A perpetual license is tied to a particular Chrome OS device.

If a Chrome OS device fails, you can transfer its license to another Chrome OS device from the same manufacturer. Normally, the device needs to be the same model, but you can get a dispensation to transfer the license to a different model from that manufacturer.

Apart from in the case of the Chrome OS device failing (as explained in the previous bulleted paragraph), you cannot transfer a perpetual license to another device in the same domain. You also cannot transfer a perpetual license to a device in another domain.

Main menu: Click this button to display the Main menu on the left side of the screen (see Figure 5-4).

Location: This bar shows the location of the current page—in this case, Admin console. As you move from one page to another, the Location bar will change to show your current location, including a “breadcrumb bar” that enables you to navigate back. For example, when you click the Device management icon on the Home page, the Location bar will show Device management to indicate you are viewing the Device management page. If you then click the Chrome devices button on the Device management page, and then click the User Settings icon, the Location bar will show Device management ➤ Chrome ➤ User Settings. You can click the Chrome item to return to the Chrome page or click the Device management item to return to the Device management page.

Search: Click this box to search for users, groups, or settings by using keywords.

Tasks: Click this button to display a pop-up pane showing your ongoing tasks—or none, if you are lucky.

Help: Click this button to display a Help pane, in which you can browse help topics or search using keywords.

Google apps: Click this button to display a pop-up pane showing the leading Google apps, such as Mail, Drive, and Docs . Click the button for the app you want to launch. If the app you want does not appear at first, click the More button at the bottom of the pop-up pane to extend the pane, revealing other apps.

Google Account: Click this button to display the Account pop-up pane. Here, you can click the My Account button to manage your account, click another account to switch to it, click the Add account button to add another Google account, or click the Sign out button to sign out of your Google Admin console.

Admin notifications: Click this button to display a pop-up pane showing administrative notifications.

Activities: Click this button to display the Activities pane (see Figure 5-5), which shows your recent activities, gives you access to reports, and provides a Tools list of links and a Common tasks list of links.

Controls pane: This pane shows icons for the main controls in Google Admin, such as the Dashboard icon, the Users icon , the Groups icon, and the Device management icon.

More Controls: Click this bar to display any controls that are not currently displayed in the main pane.

Avatar: Click the Upload Avatar File to start uploading a JPEG image file to replace the default avatar. This file has a maximum size of 512 KB.

Wallpaper: Click the Upload Wallpaper File button to start uploading a JPEG file to use as wallpaper. For example, you might upload your school’s preferred wallpaper file. This file has a maximum size of 16 MB, but it is usually better to keep wallpaper files considerably smaller than this.

Smart Lock for Chrome: If you want to allow users to use their Android phones to unlock their Chromebooks, open the Allow Smart Lock on Chrome device pop-up menu and select the Allow Smart Lock for Chrome item. If you prefer to prevent the use of this feature, select the Do not allow Smart Lock for Chrome item. If you do not want to control this setting via policy, select the “No policy set (default = Do not allow Smart Lock for Chrome)” item.

Apply all user policies when users sign in to Chrome, and provide a managed Chrome experience

Do not apply any policies when users sign in to Chrome. Allow users access to use Chrome as an unmanaged user.

Device Enrollment: Open the Place Chrome device in user organization during manual enrollment pop-up menu and select the Place Chrome device in user organization item if you want to move the Chrome device to a user organization. If you want to leave the Chrome device where it is, select the Keep Chrome device in current location item.

Asset Identifier During Enrollment: Open the Populate Asset ID and Location fields during enrollment pop-up menu and select the Users in this organization can provide asset ID and location during enrollment item if you want each user to be able to enter an asset ID and a location when enrolling a Chromebook. When you do this, Chrome will display the Device Information screen with suggested data in the fields; the user can accept the suggestions or change them. To prevent users from adding this information, select the Do not allow for users in this organization item. If you do not want to control this setting via policy, select the “No policy set (default = Do not allow for users in this organization)” item.

App and Extension Install Sources: In this box, you can enter one or more URLs that are permitted to install apps, extensions, and themes on your school’s Chromebooks . When a Chromebook navigates to one of these URLs, Chrome OS will prompt the user to install the app, extension, or theme.

