': 'ProxySettings',
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'ProxyMode': { 'type': 'string' },
'ProxyPacUrl': { 'type': 'string' },
'ProxyServer': { 'type': 'string' },
'ProxyBypassList': { 'type': 'string' },
'ProxyServerMode': { 'type': 'string' },
},
},
'supported_on': [
'chrome.*:18-',
'chrome_os:18-',
'android:30-',
'ios:34-47',
],
'future': True,
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': { "ProxyMode": "direct" },
'id': 116,
'caption': '''Proxy settings''',
'tags': ['system-security'],
'desc': '''Configures the proxy settings for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy isn't ready for usage yet, please don't use it.''',
},
{
'name': 'HTTPAuthentication',
'type': 'group',
'caption': '''Policies for HTTP authentication''',
'desc': '''Policies related to integrated HTTP authentication.''',
'policies': [
{
'name': 'AuthSchemes',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:9-','android:46-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'basic,digest,ntlm,negotiate',
'id': 26,
'caption': '''Supported authentication schemes''',
'tags': [],
'desc': '''Specifies which HTTP authentication schemes are supported by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas.
If this policy is left not set, all four schemes will be used.''',
},
{
'name': 'DisableAuthNegotiateCnameLookup',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:9-','android:46-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 27,
'caption': '''Disable CNAME lookup when negotiating Kerberos authentication''',
'tags': [],
'desc': '''Specifies whether the generated Kerberos SPN is based on the canonical DNS name or the original name entered.
If you enable this setting, CNAME lookup will be skipped and the server name will be used as entered.
If you disable this setting or leave it not set, the canonical name of the server will be determined via CNAME lookup.''',
},
{
'name': 'EnableAuthNegotiatePort',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:9-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': False,
'id': 28,
'caption': '''Include non-standard port in Kerberos SPN''',
'tags': [],
'desc': '''Specifies whether the generated Kerberos SPN should include a non-standard port.
If you enable this setting, and a non-standard port (i.e., a port other than 80 or 443) is entered, it will be included in the generated Kerberos SPN.
If you disable this setting or leave it not set, the generated Kerberos SPN will not include a port in any case.''',
},
{
'name': 'AuthServerWhitelist',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:9-','android:46-','webview_android:49-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': '*example.com,foobar.com,*baz',
'id': 29,
'caption': '''Authentication server whitelist''',
'tags': [],
'desc': '''Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> receives an authentication challenge from a proxy or from a server which is in this permitted list.
Separate multiple server names with commas. Wildcards (*) are allowed.
If you leave this policy not set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
},
{
'name': 'AuthNegotiateDelegateWhitelist',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:9-','android:46-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'foobar.example.com',
'id': 30,
'caption': '''Kerberos delegation server whitelist''',
'tags': [],
'desc': '''Servers that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> may delegate to.
Separate multiple server names with commas. Wildcards (*) are allowed.
If you leave this policy not set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not delegate user credentials even if a server is detected as Intranet.''',
},
{
'name': 'GSSAPILibraryName',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.linux:9-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'libgssapi_krb5.so.2',
'id': 31,
'caption': '''GSSAPI library name''',
'tags': [],
'desc': '''Specifies which GSSAPI library to use for HTTP authentication. You can set either just a library name, or a full path.
If no setting is provided, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will fall back to using a default library name.''',
},
{
'name': 'AuthAndroidNegotiateAccountType',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['android:46-','webview_android:49-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'com.example.spnego',
'id': 305,
'caption': '''Account type for <ph name="HTTP_NEGOTIATE">HTTP Negotiate</ph> authentication''',
'tags': [],
'desc': '''Specifies the account type of the accounts provided by the Android authentication app that supports <ph name="HTTP_NEGOTIATE">HTTP Negotiate</ph> authentication (e.g. Kerberos authentication). This information should be available from the supplier of the authentication app. For more details see https://goo.gl/hajyfN.
If no setting is provided, <ph name="HTTP_NEGOTIATE">HTTP Negotiate</ph> authentication is disabled on Android.''',
},
{
'name': 'AllowCrossOriginAuthPrompt',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:13-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 89,
'caption': '''Cross-origin HTTP Basic Auth prompts''',
'tags': ['website-sharing'],
'desc': '''Controls whether third-party sub-content on a page is allowed to pop-up an HTTP Basic Auth dialog box.
Typically this is disabled as a phishing defense. If this policy is not set, this is disabled and third-party sub-content will not be allowed to pop up a HTTP Basic Auth dialog box.''',
},
],
},
{
'name': 'Extensions',
'type': 'group',
'caption': '''Extensions''',
'desc': '''Configures extension-related policies. The user is not allowed to install blacklisted extensions unless they are whitelisted. You can also force <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to automatically install extensions by specifying them in <ph name="EXTENSIONINSTALLFORCELIST_POLICY_NAME">ExtensionInstallForcelist</ph>. Force-installed extensions are installed regardless whether they are present in the blacklist.''',
'policies': [
{
'name': 'ExtensionInstallBlacklist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['extension_id1', 'extension_id2'],
'id': 32,
'caption': '''Configure extension installation blacklist''',
'tags': [],
'desc': '''Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted.
A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist.
If this policy is left not set the user can install any extension in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'label': '''Extension IDs the user should be prevented from installing (or * for all)''',
},
{
'name': 'ExtensionInstallWhitelist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['extension_id1', 'extension_id2'],
'id': 33,
'caption': '''Configure extension installation whitelist''',
'tags': [],
'desc': '''Allows you to specify which extensions are not subject to the blacklist.
A blacklist value of * means all extensions are blacklisted and users can only install extensions listed in the whitelist.
By default, all extensions are whitelisted, but if all extensions have been blacklisted by policy, the whitelist can be used to override that policy.''',
'label': '''Extension IDs to exempt from the blacklist''',
},
{
'name': 'ExtensionInstallForcelist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:9-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx'],
'id': 34,
'caption': '''Configure the list of force-installed apps and extensions''',
'tags': ['full-admin-access'],
'desc': '''
Specifies a list of apps and extensions that are installed silently,
without user interaction, and which cannot be uninstalled by the
user. All permissions requested by the apps/extensions are granted
implicitly, without user interaction, including any additional
permissions requested by future versions of the app/extension.
Furthermore, permissions are granted for the
enterprise.deviceAttributes and enterprise.platformKeys extension
APIs. (These two APIs are not available to apps/extensions that are
not force-installed.)
This policy takes precedence over a potentially conflicting
ExtensionsInstallBlacklist policy. If an app or extension that
previously had been force-installed is removed from this list, it is
automatically uninstalled by <ph name="PRODUCT_NAME">$1<ex>Google
Chrome</ex></ph>.
For Windows instances that are not joined to an Active Directory
domain, forced installation is limited to apps and extensions listed
in the Chrome Web Store.
Note that the source code of any extension may be altered by users via
Developer Tools (potentially rendering the extension
dysfunctional). If this is a concern, the DeveloperToolsDisabled
policy should be set.
Each list item of the policy is a string that contains an extension ID
and an "update" URL separated by a semicolon (<ph
name="SEMICOLON">;</ph>). The extension ID is the 32-letter string
found e.g. on <ph
name="CHROME_EXTENSIONS_LINK">chrome://extensions</ph> when in
developer mode. The "update" URL should point to an Update Manifest
XML document as described at <ph
name="LINK_TO_EXTENSION_DOC1">https://developer.chrome.com/extensions/autoupdate</ph>. Note
that the "update" URL set in this policy is only used for the initial
installation; subsequent updates of the extension employ the update
URL indicated in the extension's manifest.
For example, <ph
name="EXTENSION_POLICY_EXAMPLE">gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx</ph>
installs the <ph name="EXTENSION_POLICY_EXAMPLE_EXTENSION_NAME">Chrome
Remote Desktop</ph> app from the standard Chrome Web Store "update"
URL. For more information about hosting extensions, see: <ph
name="LINK_TO_EXTENSION_DOC2">https://developer.chrome.com/extensions/hosting</ph>.
If this policy is left not set, no apps or extensions are installed
automatically and the user can uninstall any app or extension in <ph
name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
'label': '''Extension/App IDs and update URLs to be silently installed''',
},
{
'name': 'ExtensionInstallSources',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
'id': 'ExtensionInstallSources',
},
'supported_on': ['chrome.*:21-', 'chrome_os:21-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://corp.mycompany.com/*'],
'id': 148,
'caption': '''Configure extension, app, and user script install sources''',
'tags': ['full-admin-access', 'system-security'],
'desc': '''Allows you to specify which URLs are allowed to install extensions, apps, and themes.
Starting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 21, it is more difficult to install extensions, apps, and user scripts from outside the Chrome Web Store. Previously, users could click on a link to a *.crx file, and <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> would offer to install the file after a few warnings. After <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 21, such files must be downloaded and dragged onto the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> settings page. This setting allows specific URLs to have the old, easier installation flow.
Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users will be able to easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (i.e. the referrer) must be allowed by these patterns.
ExtensionInstallBlacklist takes precedence over this policy. That is, an extension on the blacklist won't be installed, even if it happens from a site on this list.''',
'label': '''URL patterns to allow extension, app, and user script installs from''',
},
{
'name': 'ExtensionAllowedTypes',
'type': 'list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'extension',
'theme',
'user_script',
'hosted_app',
'legacy_packaged_app',
'platform_app'
],
},
'id': 'ExtensionAllowedTypes',
},
'supported_on': ['chrome.*:25-', 'chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['hosted_app'],
'id': 168,
'caption': '''Configure allowed app/extension types''',
'tags': [],
'desc': '''Controls which app/extension types are allowed to be installed.
This setting white-lists the allowed types of extension/apps that can be installed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. The value is a list of strings, each of which should be one of the following: "extension", "theme", "user_script", "hosted_app", "legacy_packaged_app", "platform_app". See the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> extensions documentation for more information on these types.
Note that this policy also affects extensions and apps to be force-installed via ExtensionInstallForcelist.
If this setting is configured, extensions/apps which have a type that is not on the list will not be installed.
If this settings is left not-configured, no restrictions on the acceptable extension/app types are enforced.''',
'label': '''Types of extensions/apps that are allowed to be installed''',
},
{
'name': 'ExtensionSettings',
'type': 'dict',
'schema': {
'type': 'object',
'patternProperties': {
'^[a-p]{32}$': {
'type': 'object',
'properties': {
'installation_mode': {
'type': 'string',
'enum': ['blocked', 'allowed', 'force_installed', 'normal_installed']
},
'update_url': { 'type': 'string' },
'blocked_permissions': {
'type': 'array',
'items': {
'type': 'string',
'pattern': '^[a-z][a-zA-Z.]*$',
},
'id': 'ListOfPermissions',
},
'allowed_permissions': {
'$ref': 'ListOfPermissions',
},
'minimum_version_required': {
'type': 'string',
'pattern': '^[0-9]+([.][0-9]+)*$',
},
},
},
'^update_url:': {
'type': 'object',
'properties': {
'installation_mode': {
'type': 'string',
'enum': ['blocked', 'allowed']
},
'blocked_permissions': {
'$ref': 'ListOfPermissions',
},
'allowed_permissions': {
'$ref': 'ListOfPermissions',
},
},
},
},
'properties': {
'*': {
'type': 'object',
'properties': {
'installation_mode': {
'type': 'string',
'enum': ['blocked', 'allowed']
},
'blocked_permissions': {
'$ref': 'ListOfPermissions',
},
'install_sources': {
'$ref': 'ExtensionInstallSources',
},
'allowed_types': {
'$ref': 'ExtensionAllowedTypes',
},
},
},
},
},
'future': True,
'supported_on': ['chrome.*:40-', 'chrome_os:40-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {
'abcdefghijklmnopabcdefghijklmnop' : {
'installation_mode': 'allowed',
'blocked_permissions': ['history'],
'minimum_version_required': '1.0.1',
},
'bcdefghijklmnopabcdefghijklmnopa' : {
'installation_mode': 'force_installed',
'update_url': 'https://example.com/update_url',
'allowed_permissions': ['downloads'],
},
'update_url:https://www.example.com/update.xml': {
'blocked_permissions': ['wallpaper'],
},
'*': {
'installation_mode': 'blocked',
'blocked_permissions': ['downloads', 'bookmarks'],
'install_sources': ['https://company-intranet/chromeapps'],
'allowed_types': ['hosted_app'],
},
},
'id': 278,
'caption': 'Extension management settings',
'tags': [],
'desc': '''Configures extension management settings for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy controls multiple settings, including settings controlled by any existing extension-related policies. This policy will override any legacy policies if both are set.
This policy maps an extension ID or an update URL to its configuration. With an extension ID, configuration will be applied to the specified extension only. A default configuration can be set for the special ID "*", which will apply to all extensions that don't have a custom configuration set in this policy. With an update URL, configuration will be applied to all extensions with the exact update URL stated in manifest of this extension, as described at <ph name="LINK_TO_EXTENSION_DOC1">https://developer.chrome.com/extensions/autoupdate</ph>.
The configuration for each extension (or extensions with same update URL) is another dictionary that can contain the fields documented below.
"installation_mode": maps to a string indicating the installation mode for the extension. The valid strings are:
* "allowed": allows the extension to be installed by the user. This is the default behavior.
* "blocked": blocks installation of the extension.
* "force_installed": the extension is automatically installed and can't be removed by the user.
* "normal_installed": the extension is automatically installed but can be disabled by the user.
The "installation_mode" can also be configured for multiple extensions as well, including the "*" extension (as default settings) and extensions with same update URL. Only the "allowed" and "blocked" values can be used in this case.
If the mode is set to "force_installed" or "normal_installed" then an "update_url" must be configured too. Note that the update URL set in this policy is only used for the initial installation; subsequent updates of the extension will use the update URL indicated in the extension's manifest. The update URL should point to an Update Manifest XML document as mentioned above.
"blocked_permissions": maps to a list of strings indicating the blocked API permissions for the extension. The permissions names are same as the permission strings declared in manifest of extension as described at <ph name="LINK_TO_EXTENSION_DOC3">https://developer.chrome.com/extensions/declare_permissions</ph>. This setting also can be configured for "*" extension. If the extension requires a permission which is on the blocklist, it will not be allowed to load. If it contains a blocked permission as optional requirement, it will be handled in the normal way, but requesting conflicting permissions will be declined automatically at runtime.
"allowed_permissions": similar to "blocked_permissions", but instead explicitly allow some permissions which might be blocked by global blocked permission list, thus can not be configured for "*" extension. Note that this setting doesn't give granted permissions to extensions automatically.
"minimum_version_required": maps to a version string. The format of the version string is the same as the one used in extension manifest, as described at <ph name="LINK_TO_EXTENSION_DOC4">https://developer.chrome.com/apps/manifest/version</ph>. An extension with a version older than the specified minimum version will be disabled. This applies to force-installed extensions as well.
The following settings can be used only for the default "*" configuration:
"install_sources": Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users will be able to easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (i.e. the referrer) must be allowed by these patterns.
"allowed_types": This setting whitelists the allowed types of extension/apps that can be installed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. The value is a list of strings, each of which should be one of the following: "extension", "theme", "user_script", "hosted_app", "legacy_packaged_app", "platform_app". See the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> extensions documentation for more information on these types.
This policy isn't ready for usage yet, please don't use it.
'''
},
],
},
{
'name': 'ShowHomeButton',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 35,
'caption': '''Show Home button on toolbar''',
'tags': [],
'desc': '''Shows the Home button on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s toolbar.
If you enable this setting, the Home button is always shown.
If you disable this setting, the Home button is never shown.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Leaving this policy not set will allow the user to choose whether to show the home button.''',
},
{
'name': 'DeveloperToolsDisabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:9-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 36,
'caption': '''Disable Developer Tools''',
'tags': [],
'desc': '''Disables the Developer Tools and the JavaScript console.
If you enable this setting, the Developer Tools can not be accessed and web-site elements can not be inspected anymore. Any keyboard shortcuts and any menu or context menu entries to open the Developer Tools or the JavaScript Console will be disabled.
Setting this option to disabled or leaving it not set will allow the use to use the Developer Tools and the JavaScript console.''',
},
{
'name': 'RestoreOnStartupGroup',
'type': 'group',
'caption': '''Startup pages''',
'desc': '''Allows you to configure the pages that are loaded on startup.
The contents of the list 'URLs to open at startup' are ignored unless you select 'Open a list of URLs' in 'Action on startup'.''',
'policies': [
{
'name': 'RestoreOnStartup',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 4, 5 ],
},
'items': [
{
'name': 'RestoreOnStartupIsNewTabPage',
'value': 5,
'caption': '''Open New Tab Page''',
},
{
'name': 'RestoreOnStartupIsLastSession',
'value': 1,
'caption': '''Restore the last session''',
},
{
'name': 'RestoreOnStartupIsURLs',
'value': 4,
'caption': '''Open a list of URLs''',
},
],
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 4,
'id': 37,
'caption': '''Action on startup''',
'tags': [],
'desc': '''Allows you to specify the behavior on startup.
If you choose 'Open New Tab Page' the New Tab Page will always be opened when you start <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you choose 'Restore the last session', the URLs that were open last time <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> was closed will be reopened and the browsing session will be restored as it was left.
Choosing this option disables some settings that rely on sessions or that perform actions on exit (such as Clear browsing data on exit or session-only cookies).
If you choose 'Open a list of URLs', the list of 'URLs to open on startup' will be opened when a user starts <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you enable this setting, users cannot change or override it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Disabling this setting is equivalent to leaving it not configured. The user will still be able to change it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy is not available on Windows instances that are not joined
to an Active Directory domain.''',
},
{
'name': 'RestoreOnStartupURLs',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://example.com', 'https://www.chromium.org'],
'id': 38,
'caption': '''URLs to open on startup''',
'tags': [],
'desc': '''If 'Open a list of URLs' is selected as the startup action, this allows you to specify the list of URLs that are opened. If left not set no URL will be opened on start up.
This policy only works if the 'RestoreOnStartup' policy is set to 'RestoreOnStartupIsURLs'.
This policy is not available on Windows instances that are not joined
to an Active Directory domain.''',
},
],
},
{
'name': 'BlockThirdPartyCookies',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:10-', 'chrome_os:11-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 39,
'caption': '''Block third party cookies''',
'tags': [],
'desc': '''Blocks third party cookies.
Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar.
Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting.
If this policy is left not set, third party cookies will be enabled but the user will be able to change that.''',
},
{
# TODO(joaodasilva): Flag these policies with 'can_be_recommended'
# after fixing https://crbug.com/106683
'name': 'DefaultSearchProvider',
'type': 'group',
'caption': '''Default search provider''',
'desc': '''Configures the default search provider. You can specify the default search provider that the user will use or choose to disable default search.''',
'policies': [
{
'name': 'DefaultSearchProviderEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 40,
'caption': '''Enable the default search provider''',
'tags': [],
'desc': '''Enables the use of a default search provider.
