# 10 Chrome managed-profile policy baseline

> v0.5.2 · role: Prevent · edition: All (Chrome Ent Core: free) · [policy: #27 · #7](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Chrome is where the session cookies live, so on any machine that is not fully managed the browser is the endpoint that matters. This baseline forces work browsing into a managed profile (sign-in restricted to your domains), forces Enhanced Safe Browsing, password-reuse warnings, relaunch for updates, makes third-party cookies session-only, removes the WebUSB/Web Serial surface and native messaging (bar an allowlist), and moves extensions from allow-by-default to allowlist-only with per-extension permission and host limits. Chrome Enterprise Core is free, so none of this is licence-gated.

Documentation: [Set Chrome policies for users or browsers](https://support.google.com/chrome/a/answer/2657289) · [Managing Extensions in Your Enterprise](https://support.google.com/chrome/a/answer/9296680)

## Caveats

- Google's DBSC account-binding is Windows-only as of 2026-07 — Google's server side currently doesn't offer DBSC registration to macOS clients.
- RestoreOnStartup restores the previous session's tabs with cookies — this ignores the Default cookie setting and those cookies persist indefinitely, so pin RestoreOnStartup to 5 (New Tab Page) or 4 (fixed URLs).
- RestrictSigninToPattern gates only the browser's profile account — the sync opt-in flow. It does nothing about a user opening gmail.com in a tab and signing into a personal account. This just prevents the personal account from becoming the browser profile.
- These are user/profile-scoped policies, not device-scoped — they follow the managed account onto an unmanaged machine, and they do not constrain a second browser. Pair with device trust (№27) if the threat model includes the endpoint itself.
- AI-agent browsing can also be isolated in a separate profile without sync — Gemini, Claude in Chrome and browser-automation extensions all reach whatever the profile can reach, and Chrome makes it easy to confuse two profiles signed into the same Workspace account. Set URLBlocklist/URLAllowlist on the agent profile and the user notices immediately when they are in the wrong one.

## Setup steps

1. Select the target OU (organizational unit) and force browser sign-in, so work browsing happens in a profile you control. — `Devices › Chrome › Settings › Users & browsers › Browser sign-in settings`

   - **Browser sign-in settings** = Force users to sign in to use the browser

   docs: [Force users to sign in to Chrome browser (user policies only)](https://support.google.com/chrome/a/answer/7572556)

2. Restrict which accounts may sign in to the browser, so a personal Google account cannot become the profile's primary account. — `Devices › Chrome › Settings › Users & browsers › Restrict sign-in to pattern`

   - **Restrict sign-in to pattern** = .*@<your-domain> (one pattern per Workspace domain)

   docs: [Force users to sign in to Chrome browser (user policies only)](https://support.google.com/chrome/a/answer/7572556)

3. Turn on managed profile reporting, so the fleet's browsers, versions and extensions actually show up in the console — the visibility the rest of this baseline is verified against. — `Devices › Chrome › Settings › Users & browsers › Managed profile reporting`

   - **Managed profile reporting** = Enabled

   docs: [Turn on managed profile reporting](https://support.google.com/chrome/a/answer/15669709)

4. Force Enhanced Safe Browsing. It sends more browsing data to Google — a real trade-off, but the detection it buys is worth it in most cases. — `Devices › Chrome › Settings › Users & browsers › Safe Browsing Protection`

   - **Safe Browsing Protection** = Safe Browsing is active in the enhanced mode (forced — users cannot override)

5. Block risky downloads at the browser, before the rendering-distance procedure ([№25](rendering-distance-handling.md)) even has to apply. — `Devices › Chrome › Settings › Users & browsers › Download restrictions`

   - **Download restrictions** = Block malicious downloads, uncommon or unwanted downloads and dangerous file types

   docs: [Prevent users from downloading harmful files](https://support.google.com/chrome/a/answer/7579271)

6. Where the organisation runs a dedicated password manager (1Password, Bitwarden), disable Chrome's built-in one, so credentials live in the audited store rather than in per-profile browser vaults. — `Devices › Chrome › Settings › Users & browsers › Password manager`