Force-installed Apps and Extensions: In this area, click the Manage force-installed apps link to display the Force-installed Apps and Extensions dialog box (see Figure 5-10). Select the apps and extensions you want to force-install, and then click the Save button.

Allow or Block All Apps and Extensions: Open the Choose which Chrome apps and extensions to allow pop-up menu and select the Allow all apps and extensions except the ones I block item or the Block all apps and extensions except the ones I allow item.

Allowed Apps and Extensions: In this area, click the Manage link to display the Allowed apps and extensions dialog box or the Blocked apps and extensions dialog box, depending on which Allow or Block All Apps and Extensions setting you chose. Both these dialog boxes look and work like the Force-installed Apps and Extensions dialog box shown in Figure 5-10. Select the apps and extensions you want to allow or block and then click the Save button .

Block Extensions by Permission: In this area, specify which extensions to block by the types of permissions they need. First, choose whether you will specify blocked permissions or allowed permissions; to do so, open the Block extensions by permissions and URLs pop-up menu and select the “If the extension uses one of the selected permissions, block users from installing or using it” item if you want to specify blocked permissions; select the “If the extension uses a permission that is not selected, block users from installing or using it” item if you want to specify allowed permissions. Then, go to the list of permissions and check the appropriate check boxes to specify which permissions to block or allow. In the Blocked URLs box, enter any URLs you want to block. Then, in the Allowed URLs box, enter any URLs you want to allow.

Task Manager: Open the Task Manager pop-up menu and select the “Allow users to end processes with the Chrome task manager” item if you want users to be able to use Task Manager. Select the “Block users from ending processes with the Chrome task manager” if you want to prevent users from using Task Manager. If you do not want to apply policy to Task Manager, select the “No policy set (default = Allow users to end processes with the Chrome task manager)” item.

Site isolation not enabled: Select this item to allow users to turn site isolation on or off.

Turn on site isolation for all websites (SitePerProcess): Select this item to enable site isolation for all websites. This is the most secure setting. In the text box below the Site Isolation Policy pop-up menu, you can also enter specific web pages you want to isolate from their own sites .

Turn on site isolation for specific websites, set below (IsolateOrigins): Select this item to turn on site isolation only for the websites you enter in the text box below the Site Isolation Policy pop-up menu.

Which private apps should be included in the collection?: In this pop-up menu, choose the I will choose which private apps and extensions to include item or the Include all private apps and extensions from my domain item, as needed.

What should the collection name be?: In this text field, type the description you want the Chrome Web Store to show for your school’s collection.

Recommended Apps and Extensions: In this area, click the Manage button. The Recommended apps and extensions dialog box will open. This dialog box is similar to the Force-installed Apps and Extensions dialog box (see Figure 5-10, earlier in this chapter) and works in a similar way. Select the apps you want to include and then click the Save button.

Chrome Web Store Permissions: In this area, check the “Allow users to publish private apps that are restricted to your domain on Chrome Web Store” check box if you want users to be able to publish apps. Normally, you would allow only your school’s developers to publish apps. If you check this check box, the “Allow users to skip verification for websites not owned” check box appears. You can check this check box to enable users to publish apps without having to prove that they own your school’s domain.

Password Manager: In this pop-up menu, select the Allow user to configure item, the Always allow use of password manager item, or the Never allow use of password manager item, as needed.

Lock Screen: In this pop-up menu, select the Allow locking screen item if you want the Chromebooks to display the locking screen; if not, select the Do not allow locking screen item. If you do not want to configure this setting via policy, select the “No policy set (default = Allow locking screen)” item.

Incognito Mode: In this pop-up menu, select the Allow incognito mode item if you want to allow users to use Incognito mode in the Chrome browser. Otherwise, select the Disallow incognito mode item.

Browser History: In this pop-up menu, select the Always save browser history item or the Never save browser history item, as needed.

Clear Browser History: In this pop-up menu, select the Allow clearing history in settings menu item if you want to allow the user to clear the browsing history, or the Do not allow clearing history in settings menu item if you do not. If you do not want to configure this setting via policy, select the “No policy set (default = Allow clearing history in settings menu)” item.

Force Ephemeral Mode: In the Erase local data when the browser is closed pop-up menu, select the Do not erase local user data item or the Erase all local user data item, as needed.

