For administrators who manage Chrome browser or ChromeOS devices for a business or school.
As a Chrome administrator, you can let users browse the web in private. For example, multiple users can share the same device without being able to see other users’ browsing history and Chrome profile information.
Step 1: Compare private browsing options
Decide which type of private browsing is right for users in your organization.
- Ephemeral—Users sign in to Chrome and have access to the full extent of a browser session. For example, they can use Chrome sync to synchronize and save their bookmarks, history, and other settings to their Google Account. When they sign out of Chrome or exit the browser, all local data is deleted. Ephemeral browsing is useful for shared devices with multiple users.
- Guest—Users can browse the web without signing in to their Google Account or being affected by existing Chrome profiles on a device. Browser session data isn’t saved on the local disk. Guest sessions are useful for letting other users privately browse the web without signing in. For example, users can provision certificates or gather logs to help troubleshoot problems with Chrome.
- Incognito—Users can browse the web using a separate Chrome window from the one that they’re signed in to. Users can switch between Incognito windows and their regular Chrome windows, but they only browse in private when they're using an Incognito window. Browser session data isn’t saved on the local disk. Incognito windows are useful when users want to temporarily browse the web without keeping history or using previous history. For example, if a user has signed in to their personal account and wants to temporarily sign in to the Google Admin console using a different account, Incognito mode creates separation and ephemerality.
Users can browse Chrome as a guest or in Incognito mode, unless you use policy to disable those browsing modes. Users can only browse Chrome in Ephemeral mode if you use policy to force them to. The following table compares commonly used features available for ephemeral, guest, and incognito private browsing options.
Feature | Ephemeral | Guest | Incognito |
---|---|---|---|
Users can add bookmarks. | Yes Bookmarks are removed when the browser session ends. |
No | Yes Bookmarks remain after the browser session ends. |
Chrome sync is available. | Yes | No | No |
Data is written to disk during browser session. | Yes Data is removed when the browser session ends. |
No | No |
Users can use extensions. | Yes | No | Yes Users need to individually enable extensions in Incognito mode. |
Users can launch Chrome Browser in this mode. | No |
Yes |
Yes |
Users can reopen recently closed tabs. | Yes | No | No |
Browsing history is saved. | Yes (only if Chrome sync is enabled) | No | No |
Step 2: Review policies
Policy | Description |
---|---|
Specifies whether users can use Chrome Browser as a guest. Guest users can browse the web without having to sign in to their Google Account. Unset: Guest sessions are allowed. |
|
Specifies whether Chrome Browser will enforce starting in guest sessions instead of existing profiles. Unset: Chrome Browser will start in the last used profile. |
|
Specifies whether to wipe local user data when users sign out of Chrome. Unset: ChromeOS devices keep local user data. |
|
Specifies whether users can use a ChromeOS device as a guest. Guest users can browse the web without having to sign in to their Google Account. Unset: Guest users can browse the web. |
|
Specifies whether to switch to ephemeral browsing when Chrome Browser starts. If you use on-premise tools to enforce policies that control Chrome Browser, this policy applies to all users who sign in to Chrome, including personal Gmail accounts. If you use the Google Admin console to manage user-level policies from the cloud, this policy only applies when users sign in to Chrome with their managed Google Account. Unset: Chrome Browser doesn’t switch to ephemeral browsing. |
|
Specifies whether users can browse the web in an Incognito window in Chrome Browser and on ChromeOS devices. Choose one of the options:
Unset: Users can browse the web in an Incognito window. |
Step 3: Set the policies
Click below for the steps, based on how you want to manage these policies.
Admin console-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- (Optional) To force users to browse the web in Ephemeral mode:
-
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
-
(Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how
Group settings override organizational units. Learn more
- Go to Security.
- Click Force ephemeral mode.
- Select Erase all local user data.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
-
- (Optional) To allow guest browsing on devices using ChromeOS:
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
-
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Sign-in settings.
- Click Guest mode.
- Select Allow guest mode.
- Click Save.
-
- (Optional) To let users browse the web in Incognito mode:
-
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
-
To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Security.
- Click Incognito mode.
- Select Allow incognito mode.
- Click Save.
-
-
At the top, click Save.
Using Group Policy
- Go to PoliciesAdministrative TemplatesGoogleGoogle Chrome.
- To force users to browse the web in Ephemeral mode, enable Ephemeral profile.
Tip: If you don't see this policy, download the latest policy template.
Leaving this policy Not configured uses the Unset behavior described above. - To allow guest browsing in Chrome Browser, turn on Enable guest mode in browser.
Leaving this policy Not configured uses the Unset behavior described above. - To let users browse the web in Incognito mode:
- Enable Incognito mode availability.
Leaving this policy Not configured uses the Unset behavior described above. - Set an option:
- Incognito mode available—Users can open webpages in Incognito mode.
- Incognito mode disabled—Users can’t open webpages in Incognito mode.
- Incognito mode forced—Users can only open webpages in Incognito mode.
- Enable Incognito mode availability.
- Deploy the update to your users.
- In your Chrome configuration profile, add or update the following keys:
- To force users to browse the web in Ephemeral mode, set the ForceEphemeralProfiles key to true.
- To allow guest browsing in Chrome Browser, set the BrowserGuestModeEnabled key to true.
- To let users browse the web in Incognito mode, set the IncognitoModeAvailability key to <integer>value</integer>, where <value> is 0, 1, or 2.
- Deploy the change to your users.
- Go to your /etc/opt/chrome/policies/managed folder.
- Create or update a JSON file.
- Apply settings:
- To force users to browse the web in Ephemeral mode, set ForceEphemeralProfiles to 1.
- To allow guest browsing in Chrome Browser, set BrowserGuestModeEnabled to 1.
- To let users browse the web in Incognito mode, set IncognitoModeAvailability to 0, 1, or 2.
Verify policies are applied
After you apply any Chrome policies, users need to restart Chrome Browser for the settings to take effect. Check users’ devices to make sure the policy was applied correctly.
- On a managed device, go to chrome://policy.
- Click Reload policies.
- Check the Show policies with no value set box.
- For the policies that you set, make sure that Status is set to OK:
- DeviceEphemeralUsersEnabled
- ForceEphemeralProfiles
- IncognitoModeAvailability
- DeviceGuestModeEnabled
- BrowserGuestModeEnabled
- For the policies that you set, make sure that the policy values match what you set in the policy.
- DeviceEphemeralUsersEnabled—true or false
- ForceEphemeralProfiles—true or false
- IncognitoModeAvailability—0, 1, or 2
- DeviceGuestModeEnabled—true or false
- BrowserGuestModeEnabled—true or false