By Femi | September 24, 2018

As you might have heard, Chrome 69 automatically logs you into the browser when you log into any Google property. As much as I might like Chrome (and Google), I was quite displeased by this particular change: I assume it was in the release notes (that probably a vanishingly small number of Chrome users read), but the rationale that's been given for the change doesn't really make sense, and in any case I really prefer not to have anything synced anywhere. It definitely (for me at least) violated the principle of least astonishment: I can't speak for anyone else but I personally don't expect a routine software upgrade to suddenly start uploading passwords somewhere, or copying my passwords onto any random computer I happen to log into.

As noted in the first article above, the Sync enabled/disabled UI was singularly confusing to me as to what the state of things was, and a careful search (well, about 1 minute) through the Chrome settings pages didn't really shed much more light on exactly how I could guarantee no data gets inadvertently synced. I set out to figure out how I could keep using Chrome but still feel relatively comfortable that Chrome Sync wasn't helpfully distributing my data. After a couple of hours running around I finally got it together thanks to https://www.chromium.org/administrators/policy-list-3.

For OSX, open a terminal window and run:

    defaults write com.google.Chrome SyncDisabled -bool true
    defaults write com.google.Chrome RestrictSigninToPattern -string ".*@example.com"

The first line will disable the Chrome Sync functionality, ensuring nothing gets uploaded to Chrome Sync. The second line will only allow users with example.com email addresses to sign into Chrome: since NO one has an example.com email address that will allow them to log into Google, no one can sign into the browser. Those 2 lines returned my browser bar to its original state: I can log into Gmail without the browser location bar showing my account icon.
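To confirm that both settings took effect, here is an added example (not part of the original post) that reads them back with `defaults read` and checks that the sign-in pattern rejects the account you actually use. The function names and the sample address are made up for illustration, and the check assumes Chrome requires the pattern to match the whole address.

```shell
#!/bin/sh
# Added example: read back the two Chrome policies set above and report
# whether they hold. `defaults read` prints 1 for a true boolean and exits
# non-zero when the key is absent.

DOMAIN="com.google.Chrome"

# Print the stored value of a policy key, or nothing if it is unset.
read_policy() {
    defaults read "$DOMAIN" "$1" 2>/dev/null || true
}

# Return 0 only if sync is disabled AND the sign-in pattern rejects the
# given account address (assumption: the pattern must match the whole address).
check_chrome_lockdown() {
    account="$1"
    rc=0

    sync_val=$(read_policy SyncDisabled)
    if [ "$sync_val" = "1" ]; then
        echo "OK   SyncDisabled is true"
    else
        echo "FAIL SyncDisabled is '${sync_val:-unset}'"
        rc=1
    fi

    pattern=$(read_policy RestrictSigninToPattern)
    if [ -z "$pattern" ]; then
        echo "FAIL RestrictSigninToPattern is unset"
        rc=1
    elif printf '%s\n' "$account" | grep -Eqx -- "$pattern"; then
        echo "FAIL pattern '$pattern' still allows $account"
        rc=1
    else
        echo "OK   pattern '$pattern' rejects $account"
    fi

    return "$rc"
}

# Usage (constructed address): check_chrome_lockdown "me@gmail.com"
```

Chrome also lists the policies it has loaded on its chrome://policy page.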

To get it done on Windows (with or without an Active Domain computer login account), you can use a registry file.

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome]
    "SyncDisabled"=dword:00000001
    "RestrictSigninToPattern"=".*@example.com"

Save the above text to a file disablesync.reg, and double click it (or run reg import disablesync.reg at a command line).

As of Chrome 69, this works. Given the way this transition occurred there is no guarantee that future versions of Chrome will continue to work the same way, but given that Chrome's Enterprise offering probably needs to support restrictions of this kind I'm assuming something similar will continue to be supported.