This is the first of a three part series discussing options available to deploy and/or administer Google Chrome in the organization.
I think it's safe to say that Google Chrome has been viewed for some time as a consumer browser. Many see it as something people install to use in place of Internet Explorer or Firefox, both of which have more of a corporate foothold and are "established" (or "made browsers" for those of you Mafia fans out there). Internet Explorer can be extensively customized by Active Directory shops using an array of Group Policies for Windows systems. Firefox also benefits from similar configuration options, though to a smaller extent.
You may not know it, but Chrome has actually been in the enterprise game for a while. Google provides a full Windows installation package for Chrome which can be deployed in an organization, and over 100 policies and preferences to go with it. Sample policies include setting the default Search engine to Google, disabling the default browser check or importing Internet Explorer favorites. You can decide what settings to apply (or enforce), which updates to allow and which extensions to include - all depending on your strategy. You can even configure features for Chromebook and Chromebox users.
Chrome for Business
You have a few choices to get started using Chrome for Business:
- You can push out a standard Chrome install file and implement the desired settings for Windows systems via Group Policy using custom ADM/ADMX templates. This is recommended for companies running Active Directory.
- You can push out a standard Chrome install file and implement the desired settings for Windows systems via a master preferences file copied to each computer. This is recommended for companies without Active Directory.
- You can configure Chrome user policies/extensions (known as cloud policies) for Google Apps users via your Admin Console. These will apply to any Chrome user who signs into their Google Apps account; no special install file will be needed. This will work whether you have Active Directory or not; the focus here is administration from the Google Apps side.
You don't have to be a Google Apps customer to use Chrome for Business, but if you are running Google Apps for Business or Education then the Chrome for Business option is already enabled for your domain(s).
This article is the first of three and will focus on option #1 above: installing the Chrome browser and configuring options using Group Policies for Active Directory. The next two articles will cover options #2 and options #3, so please stay tuned for their release if you are interested in either scenario.
The first two articles are based upon the deployment of Chrome in a Windows environment, but Mac and Linux users aren't left out in the cold. Instructions for pushing Chrome settings to Macs using MCX can be found here. A similar page for Linux systems using JSON files is here. Disclosure: I have not tested either set of functions myself as I presently manage Windows systems, however further articles devoted to these topics, as well as customized predefined Chrome extensions for users, may also be forthcoming.
If you're thinking about options #1 or #2, you may be wondering "Do I need to roll out the new Chrome installation package to users who already have it installed?" Not necessarily. Any existing Chrome versions can be configured using the policies you set up, so long as these machines are on your Windows domain. Non-domain computers (e.g. home systems which employees connect to your organization with over a VPN) will not receive these settings, and so option #2 may work better for those computers.
However, if you go with option #2, any preferences you set up will not apply to existing Chrome installations, so I recommend a removal then official re-install of Chrome if you go that route.
As always, before you plan to implement Chrome for Business you must thoroughly test all aspects in a lab or development environment to be certain how these changes will impact users and systems.Download the Chrome for Business installation file
Access the Chrome for Business page for administrators. (Figure A)
Click "Download Chrome MSI." The following box will appear. (Figure B)
You can uncheck "Set Google Chrome as my default browser" if you like then click "Accept and Install." This box is a bit misleading because it seems to indicate that Chrome will then automatically install on your system, but instead you will be provided the option to save the GoogleChromeStandaloneEnterprise.msi file to your hard drive or a network share.
Download the Google Chrome policy files and documentation
You can find the download link here. Grab the .zip file and extract it to a folder.
If you're interested in reviewing the full list of all policies supported by Chrome, access the folder to which you extracted the files (aka the policy extract folder) and open the \common\html\en-US\chrome_policy_list.html file. Clickable links can give you further details for each. (Figure C)
Figure C(This screenshot is just the tip of the iceberg!) Add the Group Policy files into your AD environment
The policies are in ADM or ADMX format and which one you use will depend on what level of Windows your domain controllers run.
