For administrators who manage Chrome policies from the Google Admin console.
As a Chrome Enterprise admin, you can control web capabilities permissions that apply when people access websites or Isolated Web Apps (IWAs) on a managed ChromeOS device, such as a Chromebook.
IWAs are web applications that run in a secure, isolated environment, separate from the rest of the user's browsing context. This isolation enhances security by preventing IWAs from accessing or interacting with other tabs or the user's browsing data. Due to the highly secure nature of IWAs, these apps can get unrestricted access to more sensitive APIs like screen recording or restricted USB devices. Additional benefits of IWAs include:
- Increased Security—IWAs offer increased protection against cross-site scripting and server-side attacks that compromise server-side code and inject malicious content.
- Improved Privacy—User data remains isolated within the IWAs, preventing data leakage to other browsing contexts.
- Enhanced Capabilities—IWAs can access highly sensitive and powerful capabilities that regular web applications cannot because the isolated environment limits the potential impact of vulnerabilities or exploits.
Web capabilities give websites and IWAs additional access to hardware or OS-level functionality such as connecting to a device, accessing the file system, or creating windows.
By controlling web capabilities permissions in the Admin console, you can block access to apps that could be exploited and improve the managed user experience by removing the need to ask users for permissions.
There are two types of permissions you can control: default and per-origin.
- Default—Global default values for permissions that are applicable to all accessed origins (URLs or web apps).
- Per-origin—Permission values set for specific origins that you add. For details on valid origins, see Enterprise policy URL pattern format.
Note: The Web capabilities page in the Admin console is visible to all admins and includes both IWAs and regular web apps features. IWA-related features are only available to selected partners and customers participating in the IWA program. Currently, IWAs can be installed for managed users. Setting an IWA-exclusive permission does not impact regular web apps.
For more information, see FAQ for Isolated Web Apps.
Before you begin
To configure settings for a specific group of devices, put the devices in an organizational unit.
- Sign in with an administrator account to the Google Admin console.
  If you aren’t using an administrator account, you can’t access the Admin console.
- In the Admin console, go to Menu > Devices > Chrome > Web capabilities.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- To apply a setting for all sites, in the Default permissions for all origins section, click on and configure the settings you want.
- To apply a setting for a specific origin, in the Origin-specific permissions section, do one of the following:
- To add a new origin and configure settings, do the following:
- Click Add origin.
- In Origin/Site pattern, enter the website, progressive web app (PWA), or isolated web app (IWA) you want to set permissions for.
- Click on and configure the settings you want.
- Click Save.
- To configure settings for an existing origin, do the following:
- Click on the origin.
- Click on and configure the settings you want.
- Learn about each setting.
Tip: Quickly find a setting by entering text in the search box at the top.
You see Inherited if a setting is inherited from a parent. Or, you see Locally applied if the setting is overridden for the child.
- Click Save.
Settings typically take effect in minutes, but can take up to 24 hours to apply for everyone.
Learn about each setting
For managed ChromeOS devices.
If you see Device-specific setting, the setting is only available with specific device types. Some settings aren’t available with single-app kiosks.
Most policies apply to both affiliated and unaffiliated users on ChromeOS. A user is affiliated if they are managed by the same domain that manages the ChromeOS device they are signed into. A user is unaffiliated if they are signed into their device as a managed user from a different domain, for example if a user from domainA.com signs into a device managed by domainB.com or signs into an unmanaged device. The policies that apply only to either affiliated or unaffiliated users are clearly marked in the Admin console.
Content
Window management
You can set the default window management permission for users. Window management controls the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
Choose from one of the following options:
- Unset—The Ask users setting applies, but users can change this setting.
- Block—Blocks the window management permission on all sites by default.
- Ask users—Asks users every time a site wants to get the window management permission.
Sets the default local fonts management permission for users. Local fonts management controls the ability of sites to see information about local fonts.
Choose from one of the following options:
- Unset—The Ask users setting applies, but users can change this setting.
- Block—Blocks the local fonts permission on all sites by default.
- Ask users—Asks users every time a site wants to get the local fonts permission.
Allows the automatic screen capture of multiple screens for users. The API allows Isolated Web Apps (IWAs), identified by their origin, to capture multiple screens at once without additional user permission.
For more details on IWAs, see Getting started with Isolated Web Apps.
Due to the sensitivity of the permission, the following restrictions apply:
- Only applies to IWAs—It does not apply to other web applications.
- It is origin specific—A global default value can’t be defined; the permission must be set at origin level.
- It is blocked by default—You must allow screen recording at origin level for each app.
Choose from one of the following options:
- Unset—Screen recording is blocked for the origin.
- Allowed—Screen recording is allowed for the origin.
To improve privacy, if you change the setting during a user session, the change does not apply until the user has signed out and signed back in again.
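The following Python model is an added example, not Admin console code, that works through how the rules on this page combine: a default value for all origins, a per-origin override, inheritance from a parent organizational unit (Inherited vs. Locally applied), and the IWA-only screen recording permission that has no global default and is blocked unless allowed at origin level. Permission names, OU names and the origin strings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Option values as the page names them (constructed constants, not Admin console identifiers).
UNSET, BLOCK, ASK, ALLOW = "Unset", "Block", "Ask users", "Allowed"
# Permissions that apply only to IWAs, have no global default and are blocked by default.
IWA_ONLY = {"screen_recording"}

@dataclass
class OrgUnit:
    """One organizational unit; values not set here are inherited from the parent."""
    name: str
    parent: Optional["OrgUnit"] = None
    defaults: Dict[str, str] = field(default_factory=dict)           # Default permissions for all origins
    per_origin: Dict[str, Dict[str, str]] = field(default_factory=dict)  # Origin-specific permissions

    def default_for(self, perm: str) -> Tuple[str, Optional[str]]:
        ou = self
        while ou:                                   # walk up until a locally applied value is found
            if perm in ou.defaults:
                return ou.defaults[perm], ou.name
            ou = ou.parent
        return UNSET, None

    def origin_value(self, origin: str, perm: str) -> Tuple[Optional[str], Optional[str]]:
        ou = self
        while ou:
            value = ou.per_origin.get(origin, {}).get(perm)
            if value is not None:
                return value, ou.name
            ou = ou.parent
        return None, None

def effective(ou: OrgUnit, origin: str, perm: str, is_iwa: bool) -> Tuple[str, str]:
    """Return (effective value, where it came from) for one permission on one origin."""
    if perm in IWA_ONLY:
        if not is_iwa:
            return BLOCK, "not an IWA"              # IWA-exclusive settings never affect regular web apps
        value, src = ou.origin_value(origin, perm)
        return (ALLOW if value == ALLOW else BLOCK), (src or "blocked by default")
    value, src = ou.origin_value(origin, perm)
    if value is not None:
        return value, f"per-origin ({src})"
    value, src = ou.default_for(perm)
    if value == UNSET:
        return ASK, "Unset (user may change)"       # Unset means Ask users, but the user can change it
    return value, f"default ({src})"

# Constructed sample hierarchy: root blocks window management; a child OU overrides one origin
# and allows screen recording for one IWA (placeholder bundle id, not a real app).
ROOT = OrgUnit("root", defaults={"window_management": BLOCK})
LAB = OrgUnit("lab", parent=ROOT, per_origin={
    "https://kiosk.example.com": {"window_management": ASK},
    "isolated-app://placeholder-bundle-id": {"screen_recording": ALLOW}})
```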