Chromium-Based Browser Configuration
Browsers built on Chromium share a common policy infrastructure derived from the open-source Chromium project. This means many configuration options, policy names, and deployment patterns are similar across browsers like Chrome, Edge, Brave, Opera, and Vivaldi.
Shared Policy Framework
Most Chromium-based browsers support the same core policy mechanisms:
| Platform | Method | Location |
|---|---|---|
| Windows | Group Policy (ADMX) | Vendor-specific ADMX templates |
| Windows | Registry | HKLM\SOFTWARE\Policies\{Vendor}\{Browser} |
| macOS | Managed Preferences | Vendor-specific preference domain |
| Linux | JSON policies | /etc/{vendor}/policies/ |
The Chrome Enterprise Policy List serves as a useful reference, as many Chromium browsers implement the same policy keys. However, each vendor typically maintains their own registry path, preference domain, and policy namespace.
Browser-Specific Variations
While the underlying policy architecture is shared, each Chromium browser may:
- Use different registry/preference paths — Edge uses
Microsoft\Edge, Brave usesBraveSoftware\Brave-Browser, etc. - Support a subset of policies — Not all browsers implement every Chromium policy
- Add vendor-specific policies — Browsers often add unique policies for their own features
- Provide their own ADMX templates — Download templates from each vendor's enterprise documentation
For specific policy paths, supported policies, and vendor management tools, refer to the individual browser documentation pages on this site.
Chrome Configuration for Enterprise Environments
This page provides practical guidance for configuring Google Chrome in managed environments using Chrome Enterprise policies. It focuses on controls that matter most to security, privacy, and productivity, so IT teams can make deliberate choices instead of relying on defaults.
AI and Automation Controls
Chrome increasingly includes AI- and automation-assisted features that can improve user productivity but may send page content, user inputs, or usage metadata to Google for processing. Organizations with strict data-handling rules or GenAI policies often prefer to limit or disable these features, while others may selectively enable them to support knowledge workers.
AI and Automation Policies
These policies control AI-assisted writing, summarization, and other proactive browser features. Disabling them reduces the risk of sensitive content being transmitted to Google services, but also removes convenience features that some teams find valuable.
| Policy | Description | Values |
|---|---|---|
HelpMeWriteSettings |
Controls Chrome's AI writing assistance and related generative help experiences. | 0 = Disabled for all users, 1 = Enabled without sending data for improvement, 2 = Fully enabled including data for improving suggestions |
TabOrganizerSettings |
Controls AI-powered tab organization, grouping, and similar automation. | 0 = Disabled, 1 = Enabled without logging usage to Google, 2 = Enabled with usage logging to Google services |
OptimizationGuideModelExecution |
Controls on-device vs. cloud-based model execution for optimization and assistant features. | 0 = Disallow model execution, 1 = Allow only on-device models, 2 = Allow cloud-backed models where available |
Recommended Enterprise Configuration
Tightly regulated organizations (for example, finance, healthcare, public sector) that want to minimize AI data exposure:
HelpMeWriteSettings: 0
TabOrganizerSettings: 0
OptimizationGuideModelExecution: 1
Knowledge-worker organizations with an approved AI usage policy and low sensitivity data in the browser:
HelpMeWriteSettings: 1
TabOrganizerSettings: 1
OptimizationGuideModelExecution: 2
Privacy and Telemetry Controls
Chrome ships with telemetry and cloud-connected services that help improve security, performance, and stability. Limiting these can reduce data sent to Google but may also weaken protections such as Safe Browsing or site-compatibility checks. The key decision is how much diagnostic and usage data your organization is comfortable sharing.
Privacy and Telemetry Policies
These policies govern whether Chrome sends usage and crash data, what search suggestions users get, and how much prefetching/metadata is allowed. Strict settings favor privacy; more permissive settings can improve user experience and Google's ability to detect issues.
