Key Permissions
Setting the policy grants access to corporate keys to extensions or Android applications. Keys are designated for corporate usage only if they're generated using the chrome.enterprise.platformKeys API on a managed account. Users can't grant or withdraw access to corporate keys to or from extensions or Android applications.
By default, an extension or an Android applications can't use a key designated for corporate usage, which is equivalent to setting allowCorporateKeyUsage to False for it. Only if allowCorporateKeyUsage is set to True for an extension or an Android application can it use any platform key marked for corporate usage to sign arbitrary data. Only grant this permission if the extension or the Android application is trusted to secure access to the key against attackers.
See https://cloud.google.com/docs/chrome-enterprise/policies/?policy=KeyPermissions for more information about schema and formatting.
Example value:
{
"extension1": {
"allowCorporateKeyUsage": true
},
"extension2": {
"allowCorporateKeyUsage": false
},
"com.example.app": {
"allowCorporateKeyUsage": true
},
"com.example.app2": {
"allowCorporateKeyUsage": false
}
}
Supported on: At least Microsoft Windows 7 or Windows Server 2008 family
Key Permissions (The single-line field is deprecated and will be removed in the future. Please start using the multi-line textbox below.)
| Registry Hive | HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Google\ChromeOS |
| Value Name | KeyPermissions |
| Value Type | REG_SZ |
| Default Value |
| Registry Hive | HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Google\ChromeOS |
| Value Name | KeyPermissions |
| Value Type | REG_MULTI_SZ |
| Default Value |
chromeos.admx
- Google
- Google Chrome OS - Default Settings (users can override)
- Accessibility settings
- Enable the autoclick on the login screen
- Enable the caret highlight on the login screen
- Enable the cursor highlight on the login screen
- Enable the dictation on the login screen
- Enable the high contrast on the login screen
- Enable the large cursor on the login screen
- Enable the mono audio on the login screen
- Enable the select to speak on the login screen
- Enable the spoken feedback on the login screen
- Enable the sticky keys on the login screen
- Enable the virtual keyboard on the login screen
- Set the screen magnifier type on the login screen
- Accessibility settings
- Google Chrome OS
- Accessibility settings
- Enable the autoclick on the login screen
- Enable the caret highlight on the login screen
- Enable the cursor highlight on the login screen
- Enable the dictation on the login screen
- Enable the high contrast on the login screen
- Enable the large cursor on the login screen
- Enable the mono audio on the login screen
- Enable the select to speak on the login screen
- Enable the spoken feedback on the login screen
- Enable the sticky keys on the login screen
- Enable the virtual keyboard on the login screen
- Set default state of the large cursor on the login screen
- Set default state of the on-screen keyboard on the login screen
- Set the default screen magnifier type enabled on the login screen
- Set the default state of high contrast mode on the login screen
- Set the default state of spoken feedback on the login screen
- Set the screen magnifier type on the login screen
- Android settings
- Borealis
- Certificate management settings
- Deprecated policies
- Device update settings
- Configure auto update expiration message for DeviceMinimumVersion policy
- Configure minimum allowed Chrome OS version for the device.
- Configure minimum allowed Chrome version for the device.
- Number of milestones rollback is allowed
- Provide users with Quick Fix Build
- Rollback to target version
- The staging schedule for applying a new update
- Update Time Restrictions
- Display
- Linux container
- Microsoft® Active Directory® management settings
- Network settings
- Other
- PluginVm
- Power management
- Battery charge mode
- Enable advanced battery charge mode
- Enable boot on AC (alternating current)
- Enable peak shift power management
- Set advanced battery charge mode day config
- Set battery charge custom start charging in percent
- Set battery charge custom stop charging in percent
- Set power peak shift battery threshold in percent
- Set power peak shift day config
- Printing
- Privacy screen settings
- Remote attestation
- Removed policies
- Sign-in settings
- Allow addition of Family Link accounts to the device
- Automatically select client certificates for these sites on the sign-in screen
- Configure the list of installed apps and extensions on the login screen
- Enable domain name autocomplete during user sign in
- Enable Site Isolation for specified origins
- Login user allow list
- SAML login authentication type
- Show numeric keyboard for password
- Wilco DTC
- Allow autoupdate downloads via HTTP
- Allow bluetooth on device
- Allow collection of system-wide performance trace
- Allow creation of new user accounts
- Allow debug network packet captures
- Allow device to receive LTS updates
- Allow Managed guest session to persist display properties
- Allow the device to request powerwash
- Allow users to redeem offers through Chrome OS Registration
- Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen.