Online Revocation Checks: In the Online OCSP/CRL Checks pop-up menu, select the Perform online OCSP/CRL checks item if you want Chrome OS to check that websites’ digital certificates are valid. If not, select the Do not perform online OCSP/CRL checks item.

Safe Browsing: In this pop-up menu, select the Always use Safe Browsing item if you want to enforce the use of Safe Browsing, a Chrome feature that provides some protection from websites that contain malware. Select the Always disable Safe Browsing item if you want to turn off Safe Browsing. Select the Allow user to decide whether to use Safe Browsing item if you want to let the user make the choice.

Malicious Sites: In this pop-up menu, choose the Allow user to proceed anyway to malicious sites item if you want to allow users to disregard warnings about potentially dangerous sites and go to them anyway. Select the Prevent user from proceeding anyway to malicious sites item if you want to prevent the user from going to such sites.

Single Sign-On Online Login Frequency: In the Force online login flow for SAML-based Single Sign-On accounts pop-up menu , select the frequency with which to force login. For example, you might select the Every two weeks item.

Single Sign-On: In the SAML-based Single Sign-On for Chrome Devices pop-up menu, select the Enable SAML-based Single Sign-On for Chrome item or the Disable SAML-based Single Sign-On for Chrome item, as needed.

Remote access clients: In the “Remote Access Host Client Domain” field, enter the domain name that remote access clients should enter.

Local Anchors Common Name Fallback: In this pop-up menu, select the Allow item to allow certificates issued by local trust anchors that are missing the subjectAlternativeName extension; select the Block item to block such certificates; or select the “No policy set (default = Block)” item to avoid configuring this feature via policy.

Symantec Corporation’s Legacy PKI Infrastructure: In this pop-up menu , select the Allow item if you want to trust certificates issued by Symantec Corporation’s Legacy PKI operations; select the Block item if you want to block such certificates: or select the “No policy set (default = Block)” item to avoid configuring this feature via policy.

SSL Record Splitting: Open this pop-up menu and select the Enable SSL record splitting item if you want to permit SSL record splitting (a workaround for a security issue in SSL 3.0 and TLS 1.0). Otherwise, select the Disable SSL record splitting item.

Data Compression Proxy: Open this pop-up menu and select the Always enable data compression proxy item if you want your school’s Chromebooks to use Google’s data compression proxy service, which is intended to reduce cellular data usage and speed up mobile browsing. Select the Always disable data compression proxy item if you want to turn off the use of the data compression proxy service . To leave the choice up to the user, select the Allow user to decide whether to use data compression proxy.

WebRTC UDP Ports: In the Specify the ports used by Chrome when creating WebRTC connections area, specify the port range that Chrome OS should use for real-time connections over the Web. Enter the minimum port in the Minimum port (1024–65535) box and the maximum port in the Maximum port (1024–65535) box.

QUIC Protocol: Open this pop-up menu and select the Enabled item if you want to allow Chrome OS to use the Quick UDP Internet Connections (QUIC) protocol. Select the Disabled item if you do not want Chrome OS to use QUIC. If you do not want to configure this feature via policy, select the “No policy set (default = Enabled)” item.

Home Button: Open this pop-up menu and select the Always show “Home” button item if you want the Chrome browser to display the Home button. If you prefer to suppress the Home button, select the Never show “Home” button item. To let the user decide, select the Allow user to configure item.

Pages to Load on Startup: In this box, enter a list of the web pages you want the Chrome browser to load on startup. Place each URL on a separate line.

Screenshot: In this pop-up menu, select the Enable screenshot item if you want to let users take screenshots, or select the Disable screenshot item if you do not.

Client certificates: In the Automatically Select Client Certificate for These Sites box, enter a JSON string containing a list of patterns specifying the websites for which Chrome OS should automatically select client certificates.

Security Key Attestation: In this box, you can enter a JSON string containing a list of URLs and domains for which you want to suppress prompts when attestation certificates from security keys are requested.

3D Content: Open the 3D Content pop-up menu and select the Always allow display of 3D content item or the Never allow display of 3D content item, as needed.

Third-Party Cookie Blocking: Open this pop-up menu and select the Allow third-party cookies item, the Disallow third-party cookies item, or the Allow user to decide whether to allow third-party cookies item, as needed.

