Using Chrome Policies to Help Avoid Account Confusion

Brian Kim
3 min read · Oct 16, 2021

This article is a follow-up to the earlier article on blocking access to non-domain accounts within a Chrome browser profile using the AllowedDomainsForApps policy.

The main struggle that users face when switching to Google Workspace is working in the browser, especially if they were already signed into their personal Google accounts. When multiple accounts are signed into one Chrome profile, opening a new tab or visiting a Google application falls back to the default account, which is the first Google account the user signed into the browser with (the /u/0 account in Google URLs).

Chrome 94 introduced a new policy, ManagedAccountsSigninRestriction, which will help many admins by forcing each managed account into its own browser profile.

Chrome 94 Release Notes

There are a few settings to consider, but the Admin console has the clearest wording for the three options available. Since we are interested in forcing the creation of separate profiles, we will look at the first two settings.

Admin Console Setting

If this policy is set to ‘primary_account’ at the machine level, all managed accounts will be forced to be primary. If this policy is set to ‘primary_account’ on an account, that account will always be a primary account, but may have secondary accounts in its profile.

If this policy is set to ‘primary_account_strict’ at the machine level, all managed accounts will be forced to be primary. If this policy is set to ‘primary_account_strict’ on an account, that account will always be a primary account and will not have any secondary accounts in its profile.

Because Chrome policies can be applied either to a user or to a managed browser, there are a few differences to consider depending on whether a policy is applied at the machine level or at the user level.

  1. Machine-level policy
    When a user tries to add a secondary managed account to any browser profile, Chrome will prompt the user to create a separate profile. This applies to both primary_account and primary_account_strict.
  2. User-level policy
    When a user tries to add a secondary managed account to the managed profile, Chrome will prompt the user to create a separate profile. primary_account will allow other accounts (personal and managed) to be added; primary_account_strict will not allow managed accounts to be added, but it will allow personal accounts to be added unless they are blocked by the AllowedDomainsForApps policy.

In testing at the time of writing, there was no observable difference between primary_account and primary_account_strict when configured as a user-level policy.

Therefore, it is recommended that you configure ManagedAccountsSigninRestriction as a machine-level policy so that every managed account, regardless of domain, gets its own browser profile, and configure AllowedDomainsForApps as a user-level policy so that only accounts on the corporate domain can be signed into within browser profiles created by your users' accounts.

While there is no control to prevent users from signing into gmail.com accounts from browser profiles managed by other organizations, using RestrictSigninToPattern as a device policy (which limits which accounts may be used as a profile's primary browser sign-in) will limit the proliferation of users signing into multiple accounts (managed or otherwise) inside a Chrome profile and hopefully reduce the number of browser-related tickets.
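The following is an added example, not code from the original article or from Google, showing how the recommended machine-level and user-level policies fit together and what each one actually checks. It assumes a corporate domain of corp.example.com, writes the machine-level policy as a Linux managed-policy JSON file (on a real host the directory is /etc/opt/chrome/policies/managed; on Windows or macOS the same keys go into the registry or a plist instead), and emulates two checks: RestrictSigninToPattern as a case-insensitive full-match regex over the whole account email, and AllowedDomainsForApps as the domain list Chrome sends to Google in the X-GoogApps-Allowed-Domains header. The helper functions (primary_signin_allowed, secondary_signin_allowed, allowed_domains_header, write_linux_policy) are illustrative names, not Chrome APIs.

```python
"""Added example: combining ManagedAccountsSigninRestriction,
RestrictSigninToPattern and AllowedDomainsForApps.

Assumptions (not from the article): corp.example.com is the Workspace domain,
the policy file layout is the Linux one, and RestrictSigninToPattern is
treated as a full-match regex over the whole email address.
"""
import json
import os
import re
import tempfile

CORP_DOMAIN = "corp.example.com"  # assumed corporate domain

# Machine-level policy: applies to every profile in the managed browser.
# ManagedAccountsSigninRestriction forces each managed account into its own
# profile; RestrictSigninToPattern limits which accounts can become a
# profile's primary (browser sign-in) account.
MACHINE_POLICY = {
    "ManagedAccountsSigninRestriction": "primary_account_strict",
    "RestrictSigninToPattern": r".*@corp\.example\.com",
}

# User-level policy (set in the Admin console for the Workspace user).
# Chrome forwards this list to Google as the X-GoogApps-Allowed-Domains
# header, and Google blocks sign-in to accounts outside those domains.
USER_POLICY = {
    "AllowedDomainsForApps": CORP_DOMAIN,
}


def primary_signin_allowed(email, pattern=MACHINE_POLICY["RestrictSigninToPattern"]):
    """Emulate RestrictSigninToPattern: the whole email must match the regex.

    Using fullmatch (an assumption about Chrome's matching) means a look-alike
    such as alice@corp.example.com.evil.net is rejected, which a bare
    re.search would let through.
    """
    return re.fullmatch(pattern, email, flags=re.IGNORECASE) is not None


def allowed_domains_header(policy=USER_POLICY):
    """Header Chrome attaches to Google requests when AllowedDomainsForApps is set."""
    return "X-GoogApps-Allowed-Domains: " + policy["AllowedDomainsForApps"]


def secondary_signin_allowed(email, policy=USER_POLICY):
    """Emulate the server-side check: account domain must be in the allowed list."""
    allowed = {d.strip().lower() for d in policy["AllowedDomainsForApps"].split(",")}
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in allowed


def write_linux_policy(policy_root=None, name="corp_accounts.json"):
    """Write MACHINE_POLICY as a Linux managed (mandatory) policy file.

    policy_root defaults to a temp directory so the example runs anywhere;
    on a real host pass /etc/opt/chrome/policies.
    """
    if policy_root is None:
        policy_root = tempfile.mkdtemp(prefix="chrome-policy-")
    managed_dir = os.path.join(policy_root, "managed")
    os.makedirs(managed_dir, exist_ok=True)
    path = os.path.join(managed_dir, name)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(MACHINE_POLICY, fh, indent=2)
        fh.write("\n")
    return path


def read_policy_file(path):
    """Load a policy JSON file back, as Chrome would on startup."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Constructed sample accounts: corporate, consumer, partner and look-alike.
    for who in ("alice@corp.example.com", "alice@gmail.com",
                "bob@partner.example.org", "alice@corp.example.com.evil.net"):
        print("%-34s primary=%-5s secondary=%s" % (
            who, primary_signin_allowed(who), secondary_signin_allowed(who)))
    print(allowed_domains_header())
    print("wrote", write_linux_policy())
```

Note the division of labour: RestrictSigninToPattern only governs the browser's own primary sign-in, so a user can still open accounts.google.com and add a second account inside the profile; it is the user-level AllowedDomainsForApps check (enforced by Google, not the browser) that stops the consumer account from being added there.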

P.S. Google added Remote Commands as of Chrome 91, which allow admins to clear the cache and cookies remotely.

https://support.google.com/chrome/a/answer/10254282?hl=en

Brian Kim

Brian is a Google-certified Collaboration and Security Engineer. You can find him hanging out in the SaaSOps or MacAdmins Slack.