Atomic Policy Groups

Both Chromium and Google Chrome have some groups of policies that depend on each other to provide control over a feature. These sets are represented by the following policy groups. Given that policies can have multiple sources, only values coming from the highest priority source will be applied. Values coming from a lower priority source in the same group will be ignored. The order of priority is defined in

Policy NameDescription
ActiveDirectoryManagementMicrosoft® Active Directory® management settings
DeviceMachinePasswordChangeRateMachine password change rate
DeviceUserPolicyLoopbackProcessingModeUser policy loopback processing mode
DeviceKerberosEncryptionTypesAllowed Kerberos encryption types
DeviceGpoCacheLifetimeGPO cache lifetime
DeviceAuthDataCacheLifetimeAuthentication data cache lifetime
AttestationEnabledForDeviceEnable remote attestation for the device
AttestationEnabledForUserEnable remote attestation for the user
AttestationExtensionWhitelistExtensions allowed to to use the remote attestation API
AttestationForContentProtectionEnabledEnable the use of remote attestation for content protection for the device
BrowserSwitcherLegacy Browser Support
AlternativeBrowserPathAlternative browser to launch for configured websites.
AlternativeBrowserParametersCommand-line parameters for the alternative browser.
BrowserSwitcherChromePathPath to Chrome for switching from the alternative browser.
BrowserSwitcherChromeParametersCommand-line parameters for switching from the alternative browser.
BrowserSwitcherDelayDelay before launching alternative browser (milliseconds)
BrowserSwitcherEnabledEnable the Legacy Browser Support feature.
BrowserSwitcherExternalSitelistUrlURL of an XML file that contains URLs to load in an alternative browser.
BrowserSwitcherExternalGreylistUrlURL of an XML file that contains URLs that should never trigger a browser switch.
BrowserSwitcherKeepLastChromeTabKeep last tab open in Chrome.
BrowserSwitcherUrlListWebsites to open in alternative browser
BrowserSwitcherUrlGreylistWebsites that should never trigger a browser switch.
BrowserSwitcherUseIeSitelistUse Internet Explorer's SiteList policy for Legacy Browser Support.
ChromeReportingExtensionChrome Reporting Extension
ReportVersionDataReport OS and Chromium Version Information
ReportPolicyDataReport Chromium Policy Information
ReportMachineIDDataReport Machine Identification information
ReportUserIDDataReport User Identification information
ReportExtensionsAndPluginsDataReport Extensions and Plugins information
ReportSafeBrowsingDataReport Safe Browsing information
CloudReportingEnabledEnables Chromium cloud reporting
ContentPackContent pack
ContentPackDefaultFilteringBehaviorDefault behavior for sites not in any content pack
ContentPackManualBehaviorHostsManaged user manual exception hosts
ContentPackManualBehaviorURLsManaged user manual exception URLs
CookiesSettingsCookies settings
DefaultCookiesSettingDefault cookies setting
CookiesAllowedForUrlsAllow cookies on these sites
CookiesBlockedForUrlsBlock cookies on these sites
CookiesSessionOnlyForUrlsLimit cookies from matching URLs to the current session
DateAndTimeDate and time
SystemTimezoneAutomaticDetectionConfigure the automatic timezone detection method
DefaultSearchProviderDefault search provider
DefaultSearchProviderEnabledEnable the default search provider
DefaultSearchProviderNameDefault search provider name
DefaultSearchProviderKeywordDefault search provider keyword
DefaultSearchProviderSearchURLDefault search provider search URL
DefaultSearchProviderSuggestURLDefault search provider suggest URL
DefaultSearchProviderInstantURLDefault search provider instant URL
DefaultSearchProviderIconURLDefault search provider icon
DefaultSearchProviderEncodingsDefault search provider encodings
DefaultSearchProviderAlternateURLsList of alternate URLs for the default search provider
DefaultSearchProviderSearchTermsReplacementKeyParameter controlling search term placement for the default search provider
DefaultSearchProviderImageURLParameter providing search-by-image feature for the default search provider
