Restrict primary accounts in Google Chrome for Mac
This document helps IT administrators restrict primary accounts on Google Chrome for Mac by specifying which Google Accounts can be set as the browser’s primary accounts.
Primary accounts in Chrome are the Google Accounts chosen during the Sync opt-in flow. The primary account syncs browsing data, such as bookmarks, browsing history, settings, open tabs, passwords, payment information, saved addresses, phone numbers, and more. When a user logs into their Google Account in Chrome, their browser data is synced with any device where they are logged in with the same Google Account, providing a unified user experience. To protect browsing data on organizational devices, Chrome browsers on macOS devices can limit data synchronization to specific domains using a configuration profile. This means only Google Accounts associated with the specified domain can sync their browsing data, ensuring a controlled synchronization experience within the browser ecosystem.
With the help of Hexnode UEM, you can remotely restrict primary accounts on Chrome browsers to the specified domains for multiple macOS devices by deploying a configuration profile.
Restrict primary accounts to allowed domains
The configuration profile below restricts primary accounts in Google’s Chrome browser to a set of specified domains. For it to take effect, the Chrome browser on the user’s devices must be managed by the organization. Refer to Enroll cloud-managed Chrome browsers for more information.
Sample configuration profile
The following sample configuration profile restricts synchronization of browsing data on managed Chrome browsers to accounts whose usernames match the pattern for the “maxiclouddb.com” domain.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>com.google.Chrome</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>RestrictSigninToPattern</key>
                                <string>*@maxiclouddb.com</string>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
            <key>PayloadDisplayName</key>
            <string>Restrict Sign-in patterns</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.Chrome.75AD74EC-C4A4-428D-893E-E4877F0D8804</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>75AD74EC-C4A4-428D-893E-E4877F0D8804</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Setting up Google Chrome's primary account to sync</string>
    <key>PayloadDisplayName</key>
    <string>Google Chrome primary account setup</string>
    <key>PayloadIdentifier</key>
    <string>macOS.A837FD2C-9088-4957-B6E9-9C5575007337</string>
    <key>PayloadOrganization</key>
    <string>CompanyName Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5D542BFF-21AC-4E7F-A05C-AAED3B4E9E19</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
The above configuration profile uses the RestrictSigninToPattern key to set “maxiclouddb.com” as an authorized domain for the primary accounts in the managed Chrome browser.
The input format for the RestrictSigninToPattern key follows a specific structure. For instance, if the domain name is itletters24.com, the input for the key should be provided as *@itletters24.com. This configuration ensures that only Google Accounts associated with the specified domain can sync data to the browser on the device.
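A pre-deployment check for a profile like the sample above, added here as an example (it is not part of the original article or of Hexnode's tooling): it parses the profile with Python's plistlib, extracts RestrictSigninToPattern, and confirms the value follows the *@domain format. The function names are hypothetical, and is_allowed rests on the assumption that Chrome reads a leading * as .* and matches the whole account name case-insensitively.

```python
import plistlib
import re

# Constructed sample: the Chrome payload from the profile above, trimmed to the
# keys this check reads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadContent</key><dict><key>com.google.Chrome</key><dict>
    <key>Forced</key><array><dict><key>mcx_preference_settings</key><dict>
      <key>RestrictSigninToPattern</key><string>*@maxiclouddb.com</string>
    </dict></dict></array></dict></dict>
  <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
</dict></array>
<key>PayloadType</key><string>Configuration</string>
</dict></plist>"""

def signin_patterns(profile_bytes):
    """Return every RestrictSigninToPattern value forced for com.google.Chrome."""
    profile = plistlib.loads(profile_bytes)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        chrome = payload.get("PayloadContent", {}).get("com.google.Chrome", {})
        for forced in chrome.get("Forced", []):
            settings = forced.get("mcx_preference_settings", {})
            if "RestrictSigninToPattern" in settings:
                found.append(settings["RestrictSigninToPattern"])
    return found

def lint_pattern(pattern):
    """List problems with a value that is not in the *@domain form shown above."""
    if not pattern.strip():
        return ["empty value"]
    if not re.fullmatch(r"\*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", pattern):
        return ["not in the *@domain form"]
    return []

def is_allowed(account, pattern):
    # Assumption: a leading "*" is treated as ".*" and the whole account name
    # must match, ignoring case.
    regex = "." + pattern if pattern.startswith("*") else pattern
    return re.fullmatch(regex, account, re.IGNORECASE) is not None

if __name__ == "__main__":
    for pattern in signin_patterns(SAMPLE_PROFILE):
        print(pattern, lint_pattern(pattern) or "ok")
        for account in ("alice@maxiclouddb.com", "alice@gmail.com"):  # constructed
            print(" ", account, "allowed" if is_allowed(account, pattern) else "blocked")
```

An empty list from signin_patterns means the profile carries no restriction for Chrome at all, which is worth catching before the profile is pushed to devices.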
What happens at the device end?
Once the custom configuration profile is installed on the macOS device, the option to sync data will be turned off for all currently signed-in accounts in the managed Chrome browser. The option to turn on sync data will only be available for accounts associated with the specified domain. If an unauthorized account attempts to sync data, an error message stating that the organization does not allow that account to synchronize data on the device will be displayed, as shown in the image below.