
Using Managed Browsers with Google Advanced Desktop Security

The Managed Browser feature in the Google Admin console allows you to apply Chrome policies to the Chrome browser on a variety of platforms: Windows, macOS and Linux. These policies are applied by OU and take effect without the user having to turn on "Sync".

I'll go through the specific steps to enrol browsers using Google Advanced Desktop Security, as the Group Policy method is well documented elsewhere.

Deploy the Chrome ADMX template file

Download the Chrome management files from here.

Unzip the package and open the chrome.admx file with Notepad.

Create a new custom OMA-URI Policy in the admin console and apply the following settings:

OMA-URI 

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx

Type = String

Value = copy the entire content of the chrome.admx file into the value field. 

Apply to the root of your domain.

Set a policy to enrol a browser into a specific OU

Create a new custom OMA-URI Policy in the admin console and apply the following settings:

OMA-URI 

./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/CloudManagementEnrollmentToken

Type = String

Value = <enabled/> <data id="CloudManagementEnrollmentToken" value="yourtoken"/>

Apply to the OU you want the browser enrolled to after replacing yourtoken with your own token - see below.

The enrolment token can be generated for any OU by going into Managed Browsers in the admin console, navigating to the OU you want and clicking on the yellow + button. This will generate a token for that specific OU, which you use in place of "yourtoken" in the policy above.

Once enrolled, any Chrome user policies you apply in the admin console to that OU will apply to the Chrome browser on that device. You can also move browsers from one OU to another.
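A pre-flight check for the two custom settings above, as an added example that is not part of the original post: it confirms that the app name used when ingesting the ADMX matches the prefix of the policy URI (Windows builds the policy area name from it), that the value is well-formed XML, and that the placeholder token was replaced. The function name `lint_enrollment_policy` is hypothetical and the token in the demo is constructed.

```python
import re
import xml.etree.ElementTree as ET

# The two OMA-URIs and the value template exactly as given in the post.
INGEST_URI = "./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx"
POLICY_URI = "./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/CloudManagementEnrollmentToken"
TEMPLATE = '<enabled/> <data id="CloudManagementEnrollmentToken" value="yourtoken"/>'

INGEST_RE = re.compile(r"\./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/([^/]+)/Policy/[^/]+")
POLICY_RE = re.compile(r"\./Device/Vendor/MSFT/Policy/Config/([^/~]+)~Policy~[^/]+/([^/]+)")


def lint_enrollment_policy(ingest_uri, policy_uri, value):
    """Hypothetical helper: return a list of problems (empty list means OK)."""
    ingest = INGEST_RE.fullmatch(ingest_uri)
    policy = POLICY_RE.fullmatch(policy_uri)
    if not ingest or not policy:
        return ["OMA-URI does not have the ADMXInstall / Policy/Config shape"]
    problems = []
    app, policy_name = policy.groups()
    # The app name chosen at ingestion becomes the prefix of the policy area.
    if ingest.group(1) != app:
        problems.append(f"app name mismatch: {ingest.group(1)!r} vs {app!r}")
    try:
        # The value is an XML fragment; wrap it in a root element to parse it.
        root = ET.fromstring(f"<v>{value}</v>")
    except ET.ParseError:
        # Typical cause: curly quotes picked up when copying from a web page.
        return problems + ["value is not well-formed XML"]
    if root.find("enabled") is None:
        problems.append("missing <enabled/>")
    data = root.find("data")
    if data is None or data.get("id") != policy_name:
        problems.append(f"<data id> must be {policy_name!r}")
    token = (data.get("value") or "").strip() if data is not None else ""
    if not token or token == "yourtoken":
        problems.append("token is empty or still the placeholder")
    return problems


if __name__ == "__main__":
    # Constructed token value, not a real enrolment token.
    good = TEMPLATE.replace("yourtoken", "EXAMPLE-TOKEN-0000")
    print(lint_enrollment_policy(INGEST_URI, POLICY_URI, TEMPLATE))
    print(lint_enrollment_policy(INGEST_URI, POLICY_URI, good))
```
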

Policy Precedence

There are multiple ways policy can be applied to the Chrome browser, and there is an order of precedence for how they are applied. This order can be set at the OU level in the admin console:

Chrome Profile = policies applied to the user. These only apply if a user turns on "Sync".

Machine Cloud = policies applied to the managed browser using this method.

Machine/OS User = policies applied via Group Policy to either computer or user.

So in the setup I'm using on that OU, if a user turns on Sync they get their user policies. If they don't turn on Sync they get the cloud-deployed policies, and as the browser is in the same OU as the user, these are the same. So the end result is the user gets a managed browser experience whether they like it or not. Turning on Sync allows them to sync their bookmarks.

You could have a machine where you want all users to get the same Chrome policies. In that case, set the precedence on the browser OU to have Machine Cloud above Chrome Profile, and then the Machine Cloud policies will apply to everyone.

The managed browser approach can also be used alongside Active Directory. In this case you apply the token using Group Policy and then do all of your Chrome browser settings via the Google Admin console rather than Group Policy.

 
