Atomic Policy Groups
This page is obsolete. Please see Chrome Enterprise policy list instead.
Both Chromium and Google Chrome have some groups of policies that depend on each other to provide control over a feature. These sets are represented by the following policy groups. Given that policies can have multiple sources, only values coming from the highest priority source will be applied. Values coming from a lower priority source in the same group will be ignored. The order of priority is defined in https://support.google.com/chrome/a/?p=policy_order.
Policy Name | Description |
ActiveDirectoryManagement | Microsoft® Active Directory® management settings |
DeviceMachinePasswordChangeRate | Machine password change rate |
DeviceUserPolicyLoopbackProcessingMode | User policy loopback processing mode |
DeviceKerberosEncryptionTypes | Allowed Kerberos encryption types |
DeviceGpoCacheLifetime | GPO cache lifetime |
DeviceAuthDataCacheLifetime | Authentication data cache lifetime |
Attestation | Attestation |
AttestationEnabledForDevice | Enable remote attestation for the device |
AttestationEnabledForUser | Enable remote attestation for the user |
AttestationExtensionWhitelist | Extensions allowed to to use the remote attestation API |
AttestationForContentProtectionEnabled | Enable the use of remote attestation for content protection for the device |
BrowserSwitcher | Legacy Browser Support |
AlternativeBrowserPath | Alternative browser to launch for configured websites. |
AlternativeBrowserParameters | Command-line parameters for the alternative browser. |
BrowserSwitcherChromePath | Path to Chrome for switching from the alternative browser. |
BrowserSwitcherChromeParameters | Command-line parameters for switching from the alternative browser. |
BrowserSwitcherDelay | Delay before launching alternative browser (milliseconds) |
BrowserSwitcherEnabled | Enable the Legacy Browser Support feature. |
BrowserSwitcherExternalSitelistUrl | URL of an XML file that contains URLs to load in an alternative browser. |
BrowserSwitcherExternalGreylistUrl | URL of an XML file that contains URLs that should never trigger a browser switch. |
BrowserSwitcherKeepLastChromeTab | Keep last tab open in Chrome. |
BrowserSwitcherUrlList | Websites to open in alternative browser |
BrowserSwitcherUrlGreylist | Websites that should never trigger a browser switch. |
BrowserSwitcherUseIeSitelist | Use Internet Explorer's SiteList policy for Legacy Browser Support. |
ChromeReportingExtension | Chrome Reporting Extension |
ReportVersionData | Report OS and Chromium Version Information |
ReportPolicyData | Report Chromium Policy Information |
ReportMachineIDData | Report Machine Identification information |
ReportUserIDData | Report User Identification information |
ReportExtensionsAndPluginsData | Report Extensions and Plugins information |
ReportSafeBrowsingData | Report Safe Browsing information |
CloudReportingEnabled | Enables Chromium cloud reporting |
ContentPack | Content pack |
ContentPackDefaultFilteringBehavior | Default behavior for sites not in any content pack |
ContentPackManualBehaviorHosts | Managed user manual exception hosts |
ContentPackManualBehaviorURLs | Managed user manual exception URLs |
CookiesSettings | Cookies settings |
DefaultCookiesSetting | Default cookies setting |
CookiesAllowedForUrls | Allow cookies on these sites |
CookiesBlockedForUrls | Block cookies on these sites |
CookiesSessionOnlyForUrls | Limit cookies from matching URLs to the current session |
DateAndTime | Date and time |
SystemTimezone | Timezone |
SystemTimezoneAutomaticDetection | Configure the automatic timezone detection method |
DefaultSearchProvider | Default search provider |
DefaultSearchProviderEnabled | Enable the default search provider |
DefaultSearchProviderName | Default search provider name |
DefaultSearchProviderKeyword | Default search provider keyword |
DefaultSearchProviderSearchURL | Default search provider search URL |
DefaultSearchProviderSuggestURL | Default search provider suggest URL |
DefaultSearchProviderInstantURL | Default search provider instant URL |
DefaultSearchProviderIconURL | Default search provider icon |
DefaultSearchProviderEncodings | Default search provider encodings |
DefaultSearchProviderAlternateURLs | List of alternate URLs for the default search provider |
DefaultSearchProviderSearchTermsReplacementKey | Parameter controlling search term placement for the default search provider |
DefaultSearchProviderImageURL | Parameter providing search-by-image feature for the default search provider |
DefaultSearchProviderNewTabURL | Default search provider new tab page URL |
DefaultSearchProviderSearchURLPostParams | Parameters for search URL which uses POST |
DefaultSearchProviderSuggestURLPostParams | Parameters for suggest URL which uses POST |
DefaultSearchProviderInstantURLPostParams | Parameters for instant URL which uses POST |
