After reading up on Chrome’s enterprise policies, I have identified the most important settings relevant to privacy. If you are building an MDM solution in Europe and want to incorporate privacy by default, these are the settings you want to consider.
MetricsReportingEnabled
Enable reporting of usage and crash-related data
Should be set to false, to prevent reporting of usage and crash-related data to Google.
SpellCheckServiceEnabled
Enable or disable spell checking web service
Should be set to false, to prevent the content of text boxes from being sent to Google. If disabled, one can still use Google’s offline dictionary, so there is no significant reduction in functionality.
SyncDisabled
Disable synchronization of data with Google
Should be set to true, to prevent users from synchronizing user data such as bookmarks and passwords with their private Google accounts. If such services are needed, it is recommended instead to lock Chrome to enterprise G Suite accounts. The synchronization of user data with private accounts can cause data leaks and security issues and, depending on what data the user stores in their browser, conflict with privacy regulations.
SafeBrowsingProtectionLevel
Safe Browsing Protection Level
Should be set to 1, which provides good browser security without sending additional browsing information to Google.
SafeBrowsingExtendedReportingEnabled
Enable Safe Browsing Extended Reporting
Should be set to disabled, to prevent system information and page content from being sent to Google.
BrowserSignin
Browser sign in settings
Should be set to 0, unless you are using enterprise G Suite accounts, in which case you should use the RestrictSigninToPattern setting to restrict sign-in to your organization’s enterprise accounts.
UrlKeyedAnonymizedDataCollectionEnabled
Enable URL-keyed anonymized data collection
Should be set to disabled, to prevent URLs of pages the user visits from being sent to Google.
WebRtcEventLogCollectionAllowed
Allow collection of WebRTC event logs from Google services
Should be set to disabled, to prevent event logs from Google services such as Hangouts Meet from being sent to Google. Disabling this does not cause any issues with functionality.
Enable online OCSP/CRL checks
Should be set to false (which is the default behaviour), for both security and privacy reasons. By default, Chrome uses a regularly downloaded list of revoked certificates to check site authenticity. When this setting is enabled, certificates are instead checked with the certificate authority, which brings additional security issues, and information about the sites users visit is continually transferred to certificate authorities, which is a potential privacy issue.
Even though Google states that the data being transferred is anonymous, leaving these settings enabled can carry a certain risk, as such data could theoretically be subject to a man-in-the-middle attack or be de-anonymized, depending on Google’s implementation and other factors.
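To make the list above concrete, here is an added example (not from the original post, and not an official Google tool) in Python that renders the recommended values as a Chrome managed-policy JSON file and audits a deployed policy file against that baseline. The Linux policy path in the comment and the sample deployment are assumptions; the online revocation-check setting is left out because the text notes that false is already the default.

```python
import json

# Privacy-by-default baseline built from the settings discussed above.
# Policy names and values are the ones the text recommends.
PRIVACY_BASELINE = {
    "MetricsReportingEnabled": False,
    "SpellCheckServiceEnabled": False,
    "SyncDisabled": True,
    "SafeBrowsingProtectionLevel": 1,
    "SafeBrowsingExtendedReportingEnabled": False,
    "BrowserSignin": 0,
    "UrlKeyedAnonymizedDataCollectionEnabled": False,
    "WebRtcEventLogCollectionAllowed": False,
}


def render_managed_policy(baseline=PRIVACY_BASELINE):
    """Return JSON text for a Chrome managed-policy file, e.g. (assumed
    path) /etc/opt/chrome/policies/managed/privacy.json on Linux."""
    return json.dumps(baseline, indent=2, sort_keys=True)


def audit_policy(deployed_json, baseline=PRIVACY_BASELINE):
    """Compare a deployed policy file with the baseline.

    Returns {policy: (expected, actual)} for every deviation. A policy that
    is missing is reported with actual=None, because an unset policy falls
    back to Chrome's default, not to the privacy-preserving value. Types are
    compared strictly: a JSON 0 is not accepted for a boolean false policy.
    """
    deployed = json.loads(deployed_json)
    deviations = {}
    for name, expected in baseline.items():
        actual = deployed.get(name)
        if type(actual) is not type(expected) or actual != expected:
            deviations[name] = (expected, actual)
    return deviations


# Constructed sample of a partially configured deployment: sync is disabled
# and sign-in is blocked, but metrics reporting is still on, Safe Browsing is
# at level 2, and several policies are not set at all.
SAMPLE_DEPLOYED = json.dumps({
    "MetricsReportingEnabled": True,
    "SyncDisabled": True,
    "SafeBrowsingProtectionLevel": 2,
    "BrowserSignin": 0,
})

if __name__ == "__main__":
    print(render_managed_policy())
    for name, (want, got) in sorted(audit_policy(SAMPLE_DEPLOYED).items()):
        print(f"{name}: expected {want!r}, found {got!r}")
```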