I think it’s safe to say that Google Chrome has been viewed
for some time as a consumer browser. Many see it as something people install to
use in place of Internet Explorer or Firefox, both of which have more of a
corporate foothold and are “established” (or “made browsers”
for those of you Mafia fans out there). Internet Explorer can be extensively
customized by Active Directory shops using an array of Group Policies for
Windows systems. Firefox also benefits from similar configuration options,
though to a smaller extent.
You may not know it, but Chrome has actually been in the enterprise
game for a while. Google provides a full Windows installation package for
Chrome which can be deployed in an organization, and over 100 policies and
preferences to go with it. Sample policies include setting the default Search
engine to Google, disabling the default browser check or importing Internet
Explorer favorites. You can decide what settings to apply (or enforce), which updates
to allow and which extensions to include – all depending on your strategy. You
can even configure features for Chromebook and Chromebox users.
Chrome for Business
You have a few choices to get started using Chrome for
Business:
- You can push out a standard Chrome
install file and implement the desired settings for Windows systems via Group
Policy using custom ADM/ADMX templates. This is recommended for companies
running Active Directory. - You can push out a standard Chrome
install file and implement the desired settings for Windows systems via a
master preferences file copied to each computer. This is recommended for
companies without Active Directory. - You can configure Chrome user
policies/extensions (known as cloud policies) for Google Apps users via your Admin
Console. These will apply to any Chrome user who signs into their Google Apps
account; no special install file will be needed. This will work whether you
have Active Directory or not; the focus here is administration from the Google
Apps side.
You don’t have to be a Google Apps customer to use Chrome
for Business, but if you are running Google Apps for Business or Education then
the Chrome for Business option is already enabled for your domain(s).
Options
This article is the first of three and will focus on option
#1 above: installing the Chrome browser and configuring options using Group
Policies for Active Directory. The next two articles will cover options #2 and
options #3, so please stay tuned for their release if you are interested in
either scenario.
The first two articles are based upon the deployment of
Chrome in a Windows environment, but Mac and Linux users aren’t left out in the
cold. Instructions for pushing Chrome settings to Macs using MCX can
be found here. A similar page for Linux systems using JSON files is here.
Disclosure: I have not tested either set of functions myself as I presently
manage Windows systems, however further articles devoted to these topics, as
well as customized predefined Chrome extensions for users, may also be
forthcoming.
If you’re thinking about options #1 or #2, you may be
wondering “Do I need to roll out the new Chrome installation package to
users who already have it installed?” Not necessarily. Any existing Chrome
versions can be configured using the policies you set up, so long as these
machines are on your Windows domain. Non-domain computers (e.g. home systems
which employees connect to your organization with over a VPN) will not receive
these settings, and so option #2 may work better for those computers.
However, if you go with option #2, any preferences you set
up will not apply to existing Chrome
installations, so I recommend a removal then official re-install of Chrome if
you go that route.
As always, before you plan to implement Chrome for
Business you must thoroughly test all aspects in a lab or development
environment to be certain how these changes will impact users and systems.
Download the Chrome for Business installation file
Access the Chrome for Business page for administrators. (Figure A)
Figure A
Click “Download Chrome MSI.” The following box
will appear. (Figure B)
Figure B
You can uncheck “Set Google Chrome as my default
browser” if you like then click “Accept and Install.” This box
is a bit misleading because it seems to indicate that Chrome will then
automatically install on your system, but instead you will be provided the
option to save the GoogleChromeStandaloneEnterprise.msi file to your hard drive
or a network share.
Download the Google Chrome policy files and documentation
You can find the download link here.
Grab the .zip file and extract it to a folder.
If you’re interested in reviewing the full list of all
policies supported by Chrome, access the folder to which you extracted the
files (aka the policy extract folder) and open the \common\html\en-US\chrome_policy_list.html
file. Clickable links can give you further details for each. (Figure C)
Figure C
(This screenshot is just the tip of the iceberg!)
Add the Group Policy files into your AD environment
The policies are in ADM or ADMX format and which one you
use will depend on what level of Windows your domain controllers run.
You will need to use the ADM files if your Active
Directory environment is based on Windows 2003 or earlier (or if you will
administer Group Policy from a Windows XP or earlier PC). These files are in
the policy extract folder under \windows\adm. You’ll need to select the
subfolder for your language; en-US will work for United States English for
instance. That subfolder will contain a chrome.adm file. (Figure D)
Figure D
Use the ADMX files if your Active Directory environment is
based on Windows Server 2008 or later (ADM files can still be used, but ADMX offers more advantages so you are better off using this format). These files
are in the policy extract folder under \windows\admx. You can find the
chrome.admx file at the \windows\admx location. (Figure E)
Figure E
Another advantage to ADMX files is that you can load them
into your Group Policy environment more quickly, as I will demonstrate below.