DefaultSearchProviderNewTabURLDefault search provider new tab page URL
DefaultSearchProviderSearchURLPostParamsParameters for search URL which uses POST
DefaultSearchProviderSuggestURLPostParamsParameters for suggest URL which uses POST
DefaultSearchProviderInstantURLPostParamsParameters for instant URL which uses POST
DefaultSearchProviderImageURLPostParamsParameters for image URL which uses POST
DeviceDisplayResolutionSet display resolution and scale factor
DisplayRotationDefaultSet default display rotation, reapplied on every reboot
DriveDisabledDisable Drive in the Chromium OS Files app
DriveDisabledOverCellularDisable Google Drive over cellular connections in the Chromium OS Files app
ExtensionInstallBlacklistConfigure extension installation blacklist
ExtensionInstallWhitelistConfigure extension installation whitelist
ExtensionInstallForcelistConfigure the list of force-installed apps and extensions
ExtensionInstallSourcesConfigure extension, app, and user script install sources
ExtensionAllowedTypesConfigure allowed app/extension types
ExtensionAllowInsecureUpdatesAllow insecure algorithms in integrity checks on extension updates and installs
ExtensionSettingsExtension management settings
GoogleCastGoogle Cast
CastReceiverEnabledEnable casting content to the device
CastReceiverNameName of the Google Cast destination
HomepageLocationConfigure the home page URL
HomepageIsNewTabPageUse New Tab Page as homepage
NewTabPageLocationConfigure the New Tab page URL
ShowHomeButtonShow Home button on toolbar
ImageSettingsImage settings
DefaultImagesSettingDefault images setting
ImagesAllowedForUrlsAllow images on these sites
ImagesBlockedForUrlsBlock images on these sites
JavascriptSettingsJavascript settings
DefaultJavaScriptSettingDefault JavaScript setting
JavaScriptAllowedForUrlsAllow JavaScript on these sites
JavaScriptBlockedForUrlsBlock JavaScript on these sites
KeygenSettingsKeygen settings
DefaultKeygenSettingDefault key generation setting
KeygenAllowedForUrlsAllow key generation on these sites
KeygenBlockedForUrlsBlock key generation on these sites
KioskKiosk settings
DeviceLocalAccountsDevice-local accounts
DeviceLocalAccountAutoLoginIdDevice-local account for auto-login
DeviceLocalAccountAutoLoginDelayDevice-local account auto-login timer
DeviceLocalAccountAutoLoginBailoutEnabledEnable bailout keyboard shortcut for auto-login
DeviceLocalAccountPromptForNetworkWhenOfflineEnable network configuration prompt when offline
LoginScreenOriginsLogin and screen origins
DeviceLoginScreenIsolateOriginsEnable Site Isolation for specified origins
DeviceLoginScreenSitePerProcessEnable Site Isolation for every site
NativeMessagingNative messaging
NativeMessagingBlacklistConfigure native messaging blacklist
NativeMessagingWhitelistConfigure native messaging whitelist
NativeMessagingUserLevelHostsAllow user-level Native Messaging hosts (installed without admin permissions)
NetworkFileSharesNetwork File Shares settings
NetworkFileSharesAllowedContorls Network File Shares for ChromeOS availability
NetBiosShareDiscoveryEnabledControls Network File Share discovery via NetBIOS
NTLMShareAuthenticationEnabledControls enabling NTLM as an authentication protocol for SMB mounts
NetworkFileSharesPreconfiguredSharesList of preconfigured network file shares.
NotificationsSettingsNotification settings
DefaultNotificationsSettingDefault notification setting
NotificationsAllowedForUrlsAllow notifications on these sites
NotificationsBlockedForUrlsBlock notifications on these sites
PasswordManagerPassword manager
PasswordManagerEnabledEnable saving passwords to the password manager
PasswordManagerAllowShowPasswordsAllow users to show passwords in Password Manager (deprecated)
PasswordProtectionPassword protection
PasswordProtectionWarningTriggerPassword protection warning trigger
PasswordProtectionLoginURLsConfigure the list of enterprise login URLs where password protection service should capture fingerprint of password.
PasswordProtectionChangePasswordURLConfigure the change password URL.
