Manage Chrome Browser with Intune

Today we need to accept that users need tools to be productive. Several clients have asked whether they can manage their Chrome browser, and the simple answer is yes, you can. Combined with Conditional Access, you are also securing Chrome. In this blog post, I will cover:

  • Deploy Chrome Browser
  • Conditional Access (Windows 10 Accounts)
  • Chrome management (extension force-install with blacklist & whitelist, set homepage, disable developer tools, disable password manager)

Prerequisites

  • Working Intune tenant
  • Test User and Group
  • A license that includes Intune and Azure AD Premium Plan 1 (Conditional Access needs P1): Microsoft 365 E5, M365 E3, Enterprise Mobility + Security E5, EMS E3, or Intune plus Azure AD Premium Plan 1

To begin with, download Chrome for Enterprise and wrap the MSI with the Microsoft Win32 Content Prep Tool, so the deployment can take advantage of Delivery Optimization and of dependencies if necessary.

Download

Start by creating the “.intunewin” file with the Win32 Content Prep Tool.

Unpack the zip file so you end up with IntuneWinAppUtil.exe, then create two folders next to it: “setup” (source) and “intunewin” (output).

From here you can either run the tool with the parameters described on GitHub, or just double-click the .exe and let it guide you. Before you do that, move GoogleChromeStandaloneEnterprise64.msi into the setup folder. It is located in GoogleChromeEnterpriseBundle64.zip\Installers.

Next, open IntuneWinAppUtil.exe and enter the following (replace the paths with your own):


Please specify the source folder: C:\temp\Intune-Win32-App-Packaging-Tool-master\setup
Please specify the setup file: C:\temp\Intune-Win32-App-Packaging-Tool-master\setup\GoogleChromeStandaloneEnterprise64.msi
Please specify the output folder: C:\temp\Intune-Win32-App-Packaging-Tool-master\intunewin

Press Enter and let it do its thing. You should now have GoogleChromeStandaloneEnterprise64.intunewin in your “intunewin” folder. Good job!

Next, upload the “.intunewin” file to Intune. Since we started from an MSI, most of the required fields are already filled in from the MSI metadata.


https://devicemanagement.microsoft.com/ -> Client Apps -> Add app

Press Add!

When the upload is complete, assign the app to the test group as Available, and test the installation on a device before moving on. Next up: configuration profiles.
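The packaging step above, scripted as an added example (this is not code from the original post or from Microsoft's tool). It verifies the Authenticode signature and signer of the MSI before wrapping it, records its SHA-256 for the change record, and then calls IntuneWinAppUtil.exe with its documented -c/-s/-o/-q parameters instead of the interactive prompts. The folder layout and the expected signer name “Google LLC” are assumptions; compare the signer against what Get-AuthenticodeSignature shows for your download.

```powershell
# Added example: verify the Chrome MSI, then wrap it with IntuneWinAppUtil.exe.
# Paths are assumptions matching the layout used in the post; adjust to your own.
$Root   = 'C:\temp\Intune-Win32-App-Packaging-Tool-master'
$Setup  = Join-Path $Root 'setup'
$Output = Join-Path $Root 'intunewin'
$Msi    = Join-Path $Setup 'GoogleChromeStandaloneEnterprise64.msi'
$Tool   = Join-Path $Root 'IntuneWinAppUtil.exe'

function Test-SignedBy {
    # Returns $true only if the file carries a valid Authenticode signature whose
    # signer certificate CN matches the expected publisher.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSignerCN
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    # SimpleName yields the certificate's CN (e.g. "Google LLC"); $false = subject, not issuer
    $cn = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    return ($cn -eq $ExpectedSignerCN)
}

# Assumption: the Chrome enterprise MSI is signed with a certificate issued to "Google LLC".
if (-not (Test-SignedBy -Path $Msi -ExpectedSignerCN 'Google LLC')) {
    throw "Refusing to package ${Msi}: signature missing, invalid, or not from the expected signer"
}

# Keep the hash with the deployment record so the .intunewin can be traced to this exact binary
Get-FileHash -Path $Msi -Algorithm SHA256 | Format-List Path, Hash

# -c source folder, -s setup file, -o output folder, -q quiet (no prompts)
& $Tool -c $Setup -s $Msi -o $Output -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }
Get-ChildItem -Path $Output -Filter '*.intunewin'
```

Run it from an elevated PowerShell on the packaging workstation; the signature check is the part worth keeping even if you prefer the interactive prompts, because the MSI you wrap is what every device in the assignment group will execute as SYSTEM.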

Configuration Profile

Intune has no UI-based profile for Google Chrome, so we will use custom profiles with OMA-URI settings. If you want to learn OMA-URI itself, this is not the blog post for you; the goal here is to show that Google Chrome can be made managed and used with Conditional Access.

To make Conditional Access work with Google Chrome we need the Windows 10 Accounts extension. It lets Chrome pass the signed-in Azure AD account and the device identity to Azure AD, so device-based grants such as “require device to be marked as compliant” can be satisfied from a Chrome session.

Once Chrome for Enterprise has received any configuration profile, it knows it is managed and shows the following:

First, ingest chrome.admx. It is in the same zip as the MSI: GoogleChromeEnterpriseBundle64.zip\Configuration\admx\chrome.admx. Open it with Notepad and keep it open; the whole file is pasted as the value below.

Next, let’s create a custom profile:

Name: ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data type: String
Value: Paste the entire contents of the chrome.admx you have open in Notepad

Click OK. Now add the extensions: click Add to get a new row and the “Edit Row” form with empty fields.

Name: ExtensionInstallForcelist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
Data type: String
Value: <enabled/> <data id="ExtensionInstallForcelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx&#xF000;3&#xF000;cfhdojbkjhnklbpkdaibdccddilifddb;https://clients2.google.com/service/update2/crx&#xF000;4&#xF000;hdokiejnpimakedhajhdlcegeplioahd;https://clients2.google.com/service/update2/crx"/>

Click OK -> assign to the test group.

The following extensions will be installed on the devices in your test group:

Since we are installing from the Chrome Web Store, the update URL for every entry is https://clients2.google.com/service/update2/crx. Each list item has the form <extension id>;<update URL>. Items are numbered from 1, and the index and the item are separated by &#xF000;, the delimiter Intune uses for ADMX-backed list values.

Blacklist & Whitelist

Using “*” as the only entry in the blacklist blocks every extension except those in the whitelist, which here are the same four IDs as in the force list above. Note that Chrome gives ExtensionInstallForcelist precedence over the blacklist, so the force-installed extensions would be installed even without the whitelist; the whitelist is what allows users to install or keep those extensions themselves. Newer Chrome ADMX templates rename these policies ExtensionInstallBlocklist and ExtensionInstallAllowlist; use the policy names from the chrome.admx you ingested, since the OMA-URI is built from them.

Name: ExtensionInstallBlacklist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist
Data type: String
Value: <enabled/> <data id="ExtensionInstallBlacklistDesc" value="1&#xF000;*"/>
Name: ExtensionInstallWhitelist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist
Data type: String
Value: <enabled/> <data id="ExtensionInstallWhitelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml&#xF000;3&#xF000;cfhdojbkjhnklbpkdaibdccddilifddb&#xF000;4&#xF000;hdokiejnpimakedhajhdlcegeplioahd"/>
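The OMA-URIs and value strings in the profiles above (force list, blacklist, whitelist) all follow from chrome.admx: the path is Chrome~Policy~<category chain>/<policy name>, the data id is the id of the policy's list/enum element, and list values are index/item pairs joined with &#xF000;. The following is an added example, not code from the original post, that derives those pieces from an ADMX file and builds the list values. The $SampleAdmx text is a constructed excerpt that only mimics the structure of chrome.admx; point the function at the real file for the full policy list.

```powershell
# Added example: derive Intune OMA-URIs and data ids from an ADMX file, and build
# the &#xF000;-delimited value string for ADMX list elements.
# $SampleAdmx is a CONSTRUCTED excerpt mimicking chrome.admx, not the real file.
$SampleAdmx = @'
<policyDefinitions revision="1.0" schemaVersion="1.0"
  xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <categories>
    <category name="googlechrome" displayName="$(string.googlechrome)"/>
    <category name="Extensions" displayName="$(string.Extensions)"><parentCategory ref="googlechrome"/></category>
    <category name="PasswordManager" displayName="$(string.PasswordManager)"><parentCategory ref="googlechrome"/></category>
  </categories>
  <policies>
    <policy name="ExtensionInstallForcelist" class="Both" displayName="$(string.ExtensionInstallForcelist)"
      key="Software\Policies\Google\Chrome">
      <parentCategory ref="Extensions"/>
      <elements><list id="ExtensionInstallForcelistDesc" key="Software\Policies\Google\Chrome\ExtensionInstallForcelist"/></elements>
    </policy>
    <policy name="DeveloperToolsAvailability" class="Both" displayName="$(string.DeveloperToolsAvailability)"
      key="Software\Policies\Google\Chrome">
      <parentCategory ref="googlechrome"/>
      <elements><enum id="DeveloperToolsAvailability" valueName="DeveloperToolsAvailability">
        <item displayName="$(string.DeveloperToolsDisallowed)"><value><decimal value="2"/></value></item>
      </enum></elements>
    </policy>
    <policy name="PasswordManagerEnabled" class="Both" displayName="$(string.PasswordManagerEnabled)"
      key="Software\Policies\Google\Chrome" valueName="PasswordManagerEnabled">
      <parentCategory ref="PasswordManager"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-AdmxPolicyOmaUri {
    # For every <policy>, emit the OMA-URI, the data ids a custom profile must use, and the
    # registry key the setting lands in. AppName/SettingType are the {AppName}/{SettingType}
    # segments of the ADMXInstall ingestion URI (Chrome/Policy in this post).
    param(
        [Parameter(Mandatory)][xml]$Admx,
        [string]$AppName = 'Chrome',
        [string]$SettingType = 'Policy'
    )
    $parentOf = @{}
    foreach ($c in @($Admx.policyDefinitions.categories.category)) {
        $parentOf[$c.GetAttribute('name')] = if ($c.parentCategory) { $c.parentCategory.GetAttribute('ref') } else { $null }
    }
    foreach ($p in @($Admx.policyDefinitions.policies.policy)) {
        # Walk the category chain up to the root; the OMA-URI lists it root-first, joined by '~'
        $chain = New-Object System.Collections.Generic.List[string]
        $cat = $p.parentCategory.GetAttribute('ref')
        while ($cat) { $chain.Insert(0, $cat); $cat = $parentOf[$cat] }
        $dataIds = @()
        if ($p.elements) {
            $dataIds = @($p.elements.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
                ForEach-Object { '{0}:{1}' -f $_.LocalName, $_.GetAttribute('id') })
        }
        $dataText = if ($dataIds) { $dataIds -join ', ' } else { '(none: value is <enabled/> or <disabled/>)' }
        [pscustomobject]@{
            Policy   = $p.GetAttribute('name')
            OmaUri   = './Device/Vendor/MSFT/Policy/Config/{0}~{1}~{2}/{3}' -f $AppName, $SettingType, ($chain -join '~'), $p.GetAttribute('name')
            DataIds  = $dataText
            Registry = $p.GetAttribute('key')
        }
    }
}

function New-AdmxListValue {
    # Builds "<enabled/> <data id=... value="1&#xF000;item1&#xF000;2&#xF000;item2"/>".
    # Items are XML-escaped; the delimiter itself must stay as the literal entity.
    param([Parameter(Mandatory)][string]$DataId, [Parameter(Mandatory)][string[]]$Items)
    $delim = '&#xF000;'
    $i = 0
    $pairs = foreach ($item in $Items) {
        $i++
        '{0}{1}{2}' -f $i, $delim, [System.Security.SecurityElement]::Escape($item)
    }
    '<enabled/> <data id="{0}" value="{1}"/>' -f $DataId, ($pairs -join $delim)
}

Get-AdmxPolicyOmaUri -Admx ([xml]$SampleAdmx) | Format-Table -AutoSize

$updateUrl = 'https://clients2.google.com/service/update2/crx'   # Chrome Web Store update URL
$forceList = @("ppnbnpeolgkicgegkbkbjmhlideopiji;$updateUrl")    # Windows 10 Accounts, from the post
New-AdmxListValue -DataId 'ExtensionInstallForcelistDesc' -Items $forceList
New-AdmxListValue -DataId 'ExtensionInstallBlacklistDesc' -Items @('*')
New-AdmxListValue -DataId 'ExtensionInstallWhitelistDesc' -Items @('ppnbnpeolgkicgegkbkbjmhlideopiji')
```

Against the real template use Get-AdmxPolicyOmaUri -Admx ([xml](Get-Content -Raw .\chrome.admx)) and filter on Policy; the DataIds column is the part people usually get wrong, since a list element's id (ExtensionInstallForcelistDesc) differs from the policy name, an enum's id happens to equal it (DeveloperToolsAvailability), and a boolean policy has none at all, which is why PasswordManagerEnabled takes a bare <disabled/>.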

Disable developer tools

Value 2 disallows the developer tools everywhere; 0 would only block them for force-installed extensions, and 1 allows them.

Name: Disable Developer Tools
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/DeveloperToolsAvailability
Data type: String
Value: <enabled/> <data id="DeveloperToolsAvailability" value="2"/>

Disable password manager

PasswordManagerEnabled is a boolean policy with no data element, so the value is just <disabled/>.

Name: Disable password manager
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
Data type: String
Value: <disabled/>

Homepage (open the homepage at startup and on the new tab page)

We give HomepageLocation a value and set HomepageIsNewTabPage to disabled, so Chrome uses our URL instead of the New Tab page. Chrome documents HomepageLocation as a URL, so a full URL with scheme (https://...) is the safe form.

Name: Homepage
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
Data type: String
Value: <enabled/> <data id="HomepageLocation" maxLength="1000000" value="nohuman.dk"/>
Name: HomepageIsNewTabPage
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageIsNewTabPage
Data type: String
Value: <disabled/>

Since we also want Chrome to open our homepage at startup, we use “Open a specific page or set of pages”. RestoreOnStartupURLs only takes effect when the RestoreOnStartup policy (in the same Startup category) is set to 4, “Open a list of URLs”, so configure that policy as well.

Name: RestoreOnStartupURLs
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs
Data type: String
Value: <enabled/> <data id="RestoreOnStartupURLsDesc" value="1&#xF000;nohuman.dk"/>

Go to chrome://policy/ on the device to see all applied policies. A policy that shows an error there usually means the value string was malformed (wrong data id or delimiter), and a policy that is missing entirely usually means the OMA-URI path did not match the ingested ADMX.
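Besides chrome://policy, you can verify from the device side that the profiles above actually landed. ADMX-ingested settings are written to the registry key declared in chrome.admx (HKLM\SOFTWARE\Policies\Google\Chrome), which is where Chrome reads machine policy. The following is an added example, not code from the original post, that checks the settings configured in this post on an enrolled device; the expected values come from the profiles above, and the Windows 10 Accounts extension ID is the first entry of the force list.

```powershell
# Added example: confirm the Chrome policies from this post in the registry on an
# enrolled Windows device. Run as an ordinary user; HKLM\SOFTWARE\Policies is readable.
$Base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$Windows10AccountsId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'   # from the ExtensionInstallForcelist profile

function Get-ChromePolicyList {
    # ADMX list elements are stored as a subkey whose values are named "1", "2", ...
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $Base $Name
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

function Get-ChromePolicyValue {
    # Scalar policies (enum/boolean) are plain values under the base key
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path $Base)) { return $null }
    (Get-ItemProperty -Path $Base -Name $Name -ErrorAction SilentlyContinue).$Name
}

$force = Get-ChromePolicyList -Name 'ExtensionInstallForcelist'
$checks = [ordered]@{
    'Windows 10 Accounts force-installed' = [bool]($force | Where-Object { $_ -like "$Windows10AccountsId;*" })
    'All other extensions blacklisted (*)' = ((Get-ChromePolicyList -Name 'ExtensionInstallBlacklist') -contains '*')
    'Developer tools disallowed (2)'       = ((Get-ChromePolicyValue -Name 'DeveloperToolsAvailability') -eq 2)
    'Password manager disabled (0)'        = ((Get-ChromePolicyValue -Name 'PasswordManagerEnabled') -eq 0)
    'Homepage is not the New Tab page (0)' = ((Get-ChromePolicyValue -Name 'HomepageIsNewTabPage') -eq 0)
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    if (-not $c.Value) { $failed++ }
    '{0,-40} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}
"Failed checks: $failed"
```

A FAIL on every line on a freshly enrolled device normally means the profile has not synced yet (check the MDM diagnostics report or force a sync from Settings > Accounts > Access work or school); a FAIL on a single line points at the value string of that one profile.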

If you are looking for more OMA-URI policies, take a look at this GitHub repository from Per Larsen:
https://github.com/pelarsen/GoogleChromeNIST

Conditional Access

With the “Windows 10 Accounts” extension installed, Chrome can satisfy the device-compliance grant in the following CA policy. Without it, Azure AD cannot see the device from a Chrome session, so even a compliant device falls back to the MFA branch of the grant (or is blocked if no alternative is allowed).

NOTE: it is important to test any CA policy on a pilot group before you put it in production.

  • Name = Grant access IF Compliant or MFA ON All Cloud apps, Browser
  • Assignment = Test-Group
  • Cloud apps or actions = All Cloud apps
  • Conditions = Device platforms > Any device; Device state > All device state, excluding devices marked as compliant; Client apps > Configure > Yes > select only “Browser” (in newer tenants the Device state condition has been retired in favour of Filter for devices, which expresses the same exclusion)
  • Grant access = Require multi-factor authentication OR Require Device to be marked as compliant

Links

https://docs.google.com/spreadsheets/d/1d62txalah9kyEoJPK5hDS2Lo6cwHX7oPVQrm8ROfNHg/edit#gid=0

https://support.google.com/chrome/a/answer/9102677?hl=en

https://cloud.google.com/docs/chrome-enterprise/policies/
