Administering Brave at your Organization

As enterprises adopt the Brave browser at their workplace, they may require specific controls or configurations to ensure all the devices in their control are following company policy. Granular control for the Brave web browser can be achieved by using Policies.

Brave is built on Chromium and supports all of the policies that Chromium does.
Click here to view the Chromium policy documentation.

In addition to the standard Chromium policies, Brave has its own product specific policies.

This document will cover those Brave-specific policies and also aims to provide platform-specific guidance on how to administer Brave at your organization. 

Windows

Downloading and installing Brave policy templates

The latest Brave Policy Templates are always available for download here from our website here. Before installing the templates, you will need to verify which type of template you can use in your environment. This may depend on the tools and scripts you already have.

Start off by unzipping the policy_templates.zip that was downloaded. 

ADMX/ADML format (recommended)
This is the preferred template format on Windows and this is what you’d use with an MDM (mobile device management) solution. For example, Microsoft has a popular solution called InTune.

Assuming you unzip the policy_templates.zip file to C:\temp, you can find the files needed at:

C:\temp\windows\admx\

Brave.admx has the policy definition and you’d typically install on a device at

%systemroot%\PolicyDefinitions

<locale>\brave.adml has the locale specific part of the policy definition. For example, if your locale is en-US, this file would be en-US\brave.adml and you would install to:

%systemroot%\PolicyDefinitions\en-US

Legacy ADM format

This is an older style for supporting group policy and requires you to open the Windows Group Policy tool to import the policy (gpedit.msc).  You can then propagate this set of policies to other devices in your organization using Active Directory.

Assuming you unzip the policy_templates.zip file to C:\temp, you can find the files needed at

c:\temp\windows\adm\

When you have the Windows Local Group Policy Editor open, right click on Computer Configuration\Administrative Templates, click Add/Remove Templates and Add, and then select windows\adm\en-US\brave.adm from the Zip file. Once you have done this, Administrative Templates\Classic Administrative Templates (ADM) should show a new folder called “Brave”:

Navigate through this folder to see Brave’s various settings.

Registry (for Home Editions)

Group policy is not supported on the Home editions of the Windows operating system. It’s intended for the Professional editions.  However, you still can manage these devices using the registry.

The Zip file also contains an example file, windows\examples\brave.reg, for changing settings via the Windows registry.

Updater settings

Brave is configured to automatically update and (when installed) has an updater executable.

Unfortunately we do not yet have templates for Brave’s updater settings. However, you can customize them similarly to Chrome. Please see Chrome’s documentation. There, you need to edit any .reg, .adm and .admx files with a text editor to replace Software\Policies\Google\Chrome with Software\Policies\BraveSoftware\Brave.

macOS

There are two approaches you can use for administering devices on macOS.

Using an MDM (recommended)

Some popular examples of MDM (mobile device manager) software would be Apple’s business.apple.com solution, Jamf, and Iru (formerly Kandji).  A .mobileconfig file can be generated and then loaded into the MDM software, which then propagates this config to each client device.

Using plist files via the command line

This would require SSH access to each device on the network. We don’t anticipate this as being a popular way of administering machines at a company, but it’s provided for completeness.

If you are on macOS, the policy on your device for Brave is stored in 

 ~/Library/Preferences/com.brave.browser.plist/

You can make edits to this file by editing the file itself (note that this will require using software that allows you to edit these files, such as Xcode). You may also make edits to the .plist file from the macOS  Terminal using the following command:

 defaults write com.brave.Browser -[policy name] [value]

For example, if you want to disable Private browsing windows in Brave, you would run the following command:

defaults write com.brave.Browser IncognitoModeAvailability -integer 1

If the value has an array - like our new BraveShieldsDisabledForUrls value, it will be in the format shown below.

defaults write com.brave.Browser BraveShieldsEnabledForUrls -array "https://twitter.com" "https://www.example.com"

The bundle identifier for Release channel is com.brave.browser. If you’re using Beta or Nightly, this will be different (com.brave.Browser.beta or com.brave.Browser.nightly, respectively). For local builds use com.brave.Browser.development.

Some policies on macOS must be set in a managed environment. 

sudo /usr/libexec/PlistBuddy -c "Add :BraveWalletDisabled bool true" /Library/Managed\ Preferences/com.brave.Browser.plist

And to clear 

sudo /usr/libexec/PlistBuddy -c "Delete :BraveWalletDisabled" /Library/Managed\ Preferences/com.brave.Browser.plist

If your machine is not part of a managed environment, you simply need to create this directory first:

sudo mkdir -p "/Library/Managed Preferences"
sudo chown root:wheel "/Library/Managed Preferences"
sudo chmod 755 "/Library/Managed Preferences"

You like need to run this to see the effect after restarting the browser when using the managed PlistBuddy commands:

sudo killall cfprefsd

Linux

Linux policy for Brave is stored under

/etc/brave/policies/managed/

Note that this directory may not exist after installing Brave. However, you can create this directory using:

mkdir -p /etc/brave/policies/managed/

Once this directory is created, you can drop a file in JSON format into that directory which has the group policies in name/key format, which the browser will then read automatically. The format for policies in the JSON file will be:

{
    "[policy name]": [value]
}

For example, if you want to disable Private browsing windows in Brave, you could have the following in a JSON file called GroupPolicy.json:

{
    "IncognitoModeAvailability": 1
}

If the value has an array - like our new BraveShieldsDisabledForUrls value, it will be in the format shown below. In this example, we have edited our “GroupPolicy.json” file to disable Private window functionality, and disable Brave Shields for a specific list of sites (this is the “array”)

{
    "IncognitoModeAvailability": 1,
    "BraveShieldsDisabledForUrls": [
      "https://twitter.com",
      "https://www.example.com"
  ]
}

Mobile Platforms

Mobile platforms are controlled by an MDM (mobile device manager). 

