Customizing Google Chrome for the Enterprise

I guess you could say this is a follow-up or addition to a series I started a while ago on customization of “other” (read: non-IE) browsers in an enterprise environment. Today’s focus will be on Google Chrome. We originally offered IE9 and Firefox in our environment, mostly to compensate for IE’s decreasing performance with newer and newer web technologies/sites, but after working with Firefox for a good period of time we have discovered a few things:

1) Mozilla is not really “enterprise-aware”, or is at least not making decent efforts to get there. One of the biggest frustrations is either a lack of documentation or the sudden discontinuation of features needed to control the user experience. There is also a variety of random files, locations and techniques needed to customize Firefox appropriately.

2) Firefox has some serious memory leaks/issues. Throughout the course of the update cycle we have seen improvements, then steps back, in terms of memory consumption/leaks. In our Citrix environment we have frequently seen high memory use where there shouldn’t be any, which ironically IE doesn’t show on the same sites.

3) Mozilla has also been making some unfriendly decisions in terms of what features they will or won’t endorse that are needed in an enterprise environment.

With that data in hand we began looking at Google Chrome. Now, Google Chrome isn’t perfect and is guilty of a couple of items of its own, most notably the lack of understanding of what IT groups need to be able to set/control for the user experience. We aren’t talking about “controlling” users in the “mean IT” way; we are talking about setting options that ensure they have a good experience. For example, a simple configuration option can ensure plugins run automatically instead of prompting; if the user doesn’t see the prompt, their site will not work properly.

If you are not at all familiar with Chrome in a “business” setting, see this article to get yourself up to speed: https://support.google.com/chrome/a/answer/188446?hl=en

So with that said, let’s look at Google Chrome.

– First basic piece, get Chrome installed. Obviously using AD or a 3rd party automatic deployment is the “right answer” here. In our situation, this will be getting installed in a Citrix environment. Make sure you download the “business” installer and not the consumer one from here: https://www.google.com/chrome/browser/index.html?msi=true

– Now that Chrome is installed, we need to do some “customizations” so this works properly for our users. If you read the above KB article you will see there is a variety of ways to do this. In our situation a global policy for all users works fine, but there are ways to do things a bit more specifically if needed. There are ways you can auto-deploy Chrome extensions, but we have all of these features disabled and use no extensions currently; they are just one more item to troubleshoot, cause issues, etc.
Note: If you are in a Citrix or virtual desktop situation, there are some command line arguments that you will want to use when publishing the app to avoid some issues. Citrix has an article here: http://support.citrix.com/article/CTX132057
Also TechRepublic has a good article, look for the “Avoid The Pothole” section: http://www.techrepublic.com/blog/google-in-the-enterprise/publishing-chrome-in-a-citrix-virtualized-environment/

The customizations we have been using are a mix of Google best practice and our own personal deployment preferences. I STRONGLY dislike 3rd party templates in my AD environment so I am NOT doing it that way. What I did was stage the desired settings, clean up any unique settings and export a production-ready configuration that we apply at the HKLM registry level. This then applies to all users on all of our Citrix servers. Our configuration will hardly change at all, which is why we chose this path; obviously, if you are frequently updating things you may want to use the Google ADM templates. Thankfully Google Chrome has a slightly less “burdensome” process for customization than Firefox, although not by much.

Remove Desktop/Start Menu Shortcuts
In various versions of the browser installer there are ways to pass “don’t create these shortcuts”, but in my testing I could not make this work. There seemed to be a lot of discussion on the Google Product Forums about this not working fully or correctly. After testing I found this two-step fix. The primary reason you want to remove these shortcuts is that you want to publish or create a shortcut for your users that passes the needed command line arguments to Chrome to avoid issues; see the Citrix note above.

1) Create a master_preferences file in C:\Program Files (x86)\Google\Chrome\Application

The file should contain the following information:

{"distribution":{"msi":true,"system_level":true,"verbose_logging":true,"do_not_create_desktop_shortcut":true,"do_not_create_quick_launch_shortcut":true,"create_all_shortcuts":false}}

This will help stop SOME of the shortcuts but not all; it seemed to work with some versions of Chrome and not with others.

2) Create a Group Policy logon script that manually removes the shortcuts on login, this also protects against updates recreating them consistently. The basics would be:

rmdir /S /Q "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome"

del /q /f /s "%USERPROFILE%\Desktop\Google Chrome.lnk"

del /q /f /s "%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Google Chrome.lnk"

Is this ideal? NO, and I’m sure it will be fixed in the future, but this keeps us moving at least!

Deploy Some Google Defaults

If you load the ADM template into a test machine and configure the desired parameters, you can then export HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome.
Make sure you clean out any “unique” attributes; you need to keep it “generalized”. Most of the settings are pretty self-explanatory based on their names. If you reference these names on the Google Chrome site you can get more detail, see here: http://www.chromium.org/administrators/policy-list-3

A lot of these items do things like reduce the cache sizes, because large caches aren’t good for roaming profiles. We also shut off a lot of the Google “cloud” features like printing, sync, etc. We allow outdated plugins and always authorize plugins, so that if the site a user is visiting needs a plugin it will automatically load and work, thus reducing helpdesk calls; the security trade-off is minimal as we have other mechanisms to protect against vulnerabilities, viruses, etc. We also set the user data directory to a roaming profile directory so the user’s data roams with them. Note that some of the cloud services can’t really be disabled “effectively” via these methods, so what we have done is block these services at the web/content filter level: things like drive.google.com, docs.google.com, etc. Some of this will depend on your organization’s tolerance for cloud use.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"SuppressChromeFrameTurndownPrompt"=dword:00000001
"DisablePluginFinder"=dword:00000001
"ShowHomeButton"=dword:00000001
"MediaCacheSize"=dword:00000001
"DiskCacheSize"=dword:00000001
"DefaultBrowserSettingEnabled"=dword:00000000
"IncognitoModeAvailability"=dword:00000001
"ImportSearchEngine"=dword:00000000
"ImportSavedPasswords"=dword:00000000
"ImportHomepage"=dword:00000000
"ImportHistory"=dword:00000000
"ImportBookmarks"=dword:00000001
"HideWebStoreIcon"=dword:00000001
"ForceSafeSearch"=dword:00000001
"CloudPrintSubmitEnabled"=dword:00000000
"SearchSuggestEnabled"=dword:00000000
"MetricsReportingEnabled"=dword:00000000
"SpellCheckServiceEnabled"=dword:00000001
"PrintingEnabled"=dword:00000001
"CloudPrintProxyEnabled"=dword:00000000
"BookmarkBarEnabled"=dword:00000001
"AutoFillEnabled"=dword:00000001
"SyncDisabled"=dword:00000001
"DeveloperToolsDisabled"=dword:00000001
"BackgroundModeEnabled"=dword:00000000
"AlwaysAuthorizePlugins"=dword:00000001
"SigninAllowed"=dword:00000000
"AllowOutdatedPlugins"=dword:00000001
"FullscreenAllowed"=dword:00000000
"DefaultSearchProviderEnabled"=dword:00000001
"DefaultSearchProviderName"="Google"
"HomepageIsNewTabPage"=dword:00000001
"SupervisedUserCreationEnabled"=dword:00000000
"NativeMessagingUserLevelHosts"=dword:00000000
"PasswordManagerEnabled"=dword:00000001
"ProxyMode"="direct"
"RestoreOnStartup"=dword:00000005
"UserDataDir"="${roaming_app_data}\\Google\\Google Chrome\\"
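
A pre-deployment check for an export like the one above, added here as an example and not taken from the original post: it parses the .reg text, rejects typographic quotes picked up when copying from a web page, lists the two plugin policies the article accepts as a security trade-off, and reports drift from an intended baseline. The function names, the sample subset and the baseline dictionary are assumptions for illustration.

```python
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"
# Settings the article describes as an accepted security trade-off.
TRADEOFFS = ("AllowOutdatedPlugins", "AlwaysAuthorizePlugins")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<text>.*)")$')

# Constructed sample: a subset of the export shown in the article.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"SyncDisabled"=dword:00000001
"SigninAllowed"=dword:00000000
"AlwaysAuthorizePlugins"=dword:00000001
"AllowOutdatedPlugins"=dword:00000001
"ProxyMode"="direct"
"UserDataDir"="${roaming_app_data}\\Google\\Google Chrome\\"
'''

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int or str}}."""
    if "\u201c" in text or "\u201d" in text:
        raise ValueError("typographic quotes present; .reg syntax needs ASCII quotes")
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            if m["dword"] is not None:
                current[m["name"]] = int(m["dword"], 16)
            else:  # string data escapes backslash and quote with a backslash
                current[m["name"]] = re.sub(r"\\(.)", r"\1", m["text"])
    return keys

def review(text, baseline):
    """Return (trade-off policies switched on, drift from the intended baseline)."""
    policies = parse_reg(text).get(POLICY_KEY, {})
    enabled = [n for n in TRADEOFFS if policies.get(n) == 1]
    drift = {n: (want, policies.get(n)) for n, want in baseline.items()
             if policies.get(n) != want}
    return enabled, drift

if __name__ == "__main__":
    # Hypothetical baseline: the values you intend every server to carry.
    print(review(SAMPLE, {"SyncDisabled": 1, "SigninAllowed": 0,
                          "MetricsReportingEnabled": 0}))
```

A drift entry of `(expected, None)` means the policy is missing from the export altogether, which is how a setting dropped during the “generalize” cleanup shows up.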

 

That is all we are doing today to customize/control the Google Chrome experience. We do allow auto-updates and have not really seen any negatives (yet) in doing this. There are ways to disable auto-update for organizations that prefer that level of control.

Also be advised that as of August 2014 Chrome is now 64-bit capable, see here: http://blog.chromium.org/2014/08/64-bits-of-awesome-64-bit-windows_26.html

Author: Travis Kensil

Director of IT. Husband and father. Michigan beachbum.

2 thoughts on “Customizing Google Chrome for the Enterprise”

  1. Dan,
    I have noticed that a lot of these settings/options are “fluid” and that they work in one version then don’t the next. I usually follow the Chrome KBs and forums which usually highlight these differences.
