Chrome Config




From inthecloud247.com (Peter Klapwijk)


Google Chrome can be managed using a custom configuration policy for Windows 10. The policy consists of two parts. The first part is used to deploy the Chrome ADMX file to the Intune managed device. The second part of the policy is used to manage the settings of choice.

Deploy the Chrome ADMX file

The Chrome ADMX file can be downloaded as part of the Chrome Enterprise bundle. After downloading the bundle, locate the ADMX file and open it with a text editor.

Now open a browser to sign-in to the Microsoft Intune portal.

  • Sign-in to the Device Management Portal
  • Browse to Devices – Windows
  • On the Configuration Profiles tab click Create profile
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Choose Windows 10 as Platform
  • Choose Custom as Profile type
  • Click the Settings tab
  • Click Add

With this row we deploy the ADMX file to the Windows 10 device. As you can see the OMA-URI contains ADMXInstall.
More information on how the OMA-URI is built up, and complementary information about ADMX-backed policies, can be read in this article on Microsoft Docs.

Enter the information below in the policy:
Name: Chrome ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data Type: String
Value: Copy the entire content of the ADMX file into the value field
Click OK twice and click Create.

The policy to deploy the ADMX file is ready. In the next steps we add the settings we manage with Intune to the same policy.

How to build up the OMA-URI

As with deploying the ADMX file, for the settings to manage we also need to know the OMA-URI which we need to use. But the OMA-URI for managing the settings consists of some information we need to collect ourselves from the Chrome ADMX file.

This is, for example, the OMA-URI to manage the Homepage Location:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
Let's split up the OMA-URI into separate parts.
This is the default for managing applications using an ADMX file:
./Device/Vendor/MSFT/Policy/Config/
The part that comes next is not always the same; we need to follow some rules:
/Chrome~Policy~googlechrome~Startup/
It starts with Chrome (the ADMX file name), like in the ADMXInstall URI, followed by Policy. Between every part we have the ~ sign.
After Policy we see the names of two categories. These categories can be found in the Chrome ADMX file.
When we open the ADMX file in a text editor, we can see there are several categories. The first category we find in the ADMX file is the top category, and as we can see that is googlechrome. We put this in the OMA-URI after Policy.

If we search for the actual policy we want to control, in this case HomepageLocation, we also find there is a category mentioned for that policy. It is the parentCategory of HomepageLocation, Startup.
So Startup is the next part of our OMA-URI.


The last part of our OMA-URI is the actual policy name, in this case HomepageLocation. If we put all this information together, we have our OMA-URI.
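The lookup described above can be done programmatically instead of by reading the ADMX file by hand. The following is an added example, not code from the original post: it walks the parentCategory chain of a policy and assembles the OMA-URI. The ADMX fragment is constructed sample input, and the function names and the rule of ignoring a parent category that the file does not define are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed ADMX fragment, shaped like the parts of the Chrome ADMX file the
# post reads by hand. It is sample input, not a copy of the real file.
SAMPLE_ADMX = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <categories>
    <category name="googlechrome"><parentCategory ref="Other:External"/></category>
    <category name="Startup"><parentCategory ref="googlechrome"/></category>
  </categories>
  <policies>
    <policy name="HomepageLocation"><parentCategory ref="Startup"/>
      <elements><text id="HomepageLocation" valueName="HomepageLocation"/></elements>
    </policy>
    <policy name="ShowHomeButton"><parentCategory ref="Startup"/></policy>
  </policies>
</policyDefinitions>"""

def _local(tag):
    """Tag name without the XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def _parent_ref(element):
    """The ref of an element's <parentCategory> child, or None."""
    return next((c.get("ref") for c in element if _local(c.tag) == "parentCategory"), None)

def describe_policy(admx_xml, policy_name, admx_name="Chrome"):
    """Return (OMA-URI, data ids) for one policy defined in an ADMX document."""
    root = ET.fromstring(admx_xml)
    parents, policy = {}, None
    for el in root.iter():
        if _local(el.tag) == "category":
            parents[el.get("name")] = _parent_ref(el)
        elif _local(el.tag) == "policy" and el.get("name") == policy_name:
            policy = el
    if policy is None:
        raise KeyError(f"policy {policy_name!r} not found in ADMX")
    # Walk from the policy's category up to the top category of this file.
    # Assumption: a parent that this file does not define is not part of the URI.
    chain, cat = [], _parent_ref(policy)
    while cat in parents and cat not in chain:
        chain.append(cat)
        cat = parents[cat]
    area = "~".join([admx_name, "Policy", *reversed(chain)])
    data_ids = [e.get("id") for c in policy if _local(c.tag) == "elements" for e in c]
    return f"./Device/Vendor/MSFT/Policy/Config/{area}/{policy_name}", data_ids

if __name__ == "__main__":
    print(describe_policy(SAMPLE_ADMX, "HomepageLocation"))
```

An empty list of data ids means the policy can only be enabled or disabled; a non-empty list names the ids that must appear in the value.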

Manage Startup, Home page and New Tab page settings

We start with managing the settings in the Startup, Home page and New Tab page section. These are things like controlling the Homepage Location and showing the Home Button.

We have already seen how to build the OMA-URI for the policy HomepageLocation, so let's start with that one. The Data type for these settings is always String. Then we only need to know what our Value is.

The value starts with <enabled/> (or <disabled/> if you would like to disable a setting).
If we have a setting which can only be set to enabled or disabled, then that's the whole value.

But for Homepage Location, we need to set the actual homepage location. In this case <enabled/> is followed by a data id. The data id is found again in the ADMX file; in the example below it is the text id, HomepageLocation.
Lastly, we need to set a value for the valueName. This is the homepage location (which needs to start with http/https, information which you can find when running GPeditor).

Switch over to the Intune portal.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • Fill in the OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
  • Data type: String
  • Value:
  • Click OK

That's it! We have managed our first Google Chrome setting using Microsoft Intune.

The next example is the Homepage Is New Tab Page policy. Open the Chrome ADMX file and search for HomepageIsNewTabPage. With the information found in the ADMX file we can create the OMA-URI. As you can see in the screenshot we only have the option to enable or disable the policy, no id or value. I set the policy to disabled.

Switch to the Intune portal and add a new row to the custom policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageIsNewTabPage
  • Data type: String
  • Value: <disabled/>

I want to show the Home Button in the Chrome browser. In the ADMX file we can see again we have only the options to enable or disable the setting.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/ShowHomeButton
  • Data type: String
  • Value: <enabled/>

The next thing I want to control is the startup behavior. I want a website to open when Chrome is started. This can be achieved by setting the Restore On Startup to load a website (or multiple) and specifying a URL. But the solution consists of two policies.
The first one is RestoreOnStartup.

If we take a look at the ADMX file we see there are multiple options to configure, which correspond to numbers. If we want to show a website on startup, we need to set the value to 4.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartup
  • Data type: String
  • Value:

The next setting is to specify one or multiple URLs to show on startup, which is done with the policy RestoreOnStartupURLs.
Have a look at the list id: this time the id is not similar to the policy name.

The value for this policy is not just a URL, as was the case with HomepageLocation. Because you can specify multiple URLs in the policy, the URLs need to be separated with the (encoded) unicode character &#xF000, as is also the case when managing some settings for Internet Explorer. The URLs also need to be numbered, 1, 2, 3, etc., even if you only specify one URL.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs
  • Data type: String
  • Value:

Manage the Password Manager

We have seen some examples in the Startup, Home page and New Tab page settings category, so let's move to another category: PasswordManager.


By reading the article this far, you probably now know how to get the required information from the Chrome ADMX file. But for those of you who just found the article to manage the Password Manager in Chrome, just have another look at the information in the ADMX file.
The policy name is PasswordManagerEnabled. The parent category, which we also need in the OMA-URI, is PasswordManager. As we can see, we can only enable or disable the Password Manager.


Now switch back to the Intune portal to add a new row for the Password Manager policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
  • Data type: String
  • Value: <disabled/>

This is the only setting I want to manage in the Password Manager category, so let's move to another interesting category: Extensions.

Manage Google Chrome Extensions

The last category I want to discuss here is extensions. In Google Chrome we can add several extensions to the browser with several functions like the Windows Defender Browser Protection and Windows 10 Accounts extensions.

I want the two mentioned extensions to be installed automatically, which can be achieved by using the policy Configure the list of force-installed apps and extensions (ExtensionInstallForcelist).
Let's skip the info from the ADMX file this time, and have a look at the policy via Gpedit instead. Here we find information on how this is done with the GPO; using the custom policy we do something similar.
In the GPO we need to specify the extension id followed by the Chrome webstore update URL https://clients2.google.com/service/update2/crx. Using Intune we also need the extension id and the webstore URL.

The extension id can be found by looking up the extension in the Chrome webstore. The extension id can be found in the url.

The extension id followed by the URL is ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx for the Windows 10 Accounts extension. Every extension needs to be separated again with the (encoded) unicode character &#xF000, and because we need to number the extensions, the unicode character is also used between the number and the extension string. For two extensions the value looks like the example below.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
  • Data type: String
  • Value:

As I want to be in full control of which extensions are used, I want to block all extensions besides the extensions I force to install. This can be achieved by using an extension blacklist. To block all extensions we need to add * to the blacklist, like we would do by using the GPO. The * needs to be specified in the value section of the custom policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist
  • Data type: String
  • Value:

And last, I will whitelist the two extensions which I force to install using the force install policy setting.
In the value of this setting we need to specify the extension ids, number them and separate them with the unicode character.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist
  • Data type: String
  • Value:

The extensions are now controlled by these policies.
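The numbered, separator-joined values described for RestoreOnStartupURLs and for the three extension policies can be generated rather than typed. The following is an added example, not code from the original post: it builds the value strings, XML-escapes each item while leaving the separator entity intact, and rejects malformed extension ids before they reach the forcelist or whitelist. The function names, the constructed second extension id and the placeholder list ids (read the real ones from your ADMX file) are assumptions of this example.

```python
import re
from xml.sax.saxutils import escape

SEP = "&#xF000;"                    # encoded separator described in the post
EXT_ID = re.compile(r"[a-p]{32}")   # Chrome extension ids: 32 letters, a to p
UPDATE_URL = "https://clients2.google.com/service/update2/crx"

def list_value(data_id, items):
    """<enabled/> plus a numbered, separator-joined list for one data id."""
    if not items:
        raise ValueError("a list policy needs at least one item")
    parts = []
    for number, item in enumerate(items, start=1):
        # Escape XML metacharacters in the item; the separator entity stays raw.
        parts += [str(number), escape(item, {'"': "&quot;"})]
    return f'<enabled/><data id="{data_id}" value="{SEP.join(parts)}"/>'

def extension_values(forced_ids, list_ids):
    """Values for a block-everything-except-forced extension setup.

    list_ids maps each policy name to the list id found in the ADMX file.
    """
    bad = [e for e in forced_ids if not EXT_ID.fullmatch(e)]
    if bad:
        raise ValueError(f"not a Chrome extension id: {bad}")
    return {
        "ExtensionInstallForcelist": list_value(
            list_ids["ExtensionInstallForcelist"],
            [f"{e};{UPDATE_URL}" for e in forced_ids]),
        "ExtensionInstallBlacklist": list_value(
            list_ids["ExtensionInstallBlacklist"], ["*"]),
        # The whitelist is derived from the same ids, so it cannot drift
        # from the forcelist.
        "ExtensionInstallWhitelist": list_value(
            list_ids["ExtensionInstallWhitelist"], forced_ids),
    }

if __name__ == "__main__":
    # Placeholder list ids; take the real ones from the ADMX file.
    ids = {"ExtensionInstallForcelist": "FORCELIST_ID_FROM_ADMX",
           "ExtensionInstallBlacklist": "BLACKLIST_ID_FROM_ADMX",
           "ExtensionInstallWhitelist": "WHITELIST_ID_FROM_ADMX"}
    # First id is from the post; the second is a constructed sample id.
    forced = ["ppnbnpeolgkicgegkbkbjmhlideopiji", "a" * 32]
    for name, value in extension_values(forced, ids).items():
        print(name, value, sep="\n  ")
```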

End-user experience

Let's have a look at the end-user experience.
When we log on to an Intune-managed Windows 10 device, open the Chrome browser and click the three dots in the top right, the menu is shown. At the bottom, the message Managed by your organization is shown.

When we open the settings of the browser, we can see the deployed policies are indeed applied. For example the Show home button setting is enabled and marked with a building icon.

Enter chrome://policy in the address bar of the Chrome browser to see a complete list of applied settings.

And if we open the extensions section, we can see the two forced extensions are installed and we cannot switch them off.

That's it for this time. I hope you find the post informative and that it helps you to manage the Chrome web browser using Microsoft Intune.

A related post about managing Google Update settings with Intune can be found here.


You can use an Intune app configuration policy to configure Google Chrome for Android devices. The settings for the app can be automatically applied. For example, you can specifically set the bookmarks and the URLs that you would like to block or allow.

Prerequisites

  • The user's Android Enterprise device must be enrolled in Intune. For more information, see Set up enrollment of Android Enterprise personally-owned work profile devices.
  • Google Chrome is added as a Managed Google Play app. For more information about Managed Google Play, see Connect your Intune account to your Managed Google Play account.

Add the Google Chrome app to Intune

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Apps > All apps > Add then add the Managed Google Play app.

  3. Go to Managed Google Play, search for Google Chrome and approve it.

  4. Assign Google Chrome to a user group as a required app type. Google Chrome will be deployed automatically when the device is enrolled into Intune.

For additional details about adding a Managed Google Play app to Intune, see Managed Google Play store apps.

Add app configuration for managed AE devices

  1. From the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed devices.

  2. Set the following details:

    • Name - The name of the profile that appears in the portal.
    • Description - The description of the profile that appears in the portal.
    • Device enrollment type - This setting is set to Managed devices.
    • Platform - Select Android.
  3. Click Associated app to display the Associated app pane. Find and select Google Chrome. This list contains Managed Google Play apps that you've approved and synchronized with Intune.

  4. Click Configuration settings, select Use configuration designer, and then click Add to select the configuration keys.

    Below is an example of common settings:

    • Block access to a list of URLs: ['*']
    • Allow access to a list of URLs: ['baidu.com', 'youtube.com', 'chromium.org', 'chrome://*']
    • Managed Bookmarks: [{'toplevel_name': 'My managed bookmarks folder' }, {'url': 'baidu.com', 'name': 'Baidu'}, {'url': 'youtube.com', 'name': 'Youtube'}, {'name': 'Chrome links', 'children': [{'url': 'chromium.org', 'name': 'Chromium'}, {'url': 'dev.chromium.org', 'name': 'Chromium Developers'}]}]
    • Incognito mode availability: Incognito mode disabled

    Once the configuration settings are added using the configuration designer, they will be listed in a table.

    The above settings create bookmarks and block access to all URLs except baidu.com, yahoo.com, chromium.org, and chrome://.

  5. Click OK and Add to add your configuration policy to Intune.

  6. Assign this configuration policy to a user group. For more information, see Assign apps to groups with Microsoft Intune.

Verify the device settings

Once the Android device is enrolled with Android Enterprise, the managed Google Chrome app with the portfolio icon will be deployed automatically.


Launch Google Chrome and you will find the settings applied.


Bookmarks:

Blocked URL:


Allow URL:


Incognito tab:

Troubleshooting


  1. Check Intune to monitor the policy deployment status.

  2. Launch Google Chrome and visit chrome://policy. We can confirm if the settings are applied successfully.


Additional information


Next steps

  • For more information about Android Enterprise fully managed devices, see Set up Intune enrollment of Android Enterprise fully managed devices.