
Using Managed Browsers with Google Advanced Desktop Security

The Managed Browser feature in the Google Admin console allows you to apply Chrome policies to the Chrome browser on Windows, macOS and Linux. The policies are applied per OU and take effect without the user having to turn on "Sync".

I'll go through the specific steps to enrol browsers using Google Advanced Desktop Security, as the Group Policy method is well documented elsewhere.

Deploy the Chrome ADMX template file

Download the Chrome management files from here.

Unzip the package and open the chrome.admx file in Notepad.

Create a new custom OMA-URI Policy in the admin console and apply the following settings:

OMA-URI 

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx

Type = String

Value = paste the entire content of the chrome.admx file into the value field.

Apply to the root of your domain.

Set a policy to enrol a browser into a specific OU

Create a new custom OMA-URI Policy in the admin console and apply the following settings:

OMA-URI 

./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/CloudManagementEnrollmentToken

Type = String

Value = <enabled/> <data id="CloudManagementEnrollmentToken" value="yourtoken"/>

Apply to the OU you want the browser enrolled in, after replacing yourtoken with your own token (see below).

The enrolment token can be generated for any OU by going into Managed Browsers in the admin console, navigating to the OU you want and clicking on the yellow + button. This generates a token for that specific OU, which you use in place of "yourtoken" in the policy above.
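As an added example (not from this post, and not Google's or Microsoft's code), a small Python helper that derives the OMA-URI and the `<enabled/> <data .../>` value from the ADMX definition itself, so the category path, policy class and data id are checked against the file rather than typed by hand. The embedded ADMX is a constructed fragment modelled on the layout of chrome.admx; `build_oma_uri` and `build_value` are names chosen here, and the helper assumes the `~` path is built only from categories defined in the ingested file, which matches the URI used in this post.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed fragment that mimics chrome.admx (NOT the real file); googlechrome's parent
# category lives in google.admx (the "Google:" prefix), a file that is not ingested.
ADMX = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <categories>
    <category name="googlechrome"><parentCategory ref="Google:Cat_Google"/></category>
    <category name="RemoteAccess"><parentCategory ref="googlechrome"/></category>
  </categories>
  <policies>
    <policy class="Machine" name="CloudManagementEnrollmentToken"><parentCategory ref="googlechrome"/>
      <elements><text id="CloudManagementEnrollmentToken" valueName="CloudManagementEnrollmentToken"/></elements></policy>
    <policy class="Both" name="RemoteAccessHostFirewallTraversal"><parentCategory ref="RemoteAccess"/></policy>
  </policies>
</policyDefinitions>"""
NS = {"p": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}

def _index(admx_xml):
    root = ET.fromstring(admx_xml)
    cats = {c.get("name"): c for c in root.findall("p:categories/p:category", NS)}
    pols = {p.get("name"): p for p in root.findall("p:policies/p:policy", NS)}
    return cats, pols

def category_path(cats, ref):
    """Walk parentCategory refs to the top of this file; the URI joins them top-down with '~'."""
    chain = []
    while ref is not None and ":" not in ref:  # a prefixed ref points into another ADMX file
        chain.append(ref)
        parent = cats[ref].find("p:parentCategory", NS)
        ref = parent.get("ref") if parent is not None else None
    return "~".join(reversed(chain))

def build_oma_uri(admx_xml, app_name, policy_name, scope="Device"):
    """app_name is the name used in the ADMXInstall URI (the post uses 'Chrome')."""
    cats, pols = _index(admx_xml)
    pol = pols[policy_name]  # KeyError beats a mistyped policy that silently never applies
    cls = pol.get("class")
    if (scope, cls) in (("Device", "User"), ("User", "Machine")):
        raise ValueError(f"{policy_name} is class={cls}; it cannot be delivered under ./{scope}")
    cat = category_path(cats, pol.find("p:parentCategory", NS).get("ref"))
    return f"./{scope}/Vendor/MSFT/Policy/Config/{app_name}~Policy~{cat}/{policy_name}"

def build_value(admx_xml, policy_name, **data):
    """Emit the <enabled/> <data .../> payload, refusing data ids the ADMX does not define."""
    _, pols = _index(admx_xml)
    ids = {e.get("id") for e in pols[policy_name].findall("p:elements/*", NS)}
    if set(data) - ids:
        raise ValueError(f"ids not defined for {policy_name}: {sorted(set(data) - ids)}")
    return " ".join(["<enabled/>"] + [f"<data id={quoteattr(k)} value={quoteattr(str(v))}/>" for k, v in data.items()])
```

Run it against the real chrome.admx by reading the file into `ADMX`; a policy nested under a sub-category (like the RemoteAccess one in the fragment) gets the longer `googlechrome~RemoteAccess` path that is easy to get wrong by hand.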

Once enrolled, any Chrome user policies you apply in the admin console to that OU will apply to the Chrome browser on that device. You can also move browsers from one OU to another.

Policy Precedence
There are multiple ways policy can be applied to the Chrome browser, and there is an order of precedence for how they are applied. This order can be set at the OU level in the admin console:
Chrome Profile = policies applied to the user. These only apply if a user turns on "Sync"
Machine Cloud = policies applied to the managed browser using this method
Machine/OS User = policies applied via Group Policy to either computer or user

So in the setup I'm using on that OU, if a user turns on Sync they get their user policies. If they don't turn on Sync they get the cloud-deployed policies, and as the browser is in the same OU as the user these are the same. So the end result is the user gets a managed browser experience whether they like it or not. Turning on Sync allows them to sync their bookmarks.

You could have a machine where you want all users to get the same Chrome policies. In that case set the precedence on the browser OU so that Machine Cloud is above Chrome Profile, and the machine cloud policies will then apply to everyone.

The managed browser approach can also be used alongside Active Directory. In this case you apply the token using Group Policy and then do all of your Chrome browser settings via the Google Admin Console rather than Group Policy.

I've previously posted about the ability to manage Windows PCs in the Google Admin Console. However, what if you are still managing your PCs via local active directory, but use Google Workspace for most things? Well you can have your cake and eat it - you just need to use  Google Credential Provider for Windows  and do a few configurations. Step 1 - update your users on the Google Admin Console You need to add a custom attribute to all of your users (at least those who use PCs) on the Google Admin console to link them with their local AD account. So you need to create a custom attribute in the Google admin console and populate this with the AD windows user details: The custom attribute you need is Enhanced_desktop_security and the field is AD_accounts. Detailed instructions can be found here . You can auto populate this field using GADS (Google Apps Directory Sync) if you use this to auto provision your accounts in Google from AD. Alternatively, you can populate them in bulk with a