If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL.
You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider.
If you disable this setting, no search is performed when the user enters non-URL text in the omnibox.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.
This policy is not available on Windows instances that are not joined
to an Active Directory domain.''',
},
{
'name': 'DefaultSearchProviderName',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'My Intranet Search',
'id': 41,
'caption': '''Default search provider name''',
'tags': ['website-sharing'],
'desc': '''Specifies the name of the default search provider. If left empty or not set, the host name specified by the search URL will be used.
This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderKeyword',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'mis',
'id': 42,
'caption': '''Default search provider keyword''',
'tags': [],
'desc': '''Specifies the keyword, which is the shortcut used in the omnibox to trigger the search for this provider.
This policy is optional. If not set, no keyword will activate the search provider.
This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderSearchURL',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [
'chrome.*:8-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/search?q={searchTerms}',
'id': 43,
'caption': '''Default search provider search URL''',
'tags': ['website-sharing'],
'desc': '''Specifies the URL of the search engine used when doing a default search. The URL should contain the string '<ph name="SEARCH_TERM_MARKER">{searchTerms}</ph>', which will be replaced at query time by the terms the user is searching for.
This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case.''',
},
{
'name': 'DefaultSearchProviderSuggestURL',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/suggest?q={searchTerms}',
'id': 44,
'caption': '''Default search provider suggest URL''',
'tags': [],
'desc': '''Specifies the URL of the search engine used to provide search suggestions. The URL should contain the string '<ph name="SEARCH_TERM_MARKER">{searchTerms}</ph>', which will be replaced at query time by the text the user has entered so far.
This policy is optional. If not set, no suggest URL will be used.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderInstantURL',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:10-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/suggest?q={searchTerms}',
'id': 45,
'caption': '''Default search provider instant URL''',
'tags': [],
'desc': '''Specifies the URL of the search engine used to provide instant results. The URL should contain the string <ph name="SEARCH_TERM_MARKER">'{searchTerms}'</ph>, which will be replaced at query time by the text the user has entered so far.
This policy is optional. If not set, no instant search results will be provided.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderIconURL',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/favicon.ico',
'id': 46,
'caption': '''Default search provider icon''',
'tags': [],
'desc': '''Specifies the favorite icon URL of the default search provider.
This policy is optional. If not set, no icon will be present for the search provider.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderEncodings',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['UTF-8', 'UTF-16', 'GB2312', 'ISO-8859-1'],
'id': 47,
'caption': '''Default search provider encodings''',
'tags': [],
'desc': '''Specifies the character encodings supported by the search provider. Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided.
This policy is optional. If not set, the default will be used which is UTF-8.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderAlternateURLs',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:24-', 'chrome_os:24-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://search.my.company/suggest#q={searchTerms}', 'https://search.my.company/suggest/search#q={searchTerms}'],
'id': 161,
'caption': '''List of alternate URLs for the default search provider''',
'tags': [],
'desc': '''Specifies a list of alternate URLs that can be used to extract search terms from the search engine. The URLs should contain the string <ph name="SEARCH_TERM_MARKER">'{searchTerms}'</ph>, which will be used to extract the search terms.
This policy is optional. If not set, no alternate urls will be used to extract search terms.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderSearchTermsReplacementKey',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:25-', 'chrome_os:25-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'espv',
'id': 171,
'caption': '''Parameter controlling search term placement for the default search provider''',
'tags': [],
'desc': '''If this policy is set and a search URL suggested from the omnibox contains this parameter in the query string or in the fragment identifier, then the suggestion will show the search terms and search provider instead of the raw search URL.
This policy is optional. If not set, no search term replacement will be performed.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderImageURL',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:29-', 'chrome_os:29-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/searchbyimage/upload',
'id': 229,
'caption': '''Parameter providing search-by-image feature for the default search provider''',
'tags': [],
'desc': '''Specifies the URL of the search engine used to provide image search. Search requests will be sent using the GET method. If the DefaultSearchProviderImageURLPostParams policy is set then image search requests will use the POST method instead.
This policy is optional. If not set, no image search will be used.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderNewTabURL',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:30-', 'chrome_os:30-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'https://search.my.company/newtab',
'id': 237,
'caption': '''Default search provider new tab page URL''',
'tags': [],
'desc': '''Specifies the URL that a search engine uses to provide a new tab page.
This policy is optional. If not set, no new tab page will be provided.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderSearchURLPostParams',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:29-', 'chrome_os:29-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'q={searchTerms},ie=utf-8,oe=utf-8',
'id': 230,
'caption': '''Parameters for search URL which uses POST''',
'tags': [],
'desc': '''Specifies the parameters used when searching a URL with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.
This policy is optional. If not set, search request will be sent using the GET method.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderSuggestURLPostParams',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:29-', 'chrome_os:29-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'q={searchTerms},ie=utf-8,oe=utf-8',
'id': 231,
'caption': '''Parameters for suggest URL which uses POST''',
'tags': [],
'desc': '''Specifies the parameters used when doing suggestion search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.
This policy is optional. If not set, suggest search request will be sent using the GET method.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderInstantURLPostParams',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:29-', 'chrome_os:29-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'q={searchTerms},ie=utf-8,oe=utf-8',
'id': 232,
'caption': '''Parameters for instant URL which uses POST''',
'tags': [],
'desc': '''Specifies the parameters used when doing instant search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.
This policy is optional. If not set, instant search request will be sent using the GET method.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
{
'name': 'DefaultSearchProviderImageURLPostParams',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:29-', 'chrome_os:29-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'content={imageThumbnail},url={imageURL},sbisrc={SearchSource}',
'id': 233,
'caption': '''Parameters for image URL which uses POST''',
'tags': [],
'desc': '''Specifies the parameters used when doing image search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {imageThumbnail} in above example, it will be replaced with real image thumbnail data.
This policy is optional. If not set, image search request will be sent using the GET method.
This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.''',
},
],
},
{
# TODO(joaodasilva): Flag these policies with 'can_be_recommended'
# after fixing https://crbug.com/106682
'name': 'ContentSettings',
'type': 'group',
'caption': '''Content Settings''',
'desc': '''Content Settings allow you to specify how contents of a specific type (for example Cookies, Images or JavaScript) is handled.''',
'policies': [
{
'name': 'DefaultCookiesSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 4 ],
},
'items': [
{
'name': 'AllowCookies',
'value': 1,
'caption': '''Allow all sites to set local data''',
},
{
'name': 'BlockCookies',
'value': 2,
'caption': '''Do not allow any site to set local data''',
},
{
'name': 'SessionOnly',
'value': 4,
'caption': '''Keep cookies for the duration of the session''',
},
],
'supported_on': [
'chrome.*:10-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 48,
'caption': '''Default cookies setting''',
'tags': [],
'desc': '''Allows you to set whether websites are allowed to set local data. Setting local data can be either allowed for all websites or denied for all websites.
If this policy is set to 'Keep cookies for the duration of the session' then cookies will be cleared when the session closes. Note that if <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is running in 'background mode', the session may not close when the last window is closed. Please see the 'BackgroundModeEnabled' policy for more information about configuring this behavior.
If this policy is left not set, 'AllowCookies' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultImagesSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowImages',
'value': 1,
'caption': '''Allow all sites to show all images''',
},
{
'name': 'BlockImages',
'value': 2,
'caption': '''Do not allow any site to show images''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 49,
'caption': '''Default images setting''',
'tags': [],
'desc': '''Allows you to set whether websites are allowed to display images. Displaying images can be either allowed for all websites or denied for all websites.
If this policy is left not set, 'AllowImages' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultJavaScriptSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowJavaScript',
'value': 1,
'caption': '''Allow all sites to run JavaScript''',
},
{
'name': 'BlockJavaScript',
'value': 2,
'caption': '''Do not allow any site to run JavaScript''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 50,
'caption': '''Default JavaScript setting''',
'tags': [],
'desc': '''Allows you to set whether websites are allowed to run JavaScript. Running JavaScript can be either allowed for all websites or denied for all websites.
If this policy is left not set, 'AllowJavaScript' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultPluginsSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3 ],
},
'items': [
{
'name': 'AllowPlugins',
'value': 1,
'caption': '''Allow all sites to automatically run plugins''',
},
{
'name': 'BlockPlugins',
'value': 2,
'caption': '''Block all plugins''',
},
{
'name': 'ClickToPlay',
'value': 3,
'caption': '''Click to play''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 51,
'caption': '''Default plugins setting''',
'tags': [],
'desc': '''Allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites.
Click to play allows plugins to run but the user must click them to start their execution.
If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultPopupsSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowPopups',
'value': 1,
'caption': '''Allow all sites to show pop-ups''',
},
{
'name': 'BlockPopups',
'value': 2,
'caption': '''Do not allow any site to show popups''',
},
],
'supported_on': [
'chrome.*:10-',
'chrome_os:11-',
'ios:34-47',
'android:33-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 52,
'caption': '''Default popups setting''',
'tags': [],
'desc': '''Allows you to set whether websites are allowed to show pop-ups. Showing popups can be either allowed for all websites or denied for all websites.
If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultNotificationsSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3 ],
},
'items': [
{
'name': 'AllowNotifications',
'value': 1,
'caption': '''Allow sites to show desktop notifications''',
},
{
'name': 'BlockNotifications',
'value': 2,
'caption': '''Do not allow any site to show desktop notifications''',
},
{
'name': 'AskNotifications',
'value': 3,
'caption': '''Ask every time a site wants to show desktop notifications''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'id': 53,
'caption': '''Default notification setting''',
'tags': [],
'desc': '''Allows you to set whether websites are allowed to display desktop notifications. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications.
If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultGeolocationSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2, 3 ],
},
'items': [
{
'name': 'AllowGeolocation',
'value': 1,
'caption': '''Allow sites to track the users' physical location''',
},
{
'name': 'BlockGeolocation',
'value': 2,
'caption': '''Do not allow any site to track the users' physical location''',
},
{
'name': 'AskGeolocation',
'value': 3,
'caption': '''Ask whenever a site wants to track the users' physical location''',
},
],
'supported_on': ['chrome.*:10-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 0,
'id': 54,
'caption': '''Default geolocation setting''',
'tags': ['website-sharing'],
'desc': '''Allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.
If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultMediaStreamSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 2, 3 ],
},
'items': [
{
'name': 'BlockAccess',
'value': 2,
'caption': '''Do not allow any site to access the camera and microphone''',
},
{
'name': 'PromptOnAccess',
'value': 3,
'caption': '''Ask every time a site wants to access the camera and/or microphone''',
},
],
'supported_on': ['chrome.*:22-', 'chrome_os:22-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 2,
'id': 149,
'caption': '''Default mediastream setting''',
'tags': ['website-sharing'],
'desc': '''Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.
If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.''',
},
{
'name': 'DefaultKeygenSetting',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 1, 2 ],
},
'items': [
{
'name': 'AllowKeygen',
'value': 1,
'caption': '''Allow all sites to use key generation''',
},
{
'name': 'BlockKeygen',
'value': 2,
'caption': '''Do not allow any site to use key generation''',
},
],
'supported_on': ['chrome.*:49-', 'chrome_os:49-', 'android:49-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 2,
'id': 313,
'caption': '''Default key generation setting''',
'tags': ['system-security', 'website-sharing', 'local-data-access'],
'desc': '''Allows you to set whether websites are allowed to use key generation. Using key generation can be either allowed for all websites or denied for all websites.
If this policy is left not set, 'BlockKeygen' will be used and the user will be able to change it.''',
},
{
'name': 'AutoSelectCertificateForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:15-', 'chrome_os:15-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ["{\\\"pattern\\\":\\\"https://www.example.com\\\",\\\"filter\\\":{\\\"ISSUER\\\":{\\\"CN\\\":\\\"certificate issuer name\\\"}}}"],
'id': 102,
'caption': '''Automatically select client certificates for these sites''',
'tags': ['website-sharing'],
'desc': '''Allows you to specify a list of url patterns that specify sites for which <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> should automatically select a client certificate, if the site requests a certificate.
The value must be an array of stringified JSON dictionaries. Each dictionary must have the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts from which client certificates the browser will automatically select. Independent of the filter, only certificates will be selected that match the server's certificate request. If $FILTER has the form { "ISSUER": { "CN": "$ISSUER_CN" } }, additionally only client certificates are selected that are issued by a certificate with the CommonName $ISSUER_CN. If $FILTER is the empty dictionary {}, the selection of client certificates is not additionally restricted.
If this policy is left not set, no auto-selection will be done for any site.''',
},
{
'name': 'CookiesAllowedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 77,
'caption': '''Allow cookies on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to set cookies.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'CookiesBlockedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 67,
'caption': '''Block cookies on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to set cookies.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'CookiesSessionOnlyForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'android:30-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 68,
'caption': '''Allow session only cookies on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to set session only cookies.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise.
Note that if <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is running in 'background mode', the session may not be closed when the last browser window is closed, but will instead stay active until the browser exits. Please see the 'BackgroundModeEnabled' policy for more information about configuring this behavior.
If the "RestoreOnStartup" policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.''',
},
{
'name': 'ImagesAllowedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 69,
'caption': '''Allow images on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to display images.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultImagesSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'ImagesBlockedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 70,
'caption': '''Block images on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to display images.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultImagesSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'JavaScriptAllowedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 71,
'caption': '''Allow JavaScript on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to run JavaScript.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'JavaScriptBlockedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 72,
'caption': '''Block JavaScript on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to run JavaScript.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'KeygenAllowedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:49-', 'chrome_os:49-', 'android:49-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 314,
'caption': '''Allow key generation on these sites''',
'tags': ['system-security', 'website-sharing', 'local-data-access'],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to use key generation. If a url pattern is in 'KeygenBlockedForUrls', that overrides these exceptions.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultKeygenSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'KeygenBlockedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:49-', 'chrome_os:49-', 'android:49-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 315,
'caption': '''Block key generation on these sites''',
'tags': ['system-security', 'website-sharing', 'local-data-access'],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to use key generation. If a url pattern is in 'KeygenAllowedForUrls', this policy overrides these exceptions.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultKeygenSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'PluginsAllowedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 73,
'caption': '''Allow plugins on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to run plugins.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'PluginsBlockedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:11-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 74,
'caption': '''Block plugins on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to run plugins.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'PopupsAllowedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'ios:34-47',
'android:34-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 75,
'caption': '''Allow popups on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to open popups.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultPopupsSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'RegisteredProtocolHandlers',
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'default': {
'description': 'A boolean flag indicating if the protocol handler should be set as the default.',
'type': 'boolean'
},
'protocol': {
'description': 'The protocol for the protocol handler.',
'type': 'string'
},
'url': {
'description': 'The URL of the protocol handler.',
'type': 'string'
}
},
'required': ['protocol', 'url']
}
},
'supported_on': ['chrome.*:37-', 'chrome_os:37-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
'can_be_recommended': True,
'can_be_mandatory' : False,
},
'example_value': [{'protocol': 'mailto', 'url': 'https://mail.google.com/mail/?extsrc=mailto&url=%s', 'default': True}],
'id': 268,
'caption': '''Register protocol handlers''',
'tags': [],
'desc': '''Allows you to register a list of protocol handlers. This can only be a recommended policy. The property |protocol| should be set to the scheme such as 'mailto' and the property |url| should be set to the URL pattern of the application that handles the scheme. The pattern can include a '%s', which if present will be replaced by the handled URL.
The protocol handlers registered by policy are merged with the ones registered by the user and both are available for use. The user can override the protocol handlers installed by policy by installing a new default handler, but cannot remove a protocol handler registered by policy.''',
},
{
'name': 'PopupsBlockedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:11-',
'chrome_os:11-',
'ios:34-47',
'android:34-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 76,
'caption': '''Block popups on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to open popups.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultPopupsSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'NotificationsAllowedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:16-', 'chrome_os:16-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 105,
'caption': '''Allow notifications on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are allowed to display notifications.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultNotificationsSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
{
'name': 'NotificationsBlockedForUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:16-', 'chrome_os:16-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com', '[*.]example.edu'],
'id': 106,
'caption': '''Block notifications on these sites''',
'tags': [],
'desc': '''Allows you to set a list of url patterns that specify sites which are not allowed to display notifications.
If this policy is left not set the global default value will be used for all sites either from the 'DefaultNotificationsSetting' policy if it is set, or the user's personal configuration otherwise.''',
},
],
},
{
'name': 'NativeMessaging',
'type': 'group',
'caption': '''Native Messaging''',
'desc': '''Configures policies for Native Messaging. Blacklisted native messaging hosts won't be allowed unless they are whitelisted.''',
'policies': [
{
'name': 'NativeMessagingBlacklist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:34-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
'com.native.messaging.host.name1',
'com.native.messaging.host.name2',
],
'id': 251,
'caption': '''Configure native messaging blacklist''',
'tags': [],
'desc': '''Allows you to specify which native messaging hosts that should not be loaded.
A blacklist value of '*' means all native messaging hosts are blacklisted unless they are explicitly listed in the whitelist.
If this policy is left not set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will load all installed native messaging hosts.''',
'label': '''Names of the forbidden native messaging hosts (or * for all)''',
},
{
'name': 'NativeMessagingWhitelist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:34-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
'com.native.messaging.host.name1',
'com.native.messaging.host.name2',
],
'id': 252,
'caption': '''Configure native messaging whitelist''',
'tags': [],
'desc': '''Allows you to specify which native messaging hosts are not subject to the blacklist.
A blacklist value of * means all native messaging hosts are blacklisted and only native messaging hosts listed in the whitelist will be loaded.
By default, all native messaging hosts are whitelisted, but if all native messaging hosts have been blacklisted by policy, the whitelist can be used to override that policy.''',
'label': '''Names of the native messaging hosts to exempt from the blacklist''',
},
{
'name': 'NativeMessagingUserLevelHosts',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:34-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 253,
'caption': '''Allow user-level Native Messaging hosts (installed without admin permissions).''',
'tags': [],
'desc': '''Enables user-level installation of Native Messaging hosts.
If this setting is enabled then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> allows
usage of Native Messaging hosts installed on user level.
If this setting is disabled then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will
only use Native Messaging hosts installed on system level.
If this setting is left not set <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>
will allow usage of user-level Native Messaging hosts.''',
},
],
},
{
'name': 'Disable3DAPIs',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:9-', 'chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 55,
'caption': '''Disable support for 3D graphics APIs''',
'tags': [],
'desc': '''Disable support for 3D graphics APIs.
Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API.
Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs.
