Allow private browsing

For administrators who manage Chrome browser or ChromeOS devices for a business or school.

As a Chrome administrator, you can let users browse the web in private. For example, multiple users can share the same device without being able to see other users’ browsing history and Chrome profile information.

Step 1: Compare private browsing options

Decide which type of private browsing is right for users in your organization.

  • Ephemeral—Users sign in to Chrome and have access to the full extent of a browser session. For example, they can use Chrome sync to synchronize and save their bookmarks, history, and other settings to their Google Account. When they sign out of Chrome or exit the browser, all local data is deleted. Ephemeral browsing is useful for shared devices with multiple users.
  • Guest—Users can browse the web without signing in to their Google Account or being affected by existing Chrome profiles on a device. Browser session data isn’t saved on the local disk. Guest sessions are useful for letting other users privately browse the web without signing in. For example, users can provision certificates or gather logs to help troubleshoot problems with Chrome.
  • Incognito—Users can browse the web using a separate Chrome window from the one that they’re signed in to. Users can switch between Incognito windows and their regular Chrome windows, but they only browse in private when they're using an Incognito window. Browser session data isn’t saved on the local disk. Incognito windows are useful when users want to temporarily browse the web without keeping history or using previous history. For example, if a user has signed in to their personal account and wants to temporarily sign in to the Google Admin console using a different account, Incognito mode creates separation and ephemerality.

Users can browse Chrome as a guest or in Incognito mode, unless you use policy to disable those browsing modes. Users can only browse Chrome in Ephemeral mode if you use policy to force them to. The following table compares commonly used features available for ephemeral, guest, and incognito private browsing options.

Feature Ephemeral Guest Incognito
Users can add bookmarks. Yes
Bookmarks are removed when the browser session ends.
No Yes
Bookmarks remain after the browser session ends.
Chrome sync is available. Yes No No
Data is written to disk during browser session. Yes
Data is removed when the browser session ends.
No No
Users can use extensions. Yes No Yes
Users need to individually enable extensions in Incognito mode.
Users can launch Chrome Browser in this mode. No

Yes

Yes
Users can reopen recently closed tabs. Yes No No
Browsing history is saved. Yes (only if Chrome sync is enabled) No No

Step 2: Review policies

Policy Description

BrowserGuestModeEnabled

Specifies whether users can use Chrome Browser as a guest. Guest users can browse the web without having to sign in to their Google Account.

Unset: Guest sessions are allowed.

BrowserGuestModeEnforced

Specifies whether Chrome Browser will enforce starting in guest sessions instead of existing profiles.

Unset: Chrome Browser will start in the last used profile.

DeviceEphemeralUsersEnabled

Specifies whether to wipe local user data when users sign out of Chrome.

Unset: ChromeOS devices keep local user data.

DeviceGuestModeEnabled

Specifies whether users can use a ChromeOS device as a guest. Guest users can browse the web without having to sign in to their Google Account.

Unset: Guest users can browse the web.

ForceEphemeralProfiles

Specifies whether to switch to ephemeral browsing when Chrome Browser starts.

If you use on-premise tools to enforce policies that control Chrome Browser, this policy applies to all users who sign in to Chrome, including personal Gmail accounts. If you use the Google Admin console to manage user-level policies from the cloud, this policy only applies when users sign in to Chrome with their managed Google Account.

Unset: Chrome Browser doesn’t switch to ephemeral browsing.

IncognitoModeAvailability

Specifies whether users can browse the web in an Incognito window in Chrome Browser and on ChromeOS devices.

Choose one of the options:

  • 0—Incognito mode available: Users can open webpages in an Incognito window.
  • 1—Incognito mode disabled: Users can't open webpages in an Incognito window.
  • 2—Incognito mode forced: Users can only open webpages in an Incognito window.

Unset: Users can browse the web in an Incognito window.

Step 3: Set the policies

Click below for the steps, based on how you want to manage these policies.

Admin console
Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. (Optional) To force users to browse the web in Ephemeral mode:
    1. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettings. The User & browser settings page opens by default.

