Google Chrome - Managed Browser Settings
A set of browser configurations which can be managed via the Google Workspace Admin Console (or Group Policy if you’re brave enough)
A quick heads up, I refer to things as “Shortcodes” in here, though their actual name is “Preference Names”.
Table of Contents
- Browser Reporting
- Content
- Chrome Updates
- Import Settings
- Remote Access
- Security
- Other Settings
- URL Blocking
Browser Reporting
If you’re managing a Google Workspace instance/tenancy, you’ll want this turned on as it sends logs to your audit and investigation log tool. 3 hours is the fastest frequency.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Managed browser reporting | Enabled managed browser cloud reporting | CloudReportingEnabled | Link |
Managed browser reporting upload frequency | 3 hours | CloudReportingUploadFrequency | Link |
Content
Better user experience.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Show “Always Open” checkbox in external protocol dialog | User may select “Always allow” to skip all future confirmation prompts | ExternalProtocolDialogShowAlwaysOpenCheckbox | Link |
Chrome Updates
The goals here are simply:
- Get browsers to update within 24 hours of a release.
- Have Chrome check every 60 mins to see if there’s an update.
- Use a friendly endpoint for checking (cacheable URL).
- Don’t bother users prior to 9:30, so they can get their morning meets done.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Configuration | Show notification recommending relaunch | | Link |
Time Period (hours) | 24 | RelaunchHeadsUpPeriod | Link |
Initial quiet period (hours) | 1 | RelaunchNotification | Link |
Relaunch window start time | 09:30 | RelaunchNotificationPeriod | Link |
Relaunch window duration (minutes) | 720 | RelaunchWindow | Link |
Auto-update check period (minutes) | 60 | | Link |
Cacheable URLs | Attempt to provide cache-friendly download URLs | | Link |
Import Settings
Right now this pertains to password imports. The password manager won’t be working anyway (if you follow the rule a few sections below this), but this is still a good step to take.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Import saved passwords | Disable import of saved passwords | ImportSavedPasswords | Link |
Remote Access
This is in aid of restricting possible avenues for scammers to get into user workstations. I imagine every org has a desired and standard means of conducting remote support.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Firewall Traversal | Disable firewall traversal | RemoteAccessHostFirewallTraversal | Link |
Remote support connections | Prevent remote support connections | RemoteAccessHostAllowRemoteSupportConnections | Link |
Enterprise remote support connections | Prevent remote support connections from enterprise admins | RemoteAccessHostAllowEnterpriseRemoteSupportConnections | Link |
Security
I believe that every org should have a centralised password solution (see: Bitwarden, 1Password, etc), hence it makes sense to reduce the chance of passwords stored in unknown locations.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Password Manager | Never allow the use of password manager | PasswordManagerEnabled | Link |
Other Settings
The logs that are sent are entirely anonymized and are extremely useful for helping the Chromium team resolve issues. I believe there is value in turning this on if you’re a Workspace customer.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Metrics Reporting | Send anonymous reports of usage and crash-related data to Google | MetricsReportingEnabled | Link |
URL Blocking
This can be configured here, or via shortcode URLBlocklist.
This section is rather unique since it’ll be a list of URLs rather than a single configurable option.
URL | Reason |
---|---|
https://remotedesktop.google.com | Chrome’s Remote Desktop service (also needed to get chromeRemoteDesktopAppBlocked to equal true in the device trust connector) |
https://remotedesktop.corp.google.com | Google Internal(?) Chrome Remote Desktop service (also needed to get chromeRemoteDesktopAppBlocked to equal true in the device trust connector) |
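
One way to check an endpoint against the settings on this page, as an added example (not part of the original page). It assumes the applied policies are available as a flat mapping of preference name to value, the layout Chrome's managed policy JSON files use on Linux; `audit_policies`, `BASELINE` and the sample data are illustrative names. The relaunch and update rows are left out because the page does not list a preference name for every one of them.

```python
# Expected values taken from the tables on this page.
BASELINE = {
    "CloudReportingEnabled": True,
    "CloudReportingUploadFrequency": 3,  # hours
    "ExternalProtocolDialogShowAlwaysOpenCheckbox": True,
    "ImportSavedPasswords": False,
    "RemoteAccessHostFirewallTraversal": False,
    "RemoteAccessHostAllowRemoteSupportConnections": False,
    "RemoteAccessHostAllowEnterpriseRemoteSupportConnections": False,
    "PasswordManagerEnabled": False,
    "MetricsReportingEnabled": True,
}
REQUIRED_BLOCKED = ["https://remotedesktop.google.com",
                    "https://remotedesktop.corp.google.com"]

def _norm(url):
    # A blocklist entry without a scheme matches every scheme, so an entry
    # with or without "https://" (or a trailing slash) covers the same site.
    url = url.strip().lower()
    if url.startswith("https://"):
        url = url[len("https://"):]
    return url.rstrip("/")

def audit_policies(policies):
    """Return sorted findings; an empty list means the baseline is met."""
    findings = []
    for name, want in BASELINE.items():
        if name not in policies:
            findings.append(f"{name}: not set (want {want!r})")
            continue
        got = policies[name]
        # Strict type check: the string "false" or the integer 0 must not
        # pass where the baseline expects the boolean False.
        if type(got) is not type(want) or got != want:
            findings.append(f"{name}: is {got!r} (want {want!r})")
    blocked = policies.get("URLBlocklist")
    entries = blocked if isinstance(blocked, list) else []
    have = {_norm(u) for u in entries if isinstance(u, str)}
    for url in REQUIRED_BLOCKED:
        if _norm(url) not in have:
            findings.append(f"URLBlocklist: missing {url}")
    return sorted(findings)

# Constructed sample with deliberate drift, not a real export.
SAMPLE = dict(BASELINE, CloudReportingUploadFrequency=24,
              PasswordManagerEnabled="false",
              URLBlocklist=["remotedesktop.google.com/"])
del SAMPLE["RemoteAccessHostFirewallTraversal"]

if __name__ == "__main__":
    print("\n".join(audit_policies(SAMPLE)) or "baseline met")
```
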