Category filter
Configure ChromeOS device restrictions from Hexnode UEM
Hexnode UEM allows administrators to enforce various restrictions on ChromeOS devices. This document will help you effectively set up both basic and advanced restrictions on your managed devices. These restrictions allow admins to control various settings, such as display, Google Cast, cloud storage, security and privacy, lock screen accessibility and more.
Note:
The availability of device restrictions may vary depending on the Hexnode UEM plan you have subscribed to and the version of the endpoint.
Basic restrictions
To configure basic restrictions on your ChromeOS devices:
- Login to your Hexnode portal and navigate to Policies.
- Click on New Policy to create a new one by providing a policy name and description (optional) or click on any existing policy to edit it.
- Navigate to ChromeOS > Restrictions.
- Click on Configure.
- External display resolution scale – The available values range from 50 – 150, in multiples of 5.
- External display height – The available values range from 100 to 10000.
- External display width – The available values range from 1 to 10000.
- Remove immediately
- One hour
- One day
- One month
- One year
- Login to your Hexnode UEM portal.
- Navigate to Policies. You can either create a new policy or click on any policy name to edit an existing one.
- Enter the Policy Name and Description in the provided fields.
- Navigate to ChromeOS > Advanced Restrictions.
- Click on Configure.
- Disable screen magnifier– Disables the magnification on the device.
- Enable full-screen magnifier-Enlarges the entire screen for better visibility.
- Enable docked magnifier– Displays a magnified view in a fixed portion of the screen while keeping the rest at normal size.
- Disable screen magnifier on the sign-in screen
- Enable full-screen magnifier on the sign- in screen
- Enable docked magnifier on the sign-in screen
- Allow using create themes with AI
- Allow using create themes with AI without data collection
- Fully disable create themes with AI
- Allow using “Help me write”
- Allow using “Help me write” without data collection
- Fully disable “Help me write”
- Allow using tab organizer
- Allow using tab organizer without data collection
- Fully disable tab organizer
- Allow using DevTools AI features
- Allow using DevTools AI features without data collection
- Fully disable DevTools AI features
- Use pre-assigned MAC address.
- Use Chromebook built-in MAC address.
- Use dock built-in MAC address.
- Allow users to connect to networks not configured in this organizational unit.
- Restrict users to only connect to Wi-Fi networks configured for this organizational unit.
- Restrict users to only connect to Wi-Fi networks configured for this organizational unit, but only if such networks are in range of the device.
- To specific endpoints
- To no endpoints
- To any endpoint
- Restrict sign-in to a list of users
- Allow any user to sign in
- Do not allow any user to sign in
- Activate account recovery
- Defer activation of account recovery until migration phase
- Activate account recovery and allow users to override
- Deactivate account recovery
- Allow users to go directly to SAML SSO IdP page
- Take users to the default Google sign-in screen
- Allow users to go directly to SAML SSO IdP page
- Take users to the default Google sign-in screen
- Allow the user to decide
- Disable integrated second factor
- Enable integrated second factor
- Navigate to Policy Targets > Domains/OUs.
- Click on +Add Domain/OUs. From the list, select the Google Workspace account integrated with Hexnode, indicated by the (Google) tag.
- The parent OU will be listed here and is indicated with a briefcase icon to differentiate it from domains.
- Click the dropdown next to the parent OU to view its child OUs. Select the required Organizational Units and click OK.
- Note that a policy assigned to a parent OU will automatically apply to all its child OUs. Associate the policies to the OUs, to which the target devices are assigned.
- Click Save to associate the policy to the devices under the selected Organization Units.
Display Settings
| Restriction | Description | Supported OS versions |
|---|---|---|
| Allow user to change settings | Check this option to allow the user to modify the settings on the device end. | ChromeOS 72+ |
| Primary display resolution scale | Users can adjust the size of text and other UI elements on the primary screen. Different sizes can be selected from the drop-down menu. The available values are Default and range from 50 – 150. | ChromeOS 72+ |
| Use native resolution for external displays | When checked, external monitors automatically use their best supported resolution. If unchecked, you must manually adjust the resolution and scaling for the connected external monitors.