If HardwareAccelerationModeEnabled is set to false, Disable3DAPIs is ignored and it is equivalent to Disable3DAPIs being set to true.''',
},
{
'name': 'PolicyRefreshRate',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:11-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 3600000,
'id': 56,
'caption': '''Refresh rate for user policy''',
'tags': [],
'desc': '''Specifies the period in milliseconds at which the device management service is queried for user policy information.
Setting this policy overrides the default value of 3 hours. Valid values for this policy are in the range from 1800000 (30 minutes) to 86400000 (1 day). Any values not in this range will be clamped to the respective boundary.
Leaving this policy not set will make <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> use the default value of 3 hours.''',
},
{
'name': 'MaxInvalidationFetchDelay',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome.*:30-', 'chrome_os:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 10000,
'id': 228,
'caption': '''Maximum fetch delay after a policy invalidation''',
'tags': [],
'desc': '''Specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service.
Setting this policy overrides the default value of 5000 milliseconds. Valid values for this policy are in the range from 1000 (1 second) to 300000 (5 minutes). Any values not in this range will be clamped to the respective boundary.
Leaving this policy not set will make <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> use the default value of 5000 milliseconds.''',
},
{
'name': 'ChromeFrameRendererSettings',
'type': 'group',
'caption': '''Default HTML renderer for <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'desc': '''Allows you to configure the default HTML renderer when <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> is installed.
The default setting is to allow the host browser do the rendering, but you
can optionally override this and have <ph name="PRODUCT_FRAME_NAME">$3<ex>
Google Chrome Frame</ex></ph> render HTML pages by default.''',
'policies': [
{
'name': 'ChromeFrameRendererSettings',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'RenderInHost',
'value': 0,
'caption': '''Use the host browser by default''',
},
{
'name': 'RenderInChromeFrame',
'value': 1,
'caption': '''Use <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> by default''',
},
],
'supported_on': ['chrome_frame:8-32'],
'features': {
'dynamic_refresh': False,
},
'example_value': 1,
'id': 57,
'caption': '''Default HTML renderer for <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'tags': [],
'desc': '''Allows you to configure the default HTML renderer when <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> is installed.
The default setting used when this policy is left not set is to allow the host browser do the rendering, but you can optionally override this and have <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> render HTML pages by default.''',
},
{
'name': 'RenderInChromeFrameList',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_frame:8-32'],
'features': {
'dynamic_refresh': False,
},
'example_value': ['https://www.example.com', 'https://www.example.edu'],
'id': 58,
'caption': '''Always render the following URL patterns in <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'tags': [],
'desc': '''Customize the list of URL patterns that should always be rendered by <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>.
If this policy is not set the default renderer will be used for all sites as specified by the 'ChromeFrameRendererSettings' policy.
For example patterns see https://www.chromium.org/developers/how-tos/chrome-frame-getting-started.''',
},
{
'name': 'RenderInHostList',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_frame:8-32'],
'features': {
'dynamic_refresh': False,
},
'example_value': ['https://www.example.com', 'https://www.example.edu'],
'id': 59,
'caption': '''Always render the following URL patterns in the host browser''',
'tags': [],
'desc': '''Customize the list of URL patterns that should always be rendered by the host browser.
If this policy is not set the default renderer will be used for all sites as specified by the 'ChromeFrameRendererSettings' policy.
For example patterns see https://www.chromium.org/developers/how-tos/chrome-frame-getting-started.''',
},
{
'name': 'AdditionalLaunchParameters',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_frame:19-32'],
'features': {
'dynamic_refresh': False,
},
'example_value': '--enable-media-stream --enable-media-source',
'id': 141,
'caption': '''Additional command line parameters for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''Allows you to specify additional parameters that are used when <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> launches <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is not set the default command line will be used.''',
},
{
'name': 'SkipMetadataCheck',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_frame:31-32'],
'features': {
'dynamic_refresh': False,
},
'example_value': False,
'id': 238,
'caption': '''Skip the meta tag check in <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>''',
'tags': [],
'desc': '''Normally pages with X-UA-Compatible set to chrome=1 will be rendered in <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> regardless of the 'ChromeFrameRendererSettings' policy.
If you enable this setting, pages will not be scanned for meta tags.
If you disable this setting, pages will be scanned for meta tags.
If this policy is not set, pages will be scanned for meta tags.'''
},
],
},
{
'name': 'ChromeFrameContentTypes',
'type': 'group',
'caption': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the following content types''',
'desc': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the following content types.''',
'policies': [
{
'name': 'ChromeFrameContentTypes',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_frame:8-32'],
'features': {
'dynamic_refresh': False,
},
'example_value': ['text/xml', 'application/xml'],
'id': 60,
'caption': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the listed content types''',
'tags': [],
'desc': '''Allow <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> to handle the listed content types.
If this policy is not set the default renderer will be used for all sites as specified by the 'ChromeFrameRendererSettings' policy.''',
},
],
},
{
'name': 'ChromeOsLockOnIdleSuspend',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:9-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 61,
'caption': '''Enable lock when the device become idle or suspended''',
'tags': [],
'desc': '''Enable lock when <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices become idle or suspended.
If you enable this setting, users will be asked for a password to unlock the device from sleep.
If you disable this setting, users will not be asked for a password to unlock the device from sleep.
If you enable or disable this setting, users cannot change or override it.
If the policy is left not set the user can choose whether he wants to be asked for password to unlock the device or not.''',
},
{
'name': 'ChromeOsMultiProfileUserBehavior',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'unrestricted',
'primary-only',
'not-allowed',
],
},
'items': [
{
'name': 'MultiProfileUserBehaviorUnrestricted',
'value': 'unrestricted',
'caption': '''Allow enterprise user to be both primary and secondary (Default behavior for non-managed users)''',
},
{
'name': 'MultiProfileUserBehaviorMustBePrimary',
'value': 'primary-only',
'caption': '''Allow enterprise user to be primary multiprofile user only (Default behavior for enterprise-managed users)''',
},
{
'name': 'MultiProfileUserBehaviorNotAllowed',
'value': 'not-allowed',
'caption': '''Do not allow enterprise user to be part of multiprofile (primary or secondary)''',
},
],
'supported_on': ['chrome_os:31-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 'unrestricted',
'default_for_enterprise_users': 'primary-only',
'id': 244,
'caption': '''Control the user behavior in a multiprofile session''',
'tags': [],
'desc': '''Control the user behavior in a multiprofile session on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices.
If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can be either primary or secondary user in a multiprofile session.
If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user can only be the primary user in a multiprofile session.
If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user cannot be part of a multiprofile session.
If you set this setting, users cannot change or override it.
If the setting is changed while the user is signed into a multiprofile session, all users in the session will be checked against their corresponding settings. The session will be closed if any one of the users is no longer allowed to be in the session.
If the policy is left not set, the default value 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed users.''',
},
{
'name': 'InstantEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:11-28', 'chrome_os:11-28'],
'deprecated': True,
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 62,
'caption': '''Enable Instant''',
'tags': [],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s Instant feature and prevents users from changing this setting.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Instant is enabled.
If you disable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> Instant is disabled.
If you enable or disable this setting, users cannot change or override this setting.
If this setting is left not set the user can decide to use this function or not.
This setting has been removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 29 and higher versions.''',
},
{
'name': 'TranslateEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'chrome.*:12-',
'chrome_os:12-',
'android:30-',
'ios:34-47',
],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 80,
'caption': '''Enable Translate''',
'tags': [],
'desc': '''Enables the integrated Google Translate service on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will show an integrated toolbar offering to translate the page for the user, when appropriate.
If you disable this setting, users will never see the translation bar.
If you enable or disable this setting, users cannot change or override this setting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is left not set the user can decide to use this function or not.''',
},
{
'name': 'AllowOutdatedPlugins',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:12-', 'chrome_os:12-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 81,
'caption': '''Allow running plugins that are outdated''',
'tags': ['system-security'],
'desc': '''Allows <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to run plugins that are outdated.
If you enable this setting, outdated plugins are used as normal plugins.
If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them.
If this setting is not set, users will be asked for permission to run outdated plugins.''',
},
{
'name': 'AlwaysAuthorizePlugins',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:13-', 'chrome_os:13-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 86,
'caption': '''Always runs plugins that require authorization''',
'tags': ['system-security'],
'desc': '''Allows <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to run plugins that require authorization.
If you enable this setting, plugins that are not outdated always run.
If this setting is disabled or not set, users will be asked for permission to run plugins that require authorization. These are plugins that can compromise security.''',
},
{
'name': 'BookmarkBarEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:12-', 'chrome_os:12-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 82,
'caption': '''Enable Bookmark Bar''',
'tags': [],
'desc': '''Enables the bookmark bar on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you enable this setting, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will show a bookmark bar.
If you disable this setting, users will never see the bookmark bar.
If you enable or disable this setting, users cannot change or override it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this setting is left not set the user can decide to use this function or not.''',
},
{
'name': 'EditBookmarksEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:12-', 'chrome_os:12-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 83,
'caption': '''Enables or disables bookmark editing''',
'tags': [],
'desc': '''Enables or disables editing bookmarks in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If you enable this setting, bookmarks can be added, removed or modified. This is the default also when this policy is not set.
If you disable this setting, bookmarks can not be added, removed or modified. Existing bookmarks are still available.''',
},
{
'name': 'ShowAppsShortcutInBookmarkBar',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:37-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 267,
'caption': '''Show the apps shortcut in the bookmark bar''',
'tags': [],
'desc': '''Enables or disables the apps shortcut in the bookmark bar.
If this policy is not set then the user can choose to show or hide the apps shortcut from the bookmark bar context menu.
If this policy is configured then the user can't change it, and the apps shortcut is always shown or never shown.''',
},
{
'name': 'AllowFileSelectionDialogs',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:12-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 84,
'caption': '''Allow invocation of file selection dialogs''',
'tags': [],
'desc': '''Allows access to local files on the machine by allowing <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to display file selection dialogs.
If you enable this setting, users can open file selection dialogs as normal.
If you disable this setting, whenever the user performs an action which would provoke a file selection dialog (like importing bookmarks, uploading files, saving links, etc.) a message is displayed instead and the user is assumed to have clicked Cancel on the file selection dialog.
If this setting is not set, users can open file selection dialogs as normal.''',
},
{
'name': 'GCFUserDataDir',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_frame:12-32'],
'features': {
'dynamic_refresh': False,
},
'example_value': '${user_home}/Chrome Frame',
'id': 87,
'caption': '''Set <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> user data directory''',
'tags': [],
'desc': '''Configures the directory that <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> will use for storing user data.
If you set this policy, <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> will use the provided directory.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
If this setting is left not set the default profile directory will be used.''',
'label': '''Set user data directory''',
},
{
'name': 'DevicePolicyRefreshRate',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:11-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 3600000,
'id': 90,
'caption': '''Refresh rate for Device Policy''',
'tags': [],
'desc': '''Specifies the period in milliseconds at which the device management service is queried for device policy information.
Setting this policy overrides the default value of 3 hours. Valid values for this policy are in the range from 1800000 (30 minutes) to 86400000 (1 day). Any values not in this range will be clamped to the respective boundary.
Leaving this policy not set will make <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> use the default value of 3 hours.''',
},
{
'name': 'ImportBookmarks',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 97,
'caption': '''Import bookmarks from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''This policy forces bookmarks to be imported from the current default browser if enabled. If enabled, this policy also affects the import dialog.
If disabled, no bookmarks are imported.
If it is not set, the user may be asked whether to import, or importing may happen automatically.''',
'label': '''Import bookmarks from default browser on first run''',
},
{
'name': 'ImportHistory',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 98,
'caption': '''Import browsing history from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''This policy forces the browsing history to be imported from the current default browser if enabled. If enabled, this policy also affects the import dialog.
If disabled, no browsing history is imported.
If it is not set, the user may be asked whether to import, or importing may happen automatically.''',
'label': '''Import browsing history from default browser on first run''',
},
{
'name': 'ImportHomepage',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 99,
'caption': '''Import of homepage from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''This policy forces the home page to be imported from the current default browser if enabled.
If disabled, the home page is not imported.
If it is not set, the user may be asked whether to import, or importing may happen automatically.''',
'label': '''Import of homepage from default browser on first run''',
},
{
'name': 'ImportSearchEngine',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 100,
'caption': '''Import search engines from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''This policy forces search engines to be imported from the current default browser if enabled. If enabled, this policy also affects the import dialog.
If disabled, the default search engine is not imported.
If it is not set, the user may be asked whether to import, or importing may happen automatically.''',
'label': '''Import search engines from default browser on first run''',
},
{
'name': 'ImportSavedPasswords',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 101,
'caption': '''Import saved passwords from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog.
If disabled, the saved passwords are not imported.
If it is not set, the user may be asked whether to import, or importing may happen automatically.''',
'label': '''Import saved passwords from default browser on first run''',
},
{
'name': 'ImportAutofillFormData',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:39-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 277,
'caption': '''Import autofill form data from default browser on first run''',
'tags': ['local-data-access'],
'desc': '''This policy forces the autofill form data to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog.
If disabled, the autofill form data is not imported.
If it is not set, the user may be asked whether to import, or importing may happen automatically.''',
'label': '''Import autofill form data from default browser on first run''',
},
{
'name': 'MaxConnectionsPerProxy',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome.*:14-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 32,
'id': 92,
'caption': '''Maximal number of concurrent connections to the proxy server''',
'tags': [],
'desc': '''Specifies the maximal number of simultaneous connections to the proxy server.
Some proxy servers can not handle high number of concurrent connections per client and this can be solved by setting this policy to a lower value.
The value of this policy should be lower than 100 and higher than 6 and the default value is 32.
Some web apps are known to consume many connections with hanging GETs, so lowering below 32 may lead to browser networking hangs if too many such web apps are open. Lower below the default at your own risk.
If this policy is left not set the default value will be used which is 32.''',
},
{
'name': 'HideWebStorePromo',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:15-21', 'chrome_os:15-21'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
},
'example_value': False,
'id': 96,
'caption': '''Prevent app promotions from appearing on the new tab page''',
'tags': [],
'desc': '''When set to True, promotions for Chrome Web Store apps will not appear on the new tab page.
Setting this option to False or leaving it not set will make the promotions for Chrome Web Store apps appear on the new tab page''',
},
{
'name': 'URLBlacklist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:15-',
'chrome_os:15-',
'android:30-',
'webview_android:47-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['example.com', 'https://ssl.server.com', 'hosting.com/bad_path', 'https://server:8080/path', '.exact.hostname.com', 'file://*', '*'],
'id': 103,
'caption': '''Block access to a list of URLs''',
'tags': ['filtering'],
'desc': '''Blocks access to the listed URLs.
This policy prevents the user from loading web pages from blacklisted URLs. The blacklist provides a list of URL patterns that specify which URLs will be blacklisted.
Each URL pattern can either be a pattern for local files or a generic URL pattern. Local file patterns are of the format 'file://path', where path should be an absolute path to block. All file system locations for which that path is a prefix will be blocked.
A generic URL pattern has the format 'scheme://host:port/path'.
If present, only the specified scheme will be blocked. If the scheme:// prefix is not specified, all schemes are blocked.
The host is required and can be a hostname or an IP address. Subdomains of a hostname will also be blocked. To prevent blocking subdomains, include a '.' before the hostname. The special hostname '*' will block all domains.
The optional port is a valid port number from 1 to 65535. If none is specified, all ports are blocked.
If the optional path is specified, only paths with that prefix will be blocked.
Exceptions can be defined in the URL whitelist policy. These policies are limited to 1000 entries; subsequent entries will be ignored.
Note that it is not recommended to block internal 'chrome://*' URLs since this may lead to unexpected errors.
If this policy is not set no URL will be blacklisted in the browser.''',
},
{
'name': 'URLWhitelist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': [
'chrome.*:15-',
'chrome_os:15-',
'android:30-',
'webview_android:47-',
'ios:34-47',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['example.com', 'https://ssl.server.com', 'hosting.com/good_path', 'https://server:8080/path', '.exact.hostname.com'],
'id': 104,
'caption': '''Allows access to a list of URLs''',
'tags': [],
'desc': '''Allows access to the listed URLs, as exceptions to the URL blacklist.
See the description of the URL blacklist policy for the format of entries of this list.
This policy can be used to open exceptions to restrictive blacklists. For example, '*' can be blacklisted to block all requests, and this policy can be used to allow access to a limited list of URLs. It can be used to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths.
The most specific filter will determine if a URL is blocked or allowed. The whitelist takes precedence over the blacklist.
This policy is limited to 1000 entries; subsequent entries will be ignored.
If this policy is not set there will be no exceptions to the blacklist from the 'URLBlacklist' policy.''',
},
{
'name': 'OpenNetworkConfiguration',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:16-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}", "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false, "Security": "None", "AutoConnect": true } } ] }',
'id': 107,
'caption': '''User-level network configuration''',
'tags': ['full-admin-access'],
'desc': '''Allows pushing network configuration to be applied per-user to a <ph name="PRODUCT_OS_NAME">$2<ex>Chromium OS</ex></ph> device. The network configuration is a JSON-formatted string as defined by the Open Network Configuration format described at <ph name="ONC_SPEC_URL">https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/open-network-configuration</ph>''',
},
{
'name': 'DeviceOpenNetworkConfiguration',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:16-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': '{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}", "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false, "Security": "None", "AutoConnect": true } } ] }',
'id': 108,
'caption': '''Device-level network configuration''',
'tags': ['full-admin-access'],
'desc': '''Allows pushing network configuration to be applied for all users of a <ph name="PRODUCT_OS_NAME">$2<ex>Chromium OS</ex></ph> device. The network configuration is a JSON-formatted string as defined by the Open Network Configuration format described at <ph name="ONC_SPEC_URL">https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/open-network-configuration</ph>''',
},
{
'name': 'CloudPrintSubmitEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:17-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 109,
'caption': '''Enable submission of documents to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>''',
'tags': [],
'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to submit documents to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> for printing. NOTE: This only affects <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> support in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. It does not prevent users from submitting print jobs on web sites.
If this setting is enabled or not configured, users can print to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> print dialog.
If this setting is disabled, users cannot print to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> print dialog''',
},
{
'name': 'EnterpriseWebStoreURL',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:17-28', 'chrome_os:17-28'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 'https://company-intranet/chromeapps',
'id': 112,
'caption': '''Enterprise web store URL (deprecated)''',
'tags': [],
'desc': '''This setting has been retired as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 29. The recommended way to set up organization-hosted extension/app collections is to include the site hosting the CRX packages in ExtensionInstallSources and put direct download links to the packages on a web page. A launcher for that web page can be created using the ExtensionInstallForcelist policy.''',
},
{
'name': 'EnterpriseWebStoreName',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:17-28', 'chrome_os:17-28'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'example_value': 'WidgCo Chrome Apps',
'id': 113,
'caption': '''Enterprise web store name (deprecated)''',
'tags': [],
'desc': '''This setting has been retired as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 29. The recommended way to set up organization-hosted extension/app collections is to include the site hosting the CRX packages in ExtensionInstallSources and put direct download links to the packages on a web page. A launcher for that web page can be created using the ExtensionInstallForcelist policy.''',
},
{
'name': 'EnableOriginBoundCerts',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:17-35'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'future': True,
'example_value': True,
'id': 114,
'caption': '''Enable TLS domain-bound certificates extension (deprecated)''',
'tags': [],
'desc': '''This policy has been retired as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 36.