Images: Open this pop-up menu and select the Show images item, the Do not show images item, or the Allow user to configure item, as needed. In the Show Images on These Sites box, enter a list of URL patterns specifying sites that are allowed to show images. In the Block Images on These Sites box, enter a list of URL patterns specifying sites to block from showing images.

JavaScript: Open this pop-up menu and select the Allow sites to run JavaScript item, the Do not allow sites to run JavaScript item, or the Allow user to configure item, as needed. In the Allow These Sites to Run JavaScript box, enter a list of URL patterns specifying sites allowed to run JavaScript. In the Block JavaScript on These Sites box, enter a list of URL patterns specifying sites to block from running JavaScript.

Notifications: Open this pop-up menu and select the Allow sites to show desktop notifications item, the Do not allow sites to show desktop notifications item, the Always ask the user if a site can show desktop notifications item, or the Allow user to configure item, as needed. In the Allow These Sites to Show Desktop Notifications box, enter a list of URL patterns specifying sites allowed to show desktop notifications. In the Block Desktop Notifications on These Sites box, enter a list of URL patterns specifying sites to block from displaying desktop notifications.

Plug-ins: Open this pop-up menu and select the Run plug-ins automatically item, the Block all plug-ins item, or the Allow user to configure item, as needed. In the Allow Plug-ins on These Sites box, enter a list of URL patterns specifying sites allowed to run plugins. In the Block Plug-ins on These Sites box, enter a list of URL patterns specifying sites to block from running plugins.

Enabled and Disabled Plug-ins: In the Enabled Plug-ins box, enter a list containing the names of plugins to always enable. These names are case sensitive. You can use wildcards (such as *). In the Disabled Plug-ins box, enter a list containing the names of plugins to always disable. In the Exceptions to Disabled Plug-ins box, enter a list of plugins that users can enable or disable even if those plugins appear in the Disabled Plug-ins box.

Plug-in Finder: Open this pop-up menu and select the Enable automatic search and installation of missing plug-ins item or the Disable automatic search and installation of missing plug-ins item, as needed.

Plug-in Authorization: Open this pop-up menu and select the Ask for user permission before running plug-ins that require authorization item or the Always run plug-ins that require authorization item, as needed.

Outdated plug-ins: Open this pop-up menu and select the Allow outdated plug-ins to be used as normal plug-ins item, the Ask user for permission to run outdated plug-ins item, or the Disallow outdated plug-ins item, as needed.

Pop-ups: Open this pop-up menu and select the Allow all pop-ups item, the Block all pop-ups item, or the Allow user to configure item, as needed. In the Allow Pop-ups on These Sites box, enter a list of URL patterns specifying sites allowed to display pop-ups. In the Block Pop-ups on These Sites box, enter a list of URL patterns specifying sites to block from displaying pop-ups.

URL Blocking: In the URL Blacklist box, enter a list of URLs to block. In the URL Blacklist Exception list, enter a list of URLs to allow even if they appear in the URL blacklist.

Google Drive Syncing: Open the Syncing Data with Google Drive pop-up menu and select the Enable Google Drive syncing item, the Disable Google Drive syncing item, or the Allow user to decide whether to use Google Drive syncing item, as needed.

Google Drive Syncing over Cellular: Open the Syncing Data with Google Drive over Cellular Connections pop-up menu and select the Enable Google Drive syncing over cellular connections item or the Disable Google Drive syncing over cellular connections item, as appropriate.

Cast: Open the Allow users to Cast from Chrome pop-up menu and select the Allow users to Cast item, the Do not allow users to Cast item, or the “No policy set (default = Allow users to Cast)” item, as needed. Open the Show Cast Icon in the toolbar pop-up menu and select the Always show the Cast icon in the toolbar item, the Do not show the Cast icon in the toolbar item, or the “No policy set (default = Do not show the Cast icon in the toolbar)” item, as required.

Printing: Open this pop-up menu and select the Enable printing item or the Disable printing item, as appropriate.

Print Preview: Open the Allow Print Preview pop-up menu and select the Allow using print preview item or the Always use the system print dialog instead of print preview item, as needed.

Google Cloud Print Submission: Open the Allow Submission to Google Cloud Print pop-up menu and select the Allow submission of documents to Google Cloud Print item or the Disallow submission of documents to Google Cloud Print item, as needed.