      If you signed up for Chrome Enterprise Core, go to Menu and then Chrome browserand thenSettings.

    2. (Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

      Group settings override organizational units. Learn more

    3. Go to Security.
    4. Click Force ephemeral mode.
    5. Select Erase all local user data.
    6. Click Save. Or, you might click Override for an organizational unit.

      To later restore the inherited value, click Inherit (or Unset for a group).

  3. (Optional) To allow guest browsing on devices using ChromeOS:
    1. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettingsand thenDevice settings.
       
    2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
    3. Go to Sign-in settings.
    4. Click Guest mode.
    5. Select Allow guest mode.
    6. Click Save.
  4. (Optional) To let users browse the web in Incognito mode:
    1. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettings. The User & browser settings page opens by default.

      If you signed up for Chrome Enterprise Core, go to Menu and then Chrome browserand thenSettings.

    2. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
    3. Go to Security.
    4. Click Incognito mode.
    5. Select Allow incognito mode.
    6. Click Save.
  5. At the top, click Save.
Windows
Applies to Windows users who sign in to a managed account on Chrome browser.

Using Group Policy

In your Microsoft Windows Group Policy Management Editor (Computer or User Configuration folder):
  1. Go to Policiesand thenAdministrative Templatesand thenGoogleand thenGoogle Chrome.
  2. To force users to browse the web in Ephemeral mode, enable Ephemeral profile.
    Tip: If you don't see this policy, download the latest policy template.
    Leaving this policy Not configured uses the Unset behavior described above.
  3. To allow guest browsing in Chrome Browser, turn on Enable guest mode in browser.
    Leaving this policy Not configured uses the Unset behavior described above.
  4. To let users browse the web in Incognito mode:
    1. Enable Incognito mode availability.
      Leaving this policy Not configured uses the Unset behavior described above.
    2. Set an option:
      • Incognito mode available—Users can open webpages in Incognito mode.
      • Incognito mode disabled—Users can’t open webpages in Incognito mode.
      • Incognito mode forced—Users can only open webpages in Incognito mode.
  5. Deploy the update to your users.
Mac
Applies to Mac users who sign in to a managed account on Chrome browser.
  1. In your Chrome configuration profile, add or update the following keys:
    • To force users to browse the web in Ephemeral mode, set the ForceEphemeralProfiles key to true.
    • To allow guest browsing in Chrome Browser, set the BrowserGuestModeEnabled key to true.
    • To let users browse the web in Incognito mode, set the IncognitoModeAvailability key to <integer>value</integer>, where <value> is 0, 1, or 2.
  2. Deploy the change to your users.
Linux
Applies to Linux users who sign in to a managed account on Chrome browser.
Using your preferred JSON file editor:
  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create or update a JSON file.
  3. Apply settings:
    • To force users to browse the web in Ephemeral mode, set ForceEphemeralProfiles to 1.
    • To allow guest browsing in Chrome Browser, set BrowserGuestModeEnabled to 1.
    • To let users browse the web in Incognito mode, set IncognitoModeAvailability to 0, 1, or 2.

Verify policies are applied

After you apply any Chrome policies, users need to restart Chrome Browser for the settings to take effect. Check users’ devices to make sure the policy was applied correctly.

  1. On a managed device, go to chrome://policy.
  2. Click Reload policies.
  3. Check the Show policies with no value set box.
  4. For the policies that you set, make sure that Status is set to OK:
    • DeviceEphemeralUsersEnabled
    • ForceEphemeralProfiles
    • IncognitoModeAvailability
    • DeviceGuestModeEnabled
    • BrowserGuestModeEnabled
  5. For the policies that you set, make sure that the policy values match what you set in the policy.
    • DeviceEphemeralUsersEnabled—true or false
    • ForceEphemeralProfiles—true or false
    • IncognitoModeAvailability—0, 1, or 2
    • DeviceGuestModeEnabled—true or false
    • BrowserGuestModeEnabled—true or false

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
8825399655290466129
true
Search Help Center
true
true
true
true
true
410864
false
false