You will need to use the ADM files if your Active Directory environment is based on Windows 2003 or earlier (or if you will administer Group Policy from a Windows XP or earlier PC). These files are in the policy extract folder under \windows\adm. You'll need to select the subfolder for your language; en-US will work for United States English for instance. That subfolder will contain a chrome.adm file. (Figure D)
Use the ADMX files if your Active Directory environment is based on Windows Server 2008 or later (ADM files can still be used, but ADMX offers more advantages so you are better off using this format). These files are in the policy extract folder under \windows\admx. You can find the chrome.admx file at the \windows\admx location. (Figure E)
Another advantage to ADMX files is that you can load them into your Group Policy environment more quickly, as I will demonstrate below.
Start your Group Policy Management console and go to the "Group Policy Objects" folder. (Figure F)
I highly recommend creating a brand new Group Policy for Chrome settings, rather than integrating the Chrome ADM/ADMX templates into an existing policy. You can then apply that new Group Policy as needed and easily deactivate it if necessary (such as if unexpected problems occur).
To create the new policy, right-click the Group Policy Objects folder, choose New, specify the name (Chrome Settings), and then click OK. (Figure G)
Now you will need to load the appropriate Group Policy template file.If you are using the ADM file
Right-click the Chrome Settings policy object and choose Edit. (Figure H)
Remember, Chrome settings are system-specific, so you will be working in the "Computer Configuration" section. Expand "Policies" under that. (Figure I)
Right-click Administrative Templates and choose Add/Remove Templates. (Figure J)
Click Add, then browse to the location of the chrome.adm file you will need. Double-click it to install. (Figure K)
Now click Close. You will return to the previous screen. Expand "Administrative Templates" then skip down to the "Configuring the Google Chrome policies" section below in this article.
If you are using the ADMX file
Copy the chrome.admx file to \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (where "FQDN" represents your fully qualified domain name in Active Directory, for instance \\company.com\SYSVOL\company.com\policies\PolicyDefinitions).
Copy the chrome.adml file from the appropriate language subfolder (e.g en-US) to the corresponding subfolder location under \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (if using en-US then you would place the file in the \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US directory).
Right-click the Chrome Settings policy object and choose Edit. Navigate to Computer Configuration \ Policies \ Administrative Templates: Policy definitions (ADMX files) retrieved from the central store.
Configuring the Google Chrome policies
Now the Google policies will be available for you to use and you can expand them to see more details. (Figure L)
If you used the ADMX file, note the "Google" section under "Administrative Templates: Policy definitions (ADMX files) retrieved from the central store."
If you used the ADM file, the same "Google" section appears under "Classic Administrative Templates."
You will only see one set of Google options; I loaded both sets of files for the purpose of researching this article which explains why there are two shown in the screenshot above.
You've probably noticed there are two subsections under "Google":
- Google Chrome
- Google Chrome – Default Settings (users can override)
The "Google Chrome" group represents mandated settings. The "Google Chrome – Default Settings (users can override)" group represents initial Chrome settings which your users can change if they like. For instance, you could set their startup page to the company intranet, but provide some leeway if they want to change it to www.redsox.com.
This second group has the same items found in the first so it's completely optional; there is nothing you can set up here which you can't already configure in the "Google Chrome" group.
Now the fun starts! If you expand the "Google Chrome" section you will see the following subfolders. (Figure M)
At first glance you might be disappointed by the small amount of subfolders. However, click the main "Google Chrome" folder and you will see a long list of available settings underneath. (Figure N)
The "Google Chrome - Default Settings (users can override)" folder also has more items. (Figure O)
I advise checking all the available settings then deciding which ones are right for you, or which your security policies might mandate. Some sample elements you might want to implement. (Table A)
|Cookie handling||Google Chrome/Content Settings|
|Default Search Provider||Google Chrome/Default Search Provider|
|Disable Saving Browser History||Google Chrome|
|Download Diretory||Google Chrome|
|Enable Safe Browsing||Google Chrome|
|Import Bookmarks||Google Chrome|
|Proxy Server Setting||Google Chrome/Proxy Server|
|URLs to open on start up||Google Chrome/Start up Pages|
One caveat: configuring a home page for users is a little trickier than it should be. It's not enough to simply establish a home page; if you want Chrome to load that page on startup you'll have to add a separate option.
