Browser Customization allows administrators to tailor the browser environment to their specific needs. This includes settings for the home page and startup behavior, default browser configuration, content blocking, security maintenance, proxy settings, bookmark management, default browser selection, and legacy settings. This document will explain how to create the policy and about each configuration provided by Endpoint Central for each browsers.
Kindly follow the steps given below to successfully create and deploy Browser Customization policy:
The below are the configurations offered for Google Chrome and other Chromium-based browsers:
Policy | Configuration | Description |
Content restriction for URLs | Web Bluetooth Guard | By selecting restrict, websites will not be able to access WebBluetooth API. |
Display Image | By selecting restrict, websites will not be able to display images. | |
Javascript | By selecting restrict, Javascipt will be disabled on all websites. | |
Popups | By selecting restrict, websites will not be able to display popups. | |
Video Capture | By selecting restrict, websites will not record video. | |
Cookies | By selecting block, websites will not be able to store cookies. | |
Geolocation | By selecting block, websites will not be able to track users' location. | |
Notifications | By selecting block, websites will not be able to send browser notifications. | |
Plugins | By selecting block, plugins will be blocked on all websites. | |
Content Restrictions for URLs | Audio Capture | By selecting restrict, audio caption will be blocked for specific websites that are present in selected website groups. |
Video Capture | By selecting restrict, video caption will be blocked for specific websites that are present in selected website groups. | |
Display Image | By selecting restrict, selected websites will not display images. | |
Javascript | By selecting restrict, Javascipt will be disabled on selected websites. | |
Notifications | By selecting block, selected websites will not send browser notifications. | |
Popups | By selecting restrict, selected websites will not be able to display popups. | |
Cookies | By selecting block, selected websites will not be able to store cookies. | |
Security restrictions > browser functionality | Media Router | By selecting disable, users will not be able to cast tabs, websites or desktop from the browser. |
Show Cast Icon in Toolbar | By selecting restrict, users will not be able to pin or remove the icon via its contextual menu. | |
Autofill | By selecting disable, websites will not pre-fill fields. | |
Developer Tools | By selecting disable, developer tools and JavaScript console will be disabled. | |
Print from cloud storage | Selecting restrict will not allow users to print from cloud storage. | |
Cloud Print Proxy Enabled | By selecting allow, chrome can act as proxy for legacy printers connected to the machine. This enables printers to be shared with google cloud print. | |
Capture screenshots | By selecting restrict, users will not be able to capture screenshots. | |
Print webpage | By selecting restrict, users will not be able to print webpages. | |
File upload to webpages | By selecting restrict, users will not be able to upload files to webpages. | |
Allow user to install Chrome Beta | Selecting no will ensure that users can not install Chrome Beta version. | |
Allow user to install Chrome Dev | Selecting no will ensure that users can not install Chrome Dev version. | |
Allow user to install Chrome Canary | Selecting no will ensure that users can not install Chrome Canary version. | |
Chrome Update | This configuration will decide how Chrome updates are installed. | |
Security restrictions > Privacy and safety | Sync Disabled | By selecting restrict, users will not be able to sync apps, themes, bookmarks, passwords, settings etc. between browser accounts with cloud account. |
Over-ride certificate errors | By selecting restrict, users will not be able to proceed past certificate errors displayed by websites. | |
Malware filter | By enabling this, sites that contain malicious content in any from: ransomware, viruses, phishing campaigns etc., will be blocked. | |
Save browser history | By selecting restrict, browser history will not be remembered. | |
Block third-party cookies | Enabling this will block all third party cookies. | |
Disable Safe Browsing Proceed Anyway | By selecting allow, users will be able to proceed past malware warning screens. | |
Force Google Safe Search | SafeSearch is a feature that acts as an automated filter of pornography and potentially offensive and inappropriate content. Selecting restrict will turn off the feature. | |
End processes in Task Manager | Selecting restrict, will not allow users to end processes in task manager. | |
Restrict Youtube forcefully | Selecting high will restrict the usage of youtube completely and selecting low will not restrict usage. | |
Incognito mode | Selecting disable will restrict users from accessing incognito mode. Selecting Force, will allow open browsers in Incognito mode. | |
Security restrictions > GPU rendering | Hardware Acceleration Mode | Hardware acceleration mode is a feature which takes advantage of your computer’s GPU to speed up processes and free vital CPU time. Selecting restrict will disable the feature. |
3D APIs | Selecting disable, restricts webpages from accessing the GPU, WebGL and Pepper 3D APIs. | |
Security restrictions for URLs | Auto-select certificates | Selecting enable, allows you to specify a list of url patterns that specify sites for which Google Chrome should automatically select a client certificate, if the site requests a certificate. |