Android

Click here for information about MDM on Android devices.

All of the policies supported by Chromium are supported in Brave also. Brave has its own policies defined also.

We don’t currently have templates for administering these inside of an MDM.

iOS

Click here for information about MDM on iOS devices.

Devices should be able to make use of the .mobileconfig solution outlined under macOS. However, support is limited.

The following admin policies are supported:
Support the Playlist admin policy on iOS

• Support the Brave VPN admin policy on iOS
• Support the Brave News admin policy on iOS
• Support the Brave Talk admin policy on iOS
• Support the Rewards admin policy on iOS
• Support the AI Chat admin policy on iOS

Is my device managed?

If you were curious if your device is being controlled by your organization, there are a few ways you can check.

1. Check the Main Menu:
   

   A managed device will display Managed by your organization at the bottom of the menu:

2. Visit brave://management to find out. It will tell you if you are managed (yes or no):
   
3. In Brave, you can open the page brave://policy. This will show policies that are in effect.

Brave Specific Policy Settings

In addition to the Windows Group Policy editor, you can set these values via the registry:

Policy descriptions

Here is a breakdown of what each policy controls, categorized by function.

Web3, Crypto, & Rewards

These policies control the cryptocurrency and blockchain features unique to Brave.

BraveRewardsDisabled

Function: Controls the Brave Rewards program (where users earn BAT tokens for viewing privacy-preserving ads).

Effect: If set to true, the Rewards icon is hidden, and users cannot opt into ads or earn cryptocurrency.

BraveWalletDisabled

Function: Controls access to the built-in Brave Crypto Wallet.

Effect: If set to true, the wallet functionality is removed from the UI, preventing users from setting up or accessing the native crypto wallet.

Privacy & Security (Shields & VPN)

These policies manage the browser's defensive capabilities.

BraveShieldsDisabledForUrls

Function: Creates a "Whitelist."

Effect: You provide a list of URLs (websites). Brave Shields (ad and tracker blocking) will be automatically turned off for these specific sites. Useful for internal company tools that might break when trackers are blocked.

BraveShieldsEnabledForUrls

Function: Creates a "Blacklist" enforcement.

Effect: Ensures Shields are always turned on for the listed URLs, preventing the user from disabling them.

BraveVPNDisabled

Function: Controls the integration of the paid Brave VPN service.

Effect: If set to true, the VPN button and subscription options are removed from the browser interface.

AI & Content Features

These policies manage the extra tools and content feeds integrated into the browser.

BraveAIChatEnabled

Function: Controls "Leo," Brave's built-in AI assistant.

Effect: If set to false, the AI chat button in the sidebar and the address bar integration are disabled.

BraveNewsDisabled

Function: Controls the Brave News feed that appears on the New Tab Page.

Effect: If set to true, the Brave News feed is completely removed, usually resulting in a cleaner, faster-loading New Tab Page.

BravePlaylistEnabled

Function: Controls the Brave Playlist feature (which allows users to save video/audio from the web for offline playback).

Effect: Setting this to false disables the feature.

BraveSpeedreaderEnabled

Function: Controls Speedreader mode (which strips clutter/CSS from articles).

Effect: Enables or disables the automatic suggestion to switch to reader mode on compatible article pages.

BraveTalkDisabled

Function: Controls Brave Talk (the browser's private video conferencing tool).

Effect: If set to true, the widget and option to start a Brave Talk call are removed.

BraveWaybackMachineEnabled

Function: Controls the Internet Archive integration.

Effect: When enabled, if you encounter a "404 Page Not Found" error, Brave will ask if you want to view a saved version of the page from the Wayback Machine. Disable this to not be asked.

Telemetry, Analytics, & Sync

These policies control what data the browser sends back to Brave Software.

BraveP3AEnabled

Function: Stands for Privacy-Preserving Product Analytics.

Effect: Controls whether the browser sends anonymous usage data to Brave to help them improve the product. Enterprise environments often disable this.

BraveStatsPingEnabled

Function: Controls the basic "heartbeat" ping.

Effect: This is a very lightweight signal used to count active daily/monthly users. Disabling this stops the browser from announcing its presence to Brave's update servers.

BraveWebDiscoveryEnabled

Function: Controls the Web Discovery Project.

Effect: If enabled, the browser anonymously contributes data to help build the Brave Search index (helping Brave Search become independent of Google/Bing).

BraveSyncUrl

Function: Configures the Sync server location.

Effect: By default, Brave syncs to Brave's public servers. This policy allows an enterprise to force the browser to sync to a custom, self-hosted sync server instead, keeping data entirely within a private network.