Google Apps

Set up the Chrome for Business browser in your organization using Group Policies

This is the first of a three part series discussing options available to deploy and/or administer Google Chrome in the organization.

I think it's safe to say that Google Chrome has been viewed for some time as a consumer browser. Many see it as something people install to use in place of Internet Explorer or Firefox, both of which have more of a corporate foothold and are "established" (or "made browsers" for those of you Mafia fans out there). Internet Explorer can be extensively customized by Active Directory shops using an array of Group Policies for Windows systems. Firefox also benefits from similar configuration options, though to a smaller extent.

You may not know it, but Chrome has actually been in the enterprise game for a while. Google provides a full Windows installation package for Chrome which can be deployed in an organization, and over 100 policies and preferences to go with it. Sample policies include setting the default Search engine to Google, disabling the default browser check or importing Internet Explorer favorites. You can decide what settings to apply (or enforce), which updates to allow and which extensions to include - all depending on your strategy. You can even configure features for Chromebook and Chromebox users.

Chrome for Business

You have a few choices to get started using Chrome for Business:

  1. You can push out a standard Chrome install file and implement the desired settings for Windows systems via Group Policy using custom ADM/ADMX templates. This is recommended for companies running Active Directory.
  2. You can push out a standard Chrome install file and implement the desired settings for Windows systems via a master preferences file copied to each computer. This is recommended for companies without Active Directory.
  3. You can configure Chrome user policies/extensions (known as cloud policies) for Google Apps users via your Admin Console. These will apply to any Chrome user who signs into their Google Apps account; no special install file will be needed. This will work whether you have Active Directory or not; the focus here is administration from the Google Apps side.

You don't have to be a Google Apps customer to use Chrome for Business, but if you are running Google Apps for Business or Education then the Chrome for Business option is already enabled for your domain(s).

Options

This article is the first of three and will focus on option #1 above: installing the Chrome browser and configuring options using Group Policies for Active Directory. The next two articles will cover options #2 and options #3, so please stay tuned for their release if you are interested in either scenario.

The first two articles are based upon the deployment of Chrome in a Windows environment, but Mac and Linux users aren't left out in the cold. Instructions for pushing Chrome settings to Macs using MCX can be found here. A similar page for Linux systems using JSON files is here. Disclosure: I have not tested either set of functions myself as I presently manage Windows systems, however further articles devoted to these topics, as well as customized predefined Chrome extensions for users, may also be forthcoming.

If you're thinking about options #1 or #2, you may be wondering "Do I need to roll out the new Chrome installation package to users who already have it installed?" Not necessarily. Any existing Chrome versions can be configured using the policies you set up, so long as these machines are on your Windows domain. Non-domain computers (e.g. home systems which employees connect to your organization with over a VPN) will not receive these settings, and so option #2 may work better for those computers.

However, if you go with option #2, any preferences you set up will not apply to existing Chrome installations, so I recommend a removal then official re-install of Chrome if you go that route.

As always, before you plan to implement Chrome for Business you must thoroughly test all aspects in a lab or development environment to be certain how these changes will impact users and systems.

Download the Chrome for Business installation file

Access the Chrome for Business page for administrators. (Figure A)

Figure A

a_smatteson_using_google_bus_1.png

Click "Download Chrome MSI." The following box will appear. (Figure B)

Figure B

b_smatteson_using_google_bus_1.png

You can uncheck "Set Google Chrome as my default browser" if you like then click "Accept and Install." This box is a bit misleading because it seems to indicate that Chrome will then automatically install on your system, but instead you will be provided the option to save the GoogleChromeStandaloneEnterprise.msi file to your hard drive or a network share.

Download the Google Chrome policy files and documentation

You can find the download link here. Grab the .zip file and extract it to a folder.

If you're interested in reviewing the full list of all policies supported by Chrome, access the folder to which you extracted the files (aka the policy extract folder) and open the \common\html\en-US\chrome_policy_list.html file. Clickable links can give you further details for each. (Figure C)

Figure C

c_smatteson_using_google_bus_1.png

(This screenshot is just the tip of the iceberg!) Add the Group Policy files into your AD environment

The policies are in ADM or ADMX format and which one you use will depend on what level of Windows your domain controllers run.