Certificate Transparency Enforcement For URLs | Disables enforcing Certificate Transparency requirements to the listed URLs. | |
User accounts settings | Browser sign-in | By clicking on 'Deny', users will not be able to sign-in to the browser with their account and access user-account based services. By selecting 'Force sign-in" users will be able to access the browser only if they sign-in. |
Allow users to use guest mode | By clicking on 'No', users will not be able to log into the browser as a guest. | |
Force ephemeral mode | By clicking on 'Yes', users' browsing sessions will be ephemeral and user-data will be persisted only until the session is active. None of the data will be saved on closing the session. | |
Define accounts to access enterprise Google apps | Setting the policy turns on Chrome's restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains. | |
Define primary browser account | Defining the primary account determines which Google accounts can be set as browser primary accounts in Google Chrome. | |
Define download directory | Defining the default directory determines the directory that Google Chrome will use for downloading files. If users do not have the defined directory in their computers, they will be prompted to select their preferred directory during each download. | |
Bookmark manager | Bookmark Manager will allow you to save websites as favourites to users' bookmarks bar. | |
Homepage and startup | Make New Tab as Homepage | Selecting yes will make a new tab as the homepage. Selecting no will let you configure a specific website as the homepage |
Action on startup | Selecting 'Open new tab' will open a new tab on starting the browser. Selecting 'Restoring the last session' will restore the user's last browser session on starting the browser. Selecting 'Open a URL' will open the specified URL while starting the browser. | |
Default browser | Set Chrome as default browser | Selecting 'yes' will set chrome as the default browser on users' machines. |
The below are the configurations offered for Mozilla Firefox browser:
Policy | Configuration | Description |
Homepage URL | The URL entered will be be set as the homepage. | |
Security restrictions | About add-on page | Selecting restricts, blocks access to the Add-ons Manager. |
About configurations page | About configurations page allows users to change and manipulate the application settings on Firefox known as preferences. Selecting restrict will block access to the about configurations page. | |
About profiles page | A profile is the collection of settings, customizations, add-ons, and other personalizations that a user has made or installed on their Firefox browser. Selecting restrict will block access to the profiles page. | |
About support page | Selecting restrict will block access to Troubleshooting Information. | |
App update | Selecting disable will prevent automatic application update. | |
Developer tools | Selecting disable will block access to all developer tools. | |
Built in PDF viewer | Disabling the built in PDF viewer. PDF files will be downloaded and sent externally. | |
Screenshot button | Disabling the screenshot button will remove access to Firefox screenshots. | |
Accounts | Disabling accounts will disable Firefox integrations (sync). | |
Private browsing | Disabling private browsing will restrict users from accessing incognito mode. | |
Bookmarks toolbar | Disabling this setting will hide the bookmark toolbar on users' browsers. | |
Menu bar | Disabling this setting will hide the menu bar on users' browsers. |
Below are the configurations offered for Microsoft Edge browser:
Policy | Configuration | Description |
Content restriction for URLs | Web Bluetooth Guard | By selecting restrict, websites will not be able to access WebBluetooth API. |
Adobe Flash | Disabling this setting restricts usage of adobe flash. | |
Pop-ups | Disabling this setting restricts pop-ups. | |
Prompt user to run adobe flash | Disabling this setting does not provide a prompt window to allowing users an option to run or block Adobe flash. | |
Allow clearing browsing data on exit | Disabling this setting prevents clearing of browsing history on exiting the page. | |
Automatic search suggestion in the address bar | Disabling this setting ensures the suggestions in the address bar is turned off. | |
Display Image | By selecting restrict, websites will not be able to display images. | |
Javascript | By selecting restrict, Javascipt will be disabled on all websites. | |
Popups | By selecting restrict, websites will not be able to display popups. | |
Video Capture | By selecting restrict, websites will not record video. | |
Cookies | By selecting block, websites will not be able to store cookies. | |
Geolocation | By selecting block, websites will not be able to track users' location. | |
Notifications | By selecting block, websites will not be able to send browser notifications. | |
Plugins | By selecting block, plugins will be blocked on all websites. | |
Content Restrictions for URLs | Audio Capture | By selecting restrict, audio caption will be blocked for specific websites that are present in selected website groups. |
Video Capture | By selecting restrict, video caption will be blocked for specific websites that are present in selected website groups. | |
Display Image | By selecting restrict, selected websites will not display images. | |
Javascript | By selecting restrict, Javascipt will be disabled on selected websites. | |
Notifications | By selecting block, selected websites will not send browser notifications. | |
Popups | By selecting restrict, selected websites will not be able to display popups. | |
Cookies | By selecting block, selected websites will not be able to store cookies. | |