   - **Password manager** = Never allow use of password manager

7. Enforce patching with a forced relaunch, so a browser that has downloaded a security fix cannot sit un-restarted for weeks. — `Devices › Chrome › Settings › Users & browsers › Relaunch notification`

   - **Relaunch notification** = Force relaunch after a period
   - **Time period** = 48 hours

   docs: [Notify users to restart to apply pending updates](https://support.google.com/chrome/a/answer/7679871)

8. Shorten the life of third-party session cookies, so a stolen or agent-hijacked session on a consumer site does not survive a browser restart. Keep cookies only for the work SaaS you actually need logged in. — `Devices › Chrome › Settings › Users & browsers › Cookies`

   - **Default cookie setting** = Keep cookies for the duration of the session
   - **Allow cookies for URL patterns** = your corp domains, accounts.google.com, mail.google.com, your Slack (or, inverted, session-only for a named list). Do NOT overlap patterns across the allow/block/session-only lists

9. Close the hardware-API surface: block WebUSB and the Web Serial API by default. Neither is widely enough used to be missed, and each is a large surface if abused (WebUSB has been used to attack security keys). — `Devices › Chrome › Settings › Users & browsers`

   - **WebUSB** = Do not allow sites to request access
   - **Web Serial API** = Do not allow sites to request access

10. Block native messaging by default — it is the bridge from an extension into arbitrary local binaries. — `Devices › Chrome › Settings › Users & browsers › Native messaging blocked`

   - **Native messaging blocked hosts** = *

11. Then allow the specific native-messaging hosts the fleet actually needs — typically the password manager's browser integration and nothing else. — `Devices › Chrome › Settings › Users & browsers › Native messaging allowed`

   - **Native messaging allowed hosts** = e.g. com.1password.1password (1Password), com.8bit.bitwarden (Bitwarden)

12. Turn off file system write access for sites, closing the path where a page writes directly to the local disk. — `Devices › Chrome › Settings › Users & browsers › File system write access`

   - **File system write access** = Do not allow sites to request write access

13. Move extensions from allow-by-default to allowlist-only, so every extension in the fleet is one someone approved. — `Devices › Chrome › Apps & extensions › Users & browsers › Settings › Allow/block mode`

   Allow/block mode (Play Store and Chrome Web Store) = Block all apps, admin manages allowlist

   docs: [Allow or block apps and extensions](https://support.google.com/chrome/a/answer/6177431)

14. Force-install the extensions everyone must run, and add the approved optional ones to the allowlist. — `Devices › Chrome › Apps & extensions › Users & browsers`

   Force install: password manager, content blocker; allowlisted: the approved optional set

   docs: [Automatically install apps and extensions](https://support.google.com/chrome/a/answer/6306504)

15. Constrain what the allowed extensions may do — an approved extension with host access to every site is still a supply-chain risk ([65 Apps Script / add-on / AI-agent governance](appsscript-governance.md) makes the same argument for Workspace add-ons). — `Devices › Chrome › Apps & extensions › Users & browsers › Settings › Block extensions by permission`

   Blocked permissions (e.g. accessibilityFeatures.modify); ExtensionSettings JSON per extension: runtime_blocked_hosts; pin versions with a cooldown before updates roll

   docs: [Set app and extension policies](https://support.google.com/chrome/a/answer/9039146) · [Prevent Chrome extensions from altering webpages](https://support.google.com/chrome/a/answer/9031935)

## Ongoing maintenance

- **[automatable: AI agent]** On every Chrome major release: read the enterprise release notes and adjust policies that changed meaning or default.

## How to verify

1. On a managed profile, open chrome://policy and confirm the baseline policies are present with status OK and the expected source (Cloud user policy) — no admin access needed.