You will need to use the ADM files if your Active Directory environment is based on Windows 2003 or earlier (or if you will administer Group Policy from a Windows XP or earlier PC). These files are in the policy extract folder under \windows\adm. You'll need to select the subfolder for your language; en-US will work for United States English for instance. That subfolder will contain a chrome.adm file. (Figure D)

Figure D

d_smatteson_using_google_bus_1.png

Use the ADMX files if your Active Directory environment is based on Windows Server 2008 or later (ADM files can still be used, but ADMX offers more advantages so you are better off using this format). These files are in the policy extract folder under \windows\admx. You can find the chrome.admx file at the \windows\admx location. (Figure E)

Figure E

e_smatteson_using_google_bus_1.png

Another advantage to ADMX files is that you can load them into your Group Policy environment more quickly, as I will demonstrate below.

Start your Group Policy Management console and go to the "Group Policy Objects" folder. (Figure F)

Figure F

f_smatteson_using_google_bus_1.png

I highly recommend creating a brand new Group Policy for Chrome settings, rather than integrating the Chrome ADM/ADMX templates into an existing policy. You can then apply that new Group Policy as needed and easily deactivate it if necessary (such as if unexpected problems occur).

To create the new policy, right-click the Group Policy Objects folder, choose New, specify the name (Chrome Settings), and then click OK. (Figure G)

Figure G

g_smatteson_using_google_bus_1.png

Now you will need to load the appropriate Group Policy template file.

If you are using the ADM file

Right-click the Chrome Settings policy object and choose Edit. (Figure H)

Figure H

h_smatteson_using_google_bus_1.png

Remember, Chrome settings are system-specific, so you will be working in the "Computer Configuration" section. Expand "Policies" under that. (Figure I)

Figure I

i_smatteson_using_google_bus_1.png

Right-click Administrative Templates and choose Add/Remove Templates. (Figure J)

Figure J

j_smatteson_using_google_bus_1.png

Click Add, then browse to the location of the chrome.adm file you will need. Double-click it to install. (Figure K)

Figure K

k_smatteson_using_google_bus_1.png

Now click Close. You will return to the previous screen. Expand "Administrative Templates" then skip down to the "Configuring the Google Chrome policies" section below in this article.

If you are using the ADMX file

Copy the chrome.admx file to \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (where "FQDN" represents your fully qualified domain name in Active Directory, for instance \\company.com\SYSVOL\company.com\policies\PolicyDefinitions).

Copy the chrome.adml file from the appropriate language subfolder (e.g en-US) to the corresponding subfolder location under \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (if using en-US then you would place the file in the \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US directory).

Right-click the Chrome Settings policy object and choose Edit. Navigate to Computer Configuration \ Policies \ Administrative Templates: Policy definitions (ADMX files) retrieved from the central store.

Configuring the Google Chrome policies

Now the Google policies will be available for you to use and you can expand them to see more details. (Figure L)

Figure L

l_smatteson_using_google_bus_1.png

If you used the ADMX file, note the "Google" section under "Administrative Templates: Policy definitions (ADMX files) retrieved from the central store."

If you used the ADM file, the same "Google" section appears under "Classic Administrative Templates."

You will only see one set of Google options; I loaded both sets of files for the purpose of researching this article which explains why there are two shown in the screenshot above.

You've probably noticed there are two subsections under "Google":

  1. Google Chrome
  2. Google Chrome – Default Settings (users can override)

The "Google Chrome" group represents mandated settings. The "Google Chrome – Default Settings (users can override)" group represents initial Chrome settings which your users can change if they like. For instance, you could set their startup page to the company intranet, but provide some leeway if they want to change it to www.redsox.com.

This second group has the same items found in the first so it's completely optional; there is nothing you can set up here which you can't already configure in the "Google Chrome" group.

