For administrators who manage ChromeOS devices for a business or school.
As an admin, you can use the Google Admin console to configure device policies to restrict network connectivity. For example:
- You can restrict devices enrolled in an organizational unit to connect only to Ethernet.
- You can prevent employees from connecting to a Wi-Fi hotspot running off their personal phones.
- You can allow users to connect to unmanaged networks when managed networks are not in range of the device. Devices automatically switch from an unmanaged network if a managed one becomes available. This means they must connect to a managed network if they are at work or school but can connect to an unmanaged network at home or in a public setting.
- If you have a production network and a guest network in your organization, you might want to block devices from accessing the guest network but allow users to use their personal devices at home. In that case, you can block access to certain Wi-Fi SSIDs.
Considerations
- The policies are applied device-wide to managed and unmanaged users. Policies that you set are also applied to managed guest sessions and kiosks.
- The Auto-connect setting only applies to Wi-Fi or Ethernet on ChromeOS devices.
- The following applies to the SIM lock setting:
  - If you select the restriction and the user's SIM already has the SIM Lock setting turned on, the user sees a notification that asks them to turn off the SIM Lock setting. If the SIM is PUK-blocked, you must manually enter the PUK code of the SIM, which unblocks the SIM and turns off the SIM Lock setting. The new default PIN is then automatically set to 1111.
  - If a user enters the PIN code incorrectly three times, the SIM card is PUK-blocked. If the user enters the correct PUK code, the SIM is unblocked. Typically, you should always provide a new PIN in addition to the correct PUK code to PUK-unblock a SIM. In the case of PUK-unblocking a SIM, when PIN unlocking a SIM is not allowed, the new PIN is automatically set to 1111. Only the correct PUK code is required, not a new PIN.
- The policies will have some implications on your Chromebook deployment as outlined below.
If you misconfigure policies, devices might not be able to connect to the web and receive policy updates. For example, if you restrict devices to connect only to a specific set of Wi-Fi configurations, and then switch the SSID of your network hardware, your users won’t be able to connect to the new SSID. You won’t be able to push new network policies to them because their devices are no longer connected to the web.
To minimize deployment issues, network restrictions are only applied to devices after users sign in. The sign-in screen does not enforce the restrictions that you set. So, if you misconfigure the policy, users can sign out, connect to a network from the sign-in screen, and then sign back in to their session while connected to a valid network that allows them to download the amended policy.
We recommend that you configure a valid device-wide network that devices can automatically connect to on the sign-in screen. That way, if there’s a deployment error, users can sign out of their accounts and their devices will automatically connect to that network.
We recommend that you roll out these settings in a staged approach per organizational unit. That way, if policies are misconfigured, only a small number of users are affected.
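A pre-rollout check for the lockout scenario described above, as an added example that is not Google's code. The policy dictionary layout, its field names, and the sample SSIDs are assumptions made for this sketch, not an Admin console export or API format.

```python
# Added example. The policy layout below is an assumption for illustration,
# not an Admin console export or Google API format.

def lint_network_policy(policy, broadcast_ssids):
    """Return findings that could leave devices unable to fetch policy."""
    findings = []
    managed = policy.get("managed_wifi", [])
    managed_ssids = {n["ssid"] for n in managed}
    blocked = set(policy.get("blocked_ssids", []))
    interfaces = set(policy.get("allowed_interfaces", []))
    mode = policy.get("wifi_restriction", "none")
    on_air = set(broadcast_ssids)

    # A managed SSID that is also blocked can never be joined.
    for ssid in sorted(managed_ssids & blocked):
        findings.append(f"blocked-managed: {ssid} is both managed and blocked")

    # "Restrict" blocks every unmanaged network, so at least one managed
    # SSID must really be broadcast (the renamed-SSID case from the text).
    reachable = (managed_ssids & on_air) - blocked
    if mode == "restrict" and not reachable:
        findings.append("lockout: Restrict is set but no managed SSID is broadcast")

    # Recovery path: a device-wide, auto-connecting network for the sign-in screen.
    recovery = [n for n in managed
                if n.get("device_wide") and n.get("auto_connect")
                and n["ssid"] in reachable]
    if not recovery:
        findings.append("no-recovery: no reachable device-wide auto-connect network")

    # A VPN rides on another interface, so it cannot be the only one allowed.
    if not interfaces & {"Wi-Fi", "Ethernet", "Cellular"}:
        findings.append("no-interface: no physical interface is allowed")
    return findings


# Constructed sample: the access points were renamed after the policy was written.
PLANNED = {
    "wifi_restriction": "restrict",
    "managed_wifi": [{"ssid": "Corp-WiFi", "device_wide": True, "auto_connect": True}],
    "blocked_ssids": ["Corp-Guest"],
    "allowed_interfaces": ["Wi-Fi", "VPN"],
}

if __name__ == "__main__":
    for finding in lint_network_policy(PLANNED, ["Corp-WiFi-5G", "Corp-Guest"]):
        print(finding)
```

Run it against the SSIDs your access points actually broadcast before saving the policy for each organizational unit in a staged rollout.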
These policies are applied device-wide. Users might not be able to use their corporate devices at home as they might not comply with policy restrictions outside the workplace. For example, users will not have the same Wi-Fi configurations at home as at work. Or they might not have an Ethernet connection available if they want to use the device to work from a coffee shop.
If network restrictions are applied to your managed accounts, users might not be able to use their personal devices at work. Policies apply to devices and not to users, so users can still sign in with their managed accounts to their personal devices. But the network restrictions that you set are not applied to the device.
When moving devices to another organizational unit, be aware of the following:
- To retain existing eSIMs on devices in the new organizational unit, first make sure that a cellular network configuration with the same SM-DP+ URL exists in the new organizational unit.
- To clear existing eSIMs from devices, before you move them, use Reset eSIM to permanently remove eSIM profiles from devices. For details, see View Chrome OS device details.
- Moving devices to an organizational unit without matching network configurations causes managed eSIMs on devices to become unmanaged. No policy settings are applied to the network.
Restrict network connectivity
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Networks.
- Click General settings (Chromebook only).
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- (Optional) Automatically connect to managed networks only:
  - Click Auto-connect.
  - Check the Restrict users to only auto-connect to managed networks box.
  - Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
- (Optional) Allow users to connect only to the Wi-Fi networks configured for the selected organizational unit:
  - Click Wi-Fi networks.
  - From the Restrict users to connecting only to the Wi-Fi networks configured for this organizational unit list, choose an option:
    - Restrict: Blocks access to all unmanaged networks regardless of whether or not a managed network is available.
    - Restrict only if a managed Wi-Fi network is in range: Allows connection to unmanaged networks if there is no managed network available. For example, outside of work or school.
  - Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
- (Optional) Allow users to connect only to the cellular networks configured for the selected organizational unit:
  - Click Cellular networks.
  - Check the Restrict users to only connect to the cellular networks configured for this organizational unit (Chrome version 100 or later) box.
  - Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
- (Optional) Restrict users from applying a PIN lock on their device's SIM:
  - Click SIM lock.
  - Check the Restrict users from PIN locking SIM(s) on the device (Chrome version 108 or later) box.
  - Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
- Click Allowed network interfaces.
- Check the network interface boxes that you want to allow. Choose one or more: Wi-Fi, Ethernet, Cellular, VPN.
  Note: The VPN checkbox applies only to integrated Chrome OS VPNs. For VPN app solutions, use app restriction policies to allow or block VPN access.
- Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
- (Optional) Block users from connecting to specific Wi-Fi networks:
  - Click Blocked Wi-Fi networks.
  - Enter the SSIDs that you want to block. Enter one SSID per line.
  - Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
- (Optional) Restrict SIM text message notifications for cellular networks on users’ devices:
  - Click SIM text messages.
  - For Allow devices to show text messages, choose an option:
    - Allow the user to decide: This is the default. Lets users configure the Show text messages setting on their device. Users can specify whether text message notifications are displayed per network.
    - Do not restrict: Users receive text message notifications for all cellular networks on their device. Users can’t change the Show text messages setting on their device.
    - Restrict: Suppress and block all text message notifications on all cellular networks on the device. Users can’t change the Show text messages setting on their device.
  - Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.