Configure Desk sync

As an admin, you can allow users to switch seamlessly between ChromeOS devices, letting them pick up their work exactly where they left off on another device.

For example, in a healthcare organization, Desk sync is useful for healthcare professionals who use shared devices when they move between patient rooms.

With Desk sync, users can move from one device to another, immediately resuming their previous work environment when they sign in to the device. Arrangement of windows and tabs is preserved. In addition, you can allow users to remain signed in to apps and services across ChromeOS devices by synchronizing their cookies. That way, they don’t have to reauthenticate to individual apps and services each time they switch devices.

Note: Data is only synchronized between devices where the user signs in with their account.

What you need

• Managed users on managed ChromeOS devices with version 139 or later that are enrolled in your organization using Chrome Enterprise Upgrade or Chrome Education Upgrade.
• You use the Admin console to manage devices.
• Chrome sync is turned on for users. For details about using the Admin console to turn on Chrome sync, read about the Chrome Sync (ChromeOS) setting.

Example scenarios

To help configure Desk sync effectively and tailor the user experience within your organization, consider the following example scenarios and recommended environments.

(Recommended) Tabs and cookies are synchronized

When configuring the Desk sync setting, select Launch windows from previous session upon sign-in and Load cookies from the user’s previous session upon sign-in.

• User experience—All tabs are restored. All cookies are shared. No re-authentication is needed.
• Recommended environment—Suitable for all shared device environments with continuous workflows. For example:
  • Clinicians switching between different devices who want to keep a continuous experience. For example, switching from a workstation on wheels to a computer in the office.
  • Hotel reception desk where employees switch devices upon their return if their original device is currently being used by another staff member.

Only open tabs are synchronized

When configuring the Desk sync setting, select Launch windows from previous session upon sign-in and Do not load cookies from the user’s previous session upon sign-in.

• User experience—All tabs restored. However, re-authentication is required for services that are not using Google Identity and do not use the identity provider from the sign-in screen.
• Recommended environment—Suitable for shared device environments with continuous workflows, but reasons to not synchronize identity exist. For example:
  • Instances where users rely solely on Google services or when legal requirements do not allow storage of user authentication data.

Only cookies are synchronized

When configuring the Desk sync setting, select Do not launch windows from previous session upon sign-in and Load cookies from the user’s previous session upon sign-in..

• User experience: User is re-authenticated to the majority of services, especially services that are not authenticated / federated with either Google Identity or using the IdP from the sign-in screen.
• Recommended environment—Shared devices that are used where there is no continued workflow across devices. However, due to the lack of SSO, identity sharing is preferrable. For example
  • Instances where users use external services without an SSO integration where there is no need to reauthenticate after switching devices.

How to

Step 1: Configure Desk sync

Read about the Desk sync setting.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to  Menu  Devices > Chrome > Settings. The User & browser settings page opens by default.

   Requires having the Mobile Device Management administrator privilege.

3. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

   Group settings override organizational units. Learn more

4. Go to Startup.
5. Click Desk sync.
6. (Recommended) Select Launch windows from previous session upon sign-in.
7. (Recommended) Keep users signed in to windows across ChromeOS devices by synchronizing their cookies:
   1. Select Load cookies from the user’s previous session upon sign-in.
   2. (optional) For Blocked domains for cross-device sign-in, specify domain patterns that are blocked when moving cookies from one device to another.
   3. (optional) For Exceptions list for cross-device sign-in, specify domain patterns that are allowed when moving cookies from one device to another, even if they match a pattern specified for Blocked domains for cross-device sign-in.
8. Click Save. Or, you might click Override for an organizational unit.

   To later restore the inherited value, click Inherit (or Unset for a group).

Step 2: Prevent apps from restoring on startup

To avoid policy conflicts, use the Admin console to prevent app restoration on startup. This avoids unexpected behavior for users when Desk Sync restores windows from their previous session's running apps.

Read about the Restore apps on startup setting.

1. Go to Menu  Devices > Chrome > Apps & extensions > User app settings.
2. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

   Group settings override organizational units. Learn more

3. Go to Additional app settings.
4. Click Restore apps on startup.
5. Select Restore all apps and app windows.
6. For desired behavior, select Do not restore.
7. Click Save.

Step 3: (Recommended) Specify default search provider for users

To prevent a search selection dialog from repeatedly appearing at the top of the browser window each time users switch devices, specify the default search provider for users. Otherwise, the dialog continues to appear even if they’ve already selected their preferred search engine on another device.

Read about the Omnibox search provider setting.

1. Go to  Menu  Devices > Chrome > Settings. The User & browser settings page opens by default.

   Requires having the Mobile Device Management administrator privilege.

2. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

   Group settings override organizational units. Learn more

3. Go to Omnibox search provider.
4. Click Omnibox search provider.
5. Specify the default search provider that you want. For example, to use Google as your default search engine, set the following:
   • Omnibox search provider name—Google
   • Omnibox search provider keyword—google
   • Omnibox search provider search URL—{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}
   • Omnibox search provider suggest URL—{google:baseURL}complete/search?output=chrome&q={searchTerms}
6. Click Save. Or, you might click Override for an organizational unit.

   To later restore the inherited value, click Inherit (or Unset for a group).

Step 4: (Recommended) Manage users’ Chrome’s privacy settings for ads

To prevent the Privacy Sandbox prompt from repeatedly appearing in the browser window each time users switch devices, use the Admin console to deactivate the prompt.

Read about the Privacy Sandbox setting.

1. Go to  Menu  Devices > Chrome > Settings. The User & browser settings page opens by default.

   Requires having the Mobile Device Management administrator privilege.

2. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

   Group settings override organizational units. Learn more

3. Go to Security.
4. Click Privacy Sandbox.
5. Select Do not show the Privacy Sandbox prompt to users.
6. Click Save. Or, you might click Override for an organizational unit.

   To later restore the inherited value, click Inherit (or Unset for a group).

Limitations

• Users can maintain only 1 active session on a single device at any given time. If a user signs into a second device without signing out of the first, they will be automatically signed out of the initial device.
• Only a single user session is supported at any given time. Multiple concurrent users are not permitted.
• Multiple desks are not supported. For users who have added desks to organize multiple windows and multi-task, Desk sync restores only the last active desk on the next device that they sign in to.
• Secondary Google accounts are not supported. The secondary Google account itself does not sync. However, if a secondary Google account authenticates using single sign-on (SSO) to other services, then those derived identities might be synced via cookies. For details about blocking users from signing in to secondary accounts, read about the Sign-in to secondary accounts setting.

Privacy disclosure

What data is synchronized?

• (Recommended) Tabs and cookies are synchronized:
  • URLs of open tabs, tab order, tab pinning behavior, tab groups, assignment of tabs to windows, and window positions
  • Persistent cookies
  • Session cookies
• Only open tabs are synchronized:
  • URLs of open tabs, tab order, tab pinning behavior, tab groups, assignment of tabs to windows, window positions
• Only cookies are synchronized:
  • Persistent cookies

Session cookies last only for the browser session. They are typically deleted when users close the browser. Persistent cookies can remain on a user's device for a set time—depending on the website and specific cookie)—even after the browser is closed and reopened.

Note: Data is only synchronized between devices where the user signs in with their account.

How are users made aware?

Users can view privacy disclosures for Open tabs and cookies. Open tabs include URLs of open tabs, tab order, tab pinning behavior, tab groups, assignment of tabs to windows, and window positions.

ChromeOS management disclosure

Given that Desk sync requires admin opt-in, Google informs users about the feature in the Desk sync section and lets them know how they can opt out. For a holistic overview of privacy implying admin configurations, users can visit chrome://management:

1. On a managed ChromeOS device, at the bottom right, click the time.
2. Click the managed device icon .

Chrome browser sync disclosure

To view all their sync data, including Cookies from previous session users can visit chrome.google.com/sync:

1. On a managed ChromeOS device, open Chrome browser.
2. Click More Settings.
3. Click You and GoogleSync and Google services.
4. Under Sync, click Review your synced data.

Cookie and sync disclosure in browser omnibar

To view information about cookie synchronization, in the address bar, users can click View site information Cookies and site data. Users are informed that cookies for this site are synced across their ChromeOS devices. To manage what they sync, they can visit chrome://settings/syncSetup/advanced:

1. On a managed ChromeOS device, open Chrome browser.
2. Click More Settings.
3. Click You and GoogleSync and Google services.
4. Under Sync, click Manage what you sync.

What sync controls do users have?

Users can choose how they want to sync info in Chrome browser. These are per-device settings, meaning they apply only to the specific device where the user is signed in when they make the change.

1. On a managed ChromeOS device, open Chrome browser.
2. Click More Settings.
3. Click You and GoogleSync and Google services.
4. Under Sync, click Manage what you syncSync everything or Customize sync.
5. If you select Customize Sync, you can choose what to sync across all Chrome browsers that you’re logged into.
   1. Turn off Open Tabs to avoid open tabs being synced from this device.
      Note: When you’re signed in to Chrome on another device, under More HistoryYour devices, your history no longer shows pages you’ve visited on this device.
   2. Devices where cookie sync is activated via policy—Turn off Cookies to avoid synchronization of cookie settings from this device.

How long is user data kept?

To ensure privacy, limited retention periods are in place—Cookies are kept for 7 days, while URLs are kept for 30 days.