How to Set Up Chrome Browser Cloud Management
Learn how to set up Chrome Browser Cloud Management (CBCM) to control browser policies, extensions, and security settings across your organisation's devices.
Your staff use Chrome every day. They install extensions, store passwords, access cloud applications, and handle sensitive client data through it. If you have no central control over those browsers, you have a significant security gap — one that exists entirely outside your Google Workspace Admin Console until you close it.
Chrome Browser Cloud Management, or CBCM, is Google's answer to this problem. It lets you manage Chrome browsers on Windows, macOS, Linux, iOS, and Android from the same Admin Console you use for Workspace — without requiring those devices to be ChromeOS or joined to any enterprise directory. For Australian SMBs running a mix of devices across offices and remote locations, this is one of the most practical device management tools available, and it is free for any organisation with a Google account.
This guide walks you through CBCM from enrolment to active policy enforcement, including extension control and the best practices that separate a well-managed browser fleet from a security liability.
What this guide covers:
- What CBCM is and why it matters for Australian SMBs
- Prerequisites and licence requirements
- Step-by-step enrolment of browsers into CBCM
- Setting browser policies in the Admin Console
- Managing extensions and apps centrally
- Best practices for ongoing browser management
What Is Chrome Browser Cloud Management?
CBCM is a cloud-hosted management platform built into the Google Admin Console. Once a Chrome browser is enrolled, you can push policies to it, control which extensions users can install, enforce security settings like Safe Browsing and password manager behaviour, and view browser inventory reports — all from a central interface.
The key distinction to understand is what CBCM manages versus what ChromeOS management manages:
- ChromeOS device management (also called Chrome Enterprise Upgrade) manages the entire ChromeOS operating system. It is a paid licence tied to the device.
- Chrome Browser Cloud Management manages the Chrome browser application running on any supported OS. The core management tier is free. There is also a paid Chrome Enterprise Premium tier that unlocks additional reporting, threat protection, and context-aware access integration.
For most Australian SMBs, the free CBCM tier provides everything needed to enforce browser security baselines, block malicious extensions, and maintain visibility over browser inventory. The paid tier becomes relevant when you need deep URL filtering, browser threat intelligence, or integration with your SIEM.
Why This Matters for Australian SMBs
Browsers are the primary attack surface for most modern threats — phishing, credential harvesting, malicious extensions, and drive-by downloads all happen in the browser. The Australian Cyber Security Centre's Essential Eight framework explicitly calls out "patch applications" and "restrict administrative privileges" as top mitigations. CBCM operationalises both: you can enforce automatic updates, remove extension installation rights from standard users, and restrict access to non-approved web applications.
Under the Privacy Act 1988, demonstrating that you take reasonable steps to protect personal information is a legal requirement, not a best-practice suggestion. A documented, enforced browser management policy is concrete evidence of those reasonable steps.
Prerequisites
Before you start, confirm you have the following in place:
Google Account or Workspace domain: CBCM works with any Google account, including free Workspace accounts. However, to manage browsers alongside your Workspace users and apply user-level policies, you need a Google Workspace domain. Business Starter and above all support CBCM at no additional cost.
Super Admin access: You need a Super Admin account to enable CBCM and configure policies in the Admin Console. Delegated admin accounts with appropriate privileges can manage browsers after enrolment.
Chrome browser version 70 or later: Any Chrome browser on Windows, macOS, or Linux running version 70 or above can be enrolled. Most organisations running current Chrome (which auto-updates) will be on a recent release.
Device access for enrolment: Browsers must be enrolled on each device through a Group Policy Object (GPO) on Windows, a configuration profile on macOS, or a command-line flag on Linux. You do not need to touch each machine manually if you have a deployment tool like Microsoft Intune, Jamf, or PDQ Deploy.
Supported operating systems:
- Windows 7 and later (Windows 10/11 recommended)
- macOS 10.11 and later
- Linux (most common distributions)
- iOS 12 and later
- Android 5.0 and later
Step 1: Enable Chrome Browser Cloud Management
The first task is to switch on CBCM in your Admin Console and retrieve your enrolment token.
- Sign in to the Google Admin Console at admin.google.com with a Super Admin account.
- Navigate to Devices > Chrome > Managed browsers.
- If this is your first time accessing CBCM, you will see a prompt to enable Chrome Browser Cloud Management. Click Enable.
- Once enabled, click Enrolment token in the left panel (or find the token icon at the top of the Managed browsers screen).
- Click Create token. Give it a descriptive name — for example, Windows-HQ-Desktops or macOS-Remote-Fleet. You can create multiple tokens scoped to different organisational units if you want different policies for different device groups.
- Copy the token and store it securely. You will need it for the enrolment step on each device or deployment tool.
Important: Treat your enrolment token like a password. Anyone with the token can enrol browsers into your management environment. Rotate tokens if they are ever exposed.
Step 2: Enrol Browsers Into CBCM
Enrolment is the process of telling a Chrome browser on a specific machine to report to your Admin Console. The method depends on your operating system.
Windows (via Group Policy)
The most common method for Windows environments. You will need the Chrome ADMX templates installed in your Group Policy infrastructure.
- Download the Chrome ADMX templates from Google's Chrome Enterprise download page.
- Copy the chrome.admx and google.admx files to your Policy Definitions folder (typically C:\Windows\PolicyDefinitions or your central store).
- Open the Group Policy Management Editor.
- Navigate to Computer Configuration > Administrative Templates > Google > Google Chrome.
- Find the setting Set the Chrome Browser Cloud Management enrolment token.
- Enable the setting and paste your enrolment token into the value field.
- Apply the GPO to the computers you want to manage.
Chrome will pick up the policy on the next browser launch or within the GPO refresh interval (typically 90 minutes). After the browser restarts, it will check in to the Admin Console and appear in your Managed browsers list.
macOS (via Configuration Profile)
- In your Mobile Device Management (MDM) tool — Jamf, Kandji, Microsoft Intune, or similar — create a new configuration profile.
- Add a Custom settings payload with the domain com.google.Chrome.
- Add the key CloudManagementEnrollmentToken with the string value of your enrolment token.
- Deploy the profile to your target Mac devices.
If you do not have an MDM, you can set the enrolment token via a defaults write command in Terminal, though MDM deployment is strongly preferred for repeatability.
Linux (via Command-Line Flag)
On Linux, you can pass the enrolment token at Chrome launch using the --cloud-management-enrollment-token flag, or set it persistently in a managed Chrome policy file:
- Create the directory /etc/opt/chrome/policies/managed/ if it does not exist.
- Create a JSON policy file in that directory, for example cbcm.json:

```json
{
  "CloudManagementEnrollmentToken": "YOUR_TOKEN_HERE"
}
```

- Chrome will read this policy file automatically on the next launch.
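Because the token sits in a plain JSON file that every Chrome user on the machine must be able to read, it is worth checking that nobody but root can change it. The following is an added example, not part of the original guide or of Google's tooling: a Python audit of the managed policy directory. The function name, the `owner_uid` parameter and the finding messages are assumptions made for this example.

```python
import json
import stat
from pathlib import Path

POLICY_DIR = Path("/etc/opt/chrome/policies/managed")  # directory named in the guide
TOKEN_KEY = "CloudManagementEnrollmentToken"
PLACEHOLDER = "YOUR_TOKEN_HERE"


def audit_policy_dir(policy_dir=POLICY_DIR, owner_uid=0):
    """Return a list of findings; an empty list means no problem was found."""
    policy_dir = Path(policy_dir)
    if not policy_dir.is_dir():
        return [f"{policy_dir}: missing, Chrome has no managed policy to read"]
    findings, tokens = [], set()
    for path in [policy_dir, *sorted(policy_dir.glob("*.json"))]:
        st = path.stat()
        if st.st_uid != owner_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or other users")
        if path.is_dir():
            continue
        if not st.st_mode & stat.S_IROTH:
            findings.append(f"{path}: not readable by the users who run Chrome")
        try:
            policy = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append(f"{path}: cannot be parsed as JSON ({exc})")
            continue
        if isinstance(policy, dict) and TOKEN_KEY in policy:
            tokens.add(str(policy[TOKEN_KEY]).strip())
    # Report on the token without ever echoing its value into logs.
    if not tokens:
        findings.append(f"{policy_dir}: no file sets {TOKEN_KEY}")
    elif len(tokens) > 1:
        findings.append(f"{policy_dir}: {len(tokens)} different tokens set across files")
    if tokens & {"", PLACEHOLDER}:
        findings.append(f"{policy_dir}: token is empty or still the placeholder")
    return findings


if __name__ == "__main__":
    for finding in audit_policy_dir():
        print(finding)
```

Run it as part of your configuration management checks; any local user can still read the token, which is one more reason to use a separate token per device group.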
Verifying Enrolment
After deploying the token, confirm enrolment by returning to Devices > Chrome > Managed browsers in the Admin Console. Enrolled browsers will appear in the list with their device name, OS, Chrome version, and last activity timestamp. Allow up to 15 minutes for a newly enrolled browser to appear.
Step 3: Organise Browsers With Organisational Units
Like users in Workspace, enrolled browsers can be placed into organisational units (OUs) to receive different policies.
- In Devices > Chrome > Managed browsers, select one or more enrolled browsers using the checkboxes.
- Click the Move option and select the destination OU.
A typical OU structure for an Australian SMB might look like this:
- Managed Browsers
  - HQ-Desktops (stricter policies, fixed location)
  - Remote-Workers (balanced policies for home office use)
  - Kiosk-Reception (locked-down policies, single-site access)
  - Executive (higher trust, fewer restrictions)
You can also auto-assign browsers to OUs based on the enrolment token used. Create a separate token per OU and deploy the correct token to each device group through your GPO or MDM targeting.
Step 4: Configure Browser Policies
Policies control Chrome's behaviour on enrolled browsers. They are configured at the OU level in the Admin Console and pushed to enrolled browsers automatically.
- Navigate to Devices > Chrome > Settings > Browser (or Managed Browser Settings).
- Select the OU you want to configure.
- Work through the policy categories below.
Security Policies (Recommended Baseline)
These settings should be applied to all enrolled browsers as a minimum security baseline:
Safe Browsing: Set to Always on. Navigate to Security > Safe Browsing protection level and select Enhanced protection. This uses Google's real-time threat intelligence to block phishing and malware sites.
Password manager: Under Passwords > Password manager, consider setting Password manager to Allow but disable Allow users to save passwords to built-in browser password manager if you manage passwords through a dedicated tool like 1Password or Bitwarden. Unmanaged password saving in a shared browser is a data exposure risk.
Incognito mode: Under Privacy > Incognito mode, set to Disallow incognito mode for kiosk or shared devices. For standard workstations, leaving it available is generally acceptable — incognito removes the ability for your DLP tools to scan browsing activity, so weigh this based on your environment.
Force safe search: Under Content > Safe search and restricted YouTube mode, enable Force SafeSearch and Force Strict Restricted Mode for YouTube for any devices used by non-adult users or in public-facing areas.
Browser version enforcement: Under Updates > Update policy override, set to Always allow updates to ensure browsers stay current. Outdated Chrome versions are a top vulnerability vector. You can also set a minimum version policy to block browsers below your acceptable minimum from connecting to managed resources.
Productivity and UX Policies
Homepage and new tab page: Under Startup, home page, and new tab, set the homepage to your company intranet, your Workspace environment, or a standard new tab. This is especially useful for kiosk or reception devices.
Bookmarks: Under Bookmark bar, you can push a managed bookmarks list to all browsers. This ensures every employee has quick access to your key internal systems — HR portal, ticketing system, admin tools — without relying on each person to set their own bookmarks.
Proxy settings: If your organisation routes traffic through a corporate proxy, configure the Proxy settings here to enforce consistent routing across all managed browsers, including for remote workers using your VPN.
Step 5: Manage Extensions
Uncontrolled extension installation is one of the most overlooked security risks in browser environments. Malicious or compromised extensions can read every webpage a user visits, exfiltrate form data, redirect searches, and inject scripts. CBCM gives you granular control.
Set an Extension Installation Policy
- Navigate to Devices > Chrome > Apps & extensions > Users & browsers.
- Select the OU you want to configure.
- In the Extension and app settings panel on the right, set the default installation policy:
  - Block all apps, admin manages allowlist: Strictest option. Users cannot install anything not on your approved list. Recommended for high-security or kiosk environments.
  - Allow all apps, admin manages blocklist: Permissive option. Users can install anything except explicitly blocked extensions. Better for general staff where productivity tools vary.
  - Allow all apps, no blocklist: No control. Not recommended for any managed environment.
Force-Install Extensions
Force-installed extensions deploy automatically to all browsers in the OU without user action and cannot be removed by the user.
- Click Add > From Chrome Web Store.
- Search for the extension by name or paste its Chrome Web Store URL.
- Set the installation policy to Force install.
- Click Save.
Common extensions to force-install across your organisation:
- Google Drive for Desktop (if not managed via separate deployment)
- Your password manager extension (1Password, Bitwarden, etc.)
- Endpoint Verification (required for context-aware access in Workspace)
- Your VPN client extension (if applicable)
Block Specific Extensions
If you use an allowlist approach but need to block a specific known-bad extension:
- Find the extension in the Apps & Extensions console or add it manually using its Chrome Web Store extension ID.
- Set the installation policy to Block.
You can also block entire categories of extensions by going to Extension and app settings and toggling categories like Developer Tools, File managers, or Accessibility based on your risk tolerance.
Approve on Request
If you use a blocklist (allow-by-default) approach, consider enabling Users can request extensions. This creates a workflow where users submit a request, an admin reviews it, and approved extensions are pushed out centrally. It balances control with flexibility.
Best Practices for Ongoing CBCM Management
Use the Browser Inventory for Patching Visibility
The Managed browsers list in the Admin Console shows the Chrome version running on every enrolled browser. Use this as a quick patching audit: sort by Chrome version and identify any browsers that are significantly behind the current release. Old Chrome versions are a known attack vector — if a browser has not updated in three months, something is preventing auto-update and it needs investigation.
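If you work from a copy of the inventory rather than the console view, compare versions numerically: sorted as text, version 99 lands above version 126. The following is an added example, not part of the original guide. It assumes you have the inventory as CSV, and the column names, sample rows and the `max_major_lag` threshold are constructed for illustration.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this example.
SAMPLE_EXPORT = """device_name,os,chrome_version
HQ-PC-01,Windows,126.0.6478.127
HQ-PC-02,Windows,99.0.4844.84
REMOTE-MAC-07,macOS,126.0.6478.62
KIOSK-01,Linux,124.0.6367.91
DEV-LNX-03,Linux,
"""


def parse_version(text):
    """'126.0.6478.127' -> (126, 0, 6478, 127); None when not a dotted number."""
    parts = (text or "").strip().split(".")
    if not all(part.isdigit() for part in parts):
        return None
    return tuple(int(part) for part in parts)


def patch_audit(export_text, max_major_lag=1):
    """Return (newest_version, flagged); flagged holds
    (device_name, reported_version, reason) tuples, oldest first."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    versions = [parse_version(row.get("chrome_version")) for row in rows]
    newest = max((v for v in versions if v), default=None)
    flagged = []
    # Rows without a usable version sort first so they are not overlooked.
    for row, version in sorted(zip(rows, versions), key=lambda rv: rv[1] or ()):
        if version is None:
            reason = "no usable version reported"
        elif newest[0] - version[0] > max_major_lag:
            reason = f"{newest[0] - version[0]} major releases behind the fleet's newest"
        else:
            continue
        reported = row.get("chrome_version") or "unknown"
        flagged.append((row.get("device_name"), reported, reason))
    return newest, flagged


if __name__ == "__main__":
    newest, flagged = patch_audit(SAMPLE_EXPORT)
    print("newest in fleet:", ".".join(map(str, newest)))
    for device, version, reason in flagged:
        print(f"{device:15} {version:18} {reason}")
```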
Separate Tokens per Environment
Create distinct enrolment tokens for different environments (office desktops, remote workers, development machines, kiosks). This gives you the flexibility to retire a token if it is compromised without affecting other device groups, and it makes your CBCM inventory easier to navigate.
Align Extension Policies With Your Data Classification
Not all extensions need the same access. Extensions that read all page content (which most productivity extensions do, by necessity) should face higher scrutiny for users who access sensitive client data or financial records. Consider a stricter allowlist for your finance and HR OUs compared to general staff.
Review Extension Permissions Regularly
Quarterly, review the extensions in your allowlist. Extensions change ownership, get acquired by third parties, or have their update permissions changed. An extension that was safe six months ago may have received a malicious update since. Google's Chrome Web Store flags extensions with policy violations, but it is not infallible. Actively reviewing what you have approved is better than passive reliance on Google's moderation.
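One way to make the quarterly review concrete is to keep the manifest of each approved extension from the last review and diff it against the current one. The following is an added example, not part of the original guide. The two manifests are constructed, the function names are assumptions, and how you obtain the manifests is left to your own process.

```python
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests for a hypothetical extension, before and after an update.
PREVIOUS = {
    "name": "Example Notes Clipper", "version": "1.4.0", "manifest_version": 3,
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://notes.example.com/*"],
}
CURRENT = {
    "name": "Example Notes Clipper", "version": "2.0.0", "manifest_version": 3,
    "permissions": ["storage", "activeTab", "webRequest", "cookies"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}


def _is_host(entry):
    return "://" in entry or entry == "<all_urls>"


def host_patterns(manifest):
    """Every URL pattern the extension can touch, across manifest v2 and v3 keys."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= set(manifest.get("optional_host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if _is_host(p)}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def api_permissions(manifest):
    return {p for p in manifest.get("permissions", []) if not _is_host(p)}


def review(previous, current):
    """Summarise what an update added since the last approved version."""
    old_hosts, new_hosts = host_patterns(previous), host_patterns(current)
    broad_now = bool(new_hosts & BROAD_HOSTS)
    return {
        "version": f'{previous["version"]} -> {current["version"]}',
        "reads_all_pages": broad_now,
        "became_broad": broad_now and not (old_hosts & BROAD_HOSTS),
        "added_hosts": sorted(new_hosts - old_hosts),
        "added_apis": sorted(api_permissions(current) - api_permissions(previous)),
    }


if __name__ == "__main__":
    for key, value in review(PREVIOUS, CURRENT).items():
        print(f"{key}: {value}")
```

An extension whose review shows `became_broad` or new API permissions is a candidate for re-approval before it stays on the allowlist, especially in the finance and HR OUs.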
Combine CBCM With Context-Aware Access
CBCM's Endpoint Verification extension, when force-installed, reports device security signals to Google Workspace. This enables you to enforce context-aware access policies that require a managed, compliant browser — not just a managed device — to access Workspace services. This is particularly powerful for BYOD environments where you manage the browser on a personal device rather than the device itself.
Keep a Change Log
Whenever you modify a browser policy or extension allowlist, record the change, the reason, and who made it. Browser policies affect your entire workforce and can cause disruption if misconfigured. A change log helps you diagnose issues quickly ("we pushed a new proxy policy yesterday and now remote users can't reach Drive") and demonstrates change management discipline for compliance purposes.
Wrapping Up
Chrome Browser Cloud Management gives Australian IT admins a free, practical way to secure the most-used application in their organisation. Without it, every Chrome browser in your fleet is a self-managed endpoint making its own decisions about extensions, updates, and Safe Browsing settings. With it, you set the baseline once, push it everywhere, and have the inventory visibility to know when something falls out of compliance.
The setup is straightforward: enable CBCM in the Admin Console, generate an enrolment token, deploy it via GPO or MDM, and start configuring policies. Start with the security baseline — Safe Browsing, forced updates, and extension control — and build from there as your understanding of your browser fleet grows.
If you take one action from this guide today, make it this: navigate to Devices > Chrome > Managed browsers in your Admin Console and check how many browsers are already enrolled. If the answer is zero, you have a complete blind spot on one of your organisation's most active attack surfaces. Enabling CBCM does not change how your users experience Chrome — but it gives you the control and visibility you need to keep that experience secure.
Your browsers are running right now. The question is whether you are managing them or hoping for the best.