Specifies whether the TLS domain-bound certificates extension should be enabled.
This setting is used to enable the TLS domain-bound certificates extension for testing. This experimental setting will be removed in the future.''',
},
{
'name': 'EnableMemoryInfo',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:17-34', 'chrome_os:18-34'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'deprecated': True,
'future': True,
'example_value': False,
'id': 115,
'caption': '''Enable reporting memory info (JS heap size) to page (deprecated)''',
'tags': [],
'desc': '''This policy has been retired as of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 35.
Memory info is anyway reported to page, regardless of the option value, but the sizes reported are
quantized and the rate of updates is limited for security reasons. To obtain real-time precise data,
please use tools like Telemetry.''',
},
{
'name': 'DisablePrintPreview',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:18-'],
'deprecated': True,
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': False,
'id': 117,
'caption': '''Disable Print Preview (deprecated)''',
'tags': [],
'desc': '''Show the system print dialog instead of print preview.
When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will open the system print dialog instead of the built-in print preview when a user requests a page to be printed.
If this policy is not set or is set to false, print commands trigger the print preview screen.''',
},
{
'name': 'DefaultPrinterSelection',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:48-', 'chrome_os:48-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': '{ "kind": "cloud", "idPattern": ".*public", "namePattern": ".*Color" }',
'id': 308,
'caption': '''Default printer selection rules''',
'tags': [],
'desc': '''Overrides <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> default printer selection rules.
This policy determines the rules for selecting the default printer in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> which happens the first time the print function is used with a profile.
When this policy is set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will attempt to find a printer matching all of the specified attributes, and select it as default printer. The first printer found matching the policy is selected, in case of non-unique match any matching printer can be selected, depending on the order printers are discovered.
If this policy is not set or matching printer is not found within the timeout, the printer defaults to built-in PDF printer or no printer selected, when PDF printer is not available.
The value is parsed as JSON object, conforming to the following schema:
{
"type": "object",
"properties": {
"kind": {
"description": "Whether to limit the search of the matching printer to a specific set of printers.",
"type": {
"enum": [ "local", "cloud" ]
}
},
"idPattern": {
"description": "Regular expression to match printer id.",
"type": "string"
},
"namePattern": {
"description": "Regular expression to match printer display name.",
"type": "string"
}
}
}
Printers connected to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> are considered <ph name="PRINTER_TYPE_CLOUD">"cloud"</ph>, the rest of the printers are classified as <ph name="PRINTER_TYPE_LOCAL">"local"</ph>.
Omitting a field means all values match, for example, not specifying connectivity will cause Print Preview to initiate the discovery of all kinds of printers, local and cloud.
Regular expression patterns must follow the JavaScript RegExp syntax and matches are case sensistive.''',
},
{
'name': 'DisableSSLRecordSplitting',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:18-46', 'chrome_os:18-46'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 118,
'caption': '''Disable TLS False Start''',
'tags': [],
'desc': '''Specifies whether the <ph name="TLS_FALSE_START">TLS False Start</ph> optimization should be disabled. For historical reasons, this policy is named DisableSSLRecordSplitting.
If the policy is not set, or is set to false, then <ph name="TLS_FALSE_START">TLS False Start</ph> will be enabled. If it is set to true, <ph name="TLS_FALSE_START">TLS False Start</ph> will be disabled.''',
},
{
'name': 'EnableOnlineRevocationChecks',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:19-', 'chrome_os:19-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 129,
'caption': '''Whether online OCSP/CRL checks are performed''',
'tags': ['website-sharing'],
'desc': '''In light of the fact that soft-fail, online revocation checks provide no effective security benefit, they are disabled by default in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 19 and later. By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed.
If the policy is not set, or is set to false, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not perform online revocation checks in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 19 and later.''',
},
{
'name': 'RequireOnlineRevocationChecksForLocalAnchors',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:30-', 'chrome.linux:30-', 'chrome.win:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 235,
'caption': '''Whether online OCSP/CRL checks are required for local trust anchors''',
'tags': [],
'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will always perform revocation checking for server certificates that successfully validate and are signed by locally-installed CA certificates.
If <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is unable to obtain revocation status information, such certificates will be treated as revoked ('hard-fail').
If this policy is not set, or it is set to false, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the existing online revocation checking settings.''',
},
{
'name': 'ForceEphemeralProfiles',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:32-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': True,
'id': 245,
'caption': '''Ephemeral profile''',
'tags': [],
'desc': '''If set to enabled this policy forces the profile to be switched to ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it will apply to every profile on the system; if the policy is set as a Cloud policy it will apply only to a profile signed in with a managed account.
In this mode the profile data is persisted on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies and web databases are not preserved after the browser is closed. However this does not prevent the user from downloading any data to disk manually, save pages or print them.
If the user has enabled sync all this data is preserved in his sync profile just like with regular profiles. Incognito mode is also available if not explicitly disabled by policy.
If the policy is set to disabled or left not set signing in leads to regular profiles.'''
},
{
'name': 'SAMLOfflineSigninTimeLimit',
'type': 'int',
'schema': { 'type': 'integer', 'minimum': -1 },
'supported_on': ['chrome_os:34-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 32,
'id': 254,
'caption': '''Limit the time for which a user authenticated via SAML can log in offline''',
'tags': [],
'desc': '''Limit the time for which a user authenticated via SAML can log in offline.
During login, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can authenticate against a server (online) or using a cached password (offline).
When this policy is set to a value of -1, the user can authenticate offline indefinitely. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again.
Leaving this policy not set will make <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> use a default time limit of 14 days after which the user must use online authentication again.
This policy affects only users who authenticated using SAML.
The policy value should be specified in seconds.''',
},
{
'name': 'AutoCleanUpStrategy',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [ 'remove-lru', 'remove-lru-if-dormant' ],
},
'items': [
{
'name': 'RemoveLRU',
'value': 'remove-lru',
'caption': '''Least recently used users are removed until there is enough free space''',
},
{
'name': 'RemoveLRUIfDormant',
'value': 'remove-lru-if-dormant',
'caption': '''Least recently used users who have not logged in within last 3 months are removed until there is enough free space''',
},
],
'supported_on': ['chrome_os:32-35'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'deprecated': True,
'example_value': 'remove-lru',
'id': 246,
'caption': '''Selects the strategy used to free up disk space during automatic clean-up (deprecated)''',
'tags': [],
'desc': '''This policy is deprecated. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will always use the 'RemoveLRU' clean-up strategy.
Controls the automatic clean-up behavior on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices. Automatic clean-up is triggered when the amount of free disk space reaches a critical level to recover some disk space.
If this policy is set to 'RemoveLRU', the automatic clean-up will keep removing users from the device in least-recently-logged-in order until there is enough free space.
If this policy is set to 'RemoveLRUIfDormant', the automatic clean-up will keep removing users who have not logged in for at least 3 months in least-recently-logged-in order until there is enough free space.
If this policy is not set, automatic clean-up uses the default built-in strategy. Currently, it is the 'RemoveLRUIfDormant' strategy.'''
},
{
'name': 'ReportDeviceVersionInfo',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:18-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 119,
'caption': '''Report OS and firmware version''',
'tags': ['admin-sharing'],
'desc': '''Report OS and firmware version of enrolled devices.
If this setting is not set or set to True, enrolled devices will report the OS and firmware version periodically. If this setting is set to False, version info will not be reported.''',
},
{
'name': 'ReportDeviceActivityTimes',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:18-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 120,
'caption': '''Report device activity times''',
'tags': ['admin-sharing'],
'desc': '''Report device activity times.
If this setting is not set or set to True, enrolled devices will report time periods when a user is active on the device. If this setting is set to False, device activity times will not be recorded or reported.''',
},
{
'name': 'ReportDeviceBootMode',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:18-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 121,
'caption': '''Report device boot mode''',
'tags': ['admin-sharing'],
'desc': '''Report the state of the device's dev switch at boot.
If the policy is set to false, the state of the dev switch will not be reported.''',
},
{
'name': 'ReportDeviceLocation',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:20-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'future': True,
'example_value': False,
'id': 143,
'caption': '''Report device location''',
'tags': ['admin-sharing'],
'desc': '''Report the geographic location of the device.
If the policy is not set, or set to false, the location will not be reported.''',
},
{
'name': 'ReportDeviceNetworkInterfaces',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 224,
'caption': '''Report device network interfaces''',
'tags': ['admin-sharing'],
'desc': '''Report list of network interfaces with their types and hardware addresses to the server.
If the policy is set to false, the interface list will not be reported.''',
},
{
'name': 'ReportDeviceUsers',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:32-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 248,
'caption': '''Report device users''',
'tags': ['admin-sharing'],
'desc': '''Report list of device users that have recently logged in.
If the policy is set to false, the users will not be reported.''',
},
{
'name': 'ReportDeviceHardwareStatus',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:42-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 290,
'caption': '''Report hardware status''',
'tags': ['admin-sharing'],
'desc': '''Report hardware statistics such as CPU/RAM usage.
If the policy is set to false, the statistics will not be reported.
If set to true or left unset, statistics will be reported.''',
},
{
'name': 'ReportDeviceSessionStatus',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:42-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 291,
'caption': '''Report information about active kiosk sessions''',
'tags': ['admin-sharing'],
'desc': '''Report information about the active kiosk session, such as
application ID and version.
If the policy is set to false, the session information will not be
reported. If set to true or left unset, session information will be
reported.''',
},
{
'name': 'ReportUploadFrequency',
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 60000 },
'supported_on': ['chrome_os:42-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 180000,
'id': 292,
'caption': '''Frequency of device status report uploads''',
'tags': ['admin-sharing'],
'desc': '''How frequently device status uploads are sent, in milliseconds.
If this policy is unset, the default frequency is 3 hours. The minimum
allowed frequency is 60 seconds.''',
},
{
'name': 'HeartbeatEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:43-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 293,
'caption': '''Send monitoring heartbeats to the management server''',
'tags': ['admin-sharing'],
'desc': '''Send monitoring heartbeats to the management server, to allow
the server to detect if the device is offline.
If this policy is set to true, monitoring heartbeats will be sent. If set
to false or unset, then no heartbeats will be sent.''',
},
{
'name': 'HeartbeatFrequency',
'type': 'int',
'schema': { 'type': 'integer', 'minimum': 30000 },
'supported_on': ['chrome_os:43-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 180000,
'id': 294,
'caption': '''Frequency of monitoring heartbeats''',
'tags': [],
'desc': '''How frequently monitoring heartbeats are sent, in milliseconds.
If this policy is unset, the default frequency is 3 minutes. The minimum
frequency is 30 seconds and the maximum frequency is 24 hours - values
outside of this range will be clamped to this range.''',
},
{
'name': 'LogUploadEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:46-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 306,
'caption': '''Send system logs to the management server''',
'tags': [],
'desc': '''Send system logs to the management server, to allow
admins to monitor system logs.
If this policy is set to true, system logs will be sent. If set
to false or unset, then no system logs will be sent.''',
},
{
'name': 'DeviceUserWhitelist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ 'madmax@managedchrome.com' ],
'id': 122,
'caption': '''Login user white list''',
'tags': [],
'desc': '''Defines the list of users that are allowed to login to the device. Entries are of the form <ph name="USER_WHITELIST_ENTRY_FORMAT">user@domain</ph>, such as <ph name="USER_WHITELIST_ENTRY_EXAMPLE">madmax@managedchrome.com</ph>. To allow arbitrary users on a domain, use entries of the form <ph name="USER_WHITELIST_ENTRY_WILDCARD">*@domain</ph>.
If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the <ph name="DEVICEALLOWNEWUSERS_POLICY_NAME">DeviceAllowNewUsers</ph> policy to be configured appropriately.''',
},
{
'name': 'DeviceAllowNewUsers',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 123,
'caption': '''Allow creation of new user accounts''',
'tags': [],
'desc': '''Controls whether <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> allows new user accounts to be created. If this policy is set to false, users that do not have an account already will not be able to login.
If this policy is set to true or not configured, new user accounts will be allowed to be created provided that <ph name="DEVICEUSERWHITELISTPROTO_POLICY_NAME">DeviceUserWhitelist</ph> does not prevent the user from logging in.''',
},
{
'name': 'DeviceGuestModeEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 124,
'caption': '''Enable guest mode''',
'tags': [],
'desc': '''If this policy is set to true or not configured, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will enable guest logins. Guest logins are anonymous user sessions and do not require a password.
If this policy is set to false, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will not allow guest sessions to be started.''',
},
{
'name': 'DeviceShowUserNamesOnSignin',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 125,
'caption': '''Show usernames on login screen''',
'tags': [],
'desc': '''If this policy is set to true or not configured, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will show existing users on the login screen and allow to pick one. If this policy is set to false, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will use the username/password prompt for login.''',
},
{
'name': 'DeviceDataRoamingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:12-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 126,
'caption': '''Enable data roaming''',
'tags': [],
'desc': '''Determines whether data roaming should be enabled for the device. If set to true, data roaming is allowed. If left unconfigured or set to false, data roaming will be not available.''',
},
{
'name': 'DeviceMetricsReportingEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:14-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 127,
'caption': '''Enable metrics reporting''',
'tags': ['admin-sharing'],
'desc': '''Controls whether usage metrics are reported back to Google. If set to true, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will report usage metrics. If not configured or set to false, metrics reporting will be disabled.''',
},
{
'name': 'ChromeOsReleaseChannel',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [ 'stable-channel', 'beta-channel', 'dev-channel' ],
},
'items': [
{
'name': 'StableChannel',
'value': 'stable-channel',
'caption': '''Stable channel''',
},
{
'name': 'BetaChannel',
'value': 'beta-channel',
'caption': '''Beta channel''',
},
{
'name': 'DevChannel',
'value': 'dev-channel',
'caption': '''Dev channel (may be unstable)''',
},
],
'supported_on': ['chrome_os:11-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 'stable-channel',
'id': 91,
'caption': '''Release channel''',
'tags': [],
'desc': '''Specifies the release channel that this device should be locked to.''',
},
{
'name': 'ChromeOsReleaseChannelDelegated',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 134,
'caption': '''Whether the release channel should be configurable by the user''',
'tags': [],
'desc': '''If this policy is set to True and the ChromeOsReleaseChannel policy is not specified then users of the enrolling domain will be allowed to change the release channel of the device. If this policy is set to false the device will be locked in whatever channel it was last set.
The user selected channel will be overridden by the ChromeOsReleaseChannel policy, but if the policy channel is more stable than the one that was installed on the device, then the channel will only switch after the version of the more stable channel reaches a higher version number than the one installed on the device.''',
},
{
'name': 'DeviceEphemeralUsersEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 128,
'caption': '''Wipe user data on sign-out''',
'tags': [],
'desc': '''Determines whether <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> keeps local account data after logout. If set to true, no persistent accounts are kept by <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> and all data from the user session will be discarded after logout. If this policy is set to false or not configured, the device may keep (encrypted) local user data.''',
},
{
'name': 'DeviceStartUpUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ 'https://google.com', 'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaa/' ],
'id': 137,
'caption': '''Load specified urls on demo login''',
'tags': [],
'desc': '''This policy is active in retail mode only.
Determines the set of URLs to be loaded when the demo session is started. This policy will override any other mechanisms for setting the initial URL and thus can only be applied to a session not associated with a particular user.''',
},
{
'name': 'DeviceIdleLogoutTimeout',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 60000,
'id': 130,
'caption': '''Timeout until idle user log-out is executed''',
'tags': [],
'desc': '''This policy is active in retail mode only.
When the value of this policy is set and is not 0 then the currently logged in demo user will be logged out automatically after an inactivity time of the specified duration has elapsed.
The policy value should be specified in milliseconds.''',
},
{
'name': 'DeviceIdleLogoutWarningDuration',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 15000,
'id': 131,
'caption': '''Duration of the idle log-out warning message''',
'tags': [],
'desc': '''This policy is active in retail mode only.
When DeviceIdleLogoutTimeout is specified this policy defines the duration of the warning box with a count down timer that is shown to the user before the logout is executed.
The policy value should be specified in milliseconds.''',
},
{
'name': 'DeviceLoginScreenSaverId',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 'fhblcfnmnbehmifidkddcenilbpddlfk',
'id': 132,
'caption': '''Screen saver to be used on the sign-in screen in retail mode''',
'tags': [],
'desc': '''This policy is active in retail mode only.
Determines the id of the extension to be used as a screen saver on the sign-in screen. The extension must be part of the AppPack that is configured for this domain through the DeviceAppPack policy.''',
},
{
'name': 'DeviceLoginScreenSaverTimeout',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 120000,
'id': 133,
'caption': '''Duration of inactivity before the screen saver is shown on the sign-in screen in retail mode''',
'tags': [],
'desc': '''This policy is active in retail mode only.
Determines the duration before the screen saver is shown on the sign-in screen for devices in retail mode.
The policy value should be specified in milliseconds.''',
},
{
'name': 'DeviceAppPack',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:19-40'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ { "extension-id": "khgabmflimjjbclkmljlpmgaleanedem", "update-url": "https://clients2.google.com/service/update2/crx" } ],
'id': 135,
'caption': '''List of AppPack extensions''',
'tags': [],
'desc': '''This policy is active in retail mode only.
Lists extensions that are automatically installed for the Demo user, for devices in retail mode. These extensions are saved in the device and can be installed while offline, after the installation.
Each list entry contains a dictionary that must include the extension ID in the 'extension-id' field, and its update URL in the 'update-url' field.''',
},
{
'name': 'DeviceAutoUpdateDisabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 136,
'caption': '''Disables Auto Update''',
'tags': ['system-security'],
'desc': '''Disables automatic updates when set to True.
<ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices automatically check for updates when this setting is not configured or set to False.''',
},
{
'name': 'DeviceAutoUpdateP2PEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:31-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': False,
'id': 242,
'caption': '''Auto update p2p enabled''',
'tags': [],
'desc': '''Specifies whether p2p is to be used for OS update payloads. If set to True, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device will fall back to downloading from an update server. If set to False or not configured, p2p will not be used.''',
},
{
'name': 'DeviceTargetVersionPrefix',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:19-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': '1412.',
'id': 142,
'caption': '''Target Auto Update Version''',
'tags': ['system-security'],
'desc': '''Sets a target version for Auto Updates.
