For administrators who manage Chrome browser or ChromeOS devices for a business or school.
As a Chrome administrator, you can use the DownloadRestrictions policy to prevent users from downloading dangerous files, such as malware or infected files. You can prevent users from downloading all files or those that Google Safe Browsing identifies as dangerous. If users try downloading dangerous files, they get a security warning that they can’t bypass.
To understand what file types are impacted by this policy and what files are potentially blocked, see the Chromium code here.
Step 1: Review the policy
Policy: DownloadRestrictions
There are many types of download warnings within Chrome that can generally be categorized as follows:
- Malicious, as flagged by the Safe Browsing server.
- Uncommon or unwanted, as flagged by the Safe Browsing server.
- A dangerous file type. For example, all DLL downloads and many EXE downloads.
For more details on these categories, see Google Chrome blocks downloads.
Setting the DownloadRestrictions policy blocks different subsets of these, depending on it's value:
- 0—Default. No special restrictions.
- 1—Blocks the following files:
- files flagged by Safe Browsing as DANGEROUS_ACCOUNT_COMPROMISE or DANGEROUS
- download URLs flagged by Safe Browsing
- files that have a danger_level of DANGEROUS and ALLOW_ON_USER_GESTURE.
Note: We only recommend setting this policy for organization units, browsers, or users that do not regularly incorrectly identify an entity, such as a file or a process, as malicious.
- 2—Blocks the following files:
- files flagged by Safe Browsing as DANGEROUS, UNCOMMON, POTENTIALLY_UNWANTED, DANGEROUS_HOST, DANGEROUS_ACCOUNT_COMPROMISE
- download URLs flagged by Safe Browsing
- files that have a danger_level of DANGEROUS and ALLOW_ON_USER_GESTURE
Note: We only recommend setting this policy for organization units, browsers, or users that do not regularly incorrectly identify an entity, such as a file or a process, as malicious
- 3—Blocks all downloads. Not recommended, except for special use cases.
- 4—Recommended. Blocks files flagged as DANGEROUS, DANGEROUS_HOST, ACCOUNT_COMPROMISE, or if the URL is flagged by Safe Browsing
Unset: Defaults to No restrictions, as described above.
Danger levelsTo manage file downloads, we classify files by how potentially dangerous they are.
Note: The list of dangerous file types and safe browser warnings is often updated. We recommend you regularly check the code by entering danger_level in the search bar in the Chromium code search
The following are the dangers levels:
- NOT_DANGEROUS
- ALLOW_ON_USER_GESTURE
- DANGEROUS
Files without a danger_level use the default NOT_DANGEROUS. For these files, the ping_setting determines whether the file is checked with the Safe Browsing server or not.
- FULL_PING—Always contacts Safe Browsing
- SAMPLED_PING—Contacts Safe Browsing on 1% of downloads, but only if the user has opted-in to Enhanced Safe Browsing
- NO_PING—Never contacts Safe Browsing
Safe Browsing warning | Description |
---|---|
SAFE | The download is considered safe. |
DANGEROUS | The download is considered dangerous. Chrome displays a warning to the user. |
UNCOMMON | The download is uncommon. Chrome displays a less severe warning. |
POTENTIALLY_UNWANTED | The download is potentially unwanted. |
DANGEROUS_HOST | The download is from a dangerous host. |
UNKNOWN | Safe Browsing doesn’t have confidence in its verdict of this file. Chrome displays the default warning if configured for this file type. |
DANGEROUS_ACCOUNT_COMPROMISE | The download is associated with stealing cookies and account compromise. Chrome displays a severe warning. |
URL is Flagged | The URL is considered dangerous. Chrome displays a warning to the user. |
Use the ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy to create a dictionary of file type extensions with a corresponding list of domains that are exempted from file type extension-based download warnings.
Use ExemptDomainFileTypePairsFromFileTypeDownloadWarnings and DownloadRestrictions only when the download restriction is set to 4. If DownloadRestrictions is set to 1, 2, or 3, DownloadRestrictions takes precedence, and files deemed as dangerous are blocked.
These restrictions apply to downloads that are triggered on webpages when users click a download link on the page or right-click a file and choose Save link as.
The restrictions do not apply when users save a webpage by clicking File Save page as, or Print Save as PDF.
For more details, see What is Safe Browsing?
Step 2: Set the policy
Click below for steps, based on how you want to manage these policies.
Admin console-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
-
To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Chrome Safe Browsing.
- Click Download restrictions.
- Choose an option:
- No special restrictions
- Block all malicious downloads
- Block dangerous downloads
- Block potentially dangerous downloads
- Block all downloads
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
Using Group Policy
- Go to Policies Administrative Templates Google Google Chrome.
- Enable Allow Download Restrictions.
- Set an option:
- No special restrictions
- Block all malicious downloads
- Block dangerous downloads
- Block potentially dangerous downloads
- Block all downloads
- Deploy the policy to your users.
In your Chrome configuration profile, add or update the following key and then deploy the change to your users.
Set the DownloadRestrictions key to <integer>value</integer>, where <value> is 0, 1, 2, 3, or 4.
Example code:
<key>DownloadRestrictions</key>
<dict>
<integer>1</integer>
</dict>
In your preferred JSON file editor, add or update a JSON file and then deploy the change to your users.
- Go to your etc/opt/chrome/policies/managed folder.
- Set the DownloadRestrictions key to 0, 1, 2, 3, or 4.
Example code:
{
"DownloadRestrictions": "1"
}