- Automatically reboot after update
- Automatic reboot on device shutdown
- Auto update P2P enabled
- Auto update scatter factor
- Block developer mode
- Configures System-proxy service for Google Chrome OS.
- Configure the automatic timezone detection method
- Configure the list of installed apps on the login screen
- Connection types allowed for updates
- Determine the availability of variations on Google Chrome OS
- Device-level network configuration
- Device printers configuration access policy.
- Device sign-in screen keyboard layouts
- Device sign-in screen locale
- Device wallpaper image
- Disable Auto Update
- Disabled enterprise device printers
- Duration of inactivity before the screen saver is shown on the sign-in screen in retail mode
- Duration of the idle log-out warning message
- Enable data roaming
- Enabled enterprise device printers
- Enable guest mode
- Enable metrics reporting
- Enable queries to Quirks Server for hardware profiles
- Enable Thunderbolt/USB4 peripheral data access
- Enterprise printer configuration file for devices
- Force device reboot when user sign out
- List of AppPack extensions
- Load specified urls on demo login
- Login user white list
- Off hours intervals when the specified device policies are released
- Only allow connection to the Bluetooth services in the list
- Power management on the login screen
- Reduce Managed-guest session auto-launch notifications
- Refresh rate for Device Policy
- Release channel
- Screen saver to be used on the sign-in screen in retail mode
- Set default display rotation, reapplied on every reboot
- Show usernames on login screen
- System wide flags to be applied on Google Chrome start-up
- Target Auto Update Version
- Timeout until idle user log-out is executed
- Timezone
- Use 24 hour clock by default
- Users may configure the Chrome OS release channel
- Whitelist of USB detachable devices
- Wipe user data on sign-out
- Accessibility settings
- Google Chrome OS - Default Settings (users can override)
- Google
- Google Chrome OS - Default Settings (users can override)
- Accessibility settings
- Enable accessibility features shortcuts
- Enable accessibility features shortcuts on the login screen
- Enable high contrast mode
- Enable large cursor
- Enable on-screen keyboard
- Enable select to speak
- Enable spoken feedback
- Enable sticky keys
- Enable the autoclick accessibility feature
- Enable the caret highlight accessibility feature
- Enable the cursor highlight accessibility feature
- Enable the dictation accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the mono audio accessibility feature
- Media keys default to function keys
- Set screen magnifier type
- Show accessibility options in system tray menu
- Show accessibility options in system tray menu in the login screen
- Content settings
- Default search provider
- Default search provider encodings
- Default search provider icon
- Default search provider keyword
- Default search provider name
- Default search provider new tab page URL
- Default search provider search URL
- Default search provider suggest URL
- Enable the default search provider
- List of alternate URLs for the default search provider
- Parameter providing search-by-image feature for the default search provider
- Parameters for image URL which uses POST
- Parameters for search URL which uses POST
- Parameters for suggest URL which uses POST
- Deprecated policies
- Home page
- New Tab Page
- Other
- Password manager
- Printing
- Quick unlock
- Removed policies
- Safe Browsing settings
- Startup pages
- Allow default search provider context menu search access
- Allow download restrictions
- Block third party cookies
- Control shelf auto-hiding
- Control the shelf position
- Enable alternate error pages
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
- Enable AutoFill
- Enable Bookmark Bar
- Enable lock when the device become idle or suspended
- Enable network prediction
- Enable or disable spell checking web service
- Enable Safe Browsing
- Enable search suggestions
- Enable Translate
- List of pinned apps to show in the launcher
- Printer configuration access policy.