Specifies the prefix of a target version <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> should update to. If the device is running a version that's before the specified prefix, it will update to the latest version with the given prefix. If the device is already on a later version, there is no effect (i.e. no downgrades are performed) and the device will remain on the current version. The prefix format works component-wise as is demonstrated in the following example:
"" (or not configured): update to latest version available.
"1412.": update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2)
"1412.2.": update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2)
"1412.24.34": update to this specific version only''',
},
{
'name': 'DeviceUpdateScatterFactor',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:20-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 7200,
'id': 145,
'caption': '''Auto update scatter factor''',
'tags': ['system-security'],
'desc': '''Specifies the number of seconds up to which a device may randomly delay its download of an update from the time the update was first pushed out to the server. The device may wait a portion of this time in terms of wall-clock-time and the remaining portion in terms of the number of update checks. In any case, the scatter is upper bounded to a constant amount of time so that a device does not ever get stuck waiting to download an update forever.''',
},
{
'name': 'DeviceUpdateAllowedConnectionTypes',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:21-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ 'ethernet' ],
'id': 146,
'caption': '''Connection types allowed for updates''',
'tags': [],
'desc': ''' The types of connections that are allowed to use for OS updates. OS updates potentially put heavy strain on the connection due to their size and may incur additional cost. Therefore, they are by default not enabled for connection types that are considered expensive, which include WiMax, Bluetooth and Cellular at the moment.
The recognized connection type identifiers are "ethernet", "wifi", "wimax", "bluetooth" and "cellular".''',
},
{
'name': 'DeviceUpdateHttpDownloadsEnabled',
'type': 'main',
'schema': {
'type': 'boolean',
},
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 243,
'caption': '''Allow autoupdate downloads via HTTP''',
'tags': [],
'desc': '''Auto-update payloads on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can be downloaded via HTTP instead of HTTPS. This allows transparent HTTP caching of HTTP downloads.
If this policy is set to true, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will attempt to download auto-update payloads via HTTP. If the policy is set to false or not set, HTTPS will be used for downloading auto-update payloads.''',
},
{
'name': 'DeviceLocalAccounts',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:25-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': [ "demo@example.com" ],
'id': 163,
'caption': '''Device-local accounts''',
'tags': [],
'desc': '''Specifies the list of device-local accounts to be shown on the login screen.
Every list entry specifies an identifier, which is used internally to tell the different device-local accounts apart.''',
},
{
'name': 'DeviceLocalAccountAutoLoginId',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:26-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': "public@example.com",
'id': 194,
'caption': '''Public session for auto-login''',
'tags': [],
'desc': '''A public session to auto-login after a delay.
If this policy is set, the specified session will be automatically logged in after a period of time has elapsed at the login screen without user interaction. The public session must already be configured (see |DeviceLocalAccounts|).
If this policy is unset, there will be no auto-login.''',
},
{
'name': 'DeviceLocalAccountAutoLoginDelay',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:26-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 180000,
'id': 195,
'caption': '''Public session auto-login timer''',
'tags': [],
'desc': '''The public session auto-login delay.
If the |DeviceLocalAccountAutoLoginId| policy is unset, this policy has no effect. Otherwise:
If this policy is set, it determines the amount of time without user activity that should elapse before automatically logging into the public session specified by the |DeviceLocalAccountAutoLoginId| policy.
If this policy is unset, 0 milliseconds will be used as the timeout.
This policy is specified in milliseconds.'''
},
{
'name': 'DeviceLocalAccountAutoLoginBailoutEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:28-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 202,
'caption': '''Enable bailout keyboard shortcut for auto-login''',
'tags': [],
'desc': '''Enable bailout keyboard shortcut for auto-login.
If this policy is unset or set to True and a device-local account is configured for zero-delay auto-login, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will honor the keyboard shortcut Ctrl+Alt+S for bypassing auto-login and showing the login screen.
If this policy is set to False, zero-delay auto-login (if configured) cannot be bypassed.'''
},
{
'name': 'DeviceLocalAccountPromptForNetworkWhenOffline',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:33-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 250,
'caption': '''Enable network configuration prompt when offline''',
'tags': [],
'desc': '''Enable network configuration prompt when offline.
If this policy is unset or set to True and a device-local account is configured for zero-delay auto-login and the device does not have access to the Internet, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will show a network configuration prompt.
If this policy is set to False, an error message will be displayed instead of the network configuration prompt.'''
},
{
'name': 'DeviceBlockDevmode',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:37-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 266,
'caption': '''Block developer mode''',
'tags': [],
'desc': '''Block developer mode.
If this policy is set to True, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will prevent the device from booting into developer mode. The system will refuse to boot and show an error screen when the developer switch is turned on.
If this policy is unset or set to False, developer mode will remain available for the device.'''
},
{
'name': 'BackgroundModeEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:19-', 'chrome.linux:19-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 138,
'caption': '''Continue running background apps when <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is closed''',
'tags': ['system-security'],
'desc': '''Determines whether a <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> process is started on OS login and keeps running when the last browser window is closed, allowing background apps and the current browsing session to remain active, including any session cookies. The background process displays an icon in the system tray and can always be closed from there.
If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings.
If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings.
If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.''',
},
{
'name': 'Drive',
'type': 'group',
'caption': '''Configure Google Drive options''',
'desc': '''Configure Google Drive in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.''',
'policies': [
{
'name': 'DriveDisabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 139,
'caption': '''Disables Drive in the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Files app''',
'tags': [],
'desc': '''Disables Google Drive syncing in the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Files app when set to True. In that case, no data is uploaded to Google Drive.
If not set or set to False, then users will be able to transfer files to Google Drive.''',
},
{
'name': 'DriveDisabledOverCellular',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:19-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 140,
'caption': '''Disables Google Drive over cellular connections in the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Files app''',
'tags': [],
'desc': '''Disables Google Drive syncing in the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> Files app when using a cellular connection when set to True. In that case, data is only synced to Google Drive when connected via WiFi or Ethernet.
If not set or set to False, then users will be able to transfer files to Google Drive via cellular connections.''',
},
],
},
{
'name': 'PinnedLauncherApps',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:20-' ],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['pjkljhegncpnkpknbcohdijeoejaedia'],
'id': 144,
'caption': '''List of pinned apps to show in the launcher''',
'tags': [],
'desc': '''Lists the application identifiers <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows as pinned apps in the launcher bar.
If this policy is configured, the set of applications is fixed and can't be changed by the user.
If this policy is left unset, the user may change the list of pinned apps in the launcher.''',
},
{
'name': 'RestrictSigninToPattern',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:21-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '*@domain.com',
'id': 147,
'caption': '''Restrict which users are allowed to sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>''',
'tags': [],
'desc': '''Contains a regular expression which is used to determine which users can sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
An appropriate error is displayed if a user tries to log in with a username that does not match this pattern.
If this policy is left not set or blank, then any user can sign in to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.''',
},
{
'name': 'DisableSafeBrowsingProceedAnyway',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:22-', 'chrome_os:22-', 'android:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 150,
'caption': '''Disable proceeding from the Safe Browsing warning page''',
'tags': [],
'desc': '''The Safe Browsing service shows a warning page when users navigate to sites that are flagged as potentially malicious. Enabling this setting prevents users from proceeding anyway from the warning page to the malicious site.
If this setting is disabled or not configured then users can choose to proceed to the flagged site after being shown the warning.''',
},
{
'name': 'SafeBrowsingExtendedReportingOptInAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:44-', 'chrome_os:44-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 299,
'caption': '''Allow users to opt in to Safe Browsing extended reporting''',
'tags': [],
'desc': '''Setting this policy to false stops users from choosing to send information about security errors they encounter to Google servers. If this setting is true or not configured, then users will be allowed to send information when they encounter an SSL error or Safe Browsing warning.''',
},
{
'name': 'SpellCheckServiceEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:22-', 'chrome_os:22-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 151,
'caption': '''Enable or disable spell checking web service''',
'tags': [],
'desc': '''<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> can use a Google web service to help resolve spelling errors. If this setting is enabled, then this service is always used. If this setting is disabled, then this service is never used.
Spell checking can still be performed using a downloaded dictionary; this policy only controls the usage of the online service.
If this setting is not configured then users can choose whether the spell checking service should be used or not.''',
},
{
'name': 'ExternalStorageDisabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:22-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 152,
'caption': '''Disable mounting of external storage''',
'tags': [],
'desc': '''Disable mounting of external storage.
When this policy is set to true, external storage will not be available in the file browser.
This policy affects all types of storage media. For example: USB flash drives, external hard drives, SD and other memory cards, optical storage etc. Internal storage is not affected, therefore files saved in the Download folder can still be accessed. Google Drive is also not affected by this policy.
If this setting is disabled or not configured then users can use all supported types of external storage on their device.''',
},
{
'name': 'AudioOutputAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:23-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 159,
'caption': '''Allow playing audio''',
'tags': [],
'desc': '''Allow playing audio.
When this policy is set to false, audio output will not be available on the device while the user is logged in.
This policy affects all types of audio output and not only the built-in speakers. Audio accessibility features are also inhibited by this policy. Do not enable this policy if a screen reader is required for the user.
If this setting is set to true or not configured then users can use all supported audio outputs on their device.''',
},
{
'name': 'AudioCaptureAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:25-', 'chrome_os:23-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 160,
'caption': '''Allow or deny audio capture''',
'tags': [],
'desc': '''Allow or deny audio capture.
If enabled or not configured (default), the user will be prompted for
audio capture access except for URLs configured in the
AudioCaptureAllowedUrls list which will be granted access without prompting.
When this policy is disabled, the user will never be prompted and audio
capture only be available to URLs configured in AudioCaptureAllowedUrls.
This policy affects all types of audio inputs and not only the built-in microphone.''',
},
{
'name': 'AudioCaptureAllowedUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:29-', 'chrome_os:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com/', 'https://[*.]example.edu/'],
'id': 208,
'caption': '''URLs that will be granted access to audio capture devices without prompt''',
'tags': ['website-sharing'],
'desc': '''Patterns in this list will be matched against the security
origin of the requesting URL. If a match is found, access to audio
capture devices will be granted without prompt.
NOTE: Until version 45, this policy was only supported in Kiosk mode.''',
},
{
'name': 'VideoCaptureAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:25-', 'chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': False,
'id': 167,
'caption': '''Allow or deny video capture''',
'tags': [],
'desc': '''Allow or deny video capture.
If enabled or not configured (default), the user will be prompted for
video capture access except for URLs configured in the
VideoCaptureAllowedUrls list which will be granted access without prompting.
When this policy is disabled, the user will never be prompted and video
capture only be available to URLs configured in VideoCaptureAllowedUrls.
This policy affects all types of video inputs and not only the built-in camera.''',
},
{
'name': 'VideoCaptureAllowedUrls',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome.*:29-', 'chrome_os:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['https://www.example.com/', 'https://[*.]example.edu/'],
'id': 209,
'caption': '''URLs that will be granted access to video capture devices without prompt''',
'tags': ['website-sharing'],
'desc': '''Patterns in this list will be matched against the security
origin of the requesting URL. If a match is found, access to audio
capture devices will be granted without prompt.
NOTE: Until version 45, this policy was only supported in Kiosk mode.''',
},
{
'name': 'DisableScreenshots',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:22-', 'chrome.*:22-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 153,
'caption': '''Disable taking screenshots''',
'tags': [],
'desc': '''Disables taking screenshots.
If enabled screenshots cannot be taken using keyboard shortcuts or extension APIs.
If disabled or not specified, taking screenshots is allowed.'''
},
{
'name': 'SystemTimezone',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:22-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 'America/Los_Angeles',
'id': 158,
'caption': '''Timezone''',
'tags': [],
'desc': '''Specifies the timezone to be used for the device. Users can override the specified timezone for the current session. However, on logout it is set back to the specified timezone. If an invalid value is provided, the policy is still activated using "GMT" instead. If an empty string is provided, the policy is ignored.
If this policy is not used, the currently active timezone will remain in use however users can change the timezone and the change is persistent. Thus a change by one user affects the login-screen and all other users.
New devices start out with the timezone set to "US/Pacific".
The format of the value follows the names of timezones in the "IANA Time Zone Database" (see "https://en.wikipedia.org/wiki/Tz_database"). In particular, most timezones can be referred to by "continent/large_city" or "ocean/large_city".''',
},
{
'name': 'SystemUse24HourClock',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:30-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 236,
'caption': '''Use 24 hour clock by default''',
'tags': [],
'desc': '''Specifies the clock format be used for the device.
This policy configures the clock format to use on the login screen and as a default for user sessions. Users can still override the clock format for their account.
If the policy is set to true, the device will use a 24 hour clock format. If the policy is set to false, the device will use 12 hour clock format.
If this policy is not set, the device will default to a 24 hour clock format.''',
},
{
'name': 'TouchVirtualKeyboardEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:37-' ],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': False,
'id': 269,
'caption': '''Enable virtual keyboard''',
'tags': [],
'desc': '''This policy configures enabling the virtual keyboard as an input device on ChromeOS. Users cannot override this policy.
If the policy is set to true, the on-screen virtual keyboard will always be enabled.
If set to false, the on-screen virtual keyboard will always be disabled.
If you set this policy, users cannot change or override it. However, users will still be able to enable/disable an accessibility on-screen keyboard which takes precedence over the virtual keyboard controlled by this policy. See the |VirtualKeyboardEnabled| policy for controlling the accessibility on-screen keyboard.
If this policy is left unset, the on-screen keyboard is disabled initially but can be enabled by the user anytime. Heuristic rules may also be used to decide when to display the keyboard.''',
},
{
'name': 'ShowLogoutButtonInTray',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 164,
'caption': '''Add a logout button to the system tray''',
'tags': [],
'desc': '''Adds a logout button to the system tray.
If enabled, a big, red logout button is shown in the system tray while a session is active and the screen is not locked.
If disabled or not specified, no big, red logout button is shown in the system tray.''',
},
{
'name': 'BuiltInDnsClientEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 165,
'caption': '''Use built-in DNS client''',
'tags': [],
'desc': '''Controls whether the built-in DNS client is used in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If this policy is set to true, the built-in DNS client will be used, if available.
If this policy is set to false, the built-in DNS client will never be used.
If this policy is left not set, the users will be able to change whether the built-in DNS client is used by editing chrome://flags or specifying a command-line flag.''',
},
{
'name': 'ShelfAutoHideBehavior',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'Always',
'Never'
],
},
'items': [
{
'name': 'AlwaysAutoHideShelf',
'value': 'Always',
'caption': '''Always auto-hide the shelf''',
},
{
'name': 'NeverAutoHideShelf',
'value': 'Never',
'caption': '''Never auto-hide the shelf''',
},
],
'supported_on': ['chrome_os:25-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'Always',
'id': 166,
'caption': '''Control shelf auto-hiding''',
'tags': [],
'desc': '''Control auto-hiding of the <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shelf.
If this policy is set to 'AlwaysAutoHideShelf', the shelf will always auto-hide.
If this policy is set to 'NeverAutoHideShelf', the shelf never auto-hide.
If you set this policy, users cannot change or override it.
If the policy is left not set, users can choose whether the shelf should auto-hide.''',
},
{
'name': 'UserDisplayName',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'Policy User',
'id': 169,
'caption': '''Set the display name for device-local accounts''',
'tags': [],
'desc': '''Controls the account name <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows on the login screen for the corresponding device-local account.
If this policy is set, the login screen will use the specified string in the picture-based login chooser for the corresponding device-local account.
If the policy is left not set, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will use the device-local account's email account ID as the display name on the login screen.
This policy is ignored for regular user accounts.''',
},
{
'name': 'SessionLengthLimit',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:25-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 3600000,
'id': 170,
'caption': '''Limit the session length''',
'tags': [],
'desc': '''Limit the maximum length of a user session.
When this policy is set, it specifies the length of time after which a user is automatically logged out, terminating the session. The user is informed about the remaining time by a countdown timer shown in the system tray.
When this policy is not set, the session length is not limited.
If you set this policy, users cannot change or override it.
The policy value should be specified in milliseconds. Values are clamped to a range of 30 seconds to 24 hours.''',
},
{
'name': 'FullscreenAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:31-', 'chrome.linux:31-', 'chrome_os:31-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 240,
'caption': '''Allow fullscreen mode''',
'tags': [],
'desc': '''Allow fullscreen mode.
This policy controls the availability of fullscreen mode in which all <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> UI is hidden and only web content is visible.
If this policy is set to true or not not configured, the user, apps and extensions with appropriate permissions can enter fullscreen mode.
If this policy is set to false, neither the user nor any apps or extensions can enter fullscreen mode.
On all platforms except <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>, kiosk mode is unavailable when fullscreen mode is disabled.''',
},
{
'name': 'PowerManagement',
'type': 'group',
'caption': '''Power management''',
'desc': '''Configure power management in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
These policies let you configure how <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> behaves when the user remains idle for some amount of time.''',
'policies': [
{
'name': 'ScreenDimDelayAC',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 420000,
'id': 172,
'caption': '''Screen dim delay when running on AC power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the screen is dimmed when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> dims the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not dim the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.''',
},
{
'name': 'ScreenOffDelayAC',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 480000,
'id': 173,
'caption': '''Screen off delay when running on AC power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the screen is turned off when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> turns off the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not turn off the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.''',
},
{
'name': 'ScreenLockDelayAC',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 600000,
'id': 174,
'caption': '''Screen lock delay when running on AC power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the screen is locked when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> locks the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not lock the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The recommended way to lock the screen on idle is to enable screen locking on suspend and have <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.''',
},
{
'name': 'IdleWarningDelayAC',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:27-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 545000,
'id': 197,
'caption': '''Idle warning delay when running on AC power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which a warning dialog is shown when running on AC power.
When this policy is set, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows a warning dialog telling the user that the idle action is about to be taken.
When this policy is unset, no warning dialog is shown.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.''',
},
{
'name': 'IdleDelayAC',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 1800000,
'id': 175,
'caption': '''Idle delay when running on AC power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the idle action is taken when running on AC power.
When this policy is set, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes the idle action, which can be configured separately.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds.''',
},
{
'name': 'ScreenDimDelayBattery',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 300000,
'id': 176,
'caption': '''Screen dim delay when running on battery power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the screen is dimmed when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> dims the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not dim the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.''',
},
{
'name': 'ScreenOffDelayBattery',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 360000,
'id': 177,
'caption': '''Screen off delay when running on battery power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the screen is turned off when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> turns off the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not turn off the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.''',
},
{
'name': 'ScreenLockDelayBattery',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 600000,
'id': 178,
'caption': '''Screen lock delay when running on battery power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the screen is locked when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> locks the screen.
When this policy is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not lock the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The recommended way to lock the screen on idle is to enable screen locking on suspend and have <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.''',
},
{
'name': 'IdleWarningDelayBattery',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:27-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 545000,
'id': 198,
'caption': '''Idle warning delay when running on battery power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which a warning dialog is shown when running on battery power.
When this policy is set, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> shows a warning dialog telling the user that the idle action is about to be taken.
When this policy is unset, no warning dialog is shown.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.''',
},
{
'name': 'IdleDelayBattery',
'type': 'int',
'schema': {
'type': 'integer',
'minimum': 0
},
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 600000,
'id': 179,
'caption': '''Idle delay when running on battery power''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the idle action is taken when running on battery power.
When this policy is set, it specifies the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes the idle action, which can be configured separately.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds.''',
},
{
'name': 'IdleAction',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'IdleActionSuspend',
'value': 0,
'caption': '''Suspend''',
},
{
'name': 'IdleActionLogout',
'value': 1,
'caption': '''Log the user out''',
},
{
'name': 'IdleActionShutdown',
'value': 2,
'caption': '''Shut down''',
},
{
'name': 'IdleActionDoNothing',
'value': 3,
'caption': '''Do nothing''',
},
],
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 0,
'id': 180,
'caption': '''Action to take when the idle delay is reached''',
'tags': [],
'desc': '''Specify the action to take when the idle delay is reached.
Note that this policy is deprecated and will be removed in the future.
This policy provides a fallback value for the more-specific <ph name="IDLEACTIONAC_POLICY_NAME">IdleActionAC</ph> and <ph name="IDLEACTIONBATTERY_POLICY_NAME">IdleActionBattery</ph> policies. If this policy is set, its value gets used if the respective more-specific policy is not set.
When this policy is unset, behavior of the more-specific policies remains unaffected.''',
},
{
'name': 'IdleActionAC',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'IdleActionSuspend',
'value': 0,
'caption': '''Suspend''',
},
{
'name': 'IdleActionLogout',
'value': 1,
'caption': '''Log the user out''',
},
{
'name': 'IdleActionShutdown',
'value': 2,
'caption': '''Shut down''',
},
{
'name': 'IdleActionDoNothing',
'value': 3,
'caption': '''Do nothing''',
},
],
'supported_on': ['chrome_os:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 0,
'id': 226,
'caption': '''Action to take when the idle delay is reached while running on AC power''',
'tags': [],
'desc': '''Specify the action to take when the idle delay is reached while running on AC power.
When this policy is set, it specifies the action that <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.
When this policy is unset, the default action is taken, which is suspend.
If the action is suspend, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can separately be configured to either lock or not lock the screen before suspending.''',
},
{
'name': 'IdleActionBattery',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'IdleActionSuspend',
'value': 0,
'caption': '''Suspend''',
},
{
'name': 'IdleActionLogout',
'value': 1,
'caption': '''Log the user out''',
},
{
'name': 'IdleActionShutdown',
'value': 2,
'caption': '''Shut down''',
},
{
'name': 'IdleActionDoNothing',
'value': 3,
'caption': '''Do nothing''',
},
],
'supported_on': ['chrome_os:30-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 0,
'id': 222,
'caption': '''Action to take when the idle delay is reached while running on battery power''',
'tags': [],
'desc': '''Specify the action to take when the idle delay is reached while running on battery power.
When this policy is set, it specifies the action that <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.
When this policy is unset, the default action is taken, which is suspend.
If the action is suspend, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can separately be configured to either lock or not lock the screen before suspending.''',
},
{
'name': 'LidCloseAction',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'LidCloseActionSuspend',
'value': 0,
'caption': '''Suspend''',
},
{
'name': 'LidCloseActionLogout',
'value': 1,
'caption': '''Log the user out''',
},
{
'name': 'LidCloseActionShutdown',
'value': 2,
'caption': '''Shut down''',
},
{
'name': 'LidCloseActionDoNothing',
'value': 3,
'caption': '''Do nothing''',
},
],
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 0,
'id': 181,
'caption': '''Action to take when the user closes the lid''',
'tags': [],
'desc': '''Specify the action to take when the user closes the lid.
When this policy is set, it specifies the action that <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> takes when the user closes the device's lid.
When this policy is unset, the default action is taken, which is suspend.
If the action is suspend, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can separately be configured to either lock or not lock the screen before suspending.''',
},
{
'name': 'PowerManagementUsesAudioActivity',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 182,
'caption': '''Specify whether audio activity affects power management''',
'tags': [],
'desc': '''Specifies whether audio activity affects power management.
If this policy is set to True or is unset, the user is not considered to be idle while audio is playing. This prevents the idle timeout from being reached and the idle action from being taken. However, screen dimming, screen off and screen lock will be performed after the configured timeouts, irrespective of audio activity.
If this policy is set to False, audio activity does not prevent the user from being considered idle.''',
},
{
'name': 'PowerManagementUsesVideoActivity',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 183,
'caption': '''Specify whether video activity affects power management''',
'tags': [],
'desc': '''Specifies whether video activity affects power management.
If this policy is set to True or is unset, the user is not considered to be idle while video is playing. This prevents the idle delay, screen dim delay, screen off delay and screen lock delay from being reached and the corresponding actions from being taken.
If this policy is set to False, video activity does not prevent the user from being considered idle.''',
},
{
'name': 'PresentationIdleDelayScale',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:26-28'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 200,
'id': 184,
'caption': '''Percentage by which to scale the idle delay in presentation mode (deprecated)''',
'tags': [],
'desc': '''This policy has been retired as of <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version 29. Please use the PresentationScreenDimDelayScale policy instead.''',
},
{
'name': 'PresentationScreenDimDelayScale',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 200,
'id': 220,
'caption': '''Percentage by which to scale the screen dim delay in presentation mode''',
'tags': [],
'desc': '''Specifies the percentage by which the screen dim delay is scaled when the device is in presentation mode.
If this policy is set, it specifies the percentage by which the screen dim delay is scaled when the device is in presentation mode. When the screen dim delay is scaled, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured.
If this policy is unset, a default scale factor is used.
The scale factor must be 100% or more. Values that would make the screen dim delay in presentation mode shorter than the regular screen dim delay are not allowed.''',
},
{
'name': 'AllowScreenWakeLocks',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:28-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 203,
'caption': '''Allow screen wake locks''',
'tags': [],
'desc': '''Specifies whether screen wake locks are allowed. Screen wake locks can be requested by extensions via the power management extension API.
If this policy is set to true or left not set, screen wake locks will be honored for power management.
If this policy is set to false, screen wake lock requests will get ignored.''',
},
{
'name': 'UserActivityScreenDimDelayScale',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 200,
'id': 210,
'caption': '''Percentage by which to scale the screen dim delay if the user becomes active after dimming''',
'tags': [],
'desc': '''Specifies the percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off.
If this policy is set, it specifies the percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off. When the dim delay is scaled, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured.
If this policy is unset, a default scale factor is used.
The scale factor must be 100% or more.''',
},
{
'name': 'WaitForInitialUserActivity',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:32-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 247,
'caption': '''Wait for initial user activity''',
'tags': [],
'desc': '''Specifies whether power management delays and the session length limit should only start running after the first user activity has been observed in a session.
If this policy is set to True, power management delays and the session length limit do not start running until after the first user activity has been observed in a session.
If this policy is set to False or left unset, power management delays and the session length limit start running immediately on session start.''',
},
{
'name': 'PowerManagementIdleSettings',
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'AC': {
'description': 'Delays and actions to take when the device is idle and running on AC power',
'type': 'object',
'id': 'PowerManagementDelays',
'properties': {
'Delays': {
'type': 'object',
'properties': {
'ScreenDim': {
'description': 'The length of time without user input after which the screen is dimmed, in milliseconds',
'type': 'integer',
'minimum': 0
},
'ScreenOff': {
'description': 'The length of time without user input after which the screen is turned off, in milliseconds',
'type': 'integer',
'minimum': 0
},
'IdleWarning': {
'description': 'The length of time without user input after which a warning dialog is shown, in milliseconds',
'type': 'integer',
'minimum': 0
},
'Idle': {
'description': 'The length of time without user input after which the idle action is taken, in milliseconds',
'type': 'integer',
'minimum': 0
}
}
},
'IdleAction': {
'description': 'Action to take when the idle delay is reached',
'type': 'string',
'enum': [ 'Suspend', 'Logout', 'Shutdown', 'DoNothing' ]
}
}
},
'Battery': {
'description': 'Delays and actions to take when the device is idle and running on battery',
'$ref': 'PowerManagementDelays'
}
}
},
'supported_on': ['chrome_os:35-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
'AC': {
'IdleAction': 'DoNothing'
},
'Battery': {
'IdleAction': 'DoNothing'
}
},
'id': 258,
'caption': '''Power management settings when the user becomes idle''',
'tags': [],
'desc': '''Configure power management settings when the user becomes idle.
This policy controls multiple settings for the power management strategy when the user becomes idle.
There are four types of action:
* The screen will be dimmed if the user remains idle for the time specified by |ScreenDim|.
* The screen will be turned off if the user remains idle for the time specified by |ScreenOff|.
* A warning dialog will be shown if the user remains idle for the time specified by |IdleWarning|, telling the user that the idle action is about to be taken.
* The action specified by |IdleAction| will be taken if the user remains idle for the time specified by |Idle|.
For each of above actions, the delay should be specified in milliseconds, and needs to be set to a value greater than zero to trigger the corresponding action. In case the delay is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will not take the corresponding action.
For each of the above delays, when the length of time is unset, a default value will be used.
Note that |ScreenDim| values will be clamped to be less than or equal to |ScreenOff|, |ScreenOff| and |IdleWarning| will be clamped to be less than or equal to |Idle|.
|IdleAction| can be one of four possible actions:
* |Suspend|
* |Logout|
* |Shutdown|
* |DoNothing|
When the |IdleAction| is unset, the default action is taken, which is suspend.
There are also separate settings for AC power and battery.
'''
},
{
'name': 'ScreenLockDelays',
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'AC': {
'description': 'The length of time without user input after which the screen is locked when running on AC power, in milliseconds',
'type': 'integer',
'minimum': 0
},
'Battery': {
'description': 'The length of time without user input after which the screen is locked when running on battery, in milliseconds',
'type': 'integer',
'minimum': 0
}
}
},
'supported_on': ['chrome_os:35-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': {
'AC': 600000,
'Battery': 300000
},
'id': 259,
'caption': '''Screen lock delays''',
'tags': [],
'desc': '''Specifies the length of time without user input after which the screen is locked when running on AC power or battery.
When the length of time is set to a value greater than zero, it represents the length of time that the user must remain idle before <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> locks the screen.
When the length of time is set to zero, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> does not lock the screen when the user becomes idle.
When the length of time is unset, a default length of time is used.
The recommended way to lock the screen on idle is to enable screen locking on suspend and have <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.''',
},
],
},
{
'name': 'DeviceLoginScreenPowerManagement',
'type': 'dict',
'schema': {
'type': 'object',
'properties': {
'AC': {
'description': 'Power management settings applicable only when running on AC power',
'type': 'object',
'id': 'DeviceLoginScreenPowerSettings',
'properties': {
'Delays': {
'type': 'object',
'properties': {
'ScreenDim': {
'description': 'The length of time without user input after which the screen is dimmed, in milliseconds',
'type': 'integer',
'minimum': 0
},
'ScreenOff': {
'description': 'The length of time without user input after which the screen is turned off, in milliseconds',
'type': 'integer',
'minimum': 0
},
'Idle': {
'description': 'The length of time without user input after which the idle action is taken, in milliseconds',
'type': 'integer',
'minimum': 0
}
}
},
'IdleAction': {
'description': 'Action to take when the idle delay is reached',
'type': 'string',
'enum': [ 'Suspend', 'Shutdown', 'DoNothing' ]
}
}
},
'Battery': {
'description': 'Power management settings applicable only when running on battery power',
'$ref': 'DeviceLoginScreenPowerSettings'
},
'LidCloseAction': {
'description': 'Action to take when the lid is closed',
'type': 'string',
'enum': [ 'Suspend', 'Shutdown', 'DoNothing' ]
},
'UserActivityScreenDimDelayScale': {
'description': 'Percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off',
'type': 'integer',
'minimum': 100
}
}
},
'supported_on': ['chrome_os:30-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': {
'AC': {
'IdleAction': 'DoNothing'
},
'Battery': {
'IdleAction': 'DoNothing'
}
},
'id': 225,
'caption': '''Power management on the login screen''',
'tags': [],
'desc': '''Configure power management on the login screen in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
This policy lets you configure how <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> behaves when there is no user activity for some amount of time while the login screen is being shown. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session. The only deviations from these policies are:
* The actions to take on idle or lid close cannot be to end the session.
* The default action taken on idle when running on AC power is to shut down.
If a setting is left unspecified, a default value is used.
If this policy is unset, defaults are used for all settings.''',
},
{
'name': 'DeviceAllowRedeemChromeOsRegistrationOffers',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:26-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 185,
'caption': '''Allow users to redeem offers through Chrome OS Registration''',
'tags': [],
'desc': '''IT admins for enterprise devices can use this flag to control whether to allow users to redeem offers through Chrome OS Registration.
If this policy is set to true or left not set, users will be able to redeem offers through Chrome OS Registration.
If this policy is set to false, user will not be able to redeem offers.''',
},
{
'name': 'TermsOfServiceURL',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'https://www.example.com/terms_of_service.txt',
'id': 186,
'caption': '''Set the Terms of Service for a device-local account''',
'tags': [],
'desc': '''Sets the Terms of Service that the user must accept before starting a device-local account session.
If this policy is set, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will download the Terms of Service and present them to the user whenever a device-local account session is starting. The user will only be allowed into the session after accepting the Terms of Service.
If this policy is not set, no Terms of Service are shown.
The policy should be set to a URL from which <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can download the Terms of Service. The Terms of Service must be plain text, served as MIME type text/plain. No markup is allowed.''',
},
{
'name': 'Accessibility',
'type': 'group',
'caption': '''Accessibility settings''',
'desc': '''Configure <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> accessibility features.''',
'policies': [
{
'name': 'ShowAccessibilityOptionsInSystemTrayMenu',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:27-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 188,
'caption': '''Show accessibility options in system tray menu''',
'tags': [],
'desc': '''Show <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> accessibility options in the system menu.
If this policy is set to true, Accessibility options always appear in system tray menu.
If this policy is set to false, Accessibility options never appear in system tray menu.
If you set this policy, users cannot change or override it.
If this policy is left unset, Accessibility options will not appear in the system tray menu, but the user can cause the Accessibility options to appear via the Settings page.'''
},
{
'name': 'LargeCursorEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 211,
'caption': '''Enable large cursor''',
'tags': [],
'desc': '''Enable the large cursor accessibility feature.
If this policy is set to true, the large cursor will always be enabled.
If this policy is set to false, the large cursor will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the large cursor is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'SpokenFeedbackEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 212,
'caption': '''Enable spoken feedback''',
'tags': [],
'desc': '''Enable the spoken feedback accessibility feature.
If this policy is set to true, spoken feedback will always be enabled.
If this policy is set to false, spoken feedback will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, spoken feedback is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'HighContrastEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 213,
'caption': '''Enable high contrast mode''',
'tags': [],
'desc': '''Enable the high contrast mode accessibility feature.
If this policy is set to true, high contrast mode will always be enabled.
If this policy is set to false, high contrast mode will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, high contrast mode is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'VirtualKeyboardEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:34-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 255,
'caption': '''Enable on-screen keyboard''',
'tags': [],
'desc': '''Enable the on-screen keyboard accessibility feature.
If this policy is set to true, the on-screen keyboard will always be enabled.
If this policy is set to false, the on-screen keyboard will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the on-screen keyboard is disabled initially but can be enabled by the user anytime.'''
},
{
'name': 'KeyboardDefaultToFunctionKeys',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:35-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 260,
'caption': '''Media keys default to function keys''',
'tags': [],
'desc': '''Changes the default behaviour of the top row keys to function keys.
If this policy is set to true, the keyboard's top row of keys will produce function key commands per default. The search key has to be pressed to revert their behavior back to media keys.
If this policy is set to false or left unset, the keyboard will produce media key commands per default and function key commands when the search key is held.'''
},
{
'name': 'ScreenMagnifierType',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'None',
'value': 0,
'caption': '''Screen magnifier disabled''',
},
{
'name': 'Full-screen',
'value': 1,
'caption': '''Full-screen magnifier enabled''',
},
],
'supported_on': ['chrome_os:29-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': 1,
'id': 214,
'caption': '''Set screen magnifier type''',
'tags': [],
'desc': '''Set the type of screen magnifier that is enabled.
If this policy is set, it controls the type of screen magnifier that is enabled. Setting the policy to "None" disables the screen magnifier.
If you set this policy, users cannot change or override it.
If this policy is left unset, the screen magnifier is disabled initially but can be enabled by the user anytime.''',
},
{
'name': 'DeviceLoginScreenDefaultLargeCursorEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 215,
'caption': '''Set default state of the large cursor on the login screen''',
'tags': [],
'desc': '''Set the default state of the large cursor accessibility feature on the login screen.
If this policy is set to true, the large cursor will be enabled when the login screen is shown.
If this policy is set to false, the large cursor will be disabled when the login screen is shown.
If you set this policy, users can temporarily override it by enabling or disabling the large cursor. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.
If this policy is left unset, the large cursor is disabled when the login screen is first shown. Users can enable or disable the large cursor anytime and its status on the login screen is persisted between users.''',
},
{
'name': 'DeviceLoginScreenDefaultSpokenFeedbackEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 216,
'caption': '''Set the default state of spoken feedback on the login screen''',
'tags': [],
'desc': '''Set the default state of the spoken feedback accessibility feature on the login screen.
If this policy is set to true, spoken feedback will be enabled when the login screen is shown.
If this policy is set to false, spoken feedback will be disabled when the login screen is shown.
If you set this policy, users can temporarily override it by enabling or disabling spoken feedback. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.
If this policy is left unset, spoken feedback is disabled when the login screen is first shown. Users can enable or disable spoken feedback anytime and its status on the login screen is persisted between users.''',
},
{
'name': 'DeviceLoginScreenDefaultHighContrastEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 217,
'caption': '''Set the default state of high contrast mode on the login screen''',
'tags': [],
'desc': '''Set the default state of the high contrast mode accessibility feature on the login screen.
If this policy is set to true, high contrast mode will be enabled when the login screen is shown.
If this policy is set to false, high contrast mode will be disabled when the login screen is shown.
If you set this policy, users can temporarily override it by enabling or disabling high contrast mode. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.
