Sign-In Settings
  • 01 Oct 2024
  • 5 Minutes to read
  • PDF

Sign-In Settings

  • PDF

Article summary

IT Admins can secure device access by configuring sign-in options. By carefully configuring these sign-in options, you can significantly enhance the security of your ChromeOS devices and protect sensitive data. This document describes all the Sign-In policies you can configure and apply.

Configuring Enrollment & Sign-In policies

  1. On Scalefusion Dashboard, navigate to Device Profiles & Policies > Device Profiles.

  2. Create a new profile for ChromeOS or edit the existing profile.

  3. On the left panel, expand Enrollment & Sign-In by clicking on the down arrow next to it.

  4. There are three main sub-sections:

    1. Enrollment Settings

    2. Sign-In Settings

    3. Accessibility

  5. Click on Sign-In Settings

Sign-In Settings can be configured for Device level, User level, and Managed Guest Mode

Device Level

This section provides detailed information on the configuration options available under the Devices tab within the Sign-In Settings. These settings control various aspects of user sign-in experience on Chromebooks.

  1. Allow Guest Mode: Enable or disable guest access to the Chromebook.

  2. Allow Managed Guest session: From here you can allow or block guest sessions. Following are the options to choose from:

    • Allow: Allows managed guest sessions (default for migration purposes).

    • Don't Allow: Disables managed guest sessions.

    • Auto-Launch: Automatically launches a managed guest session when the device is idle.

    • Auto-Launch Delay (in minutes): Sets the delay in minutes before a managed guest session is automatically launched. Must be between 1 and 90 minutes. This setting is enabled only when "Auto-Launch" is selected.

    • Device Health Monitoring: Enables or disables device health monitoring for managed guest sessions.

    • Adjust Display Rotation (degrees): Configures the display rotation for managed guest sessions.

    • Display name (gets enabled only if auto-launch or allow is selected): Sets the display name for managed guest sessions. Allows maximum length of 40 characters.

  3. Configure Sign-In restrictions: Restrict which users can sign in to the device. Following are the options to choose from:

    1. Allow All: No restrictions, any user can sign in. (Default)

    2. Restrict All: Only authorized users can sign in.

    3. Allow Only Selected: Allows sign-in only for a specific list of users or a domain.

      1. Enter user email addresses or a domain name (e.g., acmeinc.com) to restrict access. Domain names will be automatically appended with *@ when sent to Google.

  4. Configure auto complete domain name: Set a default domain name that appears on the sign-in screen for user convenience. Please note this accepts a single string that matches a valid domain name format.

  5. Show user name and photos on sign-in screen: Enable or disable display of user names and photos on the sign-in screen.

  6. Erase all user data on sign-out: Enable erasing all locally stored user settings and data upon sign-out.

  7. System Info on sign-in screen: Control whether device information like ChromeOS version and/or serial number is shown on the sign-in screen. Choose one of the following options from the drop-down:

    1. User Control: Users can choose to display or hide system info.

    2. Enforce: System info is always displayed.

    3. Disable: System info is never displayed.

  8. Privacy screen settings on sign-in screen: Controls whether the privacy screen is always on during sign-in or left for user selection. Choose one of the following options from the drop-down:

    1. User Control: Users can choose to enable or disable the privacy screen.

    2. Enforce: Privacy screen is always enabled.

    3. Disable: Privacy screen is always disabled.

  9. Allow users to go directly to SAML SSO IdP Page: Enables skipping Google sign-in and taking users directly to the SAML SSO page.

  10. Allow SAML SSO Cookie transfer into user session on sign-in: Enables transferring the SAML SSO cookie to the user session for subsequent sign-ins.

  11. Configure URLs with access to camera during SAML SSO: List URLs that can access the camera directly during the SAML SSO flow. This accepts comma-separated valid URLs.

  12. Configure query parameter to auto fill username on SAML SSO Page: Configure a query parameter that automatically populates the username field on the SAML SSO page.

  13. Configure SAML SSO URLs with access to device attestation data: Configure URLs that receive a header with the response to device attestation challenge during SAML SSO.

  14. Show numeric keyboard for password entry by default: Enables displaying a numeric keyboard by default on the sign-in and lock screens.

  15. Manifest v2 extension availability on sign-in screen: Controls whether users can access Manifest v2 extensions on the sign-in screen. Choose one of the following options from the drop-down:

    1. Default: Users can access extensions based on individual permissions.

    2. Disable extensions: No extensions are available on the sign-in screen.

    3. Enable all extensions: All extensions are available on the sign-in screen.

    4. Enable only force-installed extensions: Only extensions forcefully installed on the device are available.

  16. Configure URL allow/block list on sign-in & lock screen: Configure URLs to be allowed or blocked on the sign-in and lock screens.

    1. Blocklist URLs: Provide list of URLs to block access to (comma-separated).

    2. Blocklist URL exceptions: URLs exempted from

  17. Sign-In Language: Select the language for sign-in screen

User Level

This section provides detailed information on the configuration options available under the User tab within the Sign-In Settings. These settings control various aspects of user sign-in experience and user account management.

  1. Allow Managed Account to be used as Secondary Account: Enable or disable managed accounts from being used as secondary accounts in a browser session. (Available for Chrome Enterprise only)

  2. Allow View password on login and lock screen: Enable or disable the Display password option on the login and lock screens.

  3. Show Touchpad scroll direction selection during Sign In: Displays or hides the option for users to configure touchpad scroll direction during sign-in.

  4. Show Display size selection during Sign In: Displays or hides the option for users to configure display size during sign-in.

  5. Allow Avatar customization from camera and/or local or Google profile image: Enables or disables users' ability to customize their avatar using the device camera, local files, or Google profile image.

  6. Allow Wallpaper selection from Google Photos: Enables or disables access to Google Photos from the personalization app to set a wallpaper.

  7. Display Sign-Out button in the tray: Enables or disables the display of the Sign-out button for quick access.

Managed Guest

This section provides detailed information on the configuration options available under the Managed Guest tab within the Sign-In Settings. These settings control various aspects of guest mode behavior.

  1. Display logout button in the tray: Enables or disables the display of the Sign-out button for quick access in guest mode.

  2. Display logout dialog on last window close: Enables or disables the display of a logout dialog when the last window is closed in guest mode. If disabled, users will be automatically logged out.


Was this article helpful?

What's Next