Now the fun starts! If you expand the "Google Chrome" section you will see the following subfolders. (Figure M)

Figure M

m_smatteson_using_google_bus_1.png

At first glance you might be disappointed by the small amount of subfolders. However, click the main "Google Chrome" folder and you will see a long list of available settings underneath. (Figure N)

Figure N

n_smatteson_using_google_bus_1.png

The "Google Chrome - Default Settings (users can override)" folder also has more items. (Figure O)

Figure O

o_smatteson_using_google_bus_1.png

I advise checking all the available settings then deciding which ones are right for you, or which your security policies might mandate. Some sample elements you might want to implement. (Table A)

Table A

FunctionLocation
Cookie handlingGoogle Chrome/Content Settings
Default Search ProviderGoogle Chrome/Default Search Provider
Disable Saving Browser HistoryGoogle Chrome
Download DiretoryGoogle Chrome
Enable Safe BrowsingGoogle Chrome
Import BookmarksGoogle Chrome
Proxy Server SettingGoogle Chrome/Proxy Server
URLs to open on start upGoogle Chrome/Start up Pages

One caveat: configuring a home page for users is a little trickier than it should be. It's not enough to simply establish a home page; if you want Chrome to load that page on startup you'll have to add a separate option.

If you access "Home page" folder you will see an option to "Configure the home page URL." (Figure P)

Figure P

p_smatteson_using_google_bus_1.png

You can enable this option and set the URL (such as to www.techrepublic.com). (Figure Q)

Figure Q

q_smatteson_using_google_bus_1.png

On its own this just means that when users click the Home button they'll go to www.techrepublic.com. To have a specific site load on startup go to the Startup pages folder. (Figure R)

Figure R

r_smatteson_using_google_bus_1.png

Enable "Action on startup" and then access the "Open a List of URLs" option. (Figure S)

Figure S

s_smatteson_using_google_bus_1.png

Enable this function, click the "Show" button and enter your desired URL. (Figure T)

Figure T

t_smatteson_using_google_bus_1.png

Click OK twice to save and exit the dialogue box.

(You can skip the Home Page configuration entirely if you just want this site to load when the browser opens, but it may be useful to designate the default Home location to help users get back to a certain site easily).

Configuring Chrome updates

I generally recommend allowing Chrome to update itself as per the default schedule. I have seen few issues with unwanted Chrome updates causing problems and there may be important security benefits with each new release. However, you can find more information here on how to customize auto-updates.

When you're ready to apply the new Chrome Group Policy to your systems, make sure you do so to an OU which contains the desired computer accounts rather than the user accounts (if you separate these into different OUs). The policy is computer-based, so it won't apply to the users. For instance, I've set up a "Computer Testing OU" under my main company computer OU, dropped my test machine's computer object there and applied the "Chrome Settings" policy to the "Computer Testing OU." (Figure U)

Figure U

u_smatteson_using_google_bus_1.png

Once you have the desired configuration in place, you can proceed to pushing out the Google Chrome for Business installation package to the desired computers.

Installing Chrome for Business on local or remote computers

The Chrome for Business install file will apply at a system level to all users; any existing user-specific Chrome installation will wind up overwritten – though the user data will still remain present. The exception would be if the present Chrome application is newer than the version associated with the install file - in that case the install file won't run.

Since user data will be saved under each user's local profile folder (for instance "C:\Users\(account name)\Local Settings\Google\Chrome\User Data") this could pose an issue if users in your organization log onto multiple systems and would like a consistent Chrome experience no matter which workstation they use. You can use the "Set user data directory" and "Set disk cache directory" Group Policy options for Chrome to redirect these locations to network folders (such as the user's home directory) to address this. I tested this across multiple machines (Windows 7 and XP) and it worked fine.

The syntax to install the Chrome MSI file is:

Msiexec /q /I GoogleChromeStandaloneEnterprise.msi

You can copy this file to a network share (for instance \\fileserver\installdirectory and have users run it from there with the specified syntax. For simplicity sake you could create a .bat or .cmd file containing the full install string above including the path:

Msiexec /q /I \\fileserver\installdirectory\ GoogleChromeStandaloneEnterprise.msi

Users could then just double-click this file to run it.

