Using browser enterprise policies
Enterprise policies allow you to control browser behavior using the
Chromium enterprise policy
Overview
Chromium enterprise policies can be applied at two enforcement levels:
- Managed – Required and mandated by an administrator. These cannot be overridden. Managed policies are written to /etc/chromium/policies/managed/.
- Recommended – Set at user level and take lower precedence than managed policies in the event of a conflict. Recommended policies are written to /etc/chromium/policies/recommended/.
For more details about Chrome policy types and precedence, see the Chromium Linux Quick Start.
Managed policies can be set using the CreateBrowser API and apply to all
sessions created with that custom browser. Recommended policies are set at session level
using the StartBrowserSession API and apply only to that specific session.
They need to be re-applied to every new session.
You create JSON policy files following the Chrome Enterprise Policy List.
Prerequisites
Before using enterprise policies, ensure you have:
- Completed the general Browser Prerequisites
- An Amazon S3 bucket in the same region as your browser to store policy JSON files
- IAM permissions to access the Amazon S3 bucket containing your policy files. Add the following permissions to your IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EnterprisePolicyS3Access",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Resource": [
            "arn:aws:s3:::<S3Bucket>/<path_to_policies>/*"
          ]
        }
      ]
    }

- Policy JSON files following the Chromium enterprise policy format. Each file must contain valid policy keys from the Chrome Enterprise Policy List.
Preparing policy files
Create JSON files containing the policies you want to apply. Each file should contain a flat JSON object with policy keys and values.
Example managed policy file
This file disables autofill and password saving:
    {
      "AutofillAddressEnabled": false,
      "AutofillCreditCardEnabled": false,
      "PasswordManagerEnabled": false
    }
Example recommended policy file
This file is used to set policies at session level:
    {
      "BookmarkBarEnabled": true,
      "SpellCheckServiceEnabled": false,
      "TranslateEnabled": false
    }
Upload the policy files to your Amazon S3 bucket:
    aws s3 cp managed-policies.json s3://my-policy-bucket/policies/managed-policies.json
    aws s3 cp recommended-policies.json s3://my-policy-bucket/policies/recommended-policies.json
Note
You can specify up to 10 enterprise policy files. The Amazon S3 bucket must be in the same region as the browser.
Creating a custom browser with managed policies
To enforce enterprise policies that cannot be overridden, create a custom browser with managed policies. Managed policies are applied to every session created with this browser.
Starting a session with recommended policies
Recommended policies can be applied to sessions using the default browser
(aws.browser.v1) as well as custom browsers that may already include
managed policies.
Tip
For the default browser, set browserIdentifier to aws.browser.v1.
Considerations
- You can specify up to 10 enterprise policy files.
- Each policy file must have a .json extension and cannot exceed 5 MB in size.
- The Amazon S3 bucket must be in the same region as the browser.
- Policy files are read from Amazon S3 at the time of the API call. Changes to policy files in Amazon S3 after calling CreateBrowser or StartBrowserSession are not reflected.
- Policy JSON files must contain valid keys from the Chrome Enterprise Policy List.
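A pre-upload check for the limits listed above, as an added example that is not AWS-provided code: it enforces the .json extension, the 5 MB size limit and the 10-file limit, rejects duplicate keys that a JSON parser would silently resolve, and reports recommended values that a conflicting managed policy will override. Assumptions: the function names are hypothetical, the 10-file limit is taken to apply to each list of files, and keys are not checked against the Chrome Enterprise Policy List.

```python
import json
import tempfile
from pathlib import Path

MAX_FILES = 10         # file-count limit stated on this page
MAX_BYTES = 5_000_000  # "5 MB" read as decimal megabytes (assumption, the stricter reading)

def _reject_duplicates(pairs):
    """object_pairs_hook: json.loads alone silently keeps the last duplicate."""
    keys = [key for key, _ in pairs]
    dupes = sorted({key for key in keys if keys.count(key) > 1})
    if dupes:
        raise ValueError(f"duplicate key(s) {dupes}")
    return dict(pairs)

def load_policy_file(path):
    """Return the policy dict from one file, or raise ValueError with the reason."""
    path = Path(path)
    if path.suffix != ".json" or path.stat().st_size > MAX_BYTES:
        raise ValueError(f"{path.name}: must be a .json file of at most 5 MB")
    try:
        text = path.read_text(encoding="utf-8")
        policy = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # includes json.JSONDecodeError and UnicodeDecodeError
        raise ValueError(f"{path.name}: {exc}") from exc
    if not isinstance(policy, dict) or not policy:
        raise ValueError(f"{path.name}: top level must be a non-empty JSON object")
    return policy

def check_policy_set(managed_paths, recommended_paths):
    """Validate every file; return {key: (recommended, managed)} for conflicts."""
    if max(len(managed_paths), len(recommended_paths)) > MAX_FILES:
        raise ValueError(f"more than {MAX_FILES} policy files in one list")
    managed, overridden = {}, {}
    for path in managed_paths:
        managed.update(load_policy_file(path))
    for path in recommended_paths:
        for key, value in load_policy_file(path).items():
            if key in managed and managed[key] != value:
                overridden[key] = (value, managed[key])
    return overridden

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample files
        m, r = Path(tmp, "managed-policies.json"), Path(tmp, "recommended-policies.json")
        m.write_text('{"PasswordManagerEnabled": false}')
        r.write_text('{"PasswordManagerEnabled": true, "BookmarkBarEnabled": true}')
        print(check_policy_set([m], [r]))
```

Because policy files are read only at the time of the API call, running a check like this before the upload catches a malformed or ineffective file before it is baked into a browser or session.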