DefaultSearchProviderImageURLPostParams | Parameters for image URL which uses POST |
Display | Display |
DeviceDisplayResolution | Set display resolution and scale factor |
DisplayRotationDefault | Set default display rotation, reapplied on every reboot |
Drive | Drive |
DriveDisabled | Disable Drive in the Chromium OS Files app |
DriveDisabledOverCellular | Disable Google Drive over cellular connections in the Chromium OS Files app |
Extensions | Extensions |
ExtensionInstallBlacklist | Configure extension installation blacklist |
ExtensionInstallWhitelist | Configure extension installation whitelist |
ExtensionInstallForcelist | Configure the list of force-installed apps and extensions |
ExtensionInstallSources | Configure extension, app, and user script install sources |
ExtensionAllowedTypes | Configure allowed app/extension types |
ExtensionAllowInsecureUpdates | Allow insecure algorithms in integrity checks on extension updates and installs |
ExtensionSettings | Extension management settings |
GoogleCast | Google Cast |
CastReceiverEnabled | Enable casting content to the device |
CastReceiverName | Name of the Google Cast destination |
Homepage | Homepage |
HomepageLocation | Configure the home page URL |
HomepageIsNewTabPage | Use New Tab Page as homepage |
NewTabPageLocation | Configure the New Tab page URL |
ShowHomeButton | Show Home button on toolbar |
ImageSettings | Image settings |
DefaultImagesSetting | Default images setting |
ImagesAllowedForUrls | Allow images on these sites |
ImagesBlockedForUrls | Block images on these sites |
JavascriptSettings | Javascript settings |
DefaultJavaScriptSetting | Default JavaScript setting |
JavaScriptAllowedForUrls | Allow JavaScript on these sites |
JavaScriptBlockedForUrls | Block JavaScript on these sites |
KeygenSettings | Keygen settings |
DefaultKeygenSetting | Default key generation setting |
KeygenAllowedForUrls | Allow key generation on these sites |
KeygenBlockedForUrls | Block key generation on these sites |
Kiosk | Kiosk settings |
DeviceLocalAccounts | Device-local accounts |
DeviceLocalAccountAutoLoginId | Device-local account for auto-login |
DeviceLocalAccountAutoLoginDelay | Device-local account auto-login timer |
DeviceLocalAccountAutoLoginBailoutEnabled | Enable bailout keyboard shortcut for auto-login |
DeviceLocalAccountPromptForNetworkWhenOffline | Enable network configuration prompt when offline |
LoginScreenOrigins | Login and screen origins |
DeviceLoginScreenIsolateOrigins | Enable Site Isolation for specified origins |
DeviceLoginScreenSitePerProcess | Enable Site Isolation for every site |
NativeMessaging | Native messaging |
NativeMessagingBlacklist | Configure native messaging blacklist |
NativeMessagingWhitelist | Configure native messaging whitelist |
NativeMessagingUserLevelHosts | Allow user-level Native Messaging hosts (installed without admin permissions) |
NetworkFileShares | Network File Shares settings |
NetworkFileSharesAllowed | Controls Network File Shares for ChromeOS availability |
NetBiosShareDiscoveryEnabled | Controls Network File Share discovery via NetBIOS |
NTLMShareAuthenticationEnabled | Controls enabling NTLM as an authentication protocol for SMB mounts |
NetworkFileSharesPreconfiguredShares | List of preconfigured network file shares. |
NotificationsSettings | Notification settings |
DefaultNotificationsSetting | Default notification setting |
NotificationsAllowedForUrls | Allow notifications on these sites |
NotificationsBlockedForUrls | Block notifications on these sites |
PasswordManager | Password manager |
PasswordManagerEnabled | Enable saving passwords to the password manager |
PasswordManagerAllowShowPasswords | Allow users to show passwords in Password Manager (deprecated) |
PasswordProtection | Password protection |
PasswordProtectionWarningTrigger | Password protection warning trigger |
PasswordProtectionLoginURLs | Configure the list of enterprise login URLs where password protection service should capture fingerprint of password. |
PasswordProtectionChangePasswordURL | Configure the change password URL. |
PinUnlock | Pin unlock |
PinUnlockMinimumLength | Set the minimum length of the lock screen PIN |
PinUnlockMaximumLength | Set the maximum length of the lock screen PIN |
PinUnlockWeakPinsAllowed | Enable users to set weak PINs for the lock screen PIN |
PluginVm | PluginVm |
PluginVmAllowed | Allow devices to use a PluginVm on Chromium OS |
PluginVmLicenseKey | PluginVm license key |
PluginVmImage | PluginVm image |
PluginsSettings | Plugins settings |
DefaultPluginsSetting | Default Flash setting |
PluginsAllowedForUrls | Allow the Flash plugin on these sites |
PluginsBlockedForUrls | Block the Flash plugin on these sites |
PopupsSettings | Popups settings |
DefaultPopupsSetting | Default popups setting |
PopupsAllowedForUrls | Allow popups on these sites |