| Policy | Description | Values |
|---|---|---|
MetricsReportingEnabled |
Controls sending usage statistics and crash reports to Google. | 0 = Do not send metrics or crash reports, 1 = Allow sending metrics and crash reports |
UrlKeyedAnonymizedDataCollectionEnabled |
Controls anonymized URL-keyed data collection used for features like navigation error suggestions. | 0 = Disabled, 1 = Enabled |
SearchSuggestEnabled |
Controls whether the omnibox shows search and URL suggestions based on entered text. | 0 = Suggestions disabled, 1 = Suggestions enabled |
NetworkPredictionOptions |
Controls DNS prefetching and preloading of pages/resources to improve performance. | 0 = Disabled, 1 = Enabled only on Wi‑Fi, 2 = Always enabled |
SafeBrowsingProtectionLevel |
Controls Google Safe Browsing protections. | 0 = Disabled, 1 = Standard protection, 2 = Enhanced protection with additional telemetry |
Recommended Enterprise Configuration
For organizations prioritizing privacy and minimal telemetry while maintaining baseline phishing/malware protection:
MetricsReportingEnabled: 0
UrlKeyedAnonymizedDataCollectionEnabled: 0
SearchSuggestEnabled: 1
NetworkPredictionOptions: 1
SafeBrowsingProtectionLevel: 1
For organizations comfortable with higher telemetry in exchange for stronger protections and better diagnostics:
MetricsReportingEnabled: 1
UrlKeyedAnonymizedDataCollectionEnabled: 1
SearchSuggestEnabled: 1
NetworkPredictionOptions: 2
SafeBrowsingProtectionLevel: 2
Security and Hardening Settings
Chrome's security posture in the enterprise is driven by a combination of Safe Browsing, download controls, site isolation, and restrictions on risky content. Tightening these controls can significantly reduce exposure to malware, phishing, and data exfiltration, though aggressive settings may impact usability and some legacy workflows.
Core Security Policies
These policies address the most common enterprise security concerns: malicious sites and downloads, mixed content, and cross-site isolation for sensitive applications.
| Policy | Description | Values |
|---|---|---|
SafeBrowsingProtectionLevel |
Controls integrated protection against dangerous sites, downloads, and extensions. | 0 = Disabled, 1 = Standard protection, 2 = Enhanced protection |
DownloadRestrictions |
Controls which file downloads are allowed. | 0 = No special restrictions, 1 = Block dangerous downloads, 2 = Block potentially dangerous downloads, 3 = Block all downloads |
BlockMixedContent |
Controls loading of insecure (HTTP) content on HTTPS pages. | 0 = Allow mixed content, 1 = Block active mixed content only, 2 = Block all mixed content |
SitePerProcess |
Forces full site isolation, running each site in its own process for stronger sandboxing. | 0 = Default (Chromium's decision), 1 = Force site-per-process for all sites |
InsecurePrivateNetworkRequestsAllowed |
Controls whether public sites can make requests to private network resources (anti-SSRF). | 0 = Block such requests, 1 = Allow such requests |
Recommended Enterprise Configuration
For general corporate environments with standard SaaS and internal web apps:
SafeBrowsingProtectionLevel: 2
DownloadRestrictions: 2
BlockMixedContent: 2
SitePerProcess: 1
InsecurePrivateNetworkRequestsAllowed: 0
For tightly controlled kiosk/VDI or high-risk environments:
SafeBrowsingProtectionLevel: 2
DownloadRestrictions: 3
BlockMixedContent: 2
SitePerProcess: 1
InsecurePrivateNetworkRequestsAllowed: 0
Data Loss Prevention and Copy/Clipboard Controls
Chrome itself does not provide full DLP, but it exposes controls that govern copy/paste behavior, printing, and access to the clipboard and filesystem. In combination with identity and network controls, these settings help reduce casual exfiltration and align browser behavior with corporate DLP policies.
DLP-Adjacent Policies
These policies limit how users can move data out of browser sessions, especially in shared or sensitive environments.
| Policy | Description | Values |
|---|---|---|
ClipboardAllowed |
Controls whether sites can read from or write to the system clipboard via the Clipboard API. | 0 = Disallow clipboard access, 1 = Allow clipboard access (default) |
PrintingAllowed |
Controls whether printing is allowed from Chrome. | 0 = Printing disabled, 1 = Printing allowed |
DisableScreenshots |
Controls whether screenshots of the browser window can be taken (where platform supports it). | 0 = Screenshots allowed, 1 = Screenshots blocked |
FileSystemWriteBlockedForUrls |
Blocks write access to the local file system (downloads or file-system APIs) for specified URL patterns. | String list = URL patterns where writes are blocked |
FileSystemReadBlockedForUrls |
Blocks read access (uploads) from the local file system for specified URL patterns. | String list = URL patterns where reads are blocked |
Recommended Enterprise Configuration
For environments with moderate data-sensitivity and an external DLP stack:
ClipboardAllowed: 1
PrintingAllowed: 1
DisableScreenshots: 0
FileSystemWriteBlockedForUrls: ["https://sensitive-app.example.com/*"]
FileSystemReadBlockedForUrls: ["https://sensitive-app.example.com/*"]
For high-sensitivity kiosks or contractor access profiles:
ClipboardAllowed: 0
PrintingAllowed: 0
DisableScreenshots: 1
FileSystemWriteBlockedForUrls: ["*"]
FileSystemReadBlockedForUrls: ["*"]
Policy Reference
For a complete and authoritative list of Chrome Enterprise policies, including platform-specific details and the latest additions or deprecations, see the Chrome Enterprise Policy List.