Google Chrome Enterprise Bundle in organization and GPO

About Google Chrome Enterprise Bundle

Google offers a Chrome Bundle for Enterprise that you can download to help with deployment in your organization. On the official Google Chrome Enterprise Bundle page, you can find download links (Windows x64 / x86 / Mac OS X) and more information. The package contains ADM + ADMX files (Administrative Templates for Group Policy Management), documentation and setup files.


Google Chrome silent install deployment

Deployment is easy with this one, since it is an MSI installer. We used the basic command:

msiexec /i "GoogleChromeStandaloneEnterprise.msi" /qn

Of course, you can add anything else you need using the standard MSIEXEC switches.

Group Policy Management Tips and Examples

In our organization, we needed to harden the Google Chrome browser on the client machines. We wanted to open only a limited number of applications with this browser. Some of the policies were not self-explanatory:

Ephemeral Profiles: Google Chrome opens with a temporary profile, and the data (history, cookies, temporary files, etc.) persists on disk only for the length of the user session. When the user closes the browser, all the data is gone.
More about it on the Chromium Administrators page.
To enable it from the policy:
. Open the “Group Policy Management” Console
. Go to:

Domains => your.domain.com => Group Policy Objects

Find your Google Chrome policy object (GPO) here. If you don’t have one, you can create it by right-clicking “Group Policy Objects” => New.

. RightClick your GPO => [Edit]

Group Policy Management Editor will open.

Go to => User Configuration => Policies => Administrative Templates: Policy definitions (ADMX files) => Google (the first one) => Google Chrome
RightClick "Ephemeral profile" => Edit
(*) Enabled
[OK]

Disable Developer Tools: these tools are a security risk in an enterprise environment, as they can give anyone a lot of information and tools.

Group Policy Management Editor => User Configuration => Policies => Administrative Templates: Policy definitions (ADMX files) => Google (the first one) => Google Chrome
RightClick "Control where Developer Tools can be used" => Edit
(*) Enabled
On the left bottom pane choose: [Disallow usage of the Developer Tools]
[OK]

We also wanted to disable the “Preferences”, “Help” and all the other Google pages whose links start with “chrome://”. There is a setting for this that lets you block both external sites and internal URLs. More about it on the Chromium Administrators page.
At the time of writing there was no ADMX available for this setting, only a registry change. Since an ADMX setting was later introduced, the article was updated accordingly. First, we’ll cover the GPO change and then the older method of changing the registry setting.

Changing the Blacklist URL setting through GPO:

Group Policy Management Editor => User Configuration => Policies => Administrative Templates: Policy definitions (ADMX files) => Google (the first one) => Google Chrome
RightClick "Block access to a list of URLs" => Edit
(*) Enabled
On the left bottom pane: Block access to a list of URLs => [Show]
. In a new window in the first row input:
chrome://*
[OK]
[OK]

To change the Blocked URLs setting through Registry:

Open Group Policy Management Editor => User Configuration => Preferences => Windows Settings
RightClick "Registry" => New => Registry Item
[General]
Action: Update
Hive: HKEY_CURRENT_USER
Key Path: SOFTWARE\Policies\Google\Chrome\URLBlacklist
Value name: 1
Value type: REG_SZ
Value data: chrome://*
[OK]

This will block all the internal Chrome links and settings. If you want to block more URLs, each additional registry item gets the next “Value name”: 2, then 3, etc.

If you don’t want Google Chrome to synchronize with the user’s Google account services (like Keep, Gmail, Calendar, etc.) when they are signed in:

Google Chrome => 
Browser sign in settings
(*) Enabled
Browser sign in settings: [Disable browser sign-in]
[OK]
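
To confirm on a client that the hardening settings above actually landed in the user's registry, the following PowerShell check can be run as the targeted user. It is an added example, not part of the original article: the value names ForceEphemeralProfiles, DeveloperToolsAvailability, BrowserSignin and URLBlocklist are Chrome policy names that do not appear on the page, and Test-ChromePolicy is a hypothetical function name.

```powershell
# Added example: audit the per-user Chrome policy values set in this article.
# Run as the targeted user after "gpupdate /force".
$ChromePolicyKey = 'HKCU:\Software\Policies\Google\Chrome'

# Scalar policies and the data the article's choices should produce.
# These value names are Chrome policy names, not taken from the page.
$ExpectedPolicies = [ordered]@{
    ForceEphemeralProfiles     = 1  # "Ephemeral profile" => Enabled
    DeveloperToolsAvailability = 2  # "Disallow usage of the Developer Tools"
    BrowserSignin              = 0  # "Disable browser sign-in"
}

function Test-ChromePolicy {   # hypothetical helper name
    param([string]$Path = $ChromePolicyKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $ExpectedPolicies.Keys) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$name]) { $actual = $props.$name }
        [pscustomobject]@{
            Policy   = $name
            Expected = $ExpectedPolicies[$name]
            Actual   = $actual
            Ok       = ($null -ne $actual -and $actual -eq $ExpectedPolicies[$name])
        }
    }

    # List policies live in a subkey as numbered values (1, 2, 3, ...).
    # URLBlacklist is the key used in the article; URLBlocklist is the newer
    # name of the same policy, so both are read.
    $blocked = @()
    foreach ($list in 'URLBlacklist', 'URLBlocklist') {
        $key = Get-Item -Path (Join-Path $Path $list) -ErrorAction SilentlyContinue
        if ($key) {
            $blocked += @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
        }
    }
    [pscustomobject]@{
        Policy   = 'URLBlacklist / URLBlocklist'
        Expected = 'chrome://*'
        Actual   = ($blocked -join ', ')
        Ok       = ($blocked -contains 'chrome://*')
    }
}

$report = Test-ChromePolicy
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) { Write-Warning 'Chrome policy baseline is not fully applied.' }
```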

Configure Google Chrome Home page on startup

Setting the homepage through GPO is a bit more complicated than the standard homepage setting in most browsers. If you want Google Chrome to show the site “site.org.com” (your organizational intranet site or something else related to your organization) after the user opens the browser:

Google Chrome => Startup, Home page and New Tab page =>
Action on startup
(*) Enabled
Action on startup: [Open New Tab Page]
[OK]

Now let’s configure the “New Tab” URL (of course, in this case every new tab that is opened will show “site.org.com”, which is your organizational site).

Google Chrome => Startup, Home page and New Tab page =>
Configure the New Tab page URL
(*) Enabled
New Tab page URL: site.org.com
[OK]

Another thing we should do is set the action for the “Homepage” button:

Google Chrome => Startup, Home page and New Tab page =>
Use New Tab Page as homepage
(*) Enabled
[OK]

GPO Settings location of Google Chrome and GPO Rollback

As you might already know, Administrative Templates (ADMXs) are easier “presets” for changing (mostly) registry settings of the Windows operating systems. If you set the state of the GPO to “Not configured”, it will not revert the settings that were already applied to the targeted machines. For this you will need to make “backward” changes to the policy for the targeted machines, like changing “Enabled” to “Disabled” and vice versa. Another option is to delete the registry keys that were created by the ADMXs. For “User Configuration” of Administrative Templates, Google stores its settings in the registry in:

HKEY_CURRENT_USER\Software\Policies\Google

So you can revert all the settings in the Group Policy Object to “Not configured”, apply the policy on all the machines and then delete this path by creating a new GPP and applying it to the same targeted machines.

. Create New Object in "Group Policy Objects"
. Call it something like "Google Chrome Enterprise – Rollback"
. RightClick the GPO => Edit
. In the "Group Policy Management Editor" that was opened, go to
User Configuration => Preferences => Windows Settings => RightClick the "Registry" => New => Registry Item
[General] Tab
Action: [Delete]
Hive: HKEY_CURRENT_USER
Key Path: Software\Policies\Google
[OK]

Running Google Chrome in Application Mode from Shortcut

Google Chrome running in Application mode hides all the toolbars and the address bar, showing only the web page itself. This is useful if you have a particular web application in your organization and you don’t want the user to see the address. To use this feature you need to use the “--app” parameter of “chrome.exe”. Full syntax:

"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://application.org.com"

*** It is worth noting that a regular link opened through a Google Chrome shortcut is:

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://application.org.com"

Of course, “https://application.org.com” is the address of your web application. You should add this into the “Target” section of your shortcut. If this web application is part of your organizational user desktop, you can add all these settings for this particular application to the GPP section of a GPO.

. Create New Object in "Group Policy Objects"
. Call it something like "Organization Web Application" with the exact name of your application
. RightClick the GPO => Edit
. In the "Group Policy Management Editor" that was opened, go to
User Configuration => Preferences => Windows Settings => RightClick the "Shortcuts" => New => Shortcut
[General] Tab
Action: [Update]
Name: NameOfYourWebApplication
*** This is the actual name of the web application that will be shown on the icon
Target type: File System Object
Location: Desktop
Target path: %programfiles%\Google\Chrome\Application\chrome.exe
*** %programfiles% is a system variable for "C:\Program Files\"
Arguments: --app="https://application.org.com"
Start in: %programfiles%\Google\Chrome\Application
Shortcut key: None
Run: Maximized
*** We needed to start the app Maximized full screen, you may select whatever your application needs
Icon file path: C:\SomeIcon.ico
*** This is the path for the icon that will be shown in the shortcut
Icon index: 0
[OK]
