AlwaysOnVpnPreConnectUrlAllowlist

This policy only applies to browser traffic; the Play Store, Android apps web navigation and other user traffic like Linux VM traffic or print jobs, still honor the restrictions imposed by the Always-on VPN. This policy is only enforced while the VPN is not connected and only for user browser traffic. While this policy is enforced, system traffic can also bypass the Always-on VPN to perform tasks like policy fetches and synchronizing the system clock. Use this policy to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at https://support.google.com/chrome/a?p=url_blocklist_filter_format. The most specific filter determines if a URL is blocked or allowed. If the AlwaysOnVpnPreConnectUrlAllowlist is set, an Always-on VPN is configured and the Always-on VPN is not connected, navigation to all hosts is blocked, except for those allowed by the AlwaysOnVpnPreConnectUrlAllowlist policy. In this device state, the URLBlocklist and URLAllowlist are ignored. When the Always-on VPN connects, the URLBlocklist and URLAllowlist policies are applied and the AlwaysOnVpnPreConnectUrlAllowlist policy is ignored. This policy is limited to 1,000 entries. Leaving the policy unset prevents any browser navigation while the Always-on VPN with strict mode is active and the VPN is not connected.