- Select task scheduler configuration
- Set default download directory
- Set download directory
- Set the recommended locales for a managed session
- Show Full URLs
- Show Home button on toolbar
- Switch the primary mouse button to the right button
- Switch the primary mouse button to the right button on the login screen
- Accessibility settings
- Google Chrome OS
- Accessibility settings
- Enable accessibility features shortcuts
- Enable accessibility features shortcuts on the login screen
- Enable high contrast mode
- Enable large cursor
- Enable on-screen keyboard
- Enable or disable various features on the on-screen keyboard
- Enable select to speak
- Enable spoken feedback
- Enables the floating accessibility menu
- Enable sticky keys
- Enable the autoclick accessibility feature
- Enable the caret highlight accessibility feature
- Enable the cursor highlight accessibility feature
- Enable the dictation accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the mono audio accessibility feature
- Media keys default to function keys
- Set screen magnifier type
- Show accessibility options in system tray menu
- Show accessibility options in system tray menu in the login screen
- Android settings
- Borealis
- Certificate management settings
- Content settings
- Allow access to sensors on these sites
- Allow cookies on these sites
- Allow images on these sites
- Allow insecure content on these sites
- Allow JavaScript on these sites
- Allow JavaScript to use JIT on these sites
- Allow key generation on these sites
- Allow notifications on these sites
- Allow popups on these sites
- Allow read access via the File System API on these sites
- Allow the File Handling API on these web apps
- Allow the Flash plugin on these sites
- Allow the Serial API on these sites
- Allow WebUSB on these sites
- Allow write access to files and directories on these sites
- Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
- Automatically select client certificates for these sites
- Block access to sensors on these sites
- Block cookies on these sites
- Block images on these sites
- Block insecure content on these sites
- Block JavaScript from using JIT on these sites
- Block JavaScript on these sites
- Block key generation on these sites
- Block notifications on these sites
- Block popups on these sites
- Block read access via the File System API on these sites
- Block the File Handling API on these web apps
- Block the Flash plugin on these sites
- Block the Serial API on these sites
- Block WebUSB on these sites
- Block write access to files and directories on these sites
- Control use of insecure content exceptions
- Control use of JavaScript JIT
- Control use of the File Handling API
- Control use of the File System API for reading
- Control use of the File System API for writing
- Control use of the Serial API
- Control use of the Web Bluetooth API
- Control use of the WebUSB API
- Default cookies setting
- Default Flash setting
- Default geolocation setting
- Default images setting
- Default JavaScript setting
- Default key generation setting
- Default legacy SameSite cookie behavior setting
- Default notification setting
- Default popups setting
- Default sensors setting
- Limit cookies from matching URLs to the current session
- Revert to legacy SameSite behavior for cookies on these sites
- Default search provider
- Default search provider encodings
- Default search provider icon
- Default search provider instant URL
- Default search provider keyword
- Default search provider name
- Default search provider new tab page URL
- Default search provider search URL
- Default search provider suggest URL
- Enable the default search provider
- List of alternate URLs for the default search provider
- Parameter controlling search term placement for the default search provider
- Parameter providing search-by-image feature for the default search provider
- Parameters for image URL which uses POST
- Parameters for instant URL which uses POST
- Parameters for search URL which uses POST
- Parameters for suggest URL which uses POST
- Deprecated policies
- Action to take when the idle delay is reached
- Action to take when the idle delay is reached while running on AC power
- Action to take when the idle delay is reached while running on battery power
- Allow access to native CUPS printers
- Allow insecure algorithms in integrity checks on extension updates and installs
- Allow sites to simultaneously navigate and open pop-ups
- Allow users to show passwords in Password Manager (deprecated)
- Choose how to specify proxy server settings
- Clear site data on browser shutdown (deprecated)
- Configure the required domain name for remote access clients
- Configure the required domain name for remote access hosts
- Control the User-Agent Client Hints feature.
- Default mediastream setting
- Disable SPDY protocol
- Disable URL protocol schemes
- Enable DHE cipher suites in TLS
- Enable firewall traversal from remote access client
- Enable Incognito mode
- Enable Instant
- Enable JavaScript
- Enable network prediction
- Enable RC4 cipher suites in TLS
- Enterprise web store name (deprecated)
- Enterprise web store URL (deprecated)
- Force SafeSearch
- Force YouTube Safety Mode
- Idle delay when running on AC power
- Idle delay when running on battery power
- Idle warning delay when running on AC power
- Idle warning delay when running on battery power
- Minimum TLS version to fallback to
- Percentage by which to scale the idle delay in presentation mode (deprecated)
- Prevent app promotions from appearing on the new tab page
- Screen dim delay when running on AC power
- Screen dim delay when running on battery power
- Screen lock delay when running on AC power
- Screen lock delay when running on battery power
- Screen off delay when running on AC power
- Screen off delay when running on battery power
- Specify a list of disabled plugins
- Specify a list of enabled plugins
- Specify a list of plugins that the user can enable or disable
- Use a default referrer policy of no-referrer-when-downgrade.
