Many IT teams today have to balance keeping their organization secure and ensuring their employees can be productive. Chrome browser has hundreds of enterprise policies to choose from to support these two priorities. These policies are available across on-prem and cloud options, and can be configured at different levels for maximum flexibility for IT teams. The methods you use to apply these policies determines their level of precedence. So in the case of a conflicting policy, it is good to know which one will win. If there is not a conflicting policy, regardless of level, the policy will still apply as expected.
To help ensure policies are behaving the way admins intend, let’s break down the what, how and when these levels of precedence get set and how they affect each other.
Here they are in the order of precedence from highest to lowest:
- Machine policy—This level of precedence and is usually set via Group Policy on Windows or via managed preferences on a Mac. They can also be set for Linux. Policy that is set at this level will override any other policy if there is a conflict.
- Cloud Machine Policy—These policies are set within Chrome Browser Cloud Management, This means that as you roll out Chrome Browser Cloud Management, it will work side-by-side with your existing policies, but local machine policy will win if conflicts occur.
Note: there is a GPO policy that can be used to override this order of precedence in case you want Cloud Policy to win over any policy set including local machine policy.
- OS User policy—This applies when a user signs in to their account on a corporate-managed Windows or Mac computer.
- Cloud User Policy—These are also known as Chrome profile policies. If you are a Google Workspace customer, this policy is set within the Google Admin Console and applies when your users sign into Google and have a policy applied.
- Chrome Default/Users Settings—These are either the default settings that come standard with Chrome or settings that are manually set by the user. These policies hold the least precedence, and in many cases administrators may choose to limit a user’s ability to make setting changes in their corporate environments.
If you want to review the different levels and sources of the policies that are being applied to your devices, go to chrome://policies to see the policies that are currently in effect. Here is a link to more information on how to view policies and their sources via this method.
Another important consideration is that some settings also can be applied in different ways, for example, recommended or mandatory. Policies that are mandatory force the setting and do not allow the user to change them. Recommended settings allow the user to change the settings after they have been set by the administrator. You can set this by creating a primary_preferences file on your users’ machines. The method of doing this is detailed in Use primary preferences for Chrome Browser. Note that these settings are the lowest order of precedence (level 5 in the list above) and could be overridden by any other policy above it.
The number of configuration options available are ultimately meant to help IT teams customize Chrome to meet the unique needs of your environment and users. Hopefully this provides more clarity on the different methods and behaviors of Chrome Browser policies so you can make sure that the right policies get applied on your user’s machines. Understanding policy precedence is a great way to ensure that Chrome is behaving the way IT teams intend for your workforce.
By: Fletcher Oliver (Chrome Browser Customer Engineer)
Source: Google Cloud Blog