Force users to create a separate profile

For administrators who enroll Windows, Mac, or Linux computers in Chrome Enterprise Core.

As a Chrome Enterprise admin, you can force users to set up a separate profile when they sign in to Chrome browser using their managed Google Account on an unmanaged device. Creating different Chrome profiles lets users switch between their managed account and their other Google accounts, such as personal or test accounts, without signing out each time. No data or content is shared between profiles.

Your user-level Chrome policies and settings in the Google Admin console are applied only to the managed profile, not to their other profiles. You can manage and monitor managed profiles, including:

  • Install your organizations Chrome extensions.
  • Block installation of certain unapproved extensions.
  • Track which extensions are installed on managed profiles.
  • Delete a managed profile, such as when a user leaves an organization.
  • Enforce certain browser settings in the managed profile.
  • Enable a secure browser session to access corporate data using Chrome Enterprise Premium.

Note: When users create their new managed profile on their personal device, they must accept the disclaimer that they are managed.

Step 1: Review policies

Policy Description

SigninInterceptionEnabled

Controls whether Chrome browser offers to create or switch profiles when users sign in to a Google Account that’s different to the account that they’re currently using.

Unset: Users aren’t prompted to create separate profiles.

ProfileSeparationSettings

This policy is only supported in the Admin console.

Use this policy with SigninInterceptionEnabled to require users to create a separate profile when users sign in to their managed Google Account on an unmanaged device.

Suggested: When the user signs into a managed account, they are asked to continue using a managed profile as if it was enforced. If they refuse, they can continue their browsing in an unmanaged environment.

Enforced: When the user signs into a managed account, they are required to continue using a managed profile. If they refuse, they are signed out of their account. This enforcement is not affected by the SigninInterceptionEnabled policy.

Disabled: When the user signs into a managed account, they might see a bubble asking them to create a new profile. They can dismiss the bubble and the continue their browsing in an unmanaged environment. The bubble is controlled by the SigninInterceptionEnabled policy.

Step 2: Set the policies

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettings. The User & browser settings page opens by default.

    If you signed up for Chrome Enterprise Core, go to Menu and then Chrome browserand thenSettings.

  3. (Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

    Group settings override organizational units. Learn more

  4. Go to Sign-in settings:
    1. Click Signin interception:
      • Select Enable signin interception.
      • Click Save. Or, you might click Override for an organizational unit.

        To later restore the inherited value, click Inherit (or Unset for a group).

    2. Click Enterprise profile separation, and do the following:
      • Choose one of the following options :
        • Suggest profile separation
        • Enforce profile separation
        • Disable profile separation
      • Click Save. Or, you might click Override for an organizational unit.

        To later restore the inherited value, click Inherit (or Unset for a group).

Step 3: Verify policies are applied

After you apply any Chrome policies, users need to restart Chrome for the settings to take effect. You can check users’ devices to make sure the policy was applied correctly.

  1. On a user’s device, go to chrome://policy.
  2. Click Reload policies.
  3. Check the Show policies with no value set box.
  4. For the policies that you set, make sure that Status is set to OK:
    • SigninInterceptionEnabled
    • ProfileSeparationSettings
  5. For the policies that you set, make sure that the policy values match what you set in the policy.
    • SigninInterceptionEnabled
      • Not set—Enable signin interception
      • True—Enable signin interception
      • False—Disable signin interception
    • ProfileSeparationSettings
      • 0—Suggest profile separation
      • 1—Enforce profile separation
      • 2—Disable profile separation

On a user's device, to view information about how Chrome profiles are being managed, go to chrome://management.

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
3091993122008815015
true
Search Help Center
true
true
true
true
true
410864
false
false