If you access "Home page" folder you will see an option to "Configure the home page URL." (Figure P)
You can enable this option and set the URL (such as to www.techrepublic.com). (Figure Q)
On its own this just means that when users click the Home button they'll go to www.techrepublic.com. To have a specific site load on startup go to the Startup pages folder. (Figure R)
Enable "Action on startup" and then access the "Open a List of URLs" option. (Figure S)
Enable this function, click the "Show" button and enter your desired URL. (Figure T)
Click OK twice to save and exit the dialogue box.
(You can skip the Home Page configuration entirely if you just want this site to load when the browser opens, but it may be useful to designate the default Home location to help users get back to a certain site easily).
Configuring Chrome updates
I generally recommend allowing Chrome to update itself as per the default schedule. I have seen few issues with unwanted Chrome updates causing problems and there may be important security benefits with each new release. However, you can find more information here on how to customize auto-updates.
When you're ready to apply the new Chrome Group Policy to your systems, make sure you do so to an OU which contains the desired computer accounts rather than the user accounts (if you separate these into different OUs). The policy is computer-based, so it won't apply to the users. For instance, I've set up a "Computer Testing OU" under my main company computer OU, dropped my test machine's computer object there and applied the "Chrome Settings" policy to the "Computer Testing OU." (Figure U)
Once you have the desired configuration in place, you can proceed to pushing out the Google Chrome for Business installation package to the desired computers.
Installing Chrome for Business on local or remote computers
The Chrome for Business install file will apply at a system level to all users; any existing user-specific Chrome installation will wind up overwritten – though the user data will still remain present. The exception would be if the present Chrome application is newer than the version associated with the install file - in that case the install file won't run.
Since user data will be saved under each user's local profile folder (for instance "C:\Users\(account name)\Local Settings\Google\Chrome\User Data") this could pose an issue if users in your organization log onto multiple systems and would like a consistent Chrome experience no matter which workstation they use. You can use the "Set user data directory" and "Set disk cache directory" Group Policy options for Chrome to redirect these locations to network folders (such as the user's home directory) to address this. I tested this across multiple machines (Windows 7 and XP) and it worked fine.
The syntax to install the Chrome MSI file is:
Msiexec /q /I GoogleChromeStandaloneEnterprise.msi
You can copy this file to a network share (for instance \\fileserver\installdirectory and have users run it from there with the specified syntax. For simplicity sake you could create a .bat or .cmd file containing the full install string above including the path:
Msiexec /q /I \\fileserver\installdirectory\ GoogleChromeStandaloneEnterprise.msi
Users could then just double-click this file to run it.
That's a bit too old-school for me however (and not in a classy way). I recommend using Group Policy itself to configure the installation (my colleague Tim Lange wrote a good article on how to do this). You can also use Microsoft's System Center Configuration Manager if applicable or Windows Sysinternals' PsExec utility for a scripted remote installation from your administrative workstation.
You can even just use a simple logon script in Active Directory to silently run that install string when users log into their computers (you might need the .msi file to copy down locally to a folder users have write permissions to for this to work properly; MSI files can be unpredictable depending on your Windows level). Be mindful that administrative rights are needed for whichever user handles the execution of the MSI file.
If attempting to run the .msi file gives you a hard time with permissions or access errors, you might need to right-click the file, go to Properties and then click the "Unblock" button. (Figure V)
Installation problems (and success) will be logged in the Windows Application Log. You can also check these files if you run into any issues:
If you don't see any Windows Application log entries related to this effort and neither of the above files are present there may be a problem with your installation script/routine and the installation was never attempted.
Now that you've gotten Chrome for Business installed on the machine, fire it up and confirm your policies are working! If you would like to review the applied policies just enter chrome://policy in the browser address field. (Figure W)
Once you're comfortable with this procedure are seeing the expected results you can plan the company-wide rollout and adjust your group policy/MSI installation processes as necessary.
Coming up in Part II: How to set up the Chrome for Business browser in your organization using a master preferences file.
Getting more information
I highly recommend bookmarking Google's Chrome for Business and Education page which contains lots of useful data (including how to set up legacy browser support to automatically open certain websites in other browsers). There is also a Chrome for Business FAQ available.