Managing group-based policies

For administrators who manage ChromeOS users and Chrome browsers for a business or school.

As an admin, instead of assigning policies or extensions to just organizational units, you can use groups to configure features and services for different groups of users and Chrome browsers. This means users and browsers can be part of the same organizational group but assigned to various individual groups of users.

You can then turn on services for a group of users rather than an entire organizational unit. This lets you control access for specific users and browsers without changing your organizational structure. For example, even if you have employees and developers in the same organizational units, setting up separate groups for them will allow you to provide access to certain developer tools for developers but block it for employees.

Groups always take precedence over organizational units. If you have a user or browser that belongs to a group whose policy conflicts with its organizational unit, the policy set for the group it belongs to always applies.

To create a group, see Create a group in your organization .

Add a ChromeOS user to a group

You can add ChromeOS users to groups and then set policies for them with Group Based Policies (GBP).

To learn how to add users to a group, see Add or invite users to a group .

Add a ChromeOS device to a group

  1. Sign in to your Google Admin console .

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to  Menu  Devices Chrome Devices.
  3. On the Devicestab, click the device you want to add to a group.
  4. On the left, click Add to groups.
  5. In the group search box, enter one or more groups to add the device to.
  6. Click Add.

Add a browser to a group

As well as managing users, you can add Chrome browsers to groups and then set policies for them with Group Based Policies (GBP).

  1. Sign in to your Google Admin console .

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu  Devices Chrome Managed browsers .

    If you signed up for Chrome Enterprise Core, go to Menu  Chrome browser Managed browsers.

  3. Select the browsers you want to add to a group and click Add to group.
  4. Enter the name of the group or groups you want to add the browsers to and click Add.

Set user and browser policies for a group

Using groups you can assign user and browser policies to those groups instead of just organizational units.

Note:Not all user and browser policies can be assigned to groups. 

  1. Sign in to your Google Admin console .

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu  Devices Chrome Settings. The User & browser settingspage opens by default.

    If you signed up for Chrome Enterprise Core, go to Menu  Chrome browser Settings.

  3. On the left click Groups.
  4. Select the group to which you want to apply the setting. Only the settings that can be applied to groups are displayed.
  5. Select the policy to apply to the group.
  6. Click Add group override.
  7. Set the policy.
  8. Click Save.

    Set extension policies for a group

    1. Sign in to your Google Admin console .

      Sign in using your administrator account (does not end in @gmail.com).

    2. In the Admin console, go to Menu  Devices Chrome Apps & extensions Users & browsers .

      If you signed up for Chrome Browser Cloud Management, go to Menu  Chrome browser Apps & extensions Users & browsers .

    3. Select the group to which you want to apply the setting.
    4. At the bottom click.
    5. Select the extension source and follow the prompts to add the extension to the list.
    6. Configure the extension policy, including deployment and permissions.
    7. Click Save.

    Filter managed browsers by groups

    1. Sign in to your Google Admin console .

      Sign in using your administrator account (does not end in @gmail.com).

    2. In the Admin console, go to Menu  Devices Chrome Managed browsers .

      If you signed up for Chrome Enterprise Core, go to Menu  Chrome browser Managed browsers.

    3. On the left, search for and select the group.
      All the browsers associated with that specific group are displayed

    Change the order of group assignments for extensions

    1. Sign in to your Google Admin console .

      Sign in using your administrator account (does not end in @gmail.com).

    2. In the Admin console, go to Menu  Devices Chrome Apps & extensions. The Overviewpage opens by default.

      If you signed up for Chrome Browser Cloud Management, go to Menu  Chrome browser Apps & extensions.

    3. On the left, select the extension.
      If the extension has a group assignment, the groups are listed on the right.
    4. Select a group assignment.
      The specific group is displayed and filtered for that specific extension automatically.
    5. Select the extension again.
    6. On the left side of the extension settings page you will see the list of groups it is assigned to. Drag and drop groups to change the order, or change the number in the text box next to them.

    Groups take precedence over organizational units for policies of the same type, for example machine policies or user policies. Aside from group reordering, there are many options when it comes to policy precedence. For more details, see Understand Chrome policy management .

    Known Limitations

    • Currently, only Chrome Browser Cloud Managed browsers can be added to groups. We are actively working on adding support for ChromeOS devices in the coming months.

    FAQs

    Which takes priority, machines or user policies?

    • If you prefer groups of browsers to have the highest precedence, make sure that Cloud Machine policies take precedence as outlined in Understand Chrome policy management .
      1. Machine cloud2. Machine3. OS user4. Chrome profile
    • If you prefer groups of users to have the highest precedence, ensure that Cloud User policies take precedence.
      1. Chrome profile2. Machine cloud3. Machine4. OS user

    Can I sync Active Directory groups into the Admin console?

    You can sync Active Directory groups using the Google Cloud Directory Sync tool.

    Can I sync Microsoft Entra ID groups into Admin console?

    You can sync Microsoft Entra ID groups into the Admin console when Microsoft Entra ID provisioning is configured. For details, see this Microsoft tutorial .

    What permissions do you need in the Admin console role to create and manage groups and assign policies to groups?

    You need the Groups privilege enabled for your role. There is also a Groups Editor and Groups Reader privilege available.

    To assign policies to groups, the same permissions are required as with device-based policy assignment. Nothing has changed.

    What kinds of members can be added to groups?

    • Browsers
    • ChromeOS users
    • Groups (nesting)

    Can group members belong to multiple groups?

    Yes. A group member can belong to more than one group.

    Are nested groups supported with group-based policy?

    Yes. Indirect, nested (one group sitting inside another group) memberships are supported with group-based policy.

    Are dynamic groups supported for browsers?

    At the moment, dynamic groups do not support browsers.

    Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

    Was this helpful?

    How can we improve it?
    Search
    Clear search
    Close search
    Google apps
    Main menu
    17672632879556301787
    true
    Search Help Center
    true
    true
    true
    true
    true
    410864
    false
    false
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: