Set up Chrome browser user-level management

Force users to sign in to Chrome browser (user policies only)

For administrators who manage user-level Chrome browser policies from the Google Admin console.

Applies to managed Chrome browsers on Windows and Mac (version 70 or later).

The BrowserSignin policy can only be set as a cloud policy for Chrome browsers enrolled in Chrome Enterprise Core using the Admin console, not as a cloud-based user policy. It can also be set using a platform policy provider such as Windows Group Policy. For details, see Understand Chrome policy management.

As a Chrome Enterprise admin, you can force users to sign in to their managed Google Account before they use Chrome browser on a managed computer. Forcing users to sign in ensures that your user-level Chrome policies and settings in the Google Admin console are applied on users’ computers. You can also control who can save and synchronize Chrome browser settings and data to their managed Google Account.

You can force everyone in your organization to sign in or just specific users.

Before you begin

  • Make sure browser management is turned on for your organization. For details, see Turn on Chrome browser management (user policies only).
  • If you have an existing Chrome deployment, notify users in advance. Tell them that they need to sign in to their managed Google Account on a specific date.

Step 1: Review policies

You can set one or more of the following policies:

Policy Description and settings
BrowserSignin

Specifies whether users can sign in to Chrome browser and sync browser information to their Google Account.

Choose one of these options:

  • 0—Disable browser sign-in: Users can’t sign in to Chrome browser or sync browser information to their Google Account.
  • 1—Enable browser sign-in: Users can sign in to Chrome browser and sync browser information to their Google Account. Chrome browser automatically signs in users when they sign in to a Google service, such as Gmail.
  • 2—Force users to sign-in to use the browser: Forces users to sign in to Chrome browser before they can use it. Chrome browser does not let secondary users sign in.

Unset: Users can sign in to Chrome browser. When users sign in to a Google service, such as Gmail, Chrome browser automatically signs them in. Users can change it.

RestrictSigninToPattern

Restricts which Google Accounts can be signed in to as primary users in Chrome browser.

Use it with BrowserSignin to force users with multiple Chrome profiles to sign in to a specific profile before using Chrome. Users can only sign in with profiles that match the patterns you specify.

Unset: Users can sign in to any Google Account as a primary user in Chrome browser.

Step 2: Set the policies

Note: You don't have to set these policies to enforce browser-level policies.

Follow the steps below that match how you want to manage these policies.

Admin console

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devices and then Chrome and then Settings. The User & browser settings page opens by default.

    If you signed up for Chrome Enterprise Core, go to Menu and then Chrome browser and then Settings.

  3. (Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced).

    Group settings override organizational units.

  4. Go to Sign-in settings.
  5. Click Browser sign-in settings.
  6. Select Force users to sign-in to use the browser.
  7. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).

Windows

Applies to Windows users who sign in to a managed account on Chrome browser.

Using Group policies

On your Windows computer:

  1. Open your Group Policy Management Console.
  2. Go to User Configuration and then Policies and then Administrative Templates and then Google and then Google Chrome.
  3. Enable Browser sign in settings.
  4. Select Force users to sign-in to use the browser and click OK.
  5. Enable Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome.
  6. Enter the pattern for the users you want to specify.
    • To specify all users in your domain, enter:
      ^.*@your-domain\.com$
    • To only allow one user to sign in, enter:
      ^user-id@your-domain\.com$
    • To allow users from both your-domain1.com and your-domain2.org domains to sign in, enter:
      ^.*@your-domain1\.com$|^.*@your-domain2\.org$
  7. Click OK.

Mac

Applies to Mac users who sign in to a managed account on Chrome browser.

In your Chrome configuration profile, add or update the following key. Then deploy the change to your users.

Set the BrowserSignin key to 2:

<key>BrowserSignin</key>
<integer>2</integer>
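
The following pre-deployment check is an added example, not part of the original page or Google's tooling. It covers both the Windows pattern step and the Mac key above: it parses a profile payload, confirms BrowserSignin is the integer 2, and tests RestrictSigninToPattern against accounts that must be accepted or rejected. The names GOOD, WEAK, allowed and audit are hypothetical, the payloads and test accounts are constructed, and Python's re module is assumed to treat these simple patterns the way Chrome's matcher does.

```python
import plistlib
import re

# Constructed payload (not from the page): the policy keys as they would sit
# inside the <dict> of a Chrome configuration profile for macOS.
GOOD = rb"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>BrowserSignin</key><integer>2</integer>
  <key>RestrictSigninToPattern</key><string>^.*@your-domain\.com$</string>
</dict></plist>"""

# Constructed weak variant: value typed as a string, domain dot left unescaped.
WEAK = (GOOD.replace(b"<integer>2</integer>", b"<string>2</string>")
            .replace(rb"your-domain\.com", b"your-domain.com"))

def allowed(pattern, account):
    """Whole-string match; Python's re stands in for Chrome's matcher (assumption)."""
    return re.fullmatch(pattern, account) is not None

def audit(payload, must_allow, must_reject):
    """Return findings for a plist payload; an empty list means it passed."""
    policy = plistlib.loads(payload)
    findings = []
    signin = policy.get("BrowserSignin")
    if type(signin) is not int or signin not in (0, 1, 2):
        findings.append(f"BrowserSignin must be integer 0, 1 or 2, got {signin!r}")
    elif signin != 2:
        findings.append("BrowserSignin is not 2: sign-in is not forced")
    pattern = policy.get("RestrictSigninToPattern")
    if pattern is None:
        return findings + ["RestrictSigninToPattern unset: any account can be primary"]
    for alt in pattern.split("|"):
        domain = alt.rpartition("@")[2]
        # A bare '.' in the domain part matches any character, not just a dot.
        if re.search(r"(?<!\\)\.(?![*+?])", domain):
            findings.append(f"unescaped '.' in domain part of {alt!r}")
    findings += [f"rejects expected account {a}" for a in must_allow
                 if not allowed(pattern, a)]
    findings += [f"accepts unexpected account {a}" for a in must_reject
                 if allowed(pattern, a)]
    return findings

if __name__ == "__main__":
    allow = ["user-id@your-domain.com"]
    reject = ["user-id@gmail.com", "user-id@your-domainxcom"]  # constructed
    for name, payload in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(payload, allow, reject) or "ok")
```
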

Step 3: Have users sign in to Chrome

After you apply the policy, users are prompted to sign in to their profile the first time they open Chrome browser.

On user devices:

  1. Open Chrome browser.
  2. In the User Management window, click You.
  3. Sign in to a specific Chrome profile.

The next time users open Chrome, the browser automatically opens.

Step 4: Verify policies have been applied

After you apply any Chrome policies, users need to restart Chrome browser for the setting to take effect. You can check users’ devices to make sure the policy was applied correctly.

  1. On a managed ChromeOS device, browse to chrome://policy.
  2. Click Reload policies.
  3. Check the Show policies with no value set box.
  4. For RestrictSigninToPattern and BrowserSignin, make sure Status is set to OK.
  5. For RestrictSigninToPattern and BrowserSignin, click Show value and make sure that the value fields are the same as what you set in the policy.

Troubleshoot

Users can’t sign in to Chrome

Some users might already be using Chrome with existing Chrome profiles before you force them to sign in. If that happens, only users who are signed in when you turn on the policy can continue to use Chrome. All other Chrome profiles are locked. To let users sign in to their Chrome profile again, you’ll need to turn off the BrowserSignin policy. Then, make sure all users are signed in and follow the steps to enable the policy again.

Users are unexpectedly signed out of Chrome

Users are automatically signed out of Chrome if they signed in to a profile that doesn’t match the pattern you specify.

Guest mode is no longer available

When you turn on the BrowserSignin policy, users can no longer open Guest mode in Chrome. They must sign in to their Chrome profile.

Policies don't immediately affect offline users

When users sign in to their Chrome profile for the first time, they need an internet connection. After that, they can use Chrome offline. However, any policies you set are only updated when devices are connected to the internet.

Chrome might prompt users to sign in again

When you turn on the BrowserSignin policy, Chrome sometimes prompts existing users to sign in again because they need to reauthenticate their Chrome profile. For example, if a user just changed their Google Account password, they might be prompted to sign in again. Current policies continue to apply and are updated when the user signs in again.