- Extensions
- Configure allowed app/extension types
- Configure extension, app, and user script install sources
- Configure extension installation allow list
- Configure extension installation blacklist
- Configure extension installation blocklist
- Configure extension installation whitelist
- Configure the list of force-installed apps and extensions
- Extension management settings
- Gaia user identity management settings
- Google Assistant
- Google Cast
- Google Drive
- Home page
- HTTP authentication
- Allow Basic authentication for HTTP
- Allow reusing the Google Chrome OS login credentials for network authentication
- Authentication server allowlist
- Authentication server whitelist
- Cross-origin HTTP Authentication prompts
- Disable CNAME lookup when negotiating Kerberos authentication
- Enable NTLMv2 authentication.
- Include non-standard port in Kerberos SPN
- Kerberos delegation server allowlist
- Kerberos delegation server whitelist
- Supported authentication schemes
- Use KDC policy to delegate credentials.
- Linux container
- New Tab Page
- Other
- Parental supervision settings
- Password manager
- PluginVm
- Power management
- Action to take when the user closes the lid
- Allow screen wake locks
- Allow wake locks
- Enable smart dim model to extend the time until the screen is dimmed
- Percentage by which to scale the screen dim delay if the user becomes active after dimming
- Percentage by which to scale the screen dim delay in presentation mode
- Power management settings when the user becomes idle
- Screen brightness percent
- Screen lock delays
- Specify whether audio activity affects power management
- Specify whether video activity affects power management
- Wait for initial user activity
- Printing
- Allow access to CUPS printers
- Allow print job history to be deleted
- Configures a list of printers
- Default background graphics printing mode
- Default PIN printing mode
- Default printing color mode
- Default printing duplex mode
- Default printing page size
- Disabled enterprise printers
- Disable printer types on the deny list
- Enabled enterprise printers
- Enabled external print servers
- Enabled external print servers
- Enterprise printer configuration file
- Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API
- Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API
- External print servers
- Maximal number of sheets allowed to use for a single print job
- Printer configuration access policy.
- Restrict background graphics printing mode
- Restrict PIN printing mode
- Restrict printing color mode
- Restrict printing duplex mode
- Send username and filename to native printers
- Set the time period in days for storing print jobs metadata
- Privacy screen settings
- Proxy server
- Quick unlock
- Configure allowed quick unlock modes
- Configure allowed quick unlock modes
- Enable PIN auto-submit feature on the lock and login screen.
- Enable users to set weak PINs for the lock screen PIN
- Set how often user has to enter password to use quick unlock
- Set the maximum length of the lock screen PIN
- Set the minimum length of the lock screen PIN
- Remote access
- Allow gnubby authentication for remote access hosts
- Client certificate for connecting to RemoteAccessHostTokenValidationUrl
- Configure the required domain names for remote access clients
- Configure the required domain names for remote access hosts
- Configure the TalkGadget prefix for remote access hosts
- Enable curtaining of remote access hosts
- Enable firewall traversal from remote access host
- Enable or disable PIN-less authentication for remote access hosts
- Enable the use of relay servers by the remote access host
- Policy overrides for Debug builds of the remote access host
- Require that the name of the local user and the remote access host owner match
- Restrict the UDP port range used by the remote access host
- URL for validating remote access client authentication token
- URL where remote access clients should obtain their authentication token
- Remote attestation
- Removed policies
- Safe Browsing settings
- Configure the change password URL.
- Configure the list of domains on which Safe Browsing will not trigger warnings.
- Configure the list of domains on which Safe Browsing will not trigger warnings.
- Configure the list of enterprise login URLs where password protection service should capture salted hashes of passwords.
- Enable Safe Browsing Extended Reporting
- Password protection warning trigger
- Safe Browsing Protection Level
- Startup pages
- Abusive Experience Intervention Enforce
- Action on security token removal (e.g., smart card) for Google Chrome OS.
- Add a logout button to the system tray
- Ads setting for sites with intrusive ads
- Allow access to a list of URLs
- Allow access to a list of URLs
- Allow background tabs freeze
- Allow certificates issued by local trust anchors without subjectAlternativeName extension
- Allow collection of WebRTC event logs from Google services
- Allow default search provider context menu search access
- Allow Dinosaur Easter Egg Game
- Allow DNS queries for additional DNS record types
- Allow download restrictions
- Allow fullscreen mode
- Allow Google Cast to connect to Cast devices on all IP addresses.