Choose the values from the drop-down menu. There are three fields from which you can select the values separately for each. |
ChromeOS 72+ |
Google Cast
| Restriction | Description | Supported OS versions |
|---|---|---|
| Google Cast | When unchecked, the Google Cast feature will be restricted, preventing users from casting content to external devices. | ChromeOS 52+ |
| Google Cast can connect to all devices | When unchecked, the Google Cast functionality will be limited to connecting only with devices on private IP addresses, such as those within the same local network (e.g., home or office Wi-Fi). | ChromeOS 67+ |
| Google Cast toolbar icon | If unchecked, the Google Cast icon will not appear in the toolbar by default. Users can manually pin or remove it from the contextual menu. | ChromeOS 58+ |
| Media controls for Google Cast sessions started by others | When unchecked, media controls (For e.g. play, pause, skip, volume adjustment, mute, unmute and more) will not appear on your device for Google Cast sessions started by other devices on the local network. | ChromeOS 110+ |
| Google Cast connection using access code/QR code | When unchecked, users will be unable to cast content to devices via a connection initiated with a QR code or access code. | ChromeOS 102+ |
| Time limit | This option is available only if Google Cast connection using access code/QR code option is checked. Specify the duration for which devices connected using an access code or QR code should remain visible in the cast menu. Once this duration expires, the devices will no longer appear in the cast menu, and users will need to re-scan the QR code or re-enter the access code to cast again. The available options are:
Note:
|
ChromeOS 103+ |
Cloud storage
| Restriction | Description | Supported OS versions |
|---|---|---|
| Google Drive sync | When unchecked, users will not be able to sync file contents with Google Drive using the Files app. | ChromeOS 19+ |
| Sync over mobile data | When unchecked, users will not be able to sync files with Google Drive using mobile data. Files will only be synced when connected to Wi-Fi or Ethernet. | ChromeOS 19+ |
| ChromeOS file sync feature | When unchecked, the File sync feature on the device end will be disabled and hidden from the settings.
Note:
|
ChromeOS 119+ |
General Settings
| Restriction | Description | Supported OS versions |
|---|---|---|
| Borealis | Borealis is a virtual machine on ChromeOS that lets users run Steam games. When enabled, device end users will be able to use Borealis on their devices to access and play games. | ChromeOS 91+ |
| Third-party apps can access Desk API | When enabled, this option allows third-party web applications to use the Desk API to control Google ChromeOS desks. | ChromeOS 115+ |
| Quick answers | When checked, this option enables the Quick Answers feature on the device end and disables it when unchecked. | ChromeOS 97+ |
These options are available only if Quick answers option is checked.
| Restriction | Description | Supported OS versions |
|---|---|---|
| Quick answers translation | When checked, this option enables the Translation option within Quick Answers feature on the device end, and disables it when unchecked. | ChromeOS 97+ |
| Quick answers definition | When checked, this option enables the Definition option within Quick Answers feature on the device end, and disables it when unchecked. |
ChromeOS 97+ |
| Quick answers unit conversion | When checked, this option enables the Unit conversion option within Quick Answers feature on the device end, and disables it when unchecked. | ChromeOS 97+ |
Advanced restrictions
To configure advanced restrictions on ChromeOS devices,
Home Screen Accessibility Settings
| Restriction | Description | Supported OS versions |
|---|---|---|
| Accessibility Shortcuts | When checked, this option enables the accessibility shortcuts on the device end and disables it when unchecked. | ChromeOS 81+ |
| Auto-click | When this option is checked, the user can click by simply hovering over an option, without physically pressing the mouse or touchpad. | ChromeOS 78+ |
| Caret Highlight | When checked, the Highlight text cursor option will be enabled on the device end. This option highlights the area around the caret while editing. | ChromeOS 78+ |
| Colour Correction | When checked, the Color correction option will be enabled on the device end. This setting helps users with color vision deficiency more easily distinguish between colors. | ChromeOS 78+ |
| Mouse Cursor Highlight | When checked, the Highlight the mouse cursor when its moving option will be enabled on the device end. This option highlights the area surrounding the mouse cursor while it is being moved. | ChromeOS 78+ |
| Dictation | When checked, the Dictation option will be enabled on the device end. This enables users to input text using their voice instead of typing. | ChromeOS 78+ |
| Select-to-speak | When checked, the Enable select-to-speak option will be enabled, allowing users to highlight text on the screen and have it read aloud. | ChromeOS 77+ |
| Enhanced Network Voices in Select-to-speak | When enabled, this setting allows the use of enhanced network text-to-speech voices with the Select-to-Speak accessibility feature on ChromeOS. | ChromeOS 94+ |