If this policy is left unset, high contrast mode is disabled when the login screen is first shown. Users can enable or disable high contrast mode anytime and its status on the login screen is persisted between users.''',
},
{
'name': 'DeviceLoginScreenDefaultVirtualKeyboardEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:34-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 256,
'caption': '''Set default state of the on-screen keyboard on the login screen''',
'tags': [],
'desc': '''Set the default state of the on-screen keyboard accessibility feature on the login screen.
If this policy is set to true, the on-screen keyboard will be enabled when the login screen is shown.
If this policy is set to false, the on-screen keyboard will be disabled when the login screen is shown.
If you set this policy, users can temporarily override it by enabling or disabling the on-screen keyboard. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.
If this policy is left unset, the on-screen keyboard is disabled when the login screen is first shown. Users can enable or disable the on-screen keyboard anytime and its status on the login screen is persisted between users.''',
},
{
'name': 'DeviceLoginScreenDefaultScreenMagnifierType',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1 ],
},
'items': [
{
'name': 'None',
'value': 0,
'caption': '''Screen magnifier disabled''',
},
{
'name': 'Full-screen',
'value': 1,
'caption': '''Full-screen magnifier enabled''',
},
],
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 1,
'id': 218,
'caption': '''Set the default screen magnifier type enabled on the login screen''',
'tags': [],
'desc': '''Set the default type of screen magnifier that is enabled on the login screen.
If this policy is set, it controls the type of screen magnifier that is enabled when the login screen is shown. Setting the policy to "None" disables the screen magnifier.
If you set this policy, users can temporarily override it by enabling or disabling the screen magnifier. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.
If this policy is left unset, the screen magnifier is disabled when the login screen is first shown. Users can enable or disable the screen magnifier anytime and its status on the login screen is persisted between users.''',
},
],
},
{
'name': 'HideWebStoreIcon',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:26-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 189,
'caption': '''Hide the web store from the New Tab Page and app launcher''',
'tags': [],
'desc': '''Hide the Chrome Web Store app and footer link from the New Tab Page and <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> app launcher.
When this policy is set to true, the icons are hidden.
When this policy is set to false or is not configured, the icons are visible.''',
},
{
'name': 'DeviceStartUpFlags',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:27-'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': [ "enable-managed-mode", "my-cool-flag" ],
'id': 191,
'caption': '''System wide flags to be applied on <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> start-up''',
'tags': [],
'desc': '''Specifies the flags that should be applied to <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> when it starts. The specified flags are applied on the login screen only. Flags set via this policy do not propagate into user sessions.''',
},
{
'name': 'UptimeLimit',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 86400,
'id': 192,
'caption': '''Limit device uptime by automatically rebooting''',
'tags': [],
'desc': '''Limit the device uptime by scheduling automatic reboots.
When this policy is set, it specifies the length of device uptime after which an automatic reboot is scheduled.
When this policy is not set, the device uptime is not limited.
If you set this policy, users cannot change or override it.
An automatic reboot is scheduled at the selected time but may be delayed on the device by up to 24 hours if a user is currently using the device.
Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress. This will change in the future and the policy will always apply, regardless of whether a session of any particular type is in progress or not.
The policy value should be specified in seconds. Values are clamped to be at least 3600 (one hour).''',
},
{
'name': 'RebootAfterUpdate',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 193,
'caption': '''Automatically reboot after update''',
'tags': [],
'desc': '''Schedule an automatic reboot after a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> update has been applied.
When this policy is set to true, an automatic reboot is scheduled when a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> update has been applied and a reboot is required to complete the update process. The reboot is scheduled immediately but may be delayed on the device by up to 24 hours if a user is currently using the device.
When this policy is set to false, no automatic reboot is scheduled after applying a <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> update. The update process is completed when the user next reboots the device.
If you set this policy, users cannot change or override it.
Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress. This will change in the future and the policy will always apply, regardless of whether a session of any particular type is in progress or not.''',
},
{
'name': 'VariationsRestrictParameter',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome.*:27-', 'android:34-', 'ios:35-47'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': 'restricted',
'id': 196,
'future': True,
'caption': '''Set the restriction on the fetching of the Variations seed''',
'tags': [],
'desc': '''Add a parameter to the fetching of the Variations seed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
If specified, will add a query parameter called 'restrict' to the URL used to fetch the Variations seed. The value of the parameter will be the value specified in this policy.
If not specified, will not modify the Variations seed URL.''',
},
{
'name': 'DeviceVariationsRestrictParameter',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:28-'],
'features': {
'dynamic_refresh': False,
},
'device_only': True,
'example_value': 'restricted',
'id': 199,
'future': True,
'caption': '''Set the restriction on the fetching of the Variations seed''',
'tags': [],
'desc': '''Add a parameter to the fetching of the Variations seed in <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>.
If specified, will add a query parameter called 'restrict' to the URL used to fetch the Variations seed. The value of the parameter will be the value specified in this policy.
If not specified, will not modify the Variations seed URL.''',
},
{
'name': 'Attestation',
'type': 'group',
'caption': 'Remote Attestation',
'desc': 'Configure the remote attestation with TPM mechanism.',
'policies': [
{
'name': 'AttestationEnabledForDevice',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:28-'],
'features': {
'dynamic_refresh': True,
},
'device_only': True,
'example_value': True,
'id': 207,
'caption': '''Enable remote attestation for the device''',
'tags': [],
'desc': '''If true, remote attestation is allowed for the device and a certificate will automatically be generated and uploaded to the Device Management Server.
If it is set to false, or if it is not set, no certificate will be generated and calls to the enterprise.platformKeysPrivate extension API will fail.''',
},
{
'name': 'AttestationEnabledForUser',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:28-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 200,
'caption': '''Enable remote attestation for the user''',
'tags': [],
'desc': '''If true, the user can use the hardware on Chrome devices to remote attest its identity to the privacy CA via the Enterprise Platform Keys API chrome.enterprise.platformKeysPrivate.challengeUserKey().
If it is set to false, or if it is not set, calls to the API will fail with an error code.''',
},
{
'name': 'AttestationExtensionWhitelist',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:28-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['ghdilpkmfbfdnomkmaiogjhjnggaggoi'],
'id': 201,
'caption': '''Extensions allowed to to use the remote attestation API''',
'tags': [],
'desc': '''This policy specifies the allowed extensions to use Enterprise Platform Keys API chrome.enterprise.platformKeysPrivate.challengeUserKey() for remote attestation. Extensions must be added to this list to use the API.
If an extension is not in the list, or the list is not set, the call to the API will fail with an error code.''',
},
{
'name': 'AttestationForContentProtectionEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:31-'],
'features': {
'dynamic_refresh': True,
},
'device_only': True,
'example_value': True,
'id': 239,
'caption': '''Enable the use of remote attestation for content protection for the device''',
'tags': [],
'desc': '''Chrome OS devices can use remote attestation (Verified Access) to get a certificate issued by the Chrome OS CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the Chrome OS CA which uniquely identifies the device.
If this setting is false, the device will not use remote attestation for content protection and the device may be unable to play protected content.
If this setting is true, or if it is not set, remote attestation may be used for content protection.''',
},
],
},
{
'name': 'SuppressChromeFrameTurndownPrompt',
'caption': '''Suppress the <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph> turndown prompt''',
'tags': [],
'desc': '''Suppresses the turndown prompt that appears when a site is rendered by <ph name="PRODUCT_FRAME_NAME">$3<ex>Google Chrome Frame</ex></ph>.''',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_frame:29-32'],
'features': {
'dynamic_refresh': False,
},
'example_value': True,
'id': 221,
},
{
'name': 'LocallyManagedUsers',
'type': 'group',
'caption': '''Locally managed users settings''',
'desc': '''Configure settings for managed users.''',
'policies': [
{
'name': 'ContentPackDefaultFilteringBehavior',
'future': True,
'deprecated': True,
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2 ],
},
'items': [
{
'name': 'Allow',
'value': 0,
'caption': '''Allow access to sites outside of content packs''',
},
{
'name': 'Warn',
'value': 1,
'caption': '''Warn when visiting sites outside of content packs''',
},
{
'name': 'Block',
'value': 2,
'caption': '''Block access to sites outside of content packs''',
},
],
'supported_on': ['chrome.*:28-', 'chrome_os:28-'],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': 2,
'id': 204,
'caption': '''Default behavior for sites not in any content pack''',
'tags': [],
'desc': '''The default behavior for sites not in any content pack.
This policy is for internal use by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> itself.''',
},
{
'name': 'ContentPackManualBehaviorHosts',
'future': True,
'deprecated': True,
'type': 'dict',
'schema': {
'type': 'object',
'additionalProperties': {
'type': 'boolean'
}
},
'supported_on': ['chrome.*:28-', 'chrome_os:28-'],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': {
'www.example.com': True,
'moose.org': False
},
'id': 205,
'caption': '''Managed user manual exception hosts''',
'tags': [],
'desc': '''A dictionary mapping hostnames to a boolean flag specifying whether access to the host should be allowed (true) or blocked (false).
This policy is for internal use by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> itself.''',
},
{
'name': 'ContentPackManualBehaviorURLs',
'future': True,
'deprecated': True,
'type': 'dict',
'schema': {
'type': 'object',
'additionalProperties': {
'type': 'boolean'
}
},
'supported_on': ['chrome.*:28-', 'chrome_os:28-'],
'features': {
'dynamic_refresh': True,
'per_profile': True
},
'example_value': {
'https://www.example.com': True,
'https://moose.org': False
},
'id': 206,
'caption': '''Managed user manual exception URLs''',
'tags': [],
'desc': '''A dictionary mapping URLs to a boolean flag specifying whether access to the host should be allowed (true) or blocked (false).
This policy is for internal use by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> itself.''',
},
{
'name': 'SupervisedUsersEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:29-'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': True,
'id': 219,
'caption': '''Enable supervised users''',
'tags': [],
'desc': '''If set to true, supervised users can be created and used.
If set to false or not configured, supervised-user creation and login will be disabled. All existing supervised users will be hidden.
NOTE: The default behavior for consumer and enterprise devices differs: on consumer devices supervised users are enabled by default, but on enterprise devices they are disabled by default.'''
},
{
'name': 'SupervisedUserCreationEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:29-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 223,
'caption': '''Enable creation of supervised users''',
'tags': [],
'desc': '''If set to false, supervised-user creation by this user will be disabled. Any existing supervised users will still be available.
If set to true or not configured, supervised users can be created and managed by this user.'''
},
{
# SupervisedUserContentProviderEnabled is never accessed through the policy framework, but is
# instead directly accessed as an Android App Restriction (see SupervisedUserContentProvider.java).
# It, however, needs to be here both because this is the source of the list of Chrome's App
# Restrictions on Android, and to avoid possible future naming conflicts with policies.
'name': 'SupervisedUserContentProviderEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['android:49-'],
'features': {
'dynamic_refresh': True,
'per_profile' : True,
},
'example_value': True,
'id': 312,
'caption': '''Enable the supervised user content provider''',
'tags': [],
'desc': '''If true and the user is a supervised user then other Android apps can query the user's web restrictions through a content provider.
If false or unset then the content provider returns no information.'''
},
],
},
{
'name': 'ManagedBookmarks',
'type': 'dict',
'schema': {
'type': 'array',
'items': {
'type': 'object',
'id': 'BookmarkType',
'properties': {
'name': { 'type': 'string' },
'url': { 'type': 'string' },
'children': {
'type': 'array',
'items': { '$ref': 'BookmarkType' },
},
},
},
},
'supported_on': [
'android:30-',
'ios:35-47',
'chrome.*:37-',
'chrome_os:37-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': [
{
"name": "Google",
"url": "google.com"
}, {
"name": "Youtube",
"url": "youtube.com"
}, {
"name": "Chrome links",
"children": [
{
"name": "Chromium",
"url": "chromium.org"
},
{
"name": "Chromium Developers",
"url": "dev.chromium.org"
}
]
}
],
'id': 227,
'caption': '''Managed Bookmarks''',
'tags': [],
'desc': '''Configures a list of managed bookmarks.
The policy consists of a list of bookmarks whereas each bookmark is a
dictionary containing the keys <ph name="NAME">"name"</ph> and <ph
name="URL">"url"</ph> which hold the bookmark's name and its target. A
subfolder may be configured by defining a bookmark without an <ph
name="URL">"url"</ph> key but with an additional <ph
name="CHILDREN">"children"</ph> key which itself contains a list of
bookmarks as defined above (some of which may be folders again). <ph
name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> amends incomplete URLs
as if they were submitted via the Omnibox, for example <ph
name="GOOGLE_COM">"google.com"</ph> becomes <ph
name="HTTPS_GOOGLE_COM">"https://google.com/"</ph>.
These bookmarks are placed in a "Managed bookmarks" folder that can't be modified by the user, but the user can choose to hide it from the bookmark bar. Managed bookmarks are not synced to the user account and can't be modified by extensions.''',
},
{
'name': 'DataCompressionProxyEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['android:31-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 241,
'caption': '''Enable the data compression proxy feature''',
'tags': [],
'desc': '''Enable or disable the data compression proxy and prevents users from changing this setting.
If you enable or disable this setting, users cannot change or override this setting.
If this policy is left not set, the data compression proxy feature will be available for the user to choose whether to use it or not.''',
},
{
'name': 'UserAvatarImage',
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': { "type": "string" },
'hash': { "type": "string" }
},
},
'supported_on': ['chrome_os:34-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': { "url": "https://example.com/avatar.jpg", "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" },
'max_size': 524288,
'id': 249,
'caption': '''User avatar image''',
'tags': [],
'desc': '''Configure user avatar image.
This policy allows you to configure the avatar image representing the user on the login screen. The policy is set by specifying the URL from which <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can download the avatar image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its size must not exceed 512kB. The URL must be accessible without any authentication.
The avatar image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
The policy should be specified as a string that expresses the URL and hash in JSON format, conforming to the following schema:
{
"type": "object",
"properties": {
"url": {
"description": "The URL from which the avatar image can be downloaded.",
"type": "string"
},
"hash": {
"description": "The SHA-256 hash of the avatar image.",
"type": "string"
}
}
}
If this policy is set, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will download and use the avatar image.
If you set this policy, users cannot change or override it.
If the policy is left not set, the user can choose the avatar image representing him/her on the login screen.''',
},
{
'name': 'WallpaperImage',
'type': 'external',
'schema': {
'type': 'object',
'properties': {
'url': { "type": "string" },
'hash': { "type": "string" }
},
},
'supported_on': ['chrome_os:35-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': { "url": "https://example.com/wallpaper.jpg", "hash": "baddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecaf" },
'max_size': 16777216,
'id': 262,
'caption': '''Wallpaper image''',
'tags': [],
'desc': '''Configure wallpaper image.
This policy allows you to configure the wallpaper image that is shown on the desktop and on the login screen background for the user. The policy is set by specifying the URL from which <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication.
The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
The policy should be specified as a string that expresses the URL and hash in JSON format, conforming to the following schema:
{
"type": "object",
"properties": {
"url": {
"description": "The URL from which the wallpaper image can be downloaded.",
"type": "string"
},
"hash": {
"description": "The SHA-256 hash of the wallpaper image.",
"type": "string"
}
}
}
If this policy is set, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will download and use the wallpaper image.
If you set this policy, users cannot change or override it.
If the policy is left not set, the user can choose an image to be shown on the desktop and on the login screen background.''',
},
{
'name': 'EnableDeprecatedWebPlatformFeatures',
'type': 'string-enum-list',
'schema': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'ShowModalDialog_EffectiveUntil20150430'
],
},
},
'items': [
{
'name': 'ShowModalDialog',
'value': 'ShowModalDialog_EffectiveUntil20150430',
'caption': '''Enable ShowModalDialog API through 2015.04.30''',
}
],
'supported_on': ['chrome.*:37-', 'chrome_os:37-', 'android:37-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['ShowModalDialog_EffectiveUntil20150430'],
'id': 270,
'caption': '''Enable deprecated web platform features for a limited time''',
'tags': ['system-security'],
'desc': '''Specify a list of deprecated web platform features to re-enable temporarily.
This policy gives administrators the ability to re-enable deprecated web platform features for a limited time. Features are identified by a string tag and the features corresponding to the tags included in the list specified by this policy will get re-enabled.
If this policy is left not set, or the list is empty or does not match one of the supported string tags, all deprecated web platform features will remain disabled.
While the policy itself is supported on the above platforms, the feature it is enabling may be available on fewer platforms. Not all deprecated Web Platform features can be re-enabled. Only the ones explicitly listed below can be for a limited period of time, which is different per feature. The general format of the string tag will be [DeprecatedFeatureName]_EffectiveUntil[yyyymmdd]. As reference, you can find the intent behind the Web Platform feature changes at https://bit.ly/blinkintents.
''',
},
{
'name': 'DeviceTransferSAMLCookies',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:38-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 271,
'caption': '''Transfer SAML IdP cookies during login''',
'tags': [],
'desc': '''Specifies whether authentication cookies set by a SAML IdP during login should be transferred to the user's profile.
When a user authenticates via a SAML IdP during login, cookies set by the IdP are written to a temporary profile at first. These cookies can be transferred to the user's profile to carry forward the authentication state.
When this policy is set to true, cookies set by the IdP are transferred to the user's profile every time he/she authenticates against the SAML IdP during login.
When this policy is set to false or unset, cookies set by the IdP are transferred to the user's profile during his/her first login on a device only.
This policy affects users whose domain matches the device's enrollment domain only. For all other users, cookies set by the IdP are transferred to the user's profile during his/her first login on the device only.''',
},
{
'name': 'EasyUnlockAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:38-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'default_for_enterprise_users': False,
'id': 272,
'caption': '''Allows Smart Lock to be used''',
'tags': [],
'desc': '''Allows Smart Lock to be used on <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> devices.
If you enable this setting, users will be allowed to use Smart Lock if the requirements for the feature are satisfied.
If you disable this setting, users will not be allowed to use Smart Lock.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.''',
},
{
'name': 'SessionLocales',
'type': 'list',
'schema': {
'type': 'array',
'items': { 'type': 'string' },
},
'supported_on': ['chrome_os:38-'],
'features': {
'can_be_recommended': True,
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': ['de', 'fr'],
'id': 274,
'caption': '''Set the recommended locales for a public session''',
'tags': [],
'desc': '''Sets one or more recommended locales for a public session, allowing users to easily choose one of these locales.
The user can choose a locale and a keyboard layout before starting a public session. By default, all locales supported by <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> are listed in alphabetic order. You can use this policy to move a set of recommended locales to the top of the list.
If this policy is not set, the current UI locale will be pre-selected.
If this policy is set, the recommended locales will be moved to the top of the list and will be visually separated from all other locales. The recommended locales will be listed in the order in which they appear in the policy. The first recommended locale will be pre-selected.
If there is more than one recommended locale, it is assumed that users will want to select among these locales. Locale and keyboard layout selection will be prominently offered when starting a public session. Otherwise, it is assumed that most users will want to use the pre-selected locale. Locale and keyboard layout selection will be less prominently offered when starting a public session.