- Allow Instant Tethering to be used.
- Allow legacy TLS/DTLS downgrade in WebRTC
- Allow managed session on device
- Allow media autoplay
- Allow media autoplay on a allowlist of URL patterns
- Allow media autoplay on a whitelist of URL patterns
- Allow merging dictionary policies from different sources
- Allow merging list policies from different sources
- Allow or deny audio capture
- Allow or deny screen capture
- Allow or deny video capture
- Allow origins to query for device attributes
- Allow Phone Hub notifications to be enabled.
- Allow Phone Hub task continuation to be enabled.
- Allow Phone Hub to be enabled.
- Allow playing audio
- Allow proceeding from the SSL warning page
- Allow proceeding from the SSL warning page on specific origins
- Allow QUIC protocol
- Allow remote debugging
- Allow running plugins that are outdated
- Allows a page to perform synchronous XHR requests during page dismissal.
- Allows a page to show popups during its unloading
- Allow SHA-1 signed certificates issued by local trust anchors
- Allow Sign-in To Additional Google Accounts
- Allow Smart Lock Signin to be used.
- Allow Smart Lock to be used
- Allow SMS Messages to be synced from phone to Chromebook.
- Allows the AppCache feature to be re-enabled even if it is off by default.
- Allows users to play media when the device is locked
- Allow the listed sites to make requests to more-private network endpoints from insecure contexts.
- Allow the user to manage VPN connections
- Allow usage of Lacros
- Allow user feedback
- Allow users to create and use secondary profiles, and use guest mode in the Lacros browser
- Allow users to customize the background on the New Tab page
- Allow users to manage installed CA certificates.
- Allow users to manage installed client certificates.
- Allow users to opt in to Safe Browsing extended reporting
- Allow websites to query for available payment methods.
- Allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone.
- Always runs plugins that require authorization (deprecated)
- Ask where to save each file before downloading
- Block access to a list of URLs
- Block access to a list of URLs
- Block third party cookies
- Browser experiments icon in toolbar
- Browsing Data Lifetime Settings
- Captive portal authentication ignores proxy
- CECPQ2 post-quantum key-agreement enabled for TLS
- Clear Browsing Data on Exit
- Configure ARC
- Configure list of force-installed Web Apps
- Configure the allowed input methods in a user session
- Configure the allowed languages in a user session
- Configure the camera, browser settings, os settings, scanning, web store, canvas, Google news and explore features to be disabled
- Control SafeSites adult content filtering.
- Control shelf auto-hiding
- Controls the mode of DNS-over-HTTPS
- Control the IntensiveWakeUpThrottling feature.
- Control the shelf position
- Control the user behavior in a multiprofile session
- Control use of the Headless Mode
- Control where Developer Tools can be used
- Default printer selection rules
- Define domains allowed to access Google Workspace
- Determines whether the built-in certificate verifier will be used to verify server certificates
- Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
- Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
- Disable Certificate Transparency enforcement for a list of URLs
- Disabled enterprise printers
- Disable Developer Tools
- Disable mounting of external storage
- Disable proceeding from the Safe Browsing warning page
- Disable saving browser history
- Disable support for 3D graphics APIs
- Disable synchronization of data with Google
- Disable taking screenshots
- Disable TLS False Start
- Display the logout confirmation dialog
- DNS interception checks enabled
- Do not set window.opener for links targeting _blank
- Duration of the notification on smart card removal for Google Chrome OS.
- Enable 3DES cipher suites in TLS
- Enable additional protections for users enrolled in the Advanced Protection program
- Enable alternate error pages
- Enable Ambient Authentication for profile types.
- Enable Android Backup Service
- Enable Android Google Location Service
- Enable ARC
- Enable a TLS 1.3 security feature for local trust anchors.
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
- Enable AutoFill
- Enable Bookmark Bar
- Enable chrome://devices
- Enable component updates in Google Chrome
- Enable CORS check mitigations in the new CORS implementation
- Enable data leak prevention reporting
- Enable deleting browser and download history
- Enabled enterprise printers
- Enable deprecated privet printing
- Enable deprecated web platform features for a limited time
- Enable displaying Sync Consent during sign-in
- Enable Emoji Suggestion
- Enable ending processes in Task Manager
- Enable fullscreen alert
- Enable Get Image Descriptions from Google.
