App restrictions device policy

You use the App Restrictions device policy to specify allowed or blocked Chrome apps, Android apps running on Chrome OS, and Samsung KNOX apps. If you enable App Runtime for Chrome (ARC) in the Restrictions device policy, you configure Android app restrictions under Android apps in the App Restrictions device policy.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Samsung KNOX settings

Image of Device Policies configuration screen

For each app you want to add to the Allow/Deny list, click Add and then do the following:

  • Allow/Deny: Select whether users are allowed to install the app.
  • New app restriction: Type the app package ID; for example, com.kmdm.af.crackle.
  • Click Save to save the app to the Allow/Deny list or click Cancel to not save the app to the Allow/Deny list.

Chrome app settings

Chrome apps are both apps and extensions.

Image of Device Policies configuration screen

  • App install allowed: A global setting to allow or block the installation of all Chrome apps on Chrome OS devices. If you choose Allowed, you can create a list of specific blocked apps. If you choose Not allowed, you can create a list of specific allowed apps. To do that, click Add under Chrome apps. To use the settings specified in your Chrome account, select Unspecified. Default is Allowed.
  • Chrome apps: To add Chrome apps that are exceptions to your selection for the App install allowed setting, click Add and then specify these settings:

    • App name: A name used to identify an app in the Endpoint Management console.
    • App ID: The unique identifier for a Chrome app. Don’t include the prefix “app:”.

    To look up a Chrome app ID: Go to the Chrome store, https://chrome.google.com/webstore, and search for the app. Click the app to view the URL and app ID in the address bar. The last portion of the address is the app ID. For example, if the URL is https://chrome.google.com/webstore/detail/citrix-intranet/hjacpdaecmilhndcbllidcgaaicdlpff, the app id is “hjacpdaecmilhndcbllidcgaaicdlpff”.

    You can look up Chrome apps only from Chromebook. You can look up Chrome extensions from any platform.

    • App install allowed: Creates an exception to the global setting above. This setting allows or blocks the specified Chrome app.
    • Installed: If On, forces the Chrome app to install for enrolled Chrome OS device users. If Off and an app is installed, the app is uninstalled. If Off and the app is no longer configured by the policy, the app remains installed. Default is Off.
    • Pinned: If On, pins the app to the Chromebook task bar. Default is Off.
    • URL: Specifies the URL from which users can download an app that isn’t hosted in the Chrome Web Store.
    • Extension policy: Defines, in JSON format, the app-specific policy defined by this app. For information, see Manifest for storage areas.

Android app settings

To enable enrolled Chrome OS device users to run Android apps, configure the Restrictions device policy as noted in the next section “Enable enrolled Chrome OS device users to run Android apps.” To configure ARC app restrictions, click Add under Android apps and then specify these settings.

Image of Device Policies configuration screen

  • App ID: A unique app identifier for an Android app running on Chrome OS. For example: com.android.camera. Don’t include the prefix “app:”.

    To look up an Android app ID: Go to the Google Play store, https://play.google.com/store, and search for the app. Click the app to view the app ID in the address bar. The portion after id= is the app ID. For example, if the URL is https://play.google.com/store/apps/details?id=com.citrix.mail, the app id is id=com.citrix.mail.

  • Installed: Specifies whether to force the Android app to install for enrolled Chrome OS device users. If Off and an app is installed, the app is uninstalled. If Off and the app is no longer configured by the policy, the app remains installed. Default is Off.
  • Pinned: If On, pins the Android app to the Chromebook task bar. Default is Off.

Enable enrolled Chrome OS device users to run Android apps

To enable enrolled Chrome OS device users to run Android apps: Go to Configure > Device Policies and add a Restrictions device policy for Chrome OS with the setting Enable App Runtime for Chrome (ARC) enabled.

  • Enable App Runtime for Chrome (ARC): If On, allows enrolled Chrome OS device users to run Android apps. Specify ARC apps in the App Restrictions device policy. Requires G Suite Chrome configuration. ARC isn’t available if either Ephemeral mode or multiple sign-on is enabled in the current user session. If Off, enterprise Chrome OS device users can’t run Android apps. The default is On.

App restrictions device policy