Managed Browser Settings
A set of browser configurations which can be managed via the Google Workspace Admin Console (or Group Policy if you’re brave enough)
A quick heads up, I refer to things as “Shortcodes” in here, though their actual name is “Preference Names”.
Table of Contents
- Browser Reporting
- Chrome Enterprise Connectors
- Chrome Updates
- Content
- Enrollment controls
- Import Settings
- Remote Access
- Security
- Sign-In Settings
- Other Settings
- URL Blocking
Browser Reporting
If you’re managing a Google Workspace instance/tenancy, you’ll want this turned on as it sends logs to your audit and investigation log tool. 3 hours is the fastest frequency.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Managed browser reporting | Enabled managed browser cloud reporting | CloudReportingEnabled | Link |
Managed browser reporting upload frequency | 3 hours | CloudReportingUploadFrequency | Link |
Event Reporting | Enable event reporting | OnSecurityEventEnterpriseConnector | Link |
Chrome Enterprise Connectors
- Hashes are generated for uploaded/downloaded files
- Huge text pastes are analysed for potential PII exfiltration.
- Visits to malicious URLs (w/ the red advisory block screen) are logged + graded on severity.
- Bypasses of that advisory are logged and reported.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Upload content analysis | [More info to come] | OnFileAttachedEnterpriseConnector | Link |
Download content analysis | [More info to come] | OnFileDownloadedEnterpriseConnector | Link |
Bulk text content analysis | [More info to come] | OnBulkDataEntryEnterpriseConnector | Link |
Print content analysis | [More info to come] | OnPrintEnterpriseConnector | Link |
Real time URL check | Chrome Enterprise Premium | EnterpriseRealTimeUrlCheckMode | Link |
Chrome Updates
The goals here are simply:
- Get browsers to update within 48 hours of a release.
- Have Chrome check every 300 mins to see if there’s an update.
- Use a friendly endpoint for checking (cacheable url).
- Use the extended stable channel for stability, given how many updates the Chrome team tends to push on the latest channel (sometimes several a day).
Policy | Setting | Shortcode | URL |
---|---|---|---|
Relaunch notification: Configuration | Show notification recommending relaunch | ??? | Link |
Relaunch notification: Time Period (hours) | 48 | RelaunchHeadsUpPeriod | Link |
Relaunch notification: Initial quiet period (hours) | 4 | RelaunchNotification | Link |
Relaunch notification: Relaunch window start time | 00:00 | RelaunchNotificationPeriod | Link |
Relaunch notification: Relaunch window duration (minutes) | 1440 | RelaunchWindow | Link |
Auto-update check period (minutes) | 300 | ??? | Link |
Cacheable URLs | Attempt to provide cache-friendly download URLs | ??? | Link |
Google updater policy precedence | Cloud Google Updater policy override platform policy | ??? | Link |
Suppress auto-update check: Start Time | 08:30 | ??? | Link |
Suppress auto-update check: Duration (minutes) | 120 | ??? | Link |
Chrome browser updates: Configuration | Allow updates | ??? | Link |
Chrome browser updates: Channel | Extended stable channel | ??? | Link |
Content
Better user experience.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Show “Always Open” checkbox in external protocol dialog | User may select “Always allow” to skip all future confirmation prompts | ExternalProtocolDialogShowAlwaysOpenCheckbox | Link |
Enrollment controls
Populating data about the devices joining your org.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Asset identifier during enrollment | Users in this organization can provide asset ID and location during enrollment | ??? | Link |
Import Settings
Right now this pertains to password imports. The password manager won't be in use (if you follow the rule a few sections below this), but this is a good step to take anyway.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Import saved passwords | Disable import of saved passwords | ImportSavedPasswords | Link |
Remote Access
This is in aid of restricting possible avenues for scammers to get into user workstations. I imagine every org has a desired and standard means of conducting remote support.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Firewall Traversal | Disable firewall traversal | RemoteAccessHostFirewallTraversal | Link |
Remote support connections | Prevent remote support connections | RemoteAccessHostAllowRemoteSupportConnections | Link |
Enterprise remote support connections | Prevent remote support connections from enterprise admins | RemoteAccessHostAllowEnterpriseRemoteSupportConnections | Link |
Security
I believe that every org should have a centralised password solution (see: Bitwarden, 1Password, etc), hence it makes sense to reduce the chance of passwords stored in unknown locations.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Password Manager | Never allow the use of password manager | PasswordManagerEnabled | Link |
Sign-In Settings
This is in aid of securing your data and ensuring that users are not syncing things like history or bookmarks or passwords to a personal gmail account.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Browser sign-in settings | Enable browser sign-in | BrowserSignin | Link |
Separate profile for managed Google Identity | Force separate profile and forbid secondary managed accounts | ManagedAccountsSigninRestriction | Link |
Enterprise profile separation | Enforce profile separation | ProfileSeparationSettings | Link |
Profile separation data migration | Suggest to users to bring their existing data in the managed profile and give them a choice not to | ProfileSeparationDataMigrationSettings | Link |
Other Settings
The logs that are sent are entirely anonymized and are extremely useful for helping the Chromium team resolve issues; I believe there is value in turning this on if you're a Workspace customer. Policy fetching is set to 300 so that, if you push a bad config and realise your mistake, you can roll back before anyone gets it. Backing up Chrome data locally is a general no-no.
Policy | Setting | Shortcode | URL |
---|---|---|---|
Metrics Reporting | Send anonymous reports of usage and crash-related data to Google | MetricsReportingEnabled | Link |
Policy fetch delay | 300 seconds | MaxInvalidationFetchDelay | Link |
Backup of Google Chrome data | Prevent Google Chrome data from being included in backups | AllowChromeDataInBackups | Link |
URL Blocking
This can be configured here, or via the shortcode URLBlocklist.
This section is rather unique since it’ll be a list of URLs rather than a single configurable option.
URL | Reason |
---|---|
https://remotedesktop.google.com | Chrome's Remote Desktop service (needed to get chromeRemoteDesktopAppBlocked to equal true in the device trust connector) |
https://remotedesktop.corp.google.com | Google Internal(?) Chrome Remote Desktop service (also needed to get chromeRemoteDesktopAppBlocked to equal true in the device trust connector) |
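If you also push these settings as a managed-policy JSON file (Linux reads them from /etc/opt/chrome/policies/managed/), the following added checker, written for this page and not part of any Google tooling, audits such a file against the Reporting, Remote Access, Security, Other Settings and URL Blocking tables above. The baseline values are assumptions mapped from the console wording to Chrome's policy types (booleans, and hours for CloudReportingUploadFrequency); the sample policy is constructed with deliberate drift.

```python
import json

# Expected values for the preference names in the tables above. Types follow
# Chrome's policy definitions (booleans; CloudReportingUploadFrequency in hours).
BASELINE = {
    "CloudReportingEnabled": True,
    "CloudReportingUploadFrequency": 3,
    "ImportSavedPasswords": False,
    "RemoteAccessHostFirewallTraversal": False,
    "RemoteAccessHostAllowRemoteSupportConnections": False,
    "RemoteAccessHostAllowEnterpriseRemoteSupportConnections": False,
    "PasswordManagerEnabled": False,
    "AllowChromeDataInBackups": False,
    "MetricsReportingEnabled": True,
}
# Both Remote Desktop URLs from the URL Blocking table must be in URLBlocklist.
REQUIRED_BLOCKED_URLS = {
    "https://remotedesktop.google.com",
    "https://remotedesktop.corp.google.com",
}

def audit_policy(policy: dict) -> list[str]:
    """One finding per deviation from the baseline; an empty list means compliant."""
    findings = []
    for name, want in BASELINE.items():
        if name not in policy:
            findings.append(f"{name}: not set (expected {want!r})")
        elif policy[name] != want:
            findings.append(f"{name}: {policy[name]!r} (expected {want!r})")
    blocked = set(policy.get("URLBlocklist", []))
    for url in sorted(REQUIRED_BLOCKED_URLS - blocked):
        findings.append(f"URLBlocklist: missing {url}")
    return findings

def audit_text(text: str) -> list[str]:
    # Audit the contents of one managed-policy JSON file.
    return audit_policy(json.loads(text))

# Constructed sample with deliberate drift: firewall traversal on, password
# manager on, the enterprise remote-support policy unset, one blocklist URL missing.
SAMPLE_POLICY_JSON = """{
  "CloudReportingEnabled": true, "CloudReportingUploadFrequency": 3,
  "ImportSavedPasswords": false, "RemoteAccessHostFirewallTraversal": true,
  "RemoteAccessHostAllowRemoteSupportConnections": false,
  "PasswordManagerEnabled": true, "AllowChromeDataInBackups": false,
  "MetricsReportingEnabled": true,
  "URLBlocklist": ["https://remotedesktop.google.com"]
}"""
```

Run it against a real file with `audit_text(open(path).read())`; an empty list means the file matches the tables.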