2. Confirm the browser is actually current — the forced-update policy only matters if versions move.

   chrome://version shows a release ≤ 2 versions behind stable

## Settings screens

- Devices > Chrome > Settings > Users & browsers
  - console: https://admin.google.com/ac/chrome/settings/user
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user.png
- Devices > Chrome > Settings > Users & browsers > Browser sign-in settings
  - console: https://admin.google.com/ac/chrome/settings/user/details/browser_signin_category_item
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/browser_signin_category_item.png
- Devices > Chrome > Settings > Users & browsers > Restrict sign-in to pattern
  - console: https://admin.google.com/ac/chrome/settings/user/details/restrict_signin_to_pattern_category_item
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/restrict_signin_to_pattern_category_item.png
- Devices > Chrome > Settings > Users & browsers > Managed profile reporting
  - console: https://admin.google.com/ac/chrome/settings/user/details/cloud_profile_reporting
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/cloud_profile_reporting.png
- Devices > Chrome > Settings > Users & browsers > Safe Browsing Protection
  - console: https://admin.google.com/ac/chrome/settings/user/details/safe_browsing_protection_level_category_item?f=SEARCH.safe%2520browsing
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/safe_browsing_protection_level_category_item__f-SEARCH.safe-browsing.png
- Devices > Chrome > Settings > Users & browsers > Download restrictions
  - console: https://admin.google.com/ac/chrome/settings/user/details/download_restrictions?f=SEARCH.download
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/download_restrictions__f-SEARCH.download.png
- Devices > Chrome > Settings > Users & browsers > Password manager
  - console: https://admin.google.com/ac/chrome/settings/user/details/password_manager?f=SEARCH.password%2520protection
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/password_manager__f-SEARCH.password-protection.png
- Devices > Chrome > Settings > Users & browsers > Relaunch notification
  - console: https://admin.google.com/ac/chrome/settings/user/details/relaunch_notification_with_duration?f=SEARCH.relaunch
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/relaunch_notification_with_duration__f-SEARCH.relaunch.png
- Devices > Chrome > Settings > Users & browsers > Cookies
  - console: https://admin.google.com/ac/chrome/settings/user/details/cookies?f=SEARCH.cookies
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/cookies__f-SEARCH.cookies.png
- Devices > Chrome > Settings > Users & browsers (filtered to WebUSB / Web Serial)
  - console: https://admin.google.com/ac/chrome/settings/user?f=SEARCH.WebUSB%2520Web%2520Serial
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user__f-SEARCH.WebUSB-Web-Serial.png
- Devices > Chrome > Settings > Users & browsers > Native messaging blocked
  - console: https://admin.google.com/ac/chrome/settings/user/details/native_messaging_blocked?f=SEARCH.native%2520messaging
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/native_messaging_blocked__f-SEARCH.native-messaging.png
- Devices > Chrome > Settings > Users & browsers > Native messaging allowed
  - console: https://admin.google.com/ac/chrome/settings/user/details/native_messaging_allowed?f=SEARCH.native%2520messaging
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/native_messaging_allowed__f-SEARCH.native-messaging.png
- Devices > Chrome > Settings > Users & browsers > File system write access
  - console: https://admin.google.com/ac/chrome/settings/user/details/default_file_system_write_guard_setting_category_item?f=SEARCH.default%2520file%2520system
  - screenshot: ../screenshots/admin.google.com/ac/chrome/settings/user/details/default_file_system_write_guard_setting_category_item__f-SEARCH.default-file-system.png
- Devices > Chrome > Apps & extensions > Users & browsers > Settings > Allow/block mode
  - console: https://admin.google.com/ac/chrome/apps/user/settings/details/allow_block_mode_setting
  - screenshot: ../screenshots/admin.google.com/ac/chrome/apps/user/settings/details/allow_block_mode_setting.png
- Devices > Chrome > Apps & extensions > Users & browsers (force-install + allowlist)
  - console: https://admin.google.com/ac/chrome/apps/user
  - screenshot: ../screenshots/admin.google.com/ac/chrome/apps/user.png
- Devices > Chrome > Apps & extensions > Users & browsers > Settings > Block extensions by permission
  - console: https://admin.google.com/ac/chrome/apps/user/settings/details/block_extensions_by_permission
  - screenshot: ../screenshots/admin.google.com/ac/chrome/apps/user/settings/details/block_extensions_by_permission.png
- Security > Security center > Investigation tool (DBSC binding events — who is actually covered)
  - console: https://admin.google.com/ac/sc/investigation
  - screenshot: ../screenshots/admin.google.com/ac/sc/investigation.png