PinUnlockPin unlock
PinUnlockMinimumLengthSet the minimum length of the lock screen PIN
PinUnlockMaximumLengthSet the maximum length of the lock screen PIN
PinUnlockWeakPinsAllowedEnable users to set weak PINs for the lock screen PIN
PluginVmAllowedAllow devices to use a PluginVm on Chromium OS
PluginVmLicenseKeyPluginVm license key
PluginVmImagePluginVm image
PluginsSettingsPlugins settings
DefaultPluginsSettingDefault Flash setting
PluginsAllowedForUrlsAllow the Flash plugin on these sites
PluginsBlockedForUrlsBlock the Flash plugin on these sites
PopupsSettingsPopups settings
DefaultPopupsSettingDefault popups setting
PopupsAllowedForUrlsAllow popups on these sites
PopupsBlockedForUrlsBlock popups on these sites
ProxyModeChoose how to specify proxy server settings
ProxyServerModeChoose how to specify proxy server settings
ProxyServerAddress or URL of proxy server
ProxyPacUrlURL to a proxy .pac file
ProxyBypassListProxy bypass rules
ProxySettingsProxy settings
QuickUnlockQuick unlock
QuickUnlockModeWhitelistConfigure allowed quick unlock modes
QuickUnlockTimeoutSet how often user has to enter password to use quick unlock
RemoteAccessRemote access
RemoteAccessClientFirewallTraversalEnable firewall traversal from remote access client
RemoteAccessHostClientDomainConfigure the required domain name for remote access clients
RemoteAccessHostClientDomainListConfigure the required domain names for remote access clients
RemoteAccessHostFirewallTraversalEnable firewall traversal from remote access host
RemoteAccessHostDomainConfigure the required domain name for remote access hosts
RemoteAccessHostDomainListConfigure the required domain names for remote access hosts
RemoteAccessHostRequireTwoFactorEnable two-factor authentication for remote access hosts
RemoteAccessHostTalkGadgetPrefixConfigure the TalkGadget prefix for remote access hosts
RemoteAccessHostRequireCurtainEnable curtaining of remote access hosts
RemoteAccessHostAllowClientPairingEnable or disable PIN-less authentication for remote access hosts
RemoteAccessHostAllowGnubbyAuthAllow gnubby authentication for remote access hosts
RemoteAccessHostAllowRelayedConnectionEnable the use of relay servers by the remote access host
RemoteAccessHostUdpPortRangeRestrict the UDP port range used by the remote access host
RemoteAccessHostMatchUsernameRequire that the name of the local user and the remote access host owner match
RemoteAccessHostTokenUrlURL where remote access clients should obtain their authentication token
RemoteAccessHostTokenValidationUrlURL for validating remote access client authentication token
RemoteAccessHostTokenValidationCertificateIssuerClient certificate for connecting to RemoteAccessHostTokenValidationUrl
RemoteAccessHostDebugOverridePoliciesPolicy overrides for Debug builds of the remote access host
RemoteAccessHostAllowUiAccessForRemoteAssistanceAllow remote users to interact with elevated windows in remote assistance sessions
RemoteAccessHostAllowFileTransferAllow remote access users to transfer files to/from the host
RestoreOnStartupAction on startup
RestoreOnStartupAction on startup
RestoreOnStartupURLsURLs to open on startup
DeviceSamlLoginAuthenticationTypeSAML login authentication type
DeviceTransferSAMLCookiesTransfer SAML IdP cookies during login
SafeBrowsingSafe Browsing settings
SafeBrowsingEnabledEnable Safe Browsing
SafeBrowsingExtendedReportingEnabledEnable Safe Browsing Extended Reporting
SafeBrowsingExtendedReportingOptInAllowedAllow users to opt in to Safe Browsing extended reporting
SafeBrowsingWhitelistDomainsConfigure the list of domains on which Safe Browsing will not trigger warnings.
SupervisedUsersSupervised users
SupervisedUsersEnabledEnable supervised users
SupervisedUserCreationEnabledEnable creation of supervised users
SupervisedUserContentProviderEnabledEnable the supervised user content provider
UserAndDeviceReportingUser and device reporting
ReportDeviceVersionInfoReport OS and firmware version
ReportDeviceBootModeReport device boot mode
ReportDeviceUsersReport device users
ReportDeviceActivityTimesReport device activity times
ReportDeviceLocationReport device location
ReportDeviceNetworkInterfacesReport device network interfaces
ReportDeviceHardwareStatusReport hardware status
ReportDeviceSessionStatusReport information about active kiosk sessions
ReportDeviceBoardStatusReport board status
ReportDevicePowerStatusReport power status
ReportDeviceStorageStatusReport storage status
ReportUploadFrequencyFrequency of device status report uploads
ReportArcStatusEnabledReport information about status of Android
HeartbeatEnabledSend network packets to the management server to monitor online status
HeartbeatFrequencyFrequency of monitoring network packets
LogUploadEnabledSend system logs to the management server
DeviceMetricsReportingEnabledEnable metrics reporting
WebUsbSettingsWeb USB settings
DefaultWebUsbGuardSettingControl use of the WebUSB API
DeviceWebUsbAllowDevicesForUrlsAutomatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
WebUsbAllowDevicesForUrlsAutomatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
WebUsbAskForUrlsAllow WebUSB on these sites
WebUsbBlockedForUrlsBlock WebUSB on these sites
DeviceWiFiFastTransitionEnabledEnable 802.11r Fast Transition
DeviceWiFiAllowedEnable WiFi