← All controls

10 Chrome managed-profile policy baseline

Chrome is where the session cookies live, so on any machine that is not fully managed the browser is the endpoint that matters. This baseline forces work browsing into a managed profile (sign-in restricted to your domains), forces Enhanced Safe Browsing, password-reuse warnings, relaunch for updates, makes third-party cookies session-only, removes the WebUSB/Web Serial surface and native messaging (bar an allowlist), and moves extensions from allow-by-default to allowlist-only with per-extension permission and host limits. Chrome Enterprise Core is free, so none of this is licence-gated.

Caveats

Setup steps

  1. open ↗ Devices › Chrome › Settings › Users & browsers › Browser sign-in settings
    Browser sign-in settings
    Force users to sign in to use the browser

    Force users to sign in to Chrome browser (user policies only) ↗

  2. open ↗ Devices › Chrome › Settings › Users & browsers › Restrict sign-in to pattern
    Restrict sign-in to pattern
    .*@<your-domain> (one pattern per Workspace domain)

    Force users to sign in to Chrome browser (user policies only) ↗

  3. open ↗ Devices › Chrome › Settings › Users & browsers › Managed profile reporting
    Managed profile reporting
    Enabled

    Turn on managed profile reporting ↗

  4. open ↗ Devices › Chrome › Settings › Users & browsers › Safe Browsing Protection
    Safe Browsing Protection
    Safe Browsing is active in the enhanced mode (forced — users cannot override)
  5. open ↗ Devices › Chrome › Settings › Users & browsers › Download restrictions
    Download restrictions
    Block malicious downloads, uncommon or unwanted downloads and dangerous file types

    Prevent users from downloading harmful files ↗

  6. open ↗ Devices › Chrome › Settings › Users & browsers › Password manager
    Password manager
    Never allow use of password manager
  7. open ↗ Devices › Chrome › Settings › Users & browsers › Relaunch notification
    Relaunch notification
    Force relaunch after a period
    Time period
    48 hours

    Notify users to restart to apply pending updates ↗

  8. open ↗ Devices › Chrome › Settings › Users & browsers › Cookies
    Default cookie setting
    Keep cookies for the duration of the session
    Allow cookies for URL patterns
    your corp domains, accounts.google.com, mail.google.com, your Slack (or, inverted, session-only for a named list). Do NOT overlap patterns across the allow/block/session-only lists
  9. open ↗ Devices › Chrome › Settings › Users & browsers
    WebUSB
    Do not allow sites to request access
    Web Serial API
    Do not allow sites to request access
  10. open ↗ Devices › Chrome › Settings › Users & browsers › Native messaging blocked
    Native messaging blocked hosts
    *
  11. open ↗ Devices › Chrome › Settings › Users & browsers › Native messaging allowed
    Native messaging allowed hosts
    e.g. com.1password.1password (1Password), com.8bit.bitwarden (Bitwarden)
  12. open ↗ Devices › Chrome › Settings › Users & browsers › File system write access
    File system write access
    Do not allow sites to request write access
  13. open ↗ Devices › Chrome › Apps & extensions › Users & browsers › Settings › Allow/block mode

    Allow/block mode (Play Store and Chrome Web Store) = Block all apps, admin manages allowlist

    Allow or block apps and extensions ↗

  14. open ↗ Devices › Chrome › Apps & extensions › Users & browsers

    Force install: password manager, content blocker; allowlisted: the approved optional set

    Automatically install apps and extensions ↗

  15. open ↗ Devices › Chrome › Apps & extensions › Users & browsers › Settings › Block extensions by permission

    Blocked permissions (e.g. accessibilityFeatures.modify); ExtensionSettings JSON per extension: runtime_blocked_hosts; pin versions with a cooldown before updates roll

    Set app and extension policies ↗ Prevent Chrome extensions from altering webpages ↗

Ongoing maintenance

How to verify

  1. On a managed profile, open chrome://policy and confirm the baseline policies are present with status OK and the expected source (Cloud user policy) — no admin access needed.

  2. Confirm the browser is actually current — the forced-update policy only matters if versions move.

    chrome://version shows a release ≤ 2 versions behind stable

Further screens

Screen 1 of 2: Devices > Chrome > Settings > Users & browsers

open ↗
Admin console screen — Devices > Chrome > Settings > Users & browsers
https://admin.google.com/ac/chrome/settings/user captured 2026-07-15

Screen 2 of 2: Security > Security center > Investigation tool (DBSC binding events — who is actually covered)

open ↗
Admin console screen — Security > Security center > Investigation tool (DBSC binding events — who is actually covered)
https://admin.google.com/ac/sc/investigation captured 2026-07-15

v0.5.2Preventedition All (Chrome Ent Core: free) policy #27 · #7 ↗