Chrome Policy API

✓ Official Vendor SpecSecurityComplianceoauth214 EndpointsREST

For Agents

Apply, modify, and resolve Chrome and ChromeOS policies across org units, groups, and printers in a Google Workspace customer.

Quickstart

Get started with Chrome Policy API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"apply a Chrome policy to an org unit"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Chrome Policy API API.

Resolve the effective Chrome policy for a given org unit, group, or printer

Batch-modify policies on multiple org units in a single call to reduce drift windows

Apply group-targeted policies and reorder them when multiple groups affect the same user

Define managed Wi-Fi networks and pin certificates that ChromeOS devices must trust

GET STARTED

Start building with Chrome Policy API API

Explore with Jentic

View OpenAPI Document

Use for: Resolve the effective Chrome policy for an org unit, Apply a Chrome policy to multiple org units at once, Update group priority ordering for conflicting Chrome policies, Define a managed Wi-Fi network for ChromeOS devices

Not supported: Does not read fleet telemetry, manage Workspace users, or push files to devices — use for Chrome and ChromeOS policy resolution and modification only.

The Chrome Policy API lets Workspace administrators read, modify, and orchestrate Chrome and ChromeOS policies across organisational units, groups, and printers programmatically. It supports batch policy modification, group priority ordering for conflicting policies, network and certificate definitions for managed Wi-Fi, and resolution queries that return the effective policy for a given org unit. It is the write counterpart to the Chrome Management API.

Use Cases

Patterns agents use Chrome Policy API API for, with concrete tasks.

★ Bulk Policy Rollout

Workspace admins push a policy change — for example, disabling a specific extension or enforcing a new homepage — across many org units at once via batchModify. The single batched call avoids drift windows where some org units have the new policy and others still hold the old value. The API also supports batchInherit to revert a unit to its parent's policy.

POST /v1/{customer}/policies/orgunits:batchModify with a policy disabling the chrome.urlBlocklist override across three org units.

Managed Wi-Fi Provisioning

IT teams define corporate Wi-Fi networks and trust certificates centrally and the API rolls them out to ChromeOS devices in scope. defineNetwork and defineCertificate handle creation, removeNetwork and removeCertificate handle removal. This eliminates manual provisioning on each device.

POST /v1/{customer}/policies/networks:defineNetwork with a WPA2-Enterprise profile for the corporate SSID and target the engineering org unit.

Group Priority Conflict Resolution

When users belong to multiple Workspace groups whose Chrome policies conflict, admins use updateGroupPriorityOrdering to set the precedence order. listGroupPriorityOrdering returns the current order so changes can be reviewed before commit. This is the recommended way to handle policy fan-out in large organisations.

POST /v1/{customer}/policies/groups:updateGroupPriorityOrdering with the desired ordered list of group ids for the chrome.users.bookmarkBarEnabled policy.

AI Agent Workspace Policy Operator via Jentic

An AI agent through Jentic acts as a junior IT operator — resolving the effective policy for an org unit, applying a policy change after admin confirmation, and verifying the new effective policy. Jentic isolates the Workspace OAuth credentials so the agent never holds the admin refresh token directly.

Through Jentic, search chromepolicy_resolve, load schema, and execute it for org unit /Engineering returning all schemas under chrome.users.*.

Key Endpoints

14 endpoints — the chrome policy api lets workspace administrators read, modify, and orchestrate chrome and chromeos policies across organisational units, groups, and printers programmatically.

METHOD

PATH

DESCRIPTION

POST

/v1/{+customer}/policies:resolve

Resolve the effective policy for a target

POST

/v1/{+customer}/policies/orgunits:batchModify

Modify policies on multiple org units

POST

/v1/{+customer}/policies/orgunits:batchInherit

Inherit policies from parent on multiple org units

POST

/v1/{+customer}/policies/groups:batchModify

Modify policies for multiple groups

POST

/v1/{+customer}/policies/groups:updateGroupPriorityOrdering

Set group priority ordering for a policy

POST

/v1/{+customer}/policies/networks:defineNetwork

Define a managed Wi-Fi network

POST

/v1/{+customer}/policies:resolve

Resolve the effective policy for a target

POST

/v1/{+customer}/policies/orgunits:batchModify

Modify policies on multiple org units

POST

/v1/{+customer}/policies/orgunits:batchInherit

Inherit policies from parent on multiple org units

POST

/v1/{+customer}/policies/groups:batchModify

Modify policies for multiple groups

POST

/v1/{+customer}/policies/groups:updateGroupPriorityOrdering

Set group priority ordering for a policy

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

Google Workspace OAuth credentials with chrome.management.policy scopes are stored encrypted in the Jentic vault (MAXsystem). Agents receive short-lived access tokens — refresh tokens never enter the agent context.

Intent-based discovery

Agents search Jentic by intent (e.g. 'apply a Chrome policy to an org unit') and Jentic returns the orgunits.batchModify operation with its parameter schema.

Time to first call

Direct integration: 2-4 days for OAuth setup, scope review, schema understanding, and policy targeting. Through Jentic: under 1 hour — search, load, execute.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Complementary

Chrome Management API

Read managed-browser and ChromeOS telemetry that informs which policies to change.

Use Chrome Management to read; use Chrome Policy to write changes back to the fleet.

Complementary

Admin SDK

Manage the org units and groups that Chrome Policy targets.

Use Admin SDK to manage directory structure; use Chrome Policy to apply policies to those org units and groups.

Alternative

Android Management API

Applies device policies to Android rather than Chrome browsers and ChromeOS.

Choose Android Management for Android fleets; choose Chrome Policy for Chrome and ChromeOS fleets.

FAQs

Specific to using Chrome Policy API API through Jentic.

What authentication does the Chrome Policy API use?

It requires OAuth 2.0 with the chrome.management.policy or chrome.management.policy.readonly scope on a Workspace super admin or delegated admin. Through Jentic, the credential is stored encrypted in the Jentic vault and the agent receives only short-lived scoped access tokens.

Can I apply a policy to multiple org units at once?

Yes. POST /v1/{customer}/policies/orgunits:batchModify with a list of policy modifications, each targeting a different org unit. The API processes the batch atomically per request and returns per-modification status.

What are the rate limits for the Chrome Policy API?

Google enforces a per-project per-minute quota of around 240 write requests and higher read quotas. Use the batch endpoints (batchModify, batchInherit) to make bulk changes within quota rather than one-policy-at-a-time updates.

How do I resolve the effective policy for an org unit through Jentic?

Use the Jentic search query "resolve Chrome policy for an org unit" to discover the customers.policies.resolve operation, load its schema, and execute it with the customer id, policySchemaFilter, and the target org unit. Run pip install jentic to get started.

Can the Chrome Policy API target individual users?

It targets org units, groups, and printers — not individual users directly. To apply a policy to a single user, place the user in an org unit or group whose policy is configured accordingly.

Is the Chrome Policy API free?

It is included with Chrome Enterprise Upgrade and ChromeOS Enterprise licences. There is no per-call charge from Google for policy resolution and modification.