Skip to main content

Some frequently asked questions about locking down managed chromebooks

There a number of questions surrounding the management of ChromeOS devices in schools that crop up on a fairly frequent basis. So I thought I'd answer a few of the most common ones here that are not that obvious unless you are in the know.

To do the following, you must have device management licences. Some of these tricks can be achieved using other means through third party add ons - but this is all done with just device management.

Prevent non domain users logging on

In the admin console go to 'Device Management', 'Chrome', 'Device Settings'


Use the above policy to restrict who can sign-in to your devices. Wildcards are allowed as in the example above. This does not stop users signing into a non-domain account once signed into the device.

Prevent users from signing into private accounts or adding accounts once signed in.

In the admin console go to 'Device Management', 'Chrome', 'User Settings'


Use this policy to block two url's:
https://accounts.google.com/AccountChooser
https://accounts.google.com/AddSession

Prevent users from editing any settings at all

Use the same policy as above, but block chrome://settings-frame
This will prevent users from changing network settings, language or any other settings.
This won't prevent them from connecting to other networks - but it does stop them changing the network settings.

If you don't want to go that far and you want to prevent users from attempting to use alternative DNS servers (e.g. Google DNS), then block port 53 both UDP and TCP on your outbound firewall. Which will mean if they switch from your default DNS server (supplied by DHCP), they won't get anything. Just be aware, how this behaves, depends on how your network is configured.

There are policies in the offing to control language settings that will hopefully be available in the next few releases of ChromeOS.

These policies will need applying to appropriate sub-OU's only - typically students. Don't apply them to super-admin accounts!

Popular posts from this blog

Delete a specific email using GAM

If a user send an inappropriate email to a loads of people or get stung by some sort of email exploit you can quickly delete the email from all of the recipients using a GAM command.
Step 1 - get the email header Go into Google Vault and search for the offending user or someone known to have got the message.
Click show details and grab the email ID. This will be a long string of characters followed by @mail.gmail.com
Step 2 - find out who has the email Go into Google Vault and find the original message sent by the offending user. Look at the details to see who got it. Copy the list and dump it into a spreadsheet. Clean up to just a list of emails with a column header 'mail'. Save as a csv file.
Step 3 - delete messages with GAM Put your CSV file in your GAM folder - this e.g. assumes its called mail.csv
Run:
gam csv mail.csv gam user ~mail delete messages query rfc822msgid:MESSAGEIDHERE doit

The alternative nuke option is:
gam all users delete messages query rfc822msgid:MESSAGEI…

How to push bookmarks to users in Chrome via the management console

With the release of Chrome and ChomeOS 37 an update to the management console has arrived that allows you to push bookmarks to users.

Under Device Management > Chrome > User Settings > User Experience you will now find the option to add managed bookmarks.


In the example above, the bookmarks are applied to the sub-OU of 'students' - so all our students will get these bookmarks. Simply add your url and the bookmark name, click the + and save. These will appear in a folder called 'yourdomain bookmarks' - see below:



Be aware that to get these bookmarks applied on a Windows/OS-X device the user must be signed into Chrome. Update: if you install the latest group policy template you can push the bookmarks via policy on PCs - details are given here.
Video Guide:

How to do vertical text in Google Spreadsheet

After many years of waiting, this is now a feature of sheets - so this little hack is no longer needed. Options now are:


One limitation of Google Spreadsheets is the lack of a vertical text option - handy if you have very wordy headings to columns. This is being worked on - but a little work around for now is the use of the following formula:

=ARRAYFORMULA(CONCATENATE((MID( "English Lit"; ROW(INDIRECT("YY1:YY"&LEN( "English Lit" ))); 1)&CHAR(10))))

Don't worry how it works - just copy and paste - change both english lit's to whatever you want.