Applies to managed Chrome browsers and ChromeOS devices.
As a Chrome Enterprise admin you can block and allow URLs so that users can only visit certain websites. Restricting users’ internet access can increase productivity and protect your organization from viruses and malicious content found on some websites.
When to block and allow URLs
Use the blocklist and allowlist for basic URL management. If you need stronger filtering, use a content-filtering web-proxy server or extension.
Use the URL blocklist and allowlist to:
- Allow access to all URLs except the ones you block—Use the blocklist to prevent users from visiting certain websites, while allowing them access to the rest of the web.
- Block access to all URLs except the ones you allow—Use the blocklist to block access to all URLs. Then, use the allowlist to allow access to a limited list of URLs.
- Define exceptions to very restrictive blocklists—Use the blocklist to block access to all URLs. Then, use the allowlist to let users access certain schemes, subdomains of other domains, ports, or specific paths.
- Allow Chrome browser to open apps—Allow specific external protocol handlers so that Chrome browser can automatically open certain apps.
Sometimes, the blocklist and allowlist does not work as expected. For example, if you block an entire website and allow a specific webpage URL for that site, users might be able to access other content on that website.
When SAML or OpenID Connect single sign-on is used for user authentication, or when configuring network connections with Captive Portals outside of user sessions, you can block or allow URLs on user sign-in and lock screens using the DeviceAuthenticationURLBlocklist and DeviceAuthenticationURLAllowlist policies.
For more details, see Blocked URLs on the sign-in / lock screens and Blocked URL exceptions on the sign-in / lock screens.
URL blocking exceptions
It is best practice to not block some URLs. These include:
- chrome://settings
- chrome://os-settings
- chrome-untrusted://
The chrome://settings and chrome://os-settings URLs should be considered part of the operating system for ChromeOS and part of the browser for Chrome and should never be blocked.
Even if you do block some of them, some users might get around this policy by using JavaScript commands to navigate to these pages regardless. For example, if you block the Wi-Fi subpage chrome://os-settings/networks?type=WiFi, users can still go to the page by using the navigation code within settings from the JavaScript console.
ChromeOS system components use chrome-untrusted:// to process data from users or the web and blocking it is not recommended as it will break some system components. This special url scheme allows Google to make sure any data not included with ChromeOS is handled safely with all the safeguards that the Chrome browser provides and that this data can't access functionality reserved for system components. Whenever a system component can process user-supplied data or content from the web, chrome-untrusted://URLs are used.
If you want to block chrome://settings, chrome://os-settings or chrome-untrusted://, use the SystemFeaturesDisableList policy. This blocks all the settings, not just part of it. Do not use URLallowList or URLblockList policies to do this. For details, see Disabled system features.
If you have a specific page you want to block, you should isolate what exactly in the page that you want to block from users. You can then alert Chrome or ChromeOS support about what policies you want implemented. Developers can then add a policy for the specific functionality that should be blocked instead.
Step 1: Review policies
Policy | Description |
---|---|
Prevent users from accessing a list of blocked URLs. Users can access all URLs except those that you block. Unset: Users can access all website URLs without restriction. |
|
Use it with URLBlocklist to allow users to access specific URLs as exceptions to the URL blocklist. The allowlist takes precedence over the blocklist. To work, you need at least one entry in the blocklist. Unset: There are no exceptions to the URL blocklist. |
Step 2: Specify URLs Chrome users can visit
Click below for the steps, based on how you want to manage these policies.
Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, Linux, or Android. For details, see Understand when settings apply.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
-
(Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how
Group settings override organizational units. Learn more
- Go to Content.
- Click URL Blocking and enter URLs as needed:
- Blocked URLs—URLs that you want to prevent users from accessing.
For syntax and examples, see Users & browsers > URL blocklist.
- Blocked URL exceptions—URLs that you want to allow users to access (allowlist). Access is allowed even if the URLs are also defined in Blocked URLs.
For syntax and examples, see Users & browsers > URL blocklist exceptions.
