Configuring browser settings is essential for customizing user experiences, enhancing security, and optimizing performance. Managing these settings manually for a large fleet of devices is not practical. Hexnode UEM’s Browser Settings policy for ChromeOS provides IT administrators with a centralized way to efficiently configure and enforce Google Chrome settings. From setting default homepages to restricting access to specific websites, browser configurations can be pre-defined and deployed remotely. This reduces setup time, enhances user productivity, and supports compliance with organizational policies and security standards.
Pre-requisites:
Google Chrome has to be installed on the device before applying the policy.
The following steps will guide you on how to configure browser related settings for ChromeOS devices from Hexnode UEM.
- Log in to your Hexnode UEM portal.
- Navigate to the Policies tab.
- Click on New Policy to create a new one and enter the Policy Name and Description in the provided fields. Or click on any existing policy to edit it.
- Navigate to Windows and select Browser Settings under Configurations.
- Click on Configure.
Configure Google Chrome using the following settings:
Startup, Homepage and New Tab settings
Settings |
Description |
Supported Versions |
Show home button |
Select how the Home button should appear on Google Chrome’s toolbar. There are 3 options:
- User can choose
- Disabled
- Enabled
|
ChromeOS 11+ |
New tab URL |
Enter the URL that should automatically load when a new tab is opened in Google Chrome and restrict users from modifying this default new tab page. |
ChromeOS 58+ |
Set new tab page as homepage |
Select whether the new tab page should replace the user’s existing homepage, overriding any previously configured homepage URL. There are 3 options:
- User can choose
- Disabled
- Home page is always the new tab page
|
ChromeOS 11+ |
Homepage URL |
Enter the URL that should be used as the home page. |
ChromeOS 58+ |
Action on startup |
Select how Google Chrome should behave on startup from the provided options. There are 5 options:
- User can choose
- Open a new tab page
- Restore last session
- Open a list of URLs
- Open a list of URLs and restore last session
|
ChromeOS 11+ |
Startup URLs |
This option appears when Open a list of URLs or Open a list of URLs and restore last session is selected for the Action on startup field. You can enter valid server URLs separated by a comma or a semi-colon. |
ChromeOS 11+ |
Browser Extension
Settings |
Description |
Supported Versions |
Login screen manifest v2 extension availability |
Choose whether to allow Manifest V2 extensions on the ChromeOS sign-in screen by selecting one of the following options:
|
ChromeOS 111+ |
Allowed app/extension types |
Select which types of apps and extensions can be installed in Google Chrome. You may allow more than one of the following:
- Extension
- Theme
- User script
- Hosted app
- Legacy packaged app
- Platform app
|
ChromeOS 25+ |
Extended background lifetime origins |
Extensions that connect to one of the specified origins will be kept running if the port is connected. Enter valid server URLs in the field separated by a comma or a semi-colon. |
ChromeOS 112+ |
Restrict Extensions |
This option restricts the use of extensions in Google Chrome. There are 3 options that you can select:
- No restriction
- Restrict specific extension
- Allowed sources that can install extensions
|
ChromeOS 21+ |
Extension Blocklist |
If Command line access is enabled, block extensions from being loaded via the command line. This option is available when Restrict specific extension is selected in the Restrict Extensions field. |
ChromeOS 11+ |
Install extensions from specific sources |
Enter the URLs from which Chrome will offer to install app and extension packages. This option is available when Allowed sources that can install extensions option is selected. |
ChromeOS 11+ |
Manifest v2 extension availability |
This option determines how Manifest v2 extensions are handled; depending on the setting, v2 extensions can be blocked or allowed. The options are:
|
ChromeOS 110+ |
Allow unpublished extensions |
If enabled, control availability of extensions that are not listed on the Chrome Web Store. |
ChromeOS 115+ |
Safe Browser Settings
Settings |
Description |
Supported Versions |
Allow user to bypass safe browsing warning |
If enabled, users can bypass safe browsing warnings for malicious sites. |
ChromeOS 22+ |
Configure the change password URL |
Specify the URL where users can change their Google Account password after a password protection warning shows up in the browser. If no URL is configured, the service sends users to https://myaccount.google.com to change their password. |
ChromeOS 69+ |
List of login URLs where password protection service should capture salted hashes of passwords |
Enter a list of specific login page URLs where the password protection service should capture and store a secure version (salted hash) of the user’s password. |
ChromeOS 69+ |
Password protection warning trigger |
Choose when password protection warnings should trigger from a list of options. This prevents users from reusing their password on dangerous and unauthorized websites. The available options are:
- Disabled
- Show when password is reused
- Show when password is reused in a phishing website.
