According to statistics, the most popular browser nowadays is Google Chrome, but its position in corporate networks is not so strong, and many administrators avoid using Google Chrome in the AD domain network because it is quite difficult to manage and update t from central location. In this article we’ll get acquainted with the administrative templates (admx) of group policies, provided by Google, that allow to manage Chrome settings from central location and make it easier to deploy and use this browser in corporate networks. Also, we will show several typical tasks of managing of the Google Chrome settings using GPO.
Importing Chrome Administrative Templates
The administrative templates of the GPO for Google Chrome are deployed as follows:
- Download and unpack an archive with ADM/ADMX templates of Group Policies for Google Chrome ( http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip the file size is about 13 MB).
- There are two types of group policy templates for Windows OS in the archive: ADM and ADMX (the latter is supported in the OS since Windows Vista / 2008 and above).
- Copy the files of an administrative template to the directory where they are to be stored. If you want group policy templates to be localized, don’t forget to copy the corresponding template file.Note. Local administrative GPO templates are stored in C:\Windows\PolicyDefinitions, but if you are going to use policy templates for Chrome in the Active Directory domain environment, you can save them to the folder of a certain policy (not the best option) or to PolicyDefinitions directory in SYSVOL on the domain controller.
- Suppose, we are going to use the ADMX format of the GPO template and centralized domain storage of policies. Copy chrome.admx file and localization directories to \\woshub.loc\SYSVOL\woshub.loc\Policies\PolicyDefinitions
- Open the Group Policy Management Console (gpmc.msc) and edit any existing policy (or create a new one). Make sure that a new Google folder containing two subsections: Google Chrome and Google Chrome – Default Settings (users can override) appeared both in User and Computer sections of Policies -> Administrative Templates.
Tip. If you are not using the centralized GPO storage, you can add the GPO template for Google Chrome manually. To do it, right-click Administrative Templates and select Add/Remove Templates. In the next window specify the path to chrome.adm file. It is better to specify the path in the UNC format, e. g., like this: \\woshub.loc\SYSVOL\woshub.loc\Policies\{60553A6F-2549-4C9E-B522-D3CF668E56B4}\Adm\chrome.adm
So, we have copied GPO templates for Google Chrome browser. As we mentioned before, the new GPO section contains two subsections: Google Chrome and Google Chrome – Default Settings (users can override). The difference between them is that the settings of the latter section of policies can be changed by users in the browser settings on their computers. The settings of the first section are fixed and even the local administrator won’t be able to change them in the browser.
These administrative templates contain about 260 of different manageable Google Chrome settings. You can explore them yourself and configure the browser settings that are needed in your environment.
It doesn’t make any sense to consider all of them, we’ll only demonstrate basic Chrome settings that are often to be configured in the AD domain environment.
Typical Chrome settings in GPO
Among the useful Chrome settings that you should configure first, you can pay attention to the following policies (note that the ${local_app_data} directory corresponds to the folder %username%\AppData\Local, and ${roaming_app_data} – to \%username%\AppData\Roaming.
- Set disk cache directory – path to the Chrome disk cache (as a rule it is “${local_app_data}\Google\Chrome\User Data”
- Set disk cache size – disk cache size (in bytes)
- Set Google Chrome Frame user data directory – Chrome directory with user settings“${local_app_data}\Google\Chrome\User Data”
- Managed Bookmarks
- Disable Chrome auto-update: Allow Installation: Disable, Update Policy Override: Enable and in the Policy field specify Updates Disable
- Add certain sites to trusted sites list – Policies HTTP Authentication -> Authentication server whitelist
Configuring Proxy Server and Home Page with Chrome GPO
Let’s configure a proxy server: we are interested in the following policy section Google Chrome -> Proxy Server
- proxy server address: ProxyServer – 192.168.123.123:3128
- an exception list for proxy: ProxyBypassList – http://www.woshub.local,192.168.*, *.corp.woshub.local
Locate a home page: Home page -> HomepageLocation – http://woshub.com/
Change the location of the download folder:
Set download directory: c:\temp\Downloads
It remains to link the policy to the desired container (OU) of Active Directory. Apply the group policy to a client by running the command
| gpupdate /force |
Run the browser on the client and make sure that the GPO settings have been applied to its settings (in this screenshot, a user can’t change the values that were set by the administrator).
To display all settings, set by the group policies directly in the Chrome, go to the address Chrome://policy.
In the event that you prevented users from changing these Chrome settings, a message will appear in the browser window: This setting is enforced by your administrator.
T
Automatic installation of Chrome extensions through GPO
With the help of these administrative templates, you can install certain Extensions of Google Chrome for all domain users. To do this, you need to know the ID of the extension and the URL from which the extension is updated.
The Google Chrome Extension ID can be found in the extension parameters in chrome://extensions (developer mode must be enabled).
By ID, you need to find the extension folder in the user profile C:\Users\%Username%\AppData\Local\ Google\Chrome\User Data\Default\Extensions\{id_here}.
In the extension folder find and open the manifest.json file and copy the value of the update_url. Most likely, you will see the following URL: https://clients2.google.com/service/update2/crx.
Now, in the GPO editor console, go to the Computer Configuration -> Policies -> Administrative Templates -> Google -> Google Chrome -> Extensions. Enable the policy Configure the list of force-installed extensions.
Click the Show button and add a line for each extension that you want to install. Use the following format:
{extension_id_here};https://clients2.google.com/service/update2/crx
After applying to the user’s computers, all specified Chrome extensions will be installed in silent mode without interaction with the user.