Start your Group Policy Management console and go to the “Group
Policy Objects” folder. (Figure F)
Figure F
I highly
recommend creating a brand new Group Policy for Chrome settings, rather than
integrating the Chrome ADM/ADMX templates into an existing policy. You can then
apply that new Group Policy as needed and easily deactivate it if necessary
(such as if unexpected problems occur).
To create the new policy, right-click the Group Policy
Objects folder, choose New, specify the name (Chrome Settings), and then click
OK. (Figure G)
Figure G
Now you will need to load the appropriate Group Policy
template file.
If you are using the ADM file
Right-click the Chrome Settings policy object and choose
Edit. (Figure H)
Figure H
Remember, Chrome settings are system-specific, so you will
be working in the “Computer Configuration” section. Expand “Policies”
under that. (Figure I)
Figure I
Right-click Administrative Templates and choose Add/Remove
Templates. (Figure J)
Figure J
Click Add, then browse to the location of the chrome.adm
file you will need. Double-click it to install. (Figure K)
Figure K
Now click Close. You will return to the previous screen. Expand
“Administrative Templates” then skip down to the “Configuring
the Google Chrome policies” section below in this article.
If you are using the ADMX file
Copy the chrome.admx file to
\\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (where “FQDN”
represents your fully qualified domain name in Active Directory, for instance
\\company.com\SYSVOL\company.com\policies\PolicyDefinitions).
Copy the chrome.adml file from the appropriate language
subfolder (e.g en-US) to the corresponding subfolder location under
\\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (if using en-US then you would
place the file in the \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US
directory).
Right-click the Chrome Settings policy object and choose
Edit. Navigate to Computer Configuration \ Policies \ Administrative Templates:
Policy definitions (ADMX files) retrieved from the central store.
Configuring the Google Chrome policies
Now the Google policies will be available for you to use
and you can expand them to see more details. (Figure L)
Figure L
If you used the ADMX file, note the “Google”
section under “Administrative Templates: Policy definitions (ADMX files)
retrieved from the central store.”
If you used the ADM file, the same “Google”
section appears under “Classic Administrative Templates.”
You will only see one set of Google options; I loaded both
sets of files for the purpose of researching this article which explains why
there are two shown in the screenshot above.
You’ve probably noticed there are two subsections under “Google”:
- Google Chrome
- Google Chrome – Default Settings
(users can override)
The “Google Chrome” group represents mandated
settings. The “Google Chrome – Default Settings (users can override)”
group represents initial Chrome
settings which your users can change if they like. For instance, you could set
their startup page to the company intranet, but provide some leeway if they
want to change it to www.redsox.com.
This second group has the same items found in the first so
it’s completely optional; there is nothing you can set up here which you can’t
already configure in the “Google Chrome” group.
Now the fun starts! If you expand the “Google Chrome”
section you will see the following subfolders. (Figure M)
Figure M
At first glance you might be disappointed by the small
amount of subfolders. However, click the main “Google Chrome” folder
and you will see a long list of available settings underneath. (Figure N)
Figure N
The “Google Chrome – Default Settings (users can
override)” folder also has more items. (Figure O)
Figure O
I advise checking all the available settings then deciding
which ones are right for you, or which your security policies might mandate. Some
sample elements you might want to implement. (Table A)
Table A
| Function | Location |
| Cookie handling | Google Chrome/Content Settings |
| Default Search Provider | Google Chrome/Default Search Provider |
| Disable Saving Browser History | Google Chrome |
| Download Diretory | Google Chrome |
| Enable Safe Browsing | Google Chrome |
| Import Bookmarks | Google Chrome |
| Proxy Server Setting | Google Chrome/Proxy Server |
| URLs to open on start up | Google Chrome/Start up Pages |
One caveat: configuring a home page for users is a little
trickier than it should be. It’s not enough to simply establish a home page; if
you want Chrome to load that page on startup you’ll have to add a separate
option.
If you access “Home page” folder you will see an
option to “Configure the home page URL.” (Figure P)
Figure P
You can enable this option and set the URL (such as to www.techrepublic.com). (Figure Q)
Figure Q
On its own this just means that when users click the Home
button they’ll go to www.techrepublic.com. To have a
specific site load on startup go to the Startup pages folder. (Figure R)
Figure R
Enable “Action on startup” and then access the “Open
a List of URLs” option. (Figure S)
Figure S
Enable this function, click the “Show” button
and enter your desired URL. (Figure T)
Figure T
Click OK twice to save and exit the dialogue box.