Security restrictions > browser functionality | Media Router | By selecting disable, users will not be able to cast tabs, websites or desktop from the browser. |
Show Cast Icon in Toolbar | By selecting restrict, users will not be able to pin or remove the icon via its contextual menu. | |
Autofill | By selecting disable, websites will not pre-fill fields. | |
Developer Tools | By selecting disable, developer tools and JavaScript console will be disabled. | |
Print from cloud storage | Selecting restrict will not allow users to print from cloud storage. | |
Cloud Print Proxy Enabled | By selecting allow, chrome can act as proxy for legacy printers connected to the machine. This enables printers to be shared with google cloud print. | |
Capture screenshots | By selecting restrict, users will not be able to capture screenshots. | |
Print webpage | By selecting restrict, users will not be able to print webpages. | |
File upload to webpages | By selecting restrict, users will not be able to upload files to webpages. | |
Allow user to install Chrome Beta | Selecting no will ensure that users can not install Chrome Beta version. | |
Allow user to install Chrome Dev | Selecting no will ensure that users can not install Chrome Dev version. | |
Allow user to install Chrome Canary | Selecting no will ensure that users can not install Chrome Canary version. | |
Chrome Update | This configuration will decide how Chrome updates are installed. | |
Security restrictions > Privacy and safety | Sync Disabled | By selecting restrict, users will not be able to sync apps, themes, bookmarks, passwords, settings etc. between browser accounts with cloud account. |
Over-ride certificate errors | By selecting restrict, users will not be able to proceed past certificate errors displayed by websites. | |
Malware filter | By enabling this, sites that contain malicious content in any from: ransomware, viruses, phishing campaigns etc., will be blocked. | |
Save browser history | By selecting restrict, browser history will not be remembered. | |
Block third-party cookies | Enabling this will block all third party cookies. | |
Disable Safe Browsing Proceed Anyway | By selecting allow, users will be able to proceed past malware warning screens. | |
Force Google Safe Search | SafeSearch is a feature that acts as an automated filter of pornography and potentially offensive and inappropriate content. Selecting restrict will turn off the feature. | |
End processes in Task Manager | Selecting restrict, will not allow users to end processes in task manager. | |
Restrict Youtube forcefully | Selecting high will restrict the usage of youtube completely and selecting low will not restrict usage. | |
Incognito mode | Selecting disable will restrict users from accessing incognito mode. Selecting Force, will allow open browsers in Incognito mode. | |
Security restrictions > GPU rendering | Hardware Acceleration Mode | Hardware acceleration mode is a feature which takes advantage of your computer’s GPU to speed up processes and free vital CPU time. Selecting restrict will disable the feature. |
3D APIs | Selecting disable, restricts webpages from accessing the GPU, WebGL and Pepper 3D APIs. | |
Security restrictions for URLs | Auto-select certificates | Selecting enable, allows you to specify a list of url patterns that specify sites for which Google Chrome should automatically select a client certificate, if the site requests a certificate. |
Certificate Transparency Enforcement For URLs | Disables enforcing Certificate Transparency requirements to the listed URLs. | |
User accounts settings | Browser sign-in | By clicking on 'Deny', users will not be able to sign-in to the browser with their account and access user-account based services. By selecting 'Force sign-in" users will be able to access the browser only if they sign-in. |
Allow users to use guest mode | By clicking on 'No', users will not be able to log into the browser as a guest. | |
Define accounts to access enterprise Google apps | Setting the policy turns on Chrome's restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains. | |
Force ephemeral mode | By clicking on 'Yes', users' browsing sessions will be ephemeral and user-data will be persisted only until the session is active. None of the data will be saved on closing the session. | |
Define primary browser account | Defining the primary account determines which Google accounts can be set as browser primary accounts in Google Chrome. | |
Define download directory | Defining the default directory determines the directory that Google Chrome will use for downloading files. If users do not have the defined directory in their computers, they will be prompted to select their preferred directory during each download. | |
Bookmark manager | Bookmark Manager will allow you to save websites as favourites to users' bookmarks bar. | |
Homepage and startup | Make New Tab as Homepage | Selecting yes will make a new tab as the homepage. Selecting no will let you configure a specific website as the homepage |
Action on startup | Selecting 'Open new tab' will open a new tab on starting the browser. Selecting 'Restoring the last session' will restore the user's last browser session on starting the browser. Selecting 'Open a URL' will open the specified URL while starting the browser. | |
Default browser | Set Chrome as default browser | Selecting 'yes' will set chrome as the default browser on users' machines. |
Below are the configurations offered for Microsoft Internet Explorer:
Policy | Configuration | Description |