That's a bit too old-school for me however (and not in a classy way). I recommend using Group Policy itself to configure the installation (my colleague Tim Lange wrote a good article on how to do this). You can also use Microsoft's System Center Configuration Manager if applicable or Windows Sysinternals' PsExec utility for a scripted remote installation from your administrative workstation.

You can even just use a simple logon script in Active Directory to silently run that install string when users log into their computers (you might need the .msi file to copy down locally to a folder users have write permissions to for this to work properly; MSI files can be unpredictable depending on your Windows level). Be mindful that administrative rights are needed for whichever user handles the execution of the MSI file.

If attempting to run the .msi file gives you a hard time with permissions or access errors, you might need to right-click the file, go to Properties and then click the "Unblock" button. (Figure V)

Figure V

v_smatteson_using_google_bus_1.png

Installation problems (and success) will be logged in the Windows Application Log. You can also check these files if you run into any issues:

%TEMP%\chrome_installer.log

%TEMP%\chrome_frame_installer.log

If you don't see any Windows Application log entries related to this effort and neither of the above files are present there may be a problem with your installation script/routine and the installation was never attempted.

Bottom line

Now that you've gotten Chrome for Business installed on the machine, fire it up and confirm your policies are working! If you would like to review the applied policies just enter chrome://policy in the browser address field. (Figure W)

Figure W

w_smatteson_using_google_bus_1.png

Once you're comfortable with this procedure are seeing the expected results you can plan the company-wide rollout and adjust your group policy/MSI installation processes as necessary.

Coming up in Part II: How to set up the Chrome for Business browser in your organization using a master preferences file.

Getting more information

I highly recommend bookmarking Google's Chrome for Business and Education page which contains lots of useful data (including how to set up legacy browser support to automatically open certain websites in other browsers). There is also a Chrome for Business FAQ available.


About

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.

5 comments
Chrome User
Chrome User

Hi Scott,


Great article. I'm wondering if you can give more information on Browser legacy support (LBS) of Chrome. 


I tried yo experiment and install it on a standalone system and I can not get it to work. Chrome just never redirect to IE.


In an enterprise LBS  is a very valuable tools, because some of the intranet pages are just designed for old version of IE.



zaxxon13
zaxxon13

Personally i found the installation rather trivial and not much different than many thousands of other programs. where i did find issues was in RDS/TS environments.

to date i utilize the allow no sandbox and disable gpu switches. the one other problem i found was wit hthe way it pins a shortcut to the taskbar. with out disabling the pinning function, its next to impossible to remove auto pinned copies of the chrome shortcut from users desktops. you can remove the

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] - See more at: http://www.itninja.com/question/how-remove-taskbar-short-cut-of-google-chrome#sthash.BLWqiXmk.dpuf

but that didnt work for me.

it would be handy to find a way to get chrome to behave like any other decent application and  not nestle itself in hard to remove locations...

any info on that will be most welcome

jdayman
jdayman

Thanks for this Scott. We deployed the Chrome Browser to our Active Directory Windows machines last year. I knew about the enterprise edition of Chrome, and I knew about the ADMX files. But there are quite a few things I didn't understand until I read your article. (Google's documentation on using the enterprise installer and on the Group Policy ADMX templates could use some work.)

One note on disabling automatic Chrome updates - in a small office I can see where auto updates make sense. When you have many thousands of Windows computers in your domain, then I think the hit on network bandwidth could be substantial. All the computers will see the new software version at the same time, and each one will download the installer separately. Not efficient.

Incidentally Gisabun - the enterprise version of Chrome doesn't install in the user's profile. As far as I know that only happens with personal installs of Chrome, and only then if the user doing the install does not have admin rights on the computer. And to restore some sanity in managed environments - if you install the enterprise version of Chrome it automatically disables any personal installs on that computer.

I'm not the biggest fan of Google, and I'm not exactly thrilled to be installing and supporting their browser. But Scott's article sheds some light on how we can maybe get this to work. I'm adding a link to his article in my Google Chrome deployment documentation.

Gisabun
Gisabun

Unsure why anyone would want to install the second most buggiest web browser [after Safari; according to Symantec and Secuna in different reports]. The fact that it installs in a user's profile and not in Program Files is another issue.