- Enable globally scoped HTTP auth cache
- Enable HTTP/0.9 support on non-default ports
- Enable lock icon in the omnibox for secure connections
- Enable lock when the device become idle or suspended
- Enable Media Recommendations
- Enable network prediction
- Enable online OCSP/CRL checks
- Enable or disable bookmark editing
- Enable or disable spell checking web service
- Enable PAC URL stripping (for https://)
- Enable PDF Annotations
- Enable printing
- Enable Safe Browsing
- Enable scrolling to text specified in URL fragments
- Enable search suggestions
- Enables experimental policies
- Enable Signed HTTP Exchange (SXG) support
- Enable Site Isolation for every site
- Enable Site Isolation for specified origins
- Enables managed extensions to use the Enterprise Hardware Platform API
- Enable spellcheck
- Enables the concept of policy atomic groups
- Enable stricter treatment for mixed content
- Enable the Click to Call Feature
- Enable Translate
- Enable URL-keyed anonymized data collection
- Enable virtual keyboard
- Enable warnings for insecure forms
- Enable WPAD optimization
- Enterprise printer configuration file
- Explicitly allowed network ports
- Extend Flash content setting to all content (deprecated)
- Force disable spellcheck languages
- Force disable spellcheck languages
- Force enable spellcheck languages
- Force Google SafeSearch
- Force minimum YouTube Restricted Mode
- Hide the web store from the New Tab Page and app launcher
- Incognito mode availability
- Intranet Redirection Behavior
- Key Permissions
- Limit the length of a user session
- Limit the time for which a user authenticated via GAIA without SAML can log in offline at the lock screen
- Limit the time for which a user authenticated via SAML can log in offline at the lock screen
- Limit the time for which a user authenticated via SAML can log in offline
- List of file types that should be automatically opened on download
- List of names that will bypass the HSTS policy check
- List of pinned apps to show in the launcher
- List of types that should be excluded from synchronization
- Make the Lacros browser available
- Make Unified Desktop available and turn on by default
- Managed Bookmarks
- Maximize the first browser window on first run
- Maximum fetch delay after a policy invalidation
- Maximum SSL version enabled
- Migration strategy for ecryptfs
- Minimum SSL version enabled
- Native Printing
- Notify a user that a browser relaunch or device restart is recommended or required
- Origins or hostname patterns for which restrictions on insecure origins should not apply
- Permit locking the screen
- Printer configuration access policy.
- Proxy settings
- Re-enable Web Components v0 API until M84.
- Refresh rate for user policy
- Require online OCSP/CRL checks for local trust anchors
- Restrict the range of local UDP ports used by WebRTC
- Select task scheduler configuration
- Set certificate availability for ARC-apps
- Set download directory
- Set minimal size limit for data leak prevention clipboard restriction
- Sets a list of data leak prevention rules.
- Sets managed configuration values to websites to specific origins
- Set the display name for device-local accounts
- Set the recommended locales for a managed session
- Set the Terms of Service for a device-local account
- Set the time interval for relaunch
- Set the time of the first user relaunch notification
- Set the time period for update notifications
- Set the user experience of disabled features
- Show cards on the New Tab Page
- Show Full URLs
- Show Home button on toolbar
- Show the display password button on the login and lock screen
- Specifies whether to allow insecure websites to make requests to more-private network endpoints
- Specify URI template of desired DNS-over-HTTPS resolver
- Specify VM CLI permission
- Specify whether the plugin finder should be disabled (deprecated)
- Suppress JavaScript Dialogs triggered from different origin subframes
- Suppress launching of browser window
- Suppress lookalike domain warnings on domains
- Suppress the unsupported OS warning
- Switch the primary mouse button to the right button
- Switch the primary mouse button to the right button on the login screen
- The IP handling policy of WebRTC
- The list of note-taking apps allowed on the Google Chrome OS lock screen
- Treat external storage devices as read-only
- URLs/domains automatically permitted direct Security Key attestation
- URLs for which local IPs are exposed in WebRTC ICE candidates
- URLs that will be granted access to audio capture devices without prompt
- URLs that will be granted access to video capture devices without prompt
- URLs where AutoOpenFileTypes can apply
- Use built-in DNS client
- User-level network configuration
- User avatar image
- Use the legacy CORS implementation rather than new CORS
- Wallpaper image
- Whitelist note-taking apps allowed on the Google Chrome OS lock screen
- Accessibility settings
- Google Chrome OS - Default Settings (users can override)