Today we need to accept that users need tools to be productive. Some clients asked whether they could manage their Chrome browser, and the simple answer is yes, you can. Together with Conditional Access, you are also securing Chrome. In this blog post I will cover:
- Deploy Chrome Browser
- Conditional Access (Windows 10 Accounts)
- Chrome Management (Extensions (Blacklist & Whitelist), Set Homepage, Disable Developer Tools, Disable password manager)
Prerequisite check
- Working Intune tenant
- Test User and Group
- A licence that includes Intune and Azure AD Premium Plan 1: Microsoft 365 E5 > M365 E3 > Enterprise Mobility + Security E5 > EMS E3 > Intune + Azure AD Premium Plan 1
To begin with, let’s download Chrome for Enterprise and wrap it with the Microsoft Win32 Content Prep Tool so we can take advantage of Delivery Optimization and dependencies if necessary.
- Microsoft Win32 Content Prep Tool –
- Chrome bundle for Windows 64‑bit –
Let’s start by creating the “.intunewin” file with the Win32 Content Prep Tool.
From here you can either go straight on with the parameters as described on GitHub, or just double-click the .exe file and let it guide you. Before you do that, remember to move GoogleChromeStandaloneEnterprise64.msi into the setup folder. It is located at GoogleChromeEnterpriseBundle64.zip\Installers.
Next, open IntuneWinAppUtil.exe and input the following (remember to replace the paths with your own):
Press Enter and let it do its thing. You should now have GoogleChromeStandaloneEnterprise64.intunewin in your “.intunewin” folder. Good job!
Next, upload the “.intunewin” file to Intune. Since we started from an MSI, a lot of the required fields are already filled out.
When the upload is complete we can assign it to our test group and set it as available (remember to test the installation). Next up, let’s do some configuration profiles.
Since we won’t find any UI-based profiles for Google Chrome in Intune, we will use custom profiles with OMA-URI. If you wish to learn OMA-URI, this won’t be the blog post for you; I’m going to prove that we can make Google Chrome managed and use Conditional Access.
To make Conditional Access work with Google Chrome we will need the Windows 10 Accounts extension.
When Chrome for Enterprise has applied any Configuration Profiles it will know that it is managed and show the following:
First, you will have to ingest chrome.admx, found in the same zip file as the MSI: GoogleChromeEnterpriseBundle64.zip\Configuration\admx -> chrome.admx. Open it with Notepad and keep it open.
Next, let’s create a custom profile:
Name: ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data type: String
Value: Paste the chrome.admx you have open in Notepad
Click OK. Now let’s add our extensions: click Add to get a new line and the “Edit Row” dialog with empty fields.
Name: ExtensionInstallForcelist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
Data type: String
Value: <enabled/> <data id="ExtensionInstallForcelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx&#xF000;3&#xF000;cfhdojbkjhnklbpkdaibdccddilifddb;https://clients2.google.com/service/update2/crx&#xF000;4&#xF000;hdokiejnpimakedhajhdlcegeplioahd;https://clients2.google.com/service/update2/crx"/>
Each entry of an ADMX list policy is prefixed with its index (1, 2, 3, ...) and the pieces are separated by &#xF000; (the U+F000 character Intune uses as list delimiter); if the entries are simply run together, the policy will not apply as intended.
Click OK -> assign to the test group.
The following extensions will be installed on the devices in your test group:
- https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji = Windows 10 Accounts
- https://chrome.google.com/webstore/detail/windows-defender-browser/bkbeeeffjjeopflfhgeknacdieedcoml = Windows Defender Browser Protection
- https://chrome.google.com/webstore/detail/adblock-plus-free-ad-bloc/cfhdojbkjhnklbpkdaibdccddilifddb = Adblock Plus
- https://chrome.google.com/webstore/detail/lastpass-free-password-ma/hdokiejnpimakedhajhdlcegeplioahd = LastPass: Free Password Manager
Since we are installing from the Chrome Web Store, the update URL we use is: https://clients2.google.com/service/update2/crx
Blacklist & Whitelist
Using “*” as the only line in our blacklist means no extension is allowed to be installed except the ones on our whitelist, which are also in our ExtensionInstallForcelist above.
Name: ExtensionInstallBlacklist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist
Data type: String
Value: <enabled/> <data id="ExtensionInstallBlacklistDesc" value="1&#xF000;*"/>
Name: ExtensionInstallWhitelist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist
Data type: String
Value: <enabled/> <data id="ExtensionInstallWhitelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml&#xF000;3&#xF000;cfhdojbkjhnklbpkdaibdccddilifddb&#xF000;4&#xF000;hdokiejnpimakedhajhdlcegeplioahd"/>
(As with the force list, every entry is index-prefixed and separated by the &#xF000; delimiter.)
Disable developer tools
Name: Disable Developer Tools
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/DeveloperToolsAvailability
Data type: String
Value: <enabled/> <data id="DeveloperToolsAvailability" value="2"/>
Disable password manager
Name: Disable password manager
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
Data type: String
Value: <disabled/>
Homepage (open Homepage at startup and on New Tab)
We need to give Homepage a value and tell Chrome that the homepage is not the New Tab page, so it uses our value.
Name: Homepage
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
Data type: String
Value: <enabled/> <data id="HomepageLocation" maxLength="1000000" value="nohuman.dk"/>
Name: HomepageIsNewTabPage
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageIsNewTabPage
Data type: String
Value: <disabled/>
Since we also want Chrome to open our “Homepage” at startup, we will use “Open a specific page or set of pages”:
Name: RestoreOnStartupURLs
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs
Data type: String
Value: <enabled/> <data id="RestoreOnStartupURLsDesc" value="1&#xF000;nohuman.dk"/>
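All of the list policies above (ExtensionInstallForcelist, the blacklist and whitelist, and RestoreOnStartupURLs) share one value encoding, and getting it wrong silently leaves Chrome unmanaged for that setting. The following Python helper is an added example, not code from the post, that builds those OMA-URI string values from extension IDs and URLs, rejects malformed extension IDs, and reports force-installed IDs that are missing from the whitelist; the policy `data id` names and the Web Store update URL are the ones used in the post, the validation logic is my own.

```python
import re
from xml.sax.saxutils import escape

# Intune separates the entries of an ADMX-backed list policy with U+F000,
# written inside the XML value as the character reference &#xF000;, and
# every entry is preceded by its 1-based index: 1<sep>entry<sep>2<sep>entry
SEP = "&#xF000;"
CRX_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome Web Store IDs: 32 letters a-p


def check_ext_id(ext_id):
    """Reject anything that is not a well-formed Chrome extension ID."""
    if not EXT_ID.match(ext_id):
        raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    return ext_id


def admx_list_value(data_id, entries):
    """Render the OMA-URI string value for an enabled ADMX list policy."""
    parts = []
    for index, entry in enumerate(entries, start=1):
        safe = escape(entry, {'"': "&quot;"})  # entries land in an attribute
        parts.append(f"{index}{SEP}{safe}")
    return f'<enabled/> <data id="{data_id}" value="{SEP.join(parts)}"/>'


def forcelist_value(ext_ids):
    """ExtensionInstallForcelist entries are 'id;update_url'."""
    entries = [f"{check_ext_id(i)};{CRX_UPDATE_URL}" for i in ext_ids]
    return admx_list_value("ExtensionInstallForcelistDesc", entries)


def whitelist_value(ext_ids):
    return admx_list_value("ExtensionInstallWhitelistDesc",
                           [check_ext_id(i) for i in ext_ids])


def blacklist_value(patterns=("*",)):
    """Blocking '*' denies every extension that is not whitelisted."""
    return admx_list_value("ExtensionInstallBlacklistDesc", list(patterns))


def startup_urls_value(urls):
    return admx_list_value("RestoreOnStartupURLsDesc", list(urls))


def unlisted_forced(force_ids, whitelist_ids):
    """Force-installed IDs absent from the whitelist (the post keeps both equal)."""
    return sorted(set(force_ids) - set(whitelist_ids))
```

Paste the returned string into the Value field of the matching custom OMA-URI profile row; a non-empty result from unlisted_forced means the two extension lists have drifted apart.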
Looking for more OMA-URI policies? Take a look at this GitHub from Per Larsen:
Since we installed “Windows 10 Accounts”, CA will now be applied if we use the following CA policy.
NOTE: it is important that you test any CA policy before you go into prod.
- Name = Grant access IF Compliant or MFA ON All Cloud apps, Browser
- Assignment = Test-Group
- Cloud apps or actions = All Cloud apps
- Conditions = Device platforms > Any device; Device state > All device state, excluding devices marked as compliant; Client apps > Configure > Yes > Select > only “Browser”
- Grant access = Require multi-factor authentication OR Require Device to be marked as compliant