|
ChromeOS 69+ |
Safe browsing allowlist domains |
Enter the trusted domains that Safe Browsing will exempt from checks for phishing, malware, unwanted software, and password reuse. Additionally, the password protection service in Safe Browsing will not check for password reuse on these domains. |
ChromeOS 86+ |
Deep scans for downloads |
If enabled, Google Chrome sends suspicious downloads from Safe Browsing-enabled users to Google to scan for malware. |
ChromeOS 119+ |
Report system information and page content |
Select whether to enable or disable sending system information and page content to Google servers to help detect dangerous apps and sites. The options available are:
- Users can choose
- Disable sending extra information to help improve Safe Browsing.
- Enable sending extra information to help improve Safe Browsing.
|
ChromeOS 66+ |
Safe browsing protection level |
This setting controls whether safe browsing is enabled in Google Chrome and the mode it operates in. You can choose any of the following options:
- Never Active
- Standard mode
- Active mode
- User can choose
|
ChromeOS 83+ |
Allow higher-protection proxied lookups |
If enabled, Safe Browsing’s standard protection mode can use proxy servers to check website safety. |
ChromeOS 118+ |
Receive safe browsing surveys |
If enabled, users can receive surveys related to safe browsing. |
ChromeOS 117+ |
Enforce abusive experience intervention |
If enabled, this option prevents sites with abusive experiences from opening new windows or tabs if Safe Browsing is enabled. |
ChromeOS 65+ |
Privacy Sandbox Settings
Settings |
Description |
Supported Versions |
Show privacy sandbox prompt |
If enabled, users can see the privacy sandbox prompt in Google Chrome, which informs them about privacy sandbox settings. |
ChromeOS 111+ |
Ad measurements setting |
If enabled, the Ad measurement setting will be turned off for your users. |
ChromeOS 111+ |
Ad topics setting |
If enabled, the Ad topics setting will be turned off for your users. |
ChromeOS 111+ |
Site-suggested ad setting |
If enabled, the Privacy Sandbox site-suggested ads setting is disabled for your users. |
ChromeOS 111+ |
Note:
The Ad measurements, Ad topics, and Site-suggested ad settings can be enabled only if the Show privacy sandbox prompt is disabled.
Content Settings
Settings |
Description |
Supported Versions |
Clipboard restrictions |
You can control whether websites are allowed to access the clipboard, whether they can request permission to do so, or whether all access is unrestricted. You can also define a list of specific URLs that are either permitted or denied permission to request clipboard access. The options available are:
- No restrictions
- Block all URLs from accessing clipboard
- Allow sites to ask the user for clipboard permission
- Allow specific URLs
- Block specific URLs
|
ChromeOS 103+ |
Cookie restrictions |
This option lets you configure cookie restriction on Google Chrome. The options available are:
- No restrictions
- Block cookies
- Allow cookies
- Keep cookies for the duration of the session
- Allow cookies for specific URLs
- Block cookies for specific URLs
- Allow session-only cookies for specific URLs – This option allows certain websites to store cookies, but those cookies will be cleared when the browser is closed, keeping them session-only. You can enter valid URLs in the URLs with session –only cookies field.
|
ChromeOS 11+ |
File system read access |
Use this option to specify URL patterns for sites that can request read access to files or directories in the host operating system’s file system. The options are:
- User can choose
- Allow file system read access for specified URLs – Enter valid URLs in the URLs allowed read access field.
- Do not allow file system read access for specified URLs – Enter valid URLs in the URLs not allowed read access field.
|
ChromeOS 86+ |
File system write access |
Use this option to specify URL patterns for sites that are allowed to request write access to files or folders on the device’s file system. The options are:
- User can choose
- Allow file system write access for specified URLs – Enter valid URLs in the URLs allowed read access field.