Zone settings | Local intranet, Trusted websites, Restricted websites, Internet Security | Internet explorer provides a security level slider which you can use to define security boundaries for the four zones. The available security levels are |
Lockdown | Tabs | Selecting hide, will not display the corresponding tab on users' browsers. |
Tools | Full screen mode | Enabling this configuration will always display the users' browsers as a full screen. |
Developer Tools | This policy setting allows you to manage whether the user can access Developer Tools in Internet Explorer. If you disable this policy setting, the user cannot access Developer Tools. | |
Hide The Command Bar | This policy setting allows you to show or hide the Command bar. If you enable this policy setting, the Command bar is hidden and the user cannot choose to show it. | |
Hide The Status Bar | This policy setting allows you to show or hide the status bar. If you enable this policy setting, the status bar is hidden and the user cannot choose to show it. | |
Lock All Tool Bars | If you enable this policy setting, the toolbars are locked and the user cannot move them. If you disable this policy setting, the toolbars are unlocked and the user can move them. | |
Inprivate Tools | If you enable this policy setting, InPrivate Filtering data is preserved when the user clicks Delete. | |
Print Webpage | This policy setting allows you to manage whether users can access the Print menu. | |
Reset IE settings | Reset Internet Explorer Settings allows the user to reset all settings changed since installation, delete browsing history, and disable add-ons that are not pre-approved. If you enable this policy setting, the user cannot use Reset Internet Explorer Settings. | |
Change proxy settings | If you enable this policy setting, the user will not be able to configure proxy settings. | |
Disable Changing Automatic Configuration Settings | If you enable this policy setting, the user will not be able to do automatic configuration. You can only import connection settings. | |
Disable changing connection settings | Prevents users from changing dial-up settings. If you enable this policy, the Settings button on the Connections tab in the Internet Options dialog box appears dimmed. | |
Security restrictions | Prevent ignoring certificate errors | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. |
Turn on certificate address mismatch warning | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. | |
Allow software to run or install even if the signature is invalid | If you enable this policy setting, users will be prompted to install or run files(such as ActiveX controls) with an invalid signature. | |
Check for signatures on downloaded programs | If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. | |
Install new versions of Internet Explorer automatically | This policy setting configures Internet Explorer to automatically install new versions of Internet Explorer when they are available. If you enable this policy setting, automatic upgrade of Internet Explorer will be turned on. | |
Use HTTP 1.1 | This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1. If you enable this policy setting, Internet Explorer uses HTTP 1.1. | |
Use HTTP 1.1 through proxy connections | This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy connections. | |
Do not save encrypted pages to disk | If you enable this policy setting, Internet Explorer will not save encrypted pages containing secure (HTTPS) information to the cache. | |
Consistent Mime Handling for Internet Explorer Processes | If you enable this configuration, MIME data will be used to determine file handling procedures for files that are received through a Web server. | |
Empty Temporary Internet Files folder when browser is closed | If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all browser windows are closed. | |
Check for server certificate revocation | This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. | |
Turn off the Security Settings Check feature | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. | |
Protection From Zone Elevation for Internet Explorer Processes | Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation disables JavaScript navigation if there is no security context. | |
Restrict File Download for Internet Explorer Processes | Enables applications hosting the Web Browser Control to block automatic prompting of file downloads that were not user initiated. | |
Turn off encryption support | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select. | |
Add-on Management | Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts | This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) are loaded by default during an InPrivate Browsing session. |
Third-party browser extensions | This policy setting allows you to manage whether Internet Explorer will launch browser helper objects. | |
Automatically activate newly installed add-ons | If you enable this policy setting, newly installed add-ons are automatically activated in the browser. | |
Restrict ActiveX Install for Internet Explorer Processes | Enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation. | |
Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. | |
Turn off blocking of outdated ActiveX controls for Internet Explorer | If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. | |
Content Restriction | Auto-complete for web addresses | Clicking on disable will not pre-fill users' web addresses. |
Autofill for forms | Clicking on disable will not pre-fill forms. | |
Autofill for username and password | Clicking on disable will not pre-fill users' username and passwords. | |
Default browser | Set Chrome as default browser | Selecting 'yes' will set chrome as the default browser on users' machines. |