For administrators who manage Chrome browser or ChromeOS devices for a business or school.
As a Chrome Enterprise admin, you can control whether your Chrome users can install apps or extensions based on the information an app can access—also known as permissions. For example, you might want to prevent users from installing apps that want permission to see a device location.
Review permissions
Here's the list of permissions you can allow or block.
Admin console permission | API | What it does |
---|---|---|
2-factor devices | u2fDevices | Allows app or extension to communicate with devices with 2-Factor Authentication that support U2F. |
Alarms | alarms | Schedules code to run periodically or at a specified time. |
Audio capture | audioCapture | Allows app or extension to capture audio directly from the microphone. |
Block web requests | webRequestBlocking | Allows app or extension to block specific web requests. |
Captive portal authenticator | networking.config | Allows app or extension to support captive portal authentication. |
Certificate provider | certificateProvider | Exposes certificates to Chrome so they can be used for Transport Layer Security (TLS) authentication. |
Clipboard read | clipboardRead | Allows app or extension to read the contents of the clipboard at any time. |
Context menus | contextMenus | Allows app or extension developers to add items to the context menu in Chrome. To open the context menu, users right-click a webpage. |
CPU metadata | system.cpu | Allows app or extension to query metadata about the system's CPU. |
Desktop capture | desktopCapture | Allows app or extension to capture screen, window, or tab content. |
Detect idle | idle | Allows app or extension to detect when the device's idle state changes. |
Display metadata | system.display | Allows app or extension to query metadata about the system's display. |
Document scan | documentScan | (ChromeOS only) Allows app or extension to get images from attached document scanners. |
Enterprise device attributes | enterprise_deviceAttributes | (ChromeOS only) Allows app or extension installed by a policy to query the device's unique ID. |
Experimental APIs | experimental | Allows app or extension to use experimental APIs. |
File browser handler | fileBrowserHandler | (ChromeOS only) Extends Chrome. For example, apps or extensions can allow users to upload files to a website. |
File system | fileSystem | Allows app or extension to create, read, navigate, and write to the user's local file system at a user-selected location. |
File system provider | fileSystemProvider | (ChromeOS only) Allows app or extension to create file systems that can be accessible from the file manager on a ChromeOS device. |
Fullscreen apps | app.window.fullscreen | Allows app to open in full screen. |
Geo location | geolocation | Allows app or extension to get the user's current location. |
Google Cloud Messaging | gcm | Allows app or extension to send and receive messages through the Google Cloud Messaging service. |
HID | hid | Allows app or extension to interact with connected Human Interface Devices (HIDs). Apps can function as drivers for hardware devices. |
Identity | identity | Allows app or extension to get OAuth 2.0 access tokens. |
Media galleries | mediaGalleries | Allows app or extension to access media files from a user's device with the user's consent. Media files include audio, images, and video. |
Memory metadata | system.memory | Allows app or extension to query metadata about the system's physical memory. |
Native messaging | nativeMessaging | Allows app or extension to exchange messages with native apps on users' devices. Native apps must be registered as a native messaging host. |
Network metadata | system.network | Allows app or extension to query metadata about the system's network. |
Notifications | notifications | Allows app or extension to create notifications and display them in the user's system tray. |
Override fullscreen escape | app.window.fullscreen.overrideEsc | Sets app to always be in full screen, even if a user presses the Escape key. |
Platform keys | platformKeys | (ChromeOS only) Allows app or extension to access Chrome-managed client certificates for authentication. For example, authenticating to VPN. |
Power | power | Allows app or extension to override the operating system's power-management features. |
Printers | printerProvider | Allows app or extension to control printers, submit print jobs, and query the status of a print job. |
Serial | serial | Allows app or extension to read from and write to a device connected to a serial port. |
Set proxy | proxy | Allows app or extension developer to set or modify a proxy for specific URLs. |
Storage | storage | Allows app or extension to store, retrieve, and track changes to a user's data. |
Storage metadata | system.storage | Allows app or extension to query metadata about the system's storage. |
Sync file system | syncFileSystem | Allows app or extension to save and synchronize data in Google Drive. |
Text to speech | tts | Allows app or extension to play synthesized text-to-speech (TTS). |
Unlimited storage | unlimitedStorage | Removes limit on how much data an extension or app can store on a user's computer. |
USB | usb | Allows app or extension to communicate with USB devices so an app can function as a driver for hardware devices. |
Video capture | videoCapture | Allows app or extension to capture video directly from a user's camera. |
VPN provider | vpnProvider | (ChromeOS only) Allows app or extension to implement a VPN client. |
Web requests | webRequest | Allows app or extension to observe and analyze web traffic, and to intercept or modify in-progress requests. |
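
Before blocking a permission, it helps to know which installed apps and extensions declare it. The following is an added example, not Google's code: it checks a manifest's `permissions` and `optional_permissions` against a set of API names from the table above. The blocked set and the sample manifest are constructed for illustration.

```python
import json

# Admin console names for a subset of the API permissions in the table above.
CONSOLE_NAMES = {
    "audioCapture": "Audio capture",
    "clipboardRead": "Clipboard read",
    "desktopCapture": "Desktop capture",
    "fileSystem": "File system",
    "geolocation": "Geo location",
    "nativeMessaging": "Native messaging",
    "webRequest": "Web requests",
}

# Assumption: the permissions this organization has decided to block.
BLOCKED = {"geolocation", "clipboardRead", "fileSystem", "desktopCapture"}

# Constructed sample manifest (not a real extension).
SAMPLE_MANIFEST = """{
  "name": "Constructed sample app",
  "manifest_version": 2,
  "permissions": ["storage", "geolocation", {"fileSystem": ["write"]}, "https://*/*"],
  "optional_permissions": ["clipboardRead"]
}"""


def audit_manifest(manifest_text, blocked):
    """Return sorted (api, console_name, declared_in) tuples for each
    blocked permission that the manifest declares."""
    manifest = json.loads(manifest_text)
    findings = set()
    for key in ("permissions", "optional_permissions"):
        for entry in manifest.get(key, []):
            # An entry is either a string (API name or host pattern) or an
            # object such as {"fileSystem": ["write"]}; the object's keys
            # are the API names.
            names = list(entry) if isinstance(entry, dict) else [entry]
            for name in names:
                if name in blocked:
                    findings.add((name, CONSOLE_NAMES.get(name, name), key))
    return sorted(findings)


if __name__ == "__main__":
    for api, console_name, declared_in in audit_manifest(SAMPLE_MANIFEST, BLOCKED):
        print(f"{console_name} ({api}) declared in {declared_in}")
```
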