Google Cloud Print Proxy: Open the Using Chrome as a Proxy for Google Cloud Print pop-up menu and select the Allow using Chrome as a proxy for Google Cloud Print item or the Disallow using Chrome as a proxy for Google Cloud Print item, as appropriate.

Print Preview Default: Open the Default printer selection pop-up menu and select the Use default print behavior item or the Define the default printer item. If you select the Define the default printer item, open the Printer Types pop-up menu and select the appropriate printer type: Cloud & Local printers, Cloud only, or Local only. Open the Printer Matching pop-up menu and select the Match by Name item or the Match by ID item, as needed. Then, click in the Default Printer box and type a regular expression that identifies the printer you want to use as the default.

Native Chrome OS Printing: In this area, click the Manage link to display the Native Chrome OS Printers dialog box (shown on the left in Figure 5-16). Click the Add a Printer button to display the Add a native printer dialog box (shown on the right in Figure 5-16), enter the printer’s details, and then click the Save button. The printer will then appear in the Native Chrome OS Printers dialog box. When you have added all the printers, click the Save button to close the dialog box.

Managed Bookmarks: In the “Managed Bookmarks Folder Name” field, type the name that the Chromebooks should display for the managed bookmarks you provide. For example, you might call the folder School Links. Add each managed bookmark by typing its name in the URL column, typing a descriptive name in the Name column, and then clicking the Add (+) button.

Bookmark Bar: Open this pop-up menu and select the Enable bookmark bar item, the Disable bookmark bar item, or the Allow user to decide whether to enable bookmark bar item, as needed.

Bookmark Editing: Open this pop-up menu and select the Enable bookmark editing item or the Disable bookmark editing item, as needed.

Spell Check Service: Open this pop-up menu and select the Enable the spell checking web service item, the Disable the spell checking web service item, or the Allow user to decide whether to use the spell checking web service item, as needed.

Google Translate: Open this pop-up menu and select the Always offer translation item, the Never offer translation item, or the Allow user to configure item, as needed.

Alternate Error Pages: Open this pop-up menu and select the Always use alternate error pages item, the Never use alternate error pages item, or the Allow user to configure item, as needed. Alternate error pages contain the suggestions that the Chrome browser shows when it is unable to connect to a particular web address.

Developer Tools: Open this pop-up menu and select the Always allow use of built-in developer tools item, the Never allow use of built-in developer tools item, or the “No policy set (default = Always allow use of built-in developer tools)” item. Normally, you would restrict developer tools to developers and those learning programming.

Form Auto-fill: Open this pop-up menu and select the Never auto-fill forms item or the Allow user to configure item, as appropriate.

DNS Pre-fetching: Open this pop-up menu and select the Always pre-fetch DNS item, the Never pre-fetch DNS item, or the Allow user to configure item, as needed.

Network Prediction: Open this pop-up menu and select the Predict network actions item, the Do not predict network actions item, or the Allow user to configure item, as needed. See the nearby sidebar “Understanding DNS Pre-Fetching and Network Prediction.”

Unified Desktop: To use the Unified Desktop feature, which enables an app to span multiple displays and is in beta as of this writing, open the Unified Desktop pop-up menu and select the Make Unified Desktop mode available to user item. To prevent the use of Unified Desktop, select the Do not make Unified Desktop mode available to user item. If you do not want to manage this feature via policy, select the “No policy set (default = Do not make Unified Desktop mode available to user)” item.

Search Suggest: To control whether the Chrome browser uses a prediction service to suggest completions for web addresses or search terms, open the Search Suggest pop-up menu and select the Always allow users to use Search Suggest item, the Never allow users to use Search Suggest item, or the Allow user to configure item.

Omnibox Search Provider: Open the Omnibox Search Provider pop-up menu and choose the Allow user to select the Omnibox Search Provider item if you want to allow the user to choose the search provider. The alternative is to select the Lock the Omnibox Search Provider settings to the values below item and then enter the details in the boxes that appear.

External Storage Devices: Open the Secure Digital (SD) Cards, USB Flash Drive Devices, and MTP devices pop-up menu and select the Allow external storage devices item, the Allow external storage devices (read only) item, or the Disallow external storage devices item.

Audio Input: Open the Microphone and Audio Input pop-up menu and select the Disable audio input item or the Prompt user to allow each time item, as needed.

