Google Chrome - Managed Browser Settings

A set of browser configurations which can be managed via the Google Workspace Admin Console (or Group Policy if you’re brave enough)

A quick heads up, I refer to things as “Shortcodes” in here, though their actual name is “Preference Names”.

Browser Reporting
Content
Chrome Updates
Import Settings
Remote Access
Security
Other Settings
URL Blocking

Browser Reporting

If you’re managing a Google Workspace instance/tenancy, you’ll want this turned on as it sends logs to your audit and investigation log tool. 3 hours is the fastest frequency.

Policy	Setting	Shortcode	URL
Managed browser reporting	Enabled managed browser cloud reporting	CloudReportingEnabled	Link
Managed browser reporting upload frequency	3 hours	CloudReportingUploadFrequency	Link

Content

Better user experience.

Policy	Setting	Shortcode	URL
Show “Always Open” checkbox in external protocol dialog	User may select “Always allow” to skip all future confirmation prompts	ExternalProtocolDialogShowAlwaysOpenCheckbox	Link

Chrome Updates

The goals here are simply:

Get browsers to update within 24 hours of a release.
Have Chrome check every 60 mins to see if there’s an update.
Use a friendly endpoint for checking (cacheable url).
Don’t bother users prior to 9:30, so they can get their morning meets done.

Policy	Setting	Shortcode	URL
Configuration	Show notification recommending relaunch		Link
Time Period (hours)	24	RelaunchHeadsUpPeriod	Link
Initial quiet period (hours)	1	RelaunchNotification	Link
Relaunch window start time	09:30	RelaunchNotificationPeriod	Link
Relaunch window duration (minutes)	720	RelaunchWindow	Link
Auto-update check period (minutes)	60		Link
Cacheable URLs	Attempt to provide cache-friendly download URLs		Link

Import Settings

Right now this pertains to password imports, the password manager isn’t working (if you follow the rule a few sections below this) but this is a good step to take anyway.

Policy	Setting	Shortcode	URL
Import saved passwords	Disable import of saved passwords	ImportSavedPasswords	Link

Remote Access

This is in aid of restricting possible avenues for scammers to get into user workstations. I imagine every org has a desired and standard means of conducting remote support.

Policy	Setting	Shortcode	URL
Firewall Traversal	Disable firewall traversal	RemoteAccessHostFirewallTraversal	Link
Remote support connections	Prevent remote support connections	RemoteAccessHostAllowRemoteSupportConnections	Link
Enterprise remote support connections	Prevent remote support connections from enterprise admins	RemoteAccessHostAllowEnterpriseRemoteSupportConnections	Link

Security

I believe that every org should have a centralised password solution (see: Bitwarden, 1Password, etc), hence it makes sense to reduce the chance of passwords stored in unknown locations.

Policy	Setting	Shortcode	URL
Password Manager	Never allow the use of password manager	PasswordManagerEnabled	Link

Other Settings

The logs that are sent are entirely anonymized and are extremely useful for helping the chromium team resolve issues. I believe there is value in turning this on if you’re a workspace customer.

Policy	Setting	Shortcode	URL
Metrics Reporting	Send anonymous reports of usage and crash-related data to Google	MetricsReportingEnabled	Link

URL Blocking

This can be configured here, or via shortcode URLBlocklist.

This section is rather unique since it’ll be a list of URLs rather than a single configurable option.

URL	Reason
`https://remotedesktop.google.com`	Chromes Remote Desktop service (also needed to get `chromeRemoteDesktopAppBlocked` to equal `true` in the device trust connector)
`https://remotedesktop.corp.google.com`	Google Internal(?) Chrome Remote Desktop service (also needed to get `chromeRemoteDesktopAppBlocked` to equal `true` in the device trust connector)