- Do not allow file system write access for specified URLs – Enter valid URLs in the URLs not allowed read access field.
|
ChromeOS 86+ |
Images |
Use this option to specify URL patterns for sites that can or cannot display images. The options are:
- User can choose
- Allowed on all sites
- Blocked on all sites
- Allowed on specific sites
- Blocked on specific sites
|
ChromeOS 11+ |
Insecure content |
Use this option to specify URL patterns for sites that are allowed or not allowed to display blockable (i.e., active) mixed content—such as HTTP content on HTTPS sites—and control whether optionally blockable mixed content is automatically upgraded or if exceptions are permitted. The options are:
- Restricted on all websites
- User can add exceptions
- Allowed on specific websites
- Blocked on specific websites
|
ChromeOS 79+ |
Javascript |
Use this option to specify URL patterns for sites that can or cannot run Java script. The options are:
- User can choose
- Allowed on all sites
- Blocked on all sites
- Allowed on specific sites
- Blocked on specific sites
|
ChromeOS 11+ |
Javascript JIT |
Use this option to specify URL patterns for sites allowed or not allowed to run JavaScript JIT (Just In Time) compiler. The options are:
- Allowed on all sites
- Blocked on all sites
- Allowed on specific sites
- Blocked on specific sites
|
ChromeOS 11+ |
Notification settings |
Use this option to specify URL patterns for sites allowed or disallowed to display notifications. The options are:
- User can choose
- Ask every time
- Allowed on all sites
- Blocked on all sites
- Allowed on specific sites
- Blocked on specific sites
|
ChromeOS 11+ |
Popup settings |
Use this option to specify URL patterns for sites that can or can’t open pop-ups. The options are:
- User can choose
- Allowed on all sites
- Blocked on all sites
- Allowed on specific sites
- Blocked on specific sites
|
ChromeOS 11+ |
Sensors |
Use this option to specify which websites are permitted or restricted from accessing device sensors such as motion and light. In cases of conflict between allow and block rules, the block rule will take precedence. The options are:
- User can choose
- Allowed on all sites
- Blocked on all sites
- Allowed on specific sites
- Blocked on specific sites
|
ChromeOS 88+ |
Serial ports |
Use this option to specify which sites can or cannot access available serial ports. The options are:
- User can choose
- Allowed on all sites
- Blocked on all sites
- Allowed on specific sites
- Blocked on specific sites
|
ChromeOS 86+ |
Third party storage partitioning |
This option sets third-party storage partitioning behavior and specify top-level origins (main website loaded in the browser’s address bar) to block partitioning. The options are:
- Allow third-party storage partitioning
- Block third-party storage partitioning
- Block third-party storage partitioning on specific sites
|
ChromeOS 113+ |
Web USB |
This option specifies access settings for websites requesting connection to USB devices. The options are:
- User can choose
- Allow sites to request for access
- Block Web USB
- Allowed on specific sites
- Blocked on specific sites
- Allow specific USBs on allowlisted URLs – Enter the website URL and USB devices separated by comma in the USB restrictions field. (Format – vendor_id:product_id).
|
ChromeOS 68+ |
WebHID |
This option specifies access settings for websites requesting connection to HID devices. Enter the website URL and HID devices separated by comma in the Web HID restrictions field. (Format – vendor_id:product_id). |
ChromeOS 68+ |
Note:
For the fields under Content Settings, if you select the options to Allow/Block specific URLs enter valid URLs separated by a comma or a semi-colon.
Other Settings
Settings |
Description |
Supported Versions |
Data URL support in SVGUseElement |
If this option is enabled, Data URL support in SVGUseElement is enabled, which is disabled by default starting in Chrome version 119 (M119). |
ChromeOS 120+ |
Geolocation |
Select whether to permit sites to track users’ physical location. The available options are:
- User can choose
- Allow all sites to track user location
- Block all sites from accessing user location
- Ask every time
|
ChromeOS 11+ |
Web Bluetooth Guard |
Choose if websites are allowed to request access to nearby Bluetooth devices. The available options are:
- User can choose
- Allow Web Bluetooth access
- Deny Web Bluetooth access
|
ChromeOS 50+ |
Associate the policy with target entities
To associate policy with ChromeOS devices,
- Navigate to Policy Targets > Domains/OUs.
- Click on +Add Domains/OUs. From the list click the dropdown corresponding to the Google Workspace account integrated with Hexnode UEM.
- The parent OUs will be listed and click the dropdown next to the parent OU to view its child OUs.
- Select the required child OU/parent OU and click OK.
- Click Save to associate the policy to the devices in the selected OU.