Audio Output: Open the Speakers and Audio Output pop-up menu and select the Enable audio output item or the Disable audio output item, as needed.

Video Input: Open the Video Input pop-up menu and select the Enable video input item or the Disable video input item, as needed.

Service accounts which are allowed to receive device ID: In this box, you can list the email addresses of service accounts that you want to give full access to the Google Verified Access application programming interface (API).

Service accounts which can verify devices but do not receive device ID: In this box, you can list the email addresses of service accounts that you want to give limited access to the Google Verified Access API.

Forced Re-enrollment: In this pop-up menu, choose the Force device to re-enroll in this domain after wiping item if you want the device to re-enroll itself automatically. Select the Device is not forced to re-enroll after wiping item if you want to free the device from Forced Re-enrollment.

Verified Access: In the upper pop-up menu, select the Enable for Enterprise Extensions item if you want to enable the Verified Access feature, which allows Chrome extensions to interact with the Trusted Platform Module (TPM) on the Chromebook; if not, select the Disable for Enterprise Extensions item. In the lower pop-up menu, select the Enable for Content Protection item if you want to have the Chromebooks verify their identity to content providers using the TPM; if not, select the Disable for Content Protection item instead.

Verified Mode: In this pop-up menu, select the Require verified boot mode for Verified Access if you want the Chromebooks to boot with verified boot mode in order to use the Verified Access feature. This is normally a good idea. If you need to allow some Chromebooks to boot into Developer mode (which is not verified) but still use Verified Access, select the Skip boot mode check for Verified Access item instead.

Service accounts which are allowed to receive device ID: In this box, you can list the email addresses of service accounts that you want to give full access to the Google Verified Access application programming interface (API).

Service accounts which can verify devices but do not receive device ID: In this box, you can list the email addresses of service accounts that you want to give limited access to the Google Verified Access API.

Disabled device return instructions: In this box, you can type the information you want to display on disabled Chromebooks to encourage whoever has them to return them to the school. The screen receives the automatic heading “This device was locked by the [your school’s domain name] administrator.” Normally, you would include contact information, such as the school’s email address, phone number, and address.

Guest Mode: In the Allow Guest Mode pop-up menu, select the Allow guest mode item if you want to allow guest usage. If not, select the Do not allow guest mode item.

Sign-in Screen: In the Show user names and photos on the sign-in screen pop-up menu, select the Always show user names and photos item or the Never show user names and photos item, as needed.

Off Hours: If you need to apply sign-in restrictions only during some hours, use the five pop-up menus to specify the time zone, the starting day, the starting time, the ending day, and the ending time. After specifying the first set of hours in the first row, you can click the Copy icon at the end of that row to copy the settings to a second row of controls; you can then make minor adjustments to that row as needed. You can also click the Add another set of hours link to add another row of boxes without copying existing data into them.

Wallpaper: To upload a JPEG graphic for use as wallpaper, click the Upload Wallpaper File button, select the file in the unnamed dialog box that opens, and then click the Open button. For example, you might upload a wallpaper graphic that identifies your school, provides inspiring quotes, or both.

User Data: In the Erase all local user info, settings, and state after each sign-out pop-up menu, choose the Do not erase all local user data item or the Erase all local user data item, as needed. On a shared Chromebook, erasing local user data can help avoid the storage getting filled with user files, but it means that when a user signs in again on a Chromebook she has used before, the Chromebook will need to sync all her user data from the cloud instead of only those parts that have changed since her last use.

Single Sign-On IdP Redirection: In this pop-up menu, choose the “Default. Take users to the default Google login page” item if you want users to log in at the regular Google login page. Choose the Allow users to go directly to SAML SSO IdP page item if you have configured Security Assertion Markup Language (SAML) Single Sign-On (SSO) for your school’s domain and want users to go straight to your SAML Identity Provider (IdP) page instead.

Single Sign-On Cookie Behavior: If you have configured SAML SSO, you can open the Transfer of SAML SSO Cookies into user session during login pop-up menu and choose the Enable transfer of SAML SSO Cookies into user session during login item to enable Single Sign-On users to log in to your school’s internal websites by using the SAML SSO cookies. If you have configured SAML SSO but do not want to use this feature, choose the Disable transfer of SAML SSO Cookies into user session during login item instead. If you have not configured SAML SSO, make sure the “No policy set (default = Disable transfer of SAML SSO Cookies into user session during login)” item is selected in this pop-up menu.