When this policy is set and automatic login is enabled (see the |DeviceLocalAccountAutoLoginId| and |DeviceLocalAccountAutoLoginDelay| policies), the automatically started public session will use the first recommended locale and the most popular keyboard layout matching this locale.
The pre-selected keyboard layout will always be the most popular layout matching the pre-selected locale.
This policy can only be set as recommended. You can use this policy to move a set of recommended locales to the top but users are always allowed to choose any locale supported by <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> for their session.
''',
},
{
'name': 'BrowserGuestModeEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:38-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 275,
'caption': '''Enable guest mode in browser''',
'tags': [],
'desc': '''If this policy is set to true or not configured, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will enable guest logins. Guest logins are <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> profiles where all windows are in incognito mode.
If this policy is set to false, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not allow guest profiles to be started.''',
},
{
'name': 'BrowserAddPersonEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:39-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 276,
'caption': '''Enable add person in profile manager''',
'tags': [],
'desc': '''If this policy is set to true or not configured, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will allow Add Person from the user manager.
If this policy is set to false, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not allow creation of new profiles from the profile manager.''',
},
{
'name': 'SSLVersionMin',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'ssl3',
'tls1',
'tls1.1',
'tls1.2',
],
},
'items': [
{
'name': 'SSLv3',
'value': 'ssl3',
'caption': 'SSL 3.0',
},
{
'name': 'TLSv1',
'value': 'tls1',
'caption': 'TLS 1.0',
},
{
'name': 'TLSv1.1',
'value': 'tls1.1',
'caption': 'TLS 1.1',
},
{
'name': 'TLSv1.2',
'value': 'tls1.2',
'caption': 'TLS 1.2',
},
],
'supported_on': [
'chrome.*:39-43',
'chrome_os:39-43',
'android:39-43',
'ios:39-43',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'ssl3',
'id': 279,
'caption': '''Minimum SSL version enabled''',
'tags': [],
'desc': '''Warning: SSLv3 support will be entirely removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 43 (around July 2015) and this policy will be removed at the same time.
If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses a default minimum version which is SSLv3 in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 39 and TLS 1.0 in later versions.
Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". When set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored.
Note that, despite the number, "sslv3" is an earlier version than "tls1".''',
},
{
'name': 'SSLVersionFallbackMin',
'type': 'string-enum',
'schema': {
'type': 'string',
'enum': [
'tls1.1',
'tls1.2',
],
},
'items': [
{
'name': 'TLSv1.1',
'value': 'tls1.1',
'caption': 'TLS 1.1',
},
{
'name': 'TLSv1.2',
'value': 'tls1.2',
'caption': 'TLS 1.2',
},
],
'supported_on': [
'chrome.*:50-52',
'chrome_os:50-52',
'android:50-52',
'ios:50-52',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 'tls1.1',
'id': 280,
'caption': '''Minimum TLS version to fallback to''',
'tags': ['system-security'],
'desc': '''Warning: The TLS version fallback will be removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September 2016) and this policy will stop working then.
When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> would previously retry the connection with a lesser version of TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't apply. Regardless, the resulting connection must still comply with SSLVersionMin.
If this policy is not configured or if it is set to "tls1.2" then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> no longer performs this fallback. Note this does not disable support for older TLS versions, only whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers which cannot negotiate versions correctly.
Otherwise, if compatibility with a buggy server must be maintained, this policy may be set to "tls1.1". This is a stopgap measure and the server should be rapidly fixed.''',
},
{
'name': 'RC4Enabled',
'type': 'main',
'schema': {
'type': 'boolean',
},
'supported_on': [
'chrome.*:48-52',
'chrome_os:48-52',
'android:48-52',
'ios:48-52',
],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 310,
'caption': '''Whether RC4 cipher suites in TLS are enabled''',
'tags': ['system-security'],
'desc': '''Warning: RC4 will be completely removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September 2016) and this policy will stop working then.
If the policy is not set, or is set to false, then RC4 cipher suites in TLS will not be enabled. Otherwise it may be set to true to retain compatibility with an outdated server. This is a stopgap measure and the server should be reconfigured.''',
},
{
'name': 'ContextualSearchEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': [
'android:40-',
],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 281,
'caption': '''Enable Touch to Search''',
'tags': [],
'desc': '''Enables the availability of Touch to Search in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>'s content view.
If you enable this setting, Touch to Search will be available to the user and they can choose to turn the feature on or off.
If you disable this setting, Touch to Search will be disabled completely.
If this policy is left not set, it is equivalent to being enabled, see description above.''',
},
{
'name': 'DeviceRebootOnShutdown',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:41-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 284,
'caption': '''Automatic reboot on device shutdown''',
'tags': [],
'desc': '''If this policy is set to false or not configured, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will allow the user to shut down the device.
If this policy is set to true, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will trigger a reboot when the user shuts down the device. <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> replaces all occurrences of shutdown buttons in the UI by reboot buttons. If the user shuts down the device using the power button, it will not automatically reboot, even if the policy is enabled.''',
},
{
'name': 'ExtensionCacheSize',
'type': 'int',
'schema': { 'type': 'integer' },
'supported_on': ['chrome_os:43-'],
'device_only': True,
'features': {
'dynamic_refresh': False,
},
'example_value': 104857600,
'id': 296,
'caption': '''Set Apps and Extensions cache size (in bytes)''',
'tags': [],
'desc': '''<ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> caches Apps and Extensions for installation by multiple users of a single device to avoid re-downloading them for each user.
If this policy is not configured or the value is lower than 1 MB, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will use the default cache size.''',
},
{
'name': 'DeviceLoginScreenDomainAutoComplete',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': [ 'chrome_os:44-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': 'students.school.edu',
'id': 297,
'caption': '''Enable domain name autocomplete during user sign in''',
'tags': [],
'desc': '''If this policy is set to a blank string or not configured, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will not show an autocomplete option during user sign-in flow.
If this policy is set to a string representing a domain name, <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> will show an autocomplete option during user sign-in allowing the user to type in only his user name without the domain name extension. The user will be able to overwrite this domain name extension.''',
},
{
'name': 'ForceMaximizeOnFirstRun',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:43-'],
'features': {
'dynamic_refresh': False,
'per_profile': True,
},
'example_value': True,
'id': 298,
'caption': '''Maximize the first browser window on first run''',
'tags': [],
'desc': '''If this policy is set to true, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will unconditionally maximize the the first window shown on first run.
If this policy is set to false or not configured, the decision whether to maximize the first window shown will be based on the screen size.''',
},
{
'name': 'SSLErrorOverrideAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:44-', 'chrome_os:44-', 'android:44-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': True,
'id': 300,
'caption': '''Allow proceeding from the SSL warning page''',
'tags': [],
'desc': '''Chrome shows a warning page when users navigate to sites that have SSL errors. By default or when this policy is set to true, users are allowed to click through these warning pages.
Setting this policy to false disallows users to click through any warning page.''',
},
{
'name': 'QuicAllowed',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:43-', 'chrome_os:43-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 301,
'caption': '''Allows QUIC protocol''',
'tags': [],
'desc': '''If this policy is set to true or not set usage of QUIC protocol in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is allowed.
If this policy is set to false usage of QUIC protocol is disallowed.''',
},
{
'name': 'KeyPermissions',
'type': 'dict',
'schema': {
'type': 'object',
'additionalProperties': {
'type': 'object',
'properties': {
'allowCorporateKeyUsage': {
'description': '''If set to true, this extension can use all keys that are designated for corporate usage to sign arbitrary data. If set to false, it cannot access any such keys and the user cannot grant such permission either.''',
'type': 'boolean',
},
},
},
},
'supported_on': ['chrome_os:45-'],
'features': {
'dynamic_refresh': True,
'per_profile': True,
},
'example_value': {
'extension1': {
'allowCorporateKeyUsage': True
},
'extension2': {
'allowCorporateKeyUsage': False
}
},
'id': 302,
'caption': 'Key Permissions',
'tags': [],
'desc': '''Grants access to corporate keys to extensions.
Keys are designated for corporate usage if they're generated using the chrome.enterprise.platformKeys API on a managed account. Keys imported or generated in another way are not designated for corporate usage.
Access to keys designated for corporate usage is solely controlled by this policy. The user can neither grant nor withdraw access to corporate keys to or from extensions.
By default an extension cannot use a key designated for corporate usage, which is equivalent to setting allowCorporateKeyUsage to false for that extension.
Only if allowCorporateKeyUsage is set to true for an extension, it can use any platform key marked for corporate usage to sign arbitrary data. This permission should only be granted if the extension is trusted to secure access to the key against attackers.''',
},
{
'name': 'WelcomePageOnOSUpgradeEnabled',
'supported_on': ['chrome.win:45-'],
'type': 'main',
'schema': { 'type': 'boolean' },
'id': 303,
'caption': 'Enable showing the welcome page on the first browser launch following OS upgrade.',
'tags': [],
'desc': '''Enable showing the welcome page on the first browser launch following OS upgrade.
If this policy is set to true or not configured, the browser will re-show the welcome page on the first launch following an OS upgrade.
If this policy is set to false, the browser will not re-show the welcome page on the first launch following an OS upgrade.''',
'features': {
'dynamic_refresh': False,
'per_profile': False
},
'example_value': False
},
{
'name': 'HardwareAccelerationModeEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.*:46-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 304,
'caption': '''Use hardware acceleration when available''',
'tags': [],
'desc': '''Use hardware acceleration when available.
If this policy is set to true or left unset, hardware acceleration will be enabled unless a certain GPU feature is blacklisted.
If this policy is set to false, hardware acceleration will be disabled.''',
},
{
'name': 'UnifiedDesktopEnabledByDefault',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:47-'],
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': True,
'id': 307,
'caption': '''Make Unified Desktop available and turn on by default.''',
'tags': [],
'desc': '''If this policy is set to true, Unified Desktop is allowed and
enabled by default, which allows applications to span multiple displays.
The user may disable Unified Desktop for individual displays by unchecking
it in the display settings.
If this policy is set to false or unset, Unified Desktop will be
disabled. In this case, the user cannot enable the feature.''',
},
{
'name': 'DisplayRotationDefault',
'type': 'int-enum',
'schema': {
'type': 'integer',
'enum': [ 0, 1, 2, 3 ],
},
'items': [
{
'name': 'ROTATE_0',
'value': 0,
'caption': '''Rotate screen by 0 degrees''',
},
{
'name': 'ROTATE_90',
'value': 1,
'caption': '''Rotate screen clockwise by 90 degrees''',
},
{
'name': 'ROTATE_180',
'value': 2,
'caption': '''Rotate screen by 180 degrees''',
},
{
'name': 'ROTATE_270',
'value': 3,
'caption': '''Rotate screen clockwise by 270 degrees''',
},
],
'supported_on': ['chrome_os:48-'],
'device_only': True,
'features': {
'can_be_recommended': False,
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': 1,
'id': 311,
'caption': '''Set default display rotation, reapplied on every reboot''',
'tags': [],
'desc': '''If this policy is set, each display is rotated to the
specified orientation on every reboot, and the first time it is connected
after the policy value has changed. Users may change the display
rotation via the settings page after logging in, but their
setting will be overridden by the policy value at the next reboot.
This policy applies to both the primary and all secondary displays.
If the policy is not set, the default value is 0 degrees and the user is
free to change it. In this case, the default value is not reapplied at
restart.''',
},
{
'name': 'ArcEnabled',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:50-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': False,
'id': 317,
'default_for_enterprise_users': False,
'caption': '''Enable ARC''',
'tags': [],
'desc':
'''When this policy is set to true, ARC will be enabled for the user
(subject to additional policy settings checks - ARC will still be
unavailable if either ephemeral mode or multiple sign-in is enabled
in the current user session).
If this setting is disabled or not configured then enterprise users are
unable to use ARC.''',
},
{
'name': 'ArcApplicationPolicy',
'type': 'string',
'schema': { 'type': 'string' },
'supported_on': ['chrome_os:50-'],
'features': {
'dynamic_refresh': True,
'per_profile': False,
},
'example_value': '',
'id': 318,
'caption': '''Configure ARC apps''',
'tags': [],
'desc':
'''Specifies the ARC application policy as JSON string which can be
handed-off as-is to the ARC runtime. At the moment, this setting is used
solely to specify force-installation of the apps.
If this policy is left not set, no apps are installed automatically.'''
},
{
'name': 'AllowKioskAppControlChromeVersion',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome_os:51-'],
'device_only': True,
'features': {
'dynamic_refresh': True,
},
'example_value': True,
'id': 319,
'caption': '''Allow the auto launched with zero delay kiosk app to control <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version''',
'tags': [],
'desc': '''Whether to allow the auto launched with zero delay kiosk app to control <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version.
This policy controls whether to allow the auto launched with zero delay kiosk app to control <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> version by declaring a required_platform_version in its manifest and use it as the auto update target version prefix.
If the policy is set to true, the value of required_platform_version manifest key of the auto launched with zero delay kiosk app is used as auto update target version prefix.
If the policy is not configured or set to false, the required_platform_version manifest key is ignored and auto update proceeds as normal.''',
},
],
'messages': {
# Messages that are not associated to any policies.
'win_supported_winxpsp2': {
'desc': '''A label specifying the oldest possible compatible version of Windows. This text will appear right next to a label containing the text 'Supported on:'.''',
'text': '''Microsoft Windows XP SP2 or later'''
},
'mac_chrome_preferences': {
'desc': '''A text indicating in Mac OS X Workgroup Manager, that currently the preferences of Chromium are being edited''',
'text': '''<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> preferences'''
},
'doc_data_type': {
'desc': '''Caption text of the field 'data type' in the summary chart of a policy in the generated documentation''',
'text': '''Data type:'''
},
'doc_win_reg_loc': {
'desc': '''Caption text of the field 'windows registry location' in the summary chart of a policy in the generated documentation''',
'text': '''Windows registry location:'''
},
'doc_mac_linux_pref_name': {
'desc': '''Caption text of the field 'mac/linux preference name' in the summary chart of a policy in the generated documentation''',
'text': '''Mac/Linux preference name:'''
},
'doc_android_restriction_name': {
'desc': '''Caption text of the field 'android restriction name' in the summary chart of a policy in the generated documentation''',
'text': '''Android restriction name:'''
},
'doc_android_webview_restriction_name': {
'desc': '''Caption text of the field 'android webview restriction name' in the summary chart of a policy in the generated documentation''',
'text': '''Android WebView restriction name:'''
},
'doc_supported_on': {
'desc': '''Caption text of the list of 'products, platforms and versions where this policy is supported' in the summary chart of a policy in the generated documentation''',
'text': '''Supported on:'''
},
'doc_since_version': {
'desc': '''Text in the summary chart of a policy that specifies the version number in which the policy was introduced.''',
'text': '''since version <ph name="SINCE_VERSION">$6<ex>8</ex></ph>'''
},
'doc_until_version': {
'desc': '''Text in the summary chart of a policy that specifies the version number after which the policy was dropped.''',
'text': '''until version <ph name="UNTIL_VERSION">$6<ex>10</ex></ph>'''
},
'doc_supported_features': {
'desc': '''Caption text of the list of 'policy features that this policy supports' in the summary chart of a policy in the generated documentation''',
'text': '''Supported features:'''
},
'doc_description': {
'desc': '''Caption text of the 'description text' in the summary chart of a policy in the generated documentation''',
'text': '''Description:'''
},
'doc_example_value': {
'desc': '''Caption text of the field 'example value' in the summary chart of a policy in the generated documentation''',
'text': '''Example value:'''
},
'doc_intro': {
'desc': '''Introduction text for the generated policy documentation''',
'text': '''Both Chromium and Google Chrome support the same set of
policies. Please note that this document may include policies that are
targeted for unreleased software versions (i.e. their 'Supported on' entry
refers to an unreleased version) and that such policies are subject to
change or removal without prior notice.
These policies are strictly intended to be used to configure instances of
<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> internal to your
organization. Use of these policies outside of your organization (for
example, in a publicly distributed program) is considered malware and will
likely be labeled as malware by Google and anti-virus vendors.
These settings don't need to be configured manually! Easy-to-use
templates for Windows, Mac and Linux are available for download from <ph
name="POLICY_TEMPLATE_DOWNLOAD_URL">https://www.chromium.org/administrators/policy-templates<ex>
https://www.chromium.org/administrators/policy-templates</ex></ph>.
The recommended way to configure policy on Windows is via GPO, although
provisioning policy via registry is still supported for Windows instances
that are joined to an Active Directory domain.'''
},
'doc_back_to_top': {
'desc': '''Text of a link in the generated policy documentation, that takes the user to the top of the page''',
'text': '''Back to top'''
},
'doc_supported': {
'desc': '''Appears next to the name of each supported feature in the 'list of supported policy features' in the generated policy documentation''',
'text': '''Yes'''
},
'doc_not_supported': {
'desc': '''Appears next to the name of each unsupported feature in the 'list of supported policy features' in the generated policy documentation''',
'text': '''No'''
},
'doc_name_column_title': {
'desc': '''Appears at the top of the policy summary table, over the column of policy names, in the generated policy documentation''',
'text': '''Policy Name'''
},
'doc_description_column_title': {
'desc': '''Appears at the top of the policy summary table, over the column of short policy descriptions, in the generated policy documentation''',
'text': '''Description'''
},
'doc_feature_dynamic_refresh': {
'desc': '''The name of the feature that indicates for a given policy that changes to it are respected by Chromium without a browser restart''',
'text': '''Dynamic Policy Refresh'''
},
'doc_feature_can_be_recommended': {
'desc': '''The name of the feature that indicates for a given policy that it can be recommended, instead of mandatory''',
'text': '''Can Be Recommended'''
},
'doc_feature_can_be_mandatory': {
'desc': '''The name of the feature that indicates for a given policy that it can be mandatory, instead of recommended''',
'text': '''Can Be Mandatory'''
},
'doc_feature_per_profile': {
'desc': '''The name of the feature that indicates whether a policy is applicable to browser Profiles individually or whether it affects the entire browser.''',
'text': '''Per Profile'''
},
'doc_deprecated': {
'desc': '''Text appended in parentheses to the policy name to indicate that it has been deprecated''',
'text': 'deprecated',
},
'doc_recommended': {
'desc': '''Text appended in parentheses next to the policies top-level container to indicate that those policies are of the Recommended level''',
'text': 'Default Settings (users can override)',
},
'doc_complex_policies_on_windows': {
'desc': '''Text pointing the user to a help article for complex policies on Windows''',
'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POLICIES_URL">https://www.chromium.org/administrators/complex-policies-on-windows<ex>https://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>''',
},
},
'placeholders': [],
}