| High-contrast mode | When checked, the High-contrast mode option will be enabled. This option helps make on-screen content easier to read by enhancing text and background contrast. | ChromeOS 29+ |
| Set Media keys to Function keys | When enabled, this option allows the top row of keys on the keyboard to act as function keys. | ChromeOS 35+ |
| Keyboard Focus Highlight | When enabled, this option highlights the object focused on during keyboard-based navigation. | ChromeOS 78+ |
| Larger cursor | When enabled, this option increases the size of the mouse cursor, making it easier to see and follow on the screen. | ChromeOS 29+ |
| Mono audio | When enabled, the same audio signal is sent to both the left and right headphones. | ChromeOS 78+ |
| Screen magnifier | This option is used to zoom in or magnify the screen, making it easier to find items on the device. The available options are:
|
ChromeOS 29+ |
| Display accessibility options in the system tray menu | When enabled, this option displays accessibility options in the system tray menu such as Dictation, Select-to-speech and so on. | ChromeOS 27+ |
| Spoken feedback | When enabled, this option provides audio feedback while navigating the device. | ChromeOS 29+ |
| Sticky keys | When enabled, this option allows modifier keys (such as Ctrl, Alt, or Shift) to remain active even after being released. | ChromeOS 76+ |
| Virtual keyboard | When enabled, it displays a keyboard on the screen that users can tap using a mouse or touchscreen. | ChromeOS 34+ |
| Provide automated image descriptions | When enabled, this option generates a description for images, helping the user understand what is being shown. | ChromeOS 84+ |
Lock Screen Accessibility Settings
| Restriction | Description | Supported OS versions |
|---|---|---|
| Login screen Accessibility Shortcuts | When checked, this option enables the accessibility features shortcuts on the login screen and disables it when unchecked. | ChromeOS 84+ |
| Auto-click | When this option is checked, the device user can click by simply hovering over an option, without physically pressing the mouse or touchpad. | ChromeOS 84+ |
| Caret Highlight | When enabled, the caret highlight feature highlights the area around the caret while editing. | ChromeOS 84+ |
| Mouse Cursor Highlight | When enabled, the cursor highlight feature highlights the area around the mouse cursor while it is moving. | ChromeOS 84+ |
| High-contrast mode | When enabled, this option helps make on-screen content easier to read for people with low vision by enhancing text and background contrast. | ChromeOS 84+ |
| Larger cursor | When enabled, this option increases the size of the mouse cursor, making it easier to see and follow on the lock screen. | ChromeOS 84+ |
| Screen magnifier | This option is used to zoom in or magnify the screen, making it easier to find items on the device. The available options are:
|
ChromeOS 84+ |
| Keyboard Focus Highlight | When enabled, this option highlights the object focused on during keyboard-based navigation. | ChromeOS 84+ |
| Mono audio | When enabled, the same audio signal is sent to both the left and right headphones. | ChromeOS 84+ |
| Select-to-speak | When enabled, this option allows users to highlight text on the lock screen and have it read aloud. | ChromeOS 84+ |
| Sticky keys | When enabled, this option allows modifier keys (such as Ctrl, Alt, or Shift) to remain active even after being released. When enabled, this option allows modifier keys (such as Ctrl, Alt, or Shift) to remain active even after being released. | ChromeOS 84+ |
| Virtual keyboard | When enabled, it displays a keyboard on the lock screen that users can tap using a mouse or touchscreen. | ChromeOS 84+ |
| Dictation | When enabled, this allows users to input text using their voice instead of typing. | ChromeOS 84+ |
Screen Capture
| Restriction | Description | Supported OS versions |
|---|---|---|
| Screen capture | When enabled, this option allows users to take screenshots or screen recordings. | ChromeOS 81+ |
| Screen capture allowlist | Admins can specify which websites should be allowed to use screen capture, all other sites will be blocked. | ChromeOS 94+ |
| Window capture allowlist | Admins can specify which websites should be allowed to use window capture, all other sites will be blocked. | ChromeOS 94+ |
| Tab capture allowlist | Admins can specify which websites should be allowed to use tab capture, all other sites will be blocked. | ChromeOS 94+ |
| Allow only same origin tab capture | Specify the domains that are allowed to use tab capture, while preventing from capturing tabs from other subdomains. | ChromeOS 94+ |
Android Runtime for Chrome (ARC)
| Restriction | Description | Supported OS versions |
|---|---|---|
| Android to Web App sharing | When enabled, Android apps can share files, text, or other content with supported web apps. | ChromeOS 94+ |
| Backup and Restore | When enabled, this option allows Android app data and settings to be backed up and restored via the user’s Google account. | ChromeOS 68+ |
