Debugging user and device policies for Chrome OS

If you have used Chrome OS in a school or an enterprise network, you would have noticed how helpful the management piece can be. Using this tool you can quickly setup and deploy policies to make things easier for your users.

This is the authoritative source of all policies available on Chrome today. Pay special attention to the “Supported on” section. If it mentions “Google Chrome OS”, then the policy is supported on devices and most of them can be set using Admin console UI.

There are essentially two different types of policies one can set on Chrome OS.

User policies

The “user policies” are those policies which can be set for an individual, regardless of which machine they are using Chrome from. A good example of a user policy is the “Screen Lock”. An enterprise admin could enforce users to have an idle screen lock enabled automatically to protect internal company data. Similarly, there may be organizations which may want to disable “Browser History” across all users.

These “User policies”  will follow the user on all platforms, which means that in addition to working on Chrome OS these policies will also take effect on Chrome for Windows and Linux if the user signs into them with the organization’s credentials.

Device policies

The “device policies” are policies applied to the machine irrespective of the user on it. For Chrome OS the policies which can be applied on the device are clearly defined in the policy list.

Examples of these policies are shown on the right. If a device is used in a lab environment which doesn’t need data persistence, its simple to set “User Data” policy to “Erase all local user info, setting… after each sign-out”. Note that these policies take effect only on devices which are enrolled into the domain.

Debugging

One of the first things an admin should learn is how to debug if the policies are setup correctly. The quickest way to do this is by going to the “chrome://policy” page. If there are any policies on your device, it will show up there.

There are two boxes on the top. The first one is labeled as  “Device policies” and the second one is labeled as “User policies”. There are few different things you can quickly find out by looking at it:

  • The device is enrolled to “trialdevices.com”
    • If the “Device policies” box is missing, it probably means that the device is not enrolled.
  • The signed in user is rkt@blogofy.com
    • If the “User policies” box is missing, it probably means that the user is not part of a domain pushing policies.
  • Both policies were fetched in last 6 seconds (if this is too old, try to “Reload policies” to see if it can get a fresher version)
  • Status for both is “Policy cache OK”

If you notice stale policies, you should start investigating using a tool like this to see if there are firewalls in the way which could be impacting it. If that doesn’t help, ask help from local networking admins who may know more.