You can block and allow up to 1,000 URLs.
- Blocked URLs—URLs that you want to prevent users from accessing.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
- Blocked URLs is not recognized by apps that use Android System WebView. To enforce a blocklist on these apps, define the blocked URLs in a text file and apply the blocklist to the Android apps on an app-by-app basis. For apps that don’t use Android System WebView, see the app documentation for information on how to restrict access in a similar way.
- Blocked URL exceptions is usually recognized by Android apps that use Android System WebView. However, other apps might not respect the blocklist. You can allow the apps that use Android System WebView and omit the ones that don’t. For information on allowing Android apps, see Allow the installation of approved apps.
Applies to Windows users who sign in to a managed account on Chrome browser.
Using Group Policy
In your Microsoft Windows Group Policy Editor (Computer or User Configuration folder):
- Go to PoliciesAdministrative TemplatesGoogleGoogle Chrome.
- Enable Block access to a list of URLs.
Tip: If you don't see this policy, download the latest policy template. - Add the URLs that you want to block.
Leaving this policy Not configured uses the Unset behavior described above. - Enable Allows access to a list of URLs.
- Add the URLs that you want users to access.
Leaving this policy Not configured uses the Unset behavior described above. - Deploy the update to your users.
You can block and allow up to 1,000 URLs. For URL syntax, see Allow or block websites—URL filter format.
Applies to Mac users who sign in to a managed account on Chrome browser.
In your Chrome policy configuration profile (.plist file):
- Add or update the following keys.
- Add the URLs that you want to block to the URLBlocklist key.
- Add the URLs that you want users to access to the URLAllowlist key.
- Deploy the changes to your users.
You can block and allow up to 1,000 URLs. For URL syntax, see Allow or block websites—URL filter format.
The example shows how to block all URLs except mail.example.com, wikipedia.org, and google.com.
<key>URLBlocklist</key>
<dict>
<array>
<string>*</string>
</array>
</dict>
<key>URLAllowlist</key>
<dict>
<array>
<string>mail.example.com</string>
<string>wikipedia.org</string>
<string>google.com</string>
</array>
</dict>
Applies to Linux users who sign in to a managed account on Chrome browser.
Using your preferred JSON file editor:
- Go to your /etc/opt/chrome/policies/managed folder.
- Create or update a JSON file and enter URLs as needed:
- In URLBlocklist, add the URLs that you want to block.
- In URLAllowlist, add the URLs that you want users to access.
- Deploy the update to your users.
You can block and allow up to 1,000 URLs. For URL syntax, see Allow or block websites—URL filter format.
The example shows how to block all URLs except mail.example.com, wikipedia.org, and google.com.
First, create a file that contains the blocked URLs.
{
"URLBlocklist": ["*"]
}
Then, create a file that contains the allowed URLs.
{
"URLAllowlist": ["mail.example.com", "wikipedia.org", "google.com"]
}
Applies to Android users who sign in to Chrome browser using a managed account.
If you've signed up for Chrome Enterprise Core, use your Admin console to manage Chrome browser on Android devices. Follow the steps in Admin console above.
Otherwise, we recommend that you ask your Mobile Device Management (MDM) vendor to configure URL blocking policies for Chrome on Android.
Applies to iPhone and iPad users who sign in to Chrome browser using a managed account.
If you've signed up for Chrome Enterprise Core, use your Admin console to manage Chrome browser on iPhones and iPads. Follow the steps in Admin console above.
Otherwise, we recommend that you ask your Mobile Device Management (MDM) vendor to configure URL blocking policies for Chrome on iOS and iPadOS.
Step 3: Verify policies are applied
After you apply any Chrome policies, users need to restart Chrome browser for the settings to take effect. You can check users’ devices to make sure the policy was applied correctly.
- On a managed device, go to chrome://policy.
- Click Reload policies.
- For URLBlocklist and URLAllowlist, make sure Status is set to OK.
- For URLBlocklist and URLAllowlist, click Show value and make sure that the value fields are the same as what you set in the policy.