PopupsBlockedForUrls | Block popups on these sites |
Proxy | Proxy |
ProxyMode | Choose how to specify proxy server settings |
ProxyServerMode | Choose how to specify proxy server settings |
ProxyServer | Address or URL of proxy server |
ProxyPacUrl | URL to a proxy .pac file |
ProxyBypassList | Proxy bypass rules |
ProxySettings | Proxy settings |
QuickUnlock | Quick unlock |
QuickUnlockModeWhitelist | Configure allowed quick unlock modes |
QuickUnlockTimeout | Set how often user has to enter password to use quick unlock |
RemoteAccess | Remote access |
RemoteAccessClientFirewallTraversal | Enable firewall traversal from remote access client |
RemoteAccessHostClientDomain | Configure the required domain name for remote access clients |
RemoteAccessHostClientDomainList | Configure the required domain names for remote access clients |
RemoteAccessHostFirewallTraversal | Enable firewall traversal from remote access host |
RemoteAccessHostDomain | Configure the required domain name for remote access hosts |
RemoteAccessHostDomainList | Configure the required domain names for remote access hosts |
RemoteAccessHostRequireTwoFactor | Enable two-factor authentication for remote access hosts |
RemoteAccessHostTalkGadgetPrefix | Configure the TalkGadget prefix for remote access hosts |
RemoteAccessHostRequireCurtain | Enable curtaining of remote access hosts |
RemoteAccessHostAllowClientPairing | Enable or disable PIN-less authentication for remote access hosts |
RemoteAccessHostAllowGnubbyAuth | Allow gnubby authentication for remote access hosts |
RemoteAccessHostAllowRelayedConnection | Enable the use of relay servers by the remote access host |
RemoteAccessHostUdpPortRange | Restrict the UDP port range used by the remote access host |
RemoteAccessHostMatchUsername | Require that the name of the local user and the remote access host owner match |
RemoteAccessHostTokenUrl | URL where remote access clients should obtain their authentication token |
RemoteAccessHostTokenValidationUrl | URL for validating remote access client authentication token |
RemoteAccessHostTokenValidationCertificateIssuer | Client certificate for connecting to RemoteAccessHostTokenValidationUrl |
RemoteAccessHostDebugOverridePolicies | Policy overrides for Debug builds of the remote access host |
RemoteAccessHostAllowUiAccessForRemoteAssistance | Allow remote users to interact with elevated windows in remote assistance sessions |
RemoteAccessHostAllowFileTransfer | Allow remote access users to transfer files to/from the host |
RestoreOnStartup | Action on startup |
RestoreOnStartup | Action on startup |
RestoreOnStartupURLs | URLs to open on startup |
SAML | SAML |
DeviceTransferSAMLCookies | Transfer SAML IdP cookies during login |
SafeBrowsing | Safe Browsing settings |
SafeBrowsingEnabled | Enable Safe Browsing |
SafeBrowsingExtendedReportingEnabled | Enable Safe Browsing Extended Reporting |
SafeBrowsingExtendedReportingOptInAllowed | Allow users to opt in to Safe Browsing extended reporting |
SafeBrowsingWhitelistDomains | Configure the list of domains on which Safe Browsing will not trigger warnings. |
SupervisedUsers | Supervised users |
SupervisedUsersEnabled | Enable supervised users |
SupervisedUserCreationEnabled | Enable creation of supervised users |
SupervisedUserContentProviderEnabled | Enable the supervised user content provider |
UserAndDeviceReporting | User and device reporting |
ReportDeviceVersionInfo | Report OS and firmware version |
ReportDeviceBootMode | Report device boot mode |
ReportDeviceUsers | Report device users |
ReportDeviceActivityTimes | Report device activity times |
ReportDeviceLocation | Report device location |
ReportDeviceNetworkInterfaces | Report device network interfaces |
ReportDeviceHardwareStatus | Report hardware status |
ReportDeviceSessionStatus | Report information about active kiosk sessions |
ReportDeviceBoardStatus | Report board status |
ReportDevicePowerStatus | Report power status |
ReportDeviceStorageStatus | Report storage status |
ReportUploadFrequency | Frequency of device status report uploads |
ReportArcStatusEnabled | Report information about status of Android |
HeartbeatEnabled | Send network packets to the management server to monitor online status |
HeartbeatFrequency | Frequency of monitoring network packets |
LogUploadEnabled | Send system logs to the management server |
DeviceMetricsReportingEnabled | Enable metrics reporting |
WebUsbSettings | Web USB settings |
DefaultWebUsbGuardSetting | Control use of the WebUSB API |
DeviceWebUsbAllowDevicesForUrls | Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs. |
WebUsbAllowDevicesForUrls | Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs. |
WebUsbAskForUrls | Allow WebUSB on these sites |
WebUsbBlockedForUrls | Block WebUSB on these sites |
WiFi | WiFi |
DeviceWiFiFastTransitionEnabled | Enable 802.11r Fast Transition |
DeviceWiFiAllowed | Enable WiFi |