For managed ChromeOS devices.
By default, users can sign in to multiple Google Accounts at the same time on a ChromeOS device. Users can switch between accounts without signing out and in again.
As a Chrome admin, you can control if and how multiple users can sign in to a device.
- You can block any managed account from becoming a secondary account (recommended).
- You can specify that the first user must sign in to a managed Google Account.
Considerations
- The first user to sign in is the primary user. Subsequent users are secondary users. The data in each user account is kept separate.
- Most device-level settings that you set using the Google Admin console apply to all users on a device, even if they sign in as a guest or with a personal Google Account. However, certain settings do not apply to user sessions if they affect user privacy.
- Most user-level policies are individually applied to each account on a device. However, if a primary user signs in to a managed Google Account some of the Chromium policies that you set also apply to secondary accounts on the device. For a complete list of these policies go to the Chromium policy list and search for policies with Per Profile: No. See the Policy List.
-
On a ChromeOS device, the primary user’s password unlocks the screen. To prevent unmanaged users from unlocking a screen and accessing primary and secondary accounts, only allow users with a managed Google Account be primary users by setting the Add restrictions on a managed account's usage as a secondary account on ChromeOS policy.
- You can block managed accounts from becoming secondary accounts, even if multiple user sign-ins are allowed, by setting the Add restrictions on a managed account's usage as a secondary account on ChromeOS policy. You can also use this policy on unmanaged devices.
- Secondary users on a device might be able to access your network, even if they don’t have a managed Google Account. For example, apps and extensions that you do not allow users in your organization to install can be installed in secondary accounts. Those apps and extensions might access your network. To prevent unmanaged access to your network, do not let users sign in to more than one account at a time. For more details, see Sign-in to secondary accounts.
Let multiple users sign in to a device
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
-
(Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how
Group settings override organizational units. Learn more
- Go to User experience.
- Click Multiple sign-in access.
- Choose an option:
- To let multiple users sign in at the same time but specify that the primary user must sign in to a managed Google Account, select Managed user must be the primary user (secondary users are allowed).
- To let multiple users sign in and allow the primary user to sign in to an unmanaged account, such as their personal Google Account, select Unrestricted user access (allow any user to be added to any other user’s session).
- To prevent managed users from signing in to more than one account at a time, select Block multiple sign-in access for users in this organization.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).