
Group Policy: Configure Google Chrome Settings with GPO

I. Introduction

This article describes how to configure Google Chrome using Group Policy (ADMX), in order to standardize the browser's configuration across a company's workstations. This is what Google calls Chrome Enterprise.

There are several ways to configure Google Chrome centrally, including Active Directory group policies and Chrome Enterprise Core. The latter is a free cloud management solution that makes it easy to configure registered Google Chrome browsers (token system).

II. How do I download ADMX files from Google Chrome?

Downloading the Google Chrome Administration Templates (ADMX) is not a complicated operation. However, it's not always easy to find where they're hidden... You need to access the Google Chrome Enterprise site (https://chromeenterprise.google) to download them. In principle, if you click on the link below, you should go straight to the download window.

Following this download, you'll get a file named "policy_templates.zip".

If you want to define a Google Chrome update policy via GPO, you'll also need to download the "Update management templates" (right-hand section of the download window), using the ADMX version (not ADM).

III. Integrating Google Chrome ADMX with Active Directory

Chrome's ADMX and ADML files are integrated in the usual way, through the central store (PolicyDefinitions) in your infrastructure's SYSVOL folder. Remember to take both the English and French language files: some ADMX files are not translated, so if you don't take the English files, the GPO editor will report an error when it loads.

The files to be copied are located under "windows\admx" in the ZIP archive. You need to copy the 2 ADMX files, as well as the two directories named "fr-FR" and "en-US".

These files are then copied to the "C:\Windows\SYSVOL\sysvol\it-connect.local\Policies\PolicyDefinitions" directory, on a domain controller. With the administration files integrated, all that remains is to create a GPO to use them.

Note: if you have downloaded the templates for update management, you need to repeat this operation with the contents of the ZIP archive named "googleupdateadmx.zip".
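The copy described above can be scripted. The following PowerShell is an added example, not code from the original article: the ZIP location and working folder are assumptions, the central store path is the one used in this article, and the final check looks for the missing en-US ADML that makes the GPO editor report an error.

```powershell
# Added example: copy the Chrome ADMX/ADML files to the central store, then verify them.
# Assumptions: the ZIP was saved to C:\Temp; run on a domain controller with write access to SYSVOL.
$Zip          = 'C:\Temp\policy_templates.zip'   # assumed download location
$Extract      = 'C:\Temp\policy_templates'       # assumed working folder
$CentralStore = 'C:\Windows\SYSVOL\sysvol\it-connect.local\Policies\PolicyDefinitions'
$Languages    = 'en-US', 'fr-FR'

Expand-Archive -Path $Zip -DestinationPath $Extract -Force
$Source = Join-Path $Extract 'windows\admx'

# Copy the ADMX files located at the root of windows\admx
$Admx = Get-ChildItem -Path $Source -Filter '*.admx' -File
$Admx | Copy-Item -Destination $CentralStore -Force

# Copy the ADML files of each language into the matching central store folder
foreach ($Lang in $Languages) {
    $Target = Join-Path $CentralStore $Lang
    if (-not (Test-Path $Target)) { New-Item -Path $Target -ItemType Directory | Out-Null }
    Get-ChildItem -Path (Join-Path $Source $Lang) -Filter '*.adml' -File |
        Copy-Item -Destination $Target -Force
}

# Verify: every ADMX needs an en-US ADML with the same base name,
# otherwise the GPO editor reports an error when it loads the template.
$Missing = foreach ($File in $Admx) {
    $Adml = Join-Path $CentralStore (Join-Path 'en-US' ($File.BaseName + '.adml'))
    if (-not (Test-Path $Adml)) { "en-US\$($File.BaseName).adml" }
}

if ($Missing) {
    Write-Warning ('Missing ADML files: ' + ($Missing -join ', '))
} else {
    Write-Output "Central store holds $($Admx.Count) ADMX file(s), each with its en-US ADML."
}
```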

IV. Configuring Chrome via GPO

My aim is not to explain each and every one of these settings, because there are so many of them... There are computer settings for Chrome, which are designed to enable in-depth configuration of the browser. These include proxy management and Google Update. There are also settings for users, and in both cases, forced settings and others that the user can modify.

The parameters are divided into several categories located here:

  • Computer or user configuration > Administrative templates > Google

I'd like to point out that under "Google", there are two folders (or three if you've set up the settings for updates):

  • Google Chrome
  • Google Chrome - Default settings (users can override them)

For example, if you force a home page, the user can still set their home page to "New tab" rather than the URL defined in the GPO for the home page, which lets them bypass your configuration. Remember to test your GPO carefully after creating it, so that you can set any additional locks in Chrome.

➡ User configuration > Policies > Administrative templates > Google > Google Chrome > Startup, home page and New Tab page > Configure home page URL

For example:

On the screenshot, you'll notice the icon that appears to the right of the IT-Connect URL. It indicates that this setting is deployed by the company.

Block sites

Although this is no substitute for a network-level filtering system, you can block certain sites (up to 1000 URLs) with a Google Chrome GPO. The setting in question can be found here:

  • Computer configuration > Policies > Administrative templates > Google > Google Chrome > Block access to a list of URLs

Extension management

You can define a blacklist and whitelist of prohibited and authorized extensions, using the settings in the following location.

  • Computer configuration > Policies > Administrative templates > Google > Google Chrome > Extensions

✅ Compatibility mode

These settings also give control over the Legacy Browser Support feature, so that obsolete sites can be opened with another browser, notably Internet Explorer. This is similar to the enterprise mode offered by Microsoft with Microsoft Edge. Of course, you can declare a list of sites to be opened via this mode. All these settings can be found here:

  • Computer configuration > Policies > Administrative templates > Google > Google Chrome > Legacy Browser Support

✅ Disable Password Manager

You can also disable Google Chrome's built-in Password Manager, to prevent your users from saving information in it. This is recommended if you're using another solution.

✅ Deploy favorites

Quite often, when we try to configure a web browser via GPO, it's to set up bookmarks. In particular, it's an opportunity to push the link to your intranet, a partner portal, etc. to your users.
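To test the GPO on a workstation after a gpupdate, you can check where each setting landed in the registry. The following PowerShell is an added example, not code from the original article: it assumes Chrome's documented policy locations (Software\Policies\Google\Chrome for forced settings, its Recommended subkey for the settings users can override) and uses Chrome's policy names for the settings discussed in this section.

```powershell
# Added example: report whether Chrome policies are forced, overridable, or absent.
# Policy names below are Chrome's registry names for the settings covered in this section.
$Names = 'HomepageLocation', 'HomepageIsNewTabPage', 'URLBlocklist',
         'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist',
         'PasswordManagerEnabled', 'ManagedBookmarks'

function Get-ChromePolicyState {
    param([string]$Name)
    foreach ($Hive in 'HKLM:', 'HKCU:') {
        foreach ($Level in 'Mandatory', 'Recommended') {
            $Key = "$Hive\SOFTWARE\Policies\Google\Chrome"
            if ($Level -eq 'Recommended') { $Key = "$Key\Recommended" }
            if (-not (Test-Path $Key)) { continue }
            # Single-value policies are registry values; list policies are subkeys holding values 1, 2, ...
            $Value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -eq $Value -and (Test-Path "$Key\$Name")) {
                $Value = '{0} entries' -f (Get-Item "$Key\$Name").ValueCount
            }
            if ($null -ne $Value) {
                [pscustomobject]@{ Policy = $Name; Hive = $Hive; Level = $Level; Value = $Value }
            }
        }
    }
}

$Report = foreach ($Name in $Names) {
    $State = @(Get-ChromePolicyState -Name $Name)
    if ($State.Count -eq 0) {
        [pscustomobject]@{ Policy = $Name; Hive = '-'; Level = 'Not set'; Value = $null }
    } else { $State }
}
$Report | Format-Table -AutoSize

# The home page case described above: a forced URL with no forced "New tab" choice
$Forced = $Report | Where-Object { $_.Level -eq 'Mandatory' }
if (($Forced.Policy -contains 'HomepageLocation') -and
    ($Forced.Policy -notcontains 'HomepageIsNewTabPage')) {
    Write-Warning 'Home page URL is forced, but users can still choose "New tab" as their home page.'
}
```

A setting that shows up as Recommended, or only under HKCU when you expected a computer policy, is the sign that it was configured in the wrong folder or the wrong half of the GPO.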

V. Conclusion

Now it's up to you to explore the settings offered by Google and configure the ones that suit your needs. There are several hundred of them, so take your time to explore them. I encourage you to disable features that are unnecessary or that you don't want your users to be able to use.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