| Certificate availability for ARC-apps | When enabled, this option allows certificates to be shared between Android apps and ChromeOS for secure communication. | ChromeOS 52+ |
| Google location services | When enabled, this option allows Android apps to access Google Location Services. | ChromeOS 124+ |
| Unaffiliated users can use ARC apps | When enabled, this setting allows unaffiliated users to install and use Android apps from the Google Play Store on the device. | ChromeOS 64+ |
| Run Android apps on unaffiliated devices | When enabled, this setting allows Android apps to run on unaffiliated devices. | ChromeOS 120+ |
| Ghost Window | When enabled, ghost windows appear as placeholders for previously open apps, helping users easily restore their workspace after a restart or reconnect. Ghost windows are a preview of Android apps that are still loading. | ChromeOS 96+ |
GAIA User Identity Management Settings
| Restriction | Description | Supported OS versions |
|---|---|---|
| Offline user login timeout | This setting allows administrators to define the number of days a user who has signed in using a GAIA (Google Accounts and ID Administration) without SAML (single sign-on) can continue to log in to the device without an internet connection. However, once the specified number of days has passed, the user will be required to connect to the internet and authenticate online to verify their credentials before they can log in again. | ChromeOS 96+ |
Generative AI settings
| Restriction | Description | Supported OS versions |
|---|---|---|
| Create themes with AI | This option allows users to create custom themes/wallpapers using AI. The available options are:
|
ChromeOS 121+ |
| Help Me Write | This setting controls access to “Help Me Write,” an AI-powered writing assistant designed to help users generate or improve short-form content on the web. The available options are:
|
ChromeOS 121+ |
| Tab organizer | Tab Organizer is an AI-based tool that automatically creates tab groups based on a user’s open tabs. The available options are:
|
ChromeOS 121+ |
| Share data to train and improve AI | This setting in Chrome DevTools use generative AI to provide debugging insights. To enable this, Chrome collects data like error messages, stack traces, and network requests, sending them to Google’s server for AI processing. Sensitive data like response bodies, authentication, and cookie headers are not included. The available options are:
|
ChromeOS 125+ |
Network settings
| Restriction | Description | Supported OS versions |
|---|---|---|
| Network file sharing | When enabled, this setting allows users to connect to and access files on the local network. | ChromeOS 70+ |
| NTLM authentication | When enabled, this setting allows NTLM authentication to connect to and access files. | ChromeOS 71+ |
| NetBIOS share discovery | When enabled, this setting allows devices to discover shared files and folders on a network using NetBIOS. | ChromeOS 70+ |
| Compression dictionary transport feature | When enabled, this setting allows compression dictionaries to be used during network communication, improving the efficiency of data transfer. | ChromeOS 118+ |
| Mobile data roaming | When enabled, this setting allows the device to use data roaming for mobile network connections when the user is outside their primary network area. | ChromeOS 12+ |
| MAC address source | When configured, this setting allows the administrator to change the MAC address used by the device’s dock for Ethernet identification. By default, the device’s internal MAC address is used to identify the device, but this option enables the use of an alternative source for the MAC address.
The available options are: |
This policy only affects device types: Dell Latitude 5400 Chromebook Enterprise, Dell Latitude 5300 2-in-1 Chromebook Enterprise, Dell Latitude 7410 Chromebook Enterprise, Dell Latitude 7410 2-in-1 Chromebook Enterprise |
| Override the IPv6 reachability check | When enabled, this setting allows administrators to override the device’s default IPv6 reachability settings, controlling how it connects to IPv6 networks. | ChromeOS 120+ |
| Network throttling | This option enables the system to throttle and achieve the specified upload and download rates (in kbits/s). | ChromeOS 56+ |
| Zstd content-encoding | When enabled, Google Chrome will accept web contents compressed with zstd. | ChromeOS 119+ |
| Restrict Wi-Fi networks | This setting allows administrators to limit the device’s access to specific Wi-Fi networks. The available options are:
|
Password manager
| Restriction | Description | Supported OS versions |
|---|---|---|
| Save passwords using Password Manager | When enabled, this setting allows users to use Chrome’s built-in Password Manager, which can save, fill, and suggest passwords across websites and apps. | ChromeOS 11+ |
| Password leak detection | When enabled, this setting lets users to have Google Chrome check whether the usernames and passwords they enter were part of a leak. | ChromeOS 79+ |
| User can dismiss compromised password alerts | When enabled, this setting gives users the option to dismiss or restore alerts about compromised passwords detected by Chrome’s Password Manager. When disabled, users cannot dismiss these alerts. Alerts will remain visible until the user updates the affected password. | ChromeOS 100+ |