Single Sign-On Camera Permissions: If you have configured SAML SSO , you can click in the Whitelist of single sign-on camera permissions box (see Figure 5-20) and enter a whitelist of third-party apps or services that can directly access the camera on the user’s Chromebook. Enter the URL for each app or service on a separate line in the box.

Single Sign-On Client Certificates: If you have configured SAML SSO , you can go to the Automatically Select Client Certificate for these Single Sign-On Sites box and enter a JSON string that contains a list of URL patterns identifying those certificates to use automatically when accessing particular sites that require credentials.

Accessibility Control: Check the “Turn off accessibility settings on sign-in screen upon logout” check box if you want to disable the accessibility settings on the sign-in screen when a user logs out of the Chromebook. You might use this setting on shared Chromebooks if your school prefers to have teachers manually enable accessibility options only for those students who actually need them. For Chromebooks issued to individual students, make sure this check box is unchecked so that the Chromebooks will automatically use the accessibility settings from one session to the next.

Sign-in Language: In this pop-up menu, either choose the specific language—such as English (United States)—you want the Sign-in screen to use or select the Allow user to configure item if you want the Chromebook’s user to be able to select the language.

Sign-in Keyboard: In the Create an ordered list of keyboards to use on the sign-in screen box, go to the left box and check the check box for each keyboard needed on the Sign-in screen. You can filter the keyboards shown by clicking in the Filter keyboard layouts box and starting to type a keyword (for example, French). Those keyboards you check will appear in the right box, the Selected layouts box, where you can drag them into the order you need.

App-controlled updates: This setting applies only to kiosk apps.

Release channel: This pop-up menu enables you to choose which Chrome OS release channel to use. Your school’s top-level organization must use the Move to Stable Channel item, but for organizational units, you can choose the Move to Beta Channel item, the Move to Development Channel item, or the Allow user to configure item.

Anonymous Metric Reporting: Open this pop-up menu and select the Always send metrics to Google item or the Never send metrics to Google item, as needed.

Power Management: Open the Power management on sign-in screen pop-up menu and select the Allow device to sleep/shut down when idle on the sign-in screen item or the Do not allow device to sleep/shut down when idle on the sign-in screen item, as needed. Normally, you would want to allow Chromebooks to go to sleep on the sign-in screen; keeping a Chrome device awake is more useful in a kiosk setting.

Scheduled reboot: In the “Number of days before reboot; leave empty for unset” box, you can in theory type the number of days to wait before automatically rebooting a Chrome OS device. As of this writing, this setting works only for devices configured as Public Session kiosks.

Shut down: Open the Allow shut down pop-up menu and select the “Allow users to turn off the device via the Shut down icon on the screen, or the physical power button” item if you want to allow users to shut down the Chromebooks via the keyboard, trackpad, screen, or power button. If you prefer to let users shut down Chromebooks only using the power button, select the “Only allow users to turn off the device using the physical power button” item instead. If you do not want to control shutdown via policy, select the “No policy set (default = Allow users to turn off the device via the Shut down icon on the screen, or the physical power button)” item.

Cloud Print: In this area, click the Manage link to start the process of enabling Cloud printers.

Mobile Data Roaming: In this pop-up menu, select the Allow mobile data roaming item if you want to allow cellular Chromebooks to use mobile data roaming. Otherwise, select the Do not allow mobile data roaming item. If your school’s Chromebooks are Wi-Fi–only, this setting does not apply.

USB Detachable Whitelist: In this box, you can enter a list of USB devices that are directly accessible to apps. You enter each USB device on a separate line, putting the USB vector identifier (VID) first, a colon next, and then the product identifier (PID)—for example, if a device’s VID is 541E and the PID is 8114, you would enter 541E:8114 to add the device to the whitelist. Both the VID and PID are hexadecimal values.

Throttle Device Bandwidth: Open the Throttle network bandwidth consumption at the device level pop-up menu and then select the Enable network throttling item or the Disable network throttling item, as needed. If you select the Enable network throttling item, enter the maximum download speed in the Download speed in Kbps box and the maximum upload speed in the Upload speed in Kbps box.