(You can skip the Home Page configuration entirely if you
just want this site to load when the browser opens, but it may be useful to
designate the default Home location to help users get back to a certain site
easily).
Configuring Chrome updates
I generally recommend allowing Chrome to update itself as
per the default schedule. I have seen few issues with unwanted Chrome updates
causing problems and there may be important security benefits with each new
release. However, you can find more information here on how to customize
auto-updates.
When you’re ready to apply the new Chrome Group Policy to
your systems, make sure you do so to an OU which contains the desired computer
accounts rather than the user accounts (if you separate these into different
OUs). The policy is computer-based, so it won’t apply to the users. For
instance, I’ve set up a “Computer Testing OU” under my main company
computer OU, dropped my test machine’s computer object there and applied the “Chrome
Settings” policy to the “Computer Testing OU.” (Figure U)
Figure U
Once you have the desired configuration in place, you can proceed
to pushing out the Google Chrome for Business installation package to the
desired computers.
Installing Chrome for Business on local or remote computers
The Chrome for Business install file will apply at a
system level to all users; any existing user-specific Chrome installation will
wind up overwritten – though the user data will still remain present. The
exception would be if the present Chrome application is newer than the version
associated with the install file – in that case the install file won’t run.
Since user data will be saved under each user’s local
profile folder (for instance “C:\Users\(account name)\Local
Settings\Google\Chrome\User Data”) this could pose an issue if users in your
organization log onto multiple systems and would like a consistent Chrome
experience no matter which workstation they use. You can use the “Set user data directory” and “Set disk cache directory” Group
Policy options for Chrome to redirect these locations to network folders (such
as the user’s home directory) to address this. I tested this across multiple
machines (Windows 7 and XP) and it worked fine.
The syntax to install the Chrome MSI file is:
Msiexec /q /I GoogleChromeStandaloneEnterprise.msi
You can copy this file to a network share (for instance \\fileserver\installdirectory and
have users run it from there with the specified syntax. For simplicity sake you
could create a .bat or .cmd file containing the full install string above
including the path:
Msiexec /q /I \\fileserver\installdirectory\ GoogleChromeStandaloneEnterprise.msi
Users could then just double-click this file to run it.
That’s a bit too old-school for me however (and not in a
classy way). I recommend using Group Policy itself to configure the
installation (my colleague Tim Lange wrote a good article on how to do this). You can also use Microsoft’s System Center Configuration Manager if applicable or Windows Sysinternals’ PsExec utility for a scripted remote installation from your
administrative workstation.
You can even just use a simple logon script in Active
Directory to silently run that install string when users log into their
computers (you might need the .msi file to copy down locally to a folder users
have write permissions to for this to work properly; MSI files can be unpredictable
depending on your Windows level). Be mindful that administrative rights are
needed for whichever user handles the execution of the MSI file.
If attempting to run the .msi file gives you a hard time
with permissions or access errors, you might need to right-click the file, go
to Properties and then click the “Unblock” button. (Figure V)
Figure V
Installation problems (and success) will be logged in the
Windows Application Log. You can also check these files if you run into any
issues:
%TEMP%\chrome_installer.log
%TEMP%\chrome_frame_installer.log
If you don’t see any Windows Application log entries
related to this effort and neither of the above files are present there may be
a problem with your installation script/routine and the installation was never
attempted.
Bottom line
Now that you’ve gotten Chrome for Business installed on
the machine, fire it up and confirm your policies are working! If you would
like to review the applied policies just enter chrome://policy in the browser
address field. (Figure W)
Figure W
Once you’re comfortable with this procedure are seeing the
expected results you can plan the company-wide rollout and adjust your group
policy/MSI installation processes as necessary.
Coming up in Part II: How to set up the Chrome for
Business browser in your organization using a master preferences file.
Getting more information
I highly recommend bookmarking Google’s Chrome for Business and Education page which contains lots of useful data (including how to set
up legacy browser support to automatically open certain websites in other
browsers). There is also a Chrome for Business FAQ
available.
Daily Tech Insider Newsletter
Stay up to date on the latest in technology with Daily Tech Insider. We bring you news on industry-leading companies, products, and people, as well as highlighted articles, downloads, and top resources. You’ll receive primers on hot tech topics that will help you stay ahead of the game.
Delivered Weekdays