Security and Privacy
| Restriction | Description | Supported OS versions |
|---|---|---|
| Privacy screen | When enabled, this setting turns on the device’s built-in privacy screen, which helps limit viewing angles and prevents others nearby from easily seeing the screen content. | ChromeOS 83+ |
| Privacy screen on the login page | When enabled, this setting activates the device’s privacy screen on the login screen, helping protect sensitive information by limiting screen visibility to only the person directly in front of the display. | ChromeOS 83+ |
| Restrict requests to more-private network endpoints | When enabled, this setting enforces restrictions on web pages and apps trying to access private network resources (like local servers or internal IP addresses) from public or less-trusted origins. It helps improve security by blocking unauthorized cross-origin requests to devices on local or private networks. |
ChromeOS 120+ |
| Websites can make insecure requests | This setting allows web pages served over HTTP to make requests to private network resources. The available options are:
|
ChromeOS 92+ |
| Allow URLs to perform device attestation | This setting allows administrators to define a list of specific URLs or origins that are permitted to make insecure (HTTP) requests to private network resources. | ChromeOS 80+ |
| SAML login timeout | Specify the time for which a user authenticated via SAML can authenticate offline. | ChromeOS 34+ |
| Password expiry notification | Admins can set the advance notification period for SAML users before their passwords expire. | ChromeOS 98+ |
| Screencast | When enabled, this setting allows enterprise users to grant screencast permission to record their screen and upload the recording to Google Drive. | ChromeOS 99+ |
| Users can store data locally | When enabled, this setting allows users to store files and data directly on the device’s local storage. | ChromeOS 126+ |
Sign-in settings
| Restriction | Description | Supported OS versions |
|---|---|---|
| Sign in settings | This option controls whether ChromeOS allows new user accounts to sign in on the device. The available options are:
|
ChromeOS 12+ |
| List of allowed users | Specify the list of users allowed to login to the device. This option is only available if Restrict sign-in to a list of users is selected. | ChromeOS 107+ |
| Autofill username on SAML IdP page | When enabled, this setting allows ChromeOS to automatically fill in the username field on a SAML-based sign-in page using the user’s known credentials. | ChromeOS 19+ |
| Wipe user data on sign-out | When enabled, this setting ensures that user data is not stored permanently on the device. Each time a user signs out, their profile and local data are automatically deleted, keeping the device clean and secure ideal for shared or public environments. |
ChromeOS 12+ |
| Guest mode | When enabled, this setting allows users to sign in to the device using guest mode, which lets them browse without signing into a Google Account. | ChromeOS 44+ |
| Domain name auto-completion during user sign-in | When enabled and configured, users only need to enter their username, as the domain part (e.g., @yourdomain.com) is automatically appended, simplifying the sign-in process. | ChromeOS 96+ |
| Prompt the user to select the client certificate | When enabled, this setting prompts the user to select a client certificate on the sign-in screen whenever the auto-selection policy matches multiple certificates. | ChromeOS 83+ |
| Display system information on login screen | When enabled, these setting forces system information (e.g., device model, OS version) to be visible on the login screen. | ChromeOS 79+ |
| Account recovery | This setting controls how ChromeOS handles recovery factors during device recovery, such as a password reset or device restoration. The available options are:
|
ChromeOS 112+ |
| Set numeric keyboard as default for password | When enabled, the numeric keyboard is displayed by default for entering the password on the login screen. Users can still switch to the standard keyboard. | ChromeOS 80+ |
| Show available usernames on login screen | When enabled, existing users will be displayed on the login screen, allowing one to be selected. | ChromeOS 12+ |
| Transfer SAML SSO Cookies into user session during sign-in |
When checked, enables transfer of SAML SSO Cookies into user session during sign-in.
Specify how users should authenticate when signing in to the device. The available options are: |
ChromeOS 38+ |
| Login authentication mode | Specify how users should authenticate when signing in to the device. The available options are:
|
ChromeOS 51+ |
| Second factor authentication mode | This setting controls how the built-in secure element (like a TPM or security chip) on a ChromeOS device can be used to support second factor authentication. The available options are:
|
ChromeOS 61+ |
Associating the policy to Organizational Units (OUs)
Policies cannot be directly associated with ChromeOS devices; they can only be applied through Organizational Units (OUs). To associate a policy with ChromeOS devices,
Need more help?
