Manage Google Chrome Policies via Intune

Welcome! In this second part of the series on managing and deploying Google Chrome, we’ll look at how to manage Google Chrome policies using Microsoft Endpoint Manager (MEM, aka Intune). If you missed the part on how to deploy Google Chrome, please find it here. In this post, I will list some of the common Google Chrome settings deployed via MEM. For the full list of available policies, and any additional settings for your environment, please consult the Chrome.ADMX file downloaded below.

UPDATE: Microsoft have recently introduced Google Chrome policies within Intune administrative templates; see my blog post here on how to leverage these instead of custom policies.

Objectives

As part of this post, I will demonstrate how to deploy the following Google Chrome policies:

  • Deploy corporate-managed favourites
  • Disable default browser check
  • Disable outdated plugins
  • Enable the bookmark bar
  • Force the Windows 10 Accounts and Windows Defender Browser Protection extensions
  • Hide the app’s icon in the bookmark bar
  • Set a specific page to load on startup
  • Set a specific homepage

A short introduction to OMA-URIs

Because we’re deploying third-party application policies, the functionality to manage Google Chrome isn’t available out of the box via MEM. To get around this, we’ll deploy a custom profile utilising OMA-URIs (Open Mobile Alliance Uniform Resource Identifiers). These settings are typically used by mobile device manufacturers to control features on a device; here, the purpose of custom OMA-URIs is to deploy ADMX-backed profiles that aren’t natively built into MEM. We won’t go into a deep dive on how OMA-URIs work, but you can find out more information about ADMX-backed OMA-URIs here.

Prerequisites

  • Administrative permissions within MEM Portal
  • Test Windows 10 device enrolled into the MEM service
  • Test account with a valid Intune license assigned
  • Download the Google Chrome Enterprise x64 bundle here

Creating the custom profile

Log into the MEM portal, browse to the devices view, select configuration profiles and then create profile:

Select Windows 10 and later as the platform and profile type of Custom and then Create:

Name the Configuration Profile and set a description to suit your needs, and then select Next:

The next page is where we’ll add the OMA-URIs. Select Add for each of the following entries. (Note: all of the OMA-URI entries below were tested on Chrome version 84 and are subject to change in upcoming versions of Chrome.)

Ingesting the Google Chrome ADMX file

The first OMA-URI to create ingests the ADMX file that was downloaded earlier as part of the Google Chrome bundle. Once the bundle is extracted, you should see a chrome.admx file; keep this to one side for the moment. Add a new OMA-URI and insert the following:

Setting      Value
Name         Chrome ADMX Ingestion
Description  Chrome ADMX Version – <Bundle version>
OMA-URI      ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data Type    String
Value        <Entire contents of Chrome.ADMX file>

Managed Favourites

Change the data value to match your corporate URLs and site names; here’s an example:

Setting    Value
Name       ManagedFavourites
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ManagedBookmarks
Data Type  String
Value      <enabled/><data id='ManagedBookmarks' value='[{"toplevel_name":"Contoso Favourites"},{"url":"https://microsoft.com/","name":"Contoso Website"},{"url":"https://m365x888364.sharepoint.com/sites/SalesAndMarketing","name":"Contoso Sales and Marketing Team Site"},{"url":"https://m365x888364.sharepoint.com/sites/Retail","name":"Contoso Retail Team Site"},{"url":"https://www.yammer.com/m365x888364.onmicrosoft.com/#/home","name":"Contoso Yammer Portal"},{"name":"Microsoft Portals","children":[{"url":"https://portal.office.com","name":"Office 365"},{"url":"https://passwordreset.microsoftonline.com/","name":"Password Reset Portal"},{"url":"https://myapplications.microsoft.com","name":"MyApps"},{"url":"https://portal.manage.microsoft.com/","name":"Endpoint Manager Portal"}]}]'/>

Disable Default Browser Check

Setting    Value
Name       Disable Default Browser Check
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/DefaultBrowserSettingEnabled
Data Type  String
Value      <disabled/>

Disable outdated plugins

Setting    Value
Name       Disable Outdated Plugins
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AllowOutdatedPlugins
Data Type  String
Value      <disabled/>

Enable the bookmark bar

Setting    Value
Name       Bookmark Bar Enabled
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/BookmarkBarEnabled
Data Type  String
Value      <enabled/>

Force Browser Extensions

In this example, I am forcing the Windows 10 Accounts and Windows Defender Browser Protection extensions. To deploy browser extensions, you must browse to the Chrome store and obtain the application identifier from the URL. Here’s an example: in https://chrome.google.com/webstore/detail/microsoft-defender-browse/bkbeeeffjjeopflfhgeknacdieedcoml, the application identifier is the final segment, bkbeeeffjjeopflfhgeknacdieedcoml, which relates back to the Windows Defender Browser Protection extension. Edit the data IDs to suit the application IDs that you wish to deploy:

Setting    Value
Name       Extension Install Force List (MS SSO Agent & MS Defender)
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
Data Type  String
Value      <enabled/><data id="ExtensionInstallForcelistDesc" value="1&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx"/>

Hiding the ‘Apps’ icon in the bookmark bar

Setting    Value
Name       Hide Apps Icon in Bookmarks Bar
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ShowAppsShortcutInBookmarkBar
Data Type  String
Value      <disabled/>

Set specific URL to load on start-up

There are two OMA-URIs required for this: one to set the start-up URLs and the other to instruct Google Chrome to use the URLs listed.

Setting    Value
Name       Restore on Startup
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartup
Data Type  String
Value      <enabled/><data id="RestoreOnStartup" value="4"/>

Replace the URL to suit your needs:

Setting    Value
Name       Restore on Startup URLs
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs
Data Type  String
Value      <enabled/><data id="RestoreOnStartupURLsDesc" value="1&#xF000;https://letsconfigmgr.com"/>
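
The two list-type values above (ExtensionInstallForcelist and RestoreOnStartupURLs) pack numbered items into a single string separated by &#xF000;, and a payload copied with typographic quotes is no longer well-formed. The following Python is an added example, not part of the original post: it builds and checks such payloads before they are pasted into the profile. The function names are hypothetical, and the https requirement on the update URL is an assumed local rule.

```python
import re
import xml.etree.ElementTree as ET

SEP = "\uf000"                        # list delimiter, written &#xF000; in the payload
EXT_ID = re.compile(r"[a-p]{32}")     # Chrome extension ID: 32 letters in the range a-p
TYPOGRAPHIC = set("\u2018\u2019\u201c\u201d\u2033")  # curly quotes and double prime

def build_list_value(data_id, items):
    """Encode items as 1<SEP>item<SEP>2<SEP>item inside an <enabled/><data/> payload."""
    fields = []
    for n, item in enumerate(items, 1):
        fields += [str(n), item]
    return '<enabled/><data id="%s" value="%s"/>' % (data_id, "&#xF000;".join(fields))

def parse_list_value(payload):
    """Return (data_id, items) for a list-type payload, or raise ValueError."""
    if TYPOGRAPHIC & set(payload):
        raise ValueError("payload contains typographic quotes")
    try:
        root = ET.fromstring("<r>" + payload + "</r>")  # wrap the two sibling elements
    except ET.ParseError as exc:
        raise ValueError("payload is not well-formed: %s" % exc)
    data = root.find("data")
    if root.find("enabled") is None or data is None:
        raise ValueError("expected <enabled/> followed by <data .../>")
    fields = data.get("value", "").split(SEP)
    numbers, items = fields[0::2], fields[1::2]
    if numbers != [str(n) for n in range(1, len(items) + 1)]:
        raise ValueError("items must be numbered 1..n")
    return data.get("id"), items

def check_forcelist(payload):
    """Return the extension IDs in an ExtensionInstallForcelist payload after checks."""
    ids = []
    for item in parse_list_value(payload)[1]:
        ext_id, _, update_url = item.partition(";")
        if not EXT_ID.fullmatch(ext_id):
            raise ValueError("not a Chrome extension ID: %r" % ext_id)
        # Assumed local rule: when an update URL is given, it must be https.
        if update_url and not update_url.startswith("https://"):
            raise ValueError("update URL is not https: %r" % update_url)
        ids.append(ext_id)
    return ids
```

Comparing the IDs returned by check_forcelist against an approved list before deployment catches a mistyped or unexpected extension, which matters because force-installed extensions cannot be removed by the user.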

Set a specific homepage URL

As above, three OMA-URIs are required to set the homepage. Edit the homepage URL to suit your requirements:

Setting    Value
Name       Homepage Location
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
Data Type  String
Value      <enabled/><data id="HomepageLocation" value="https://letsconfigmgr.com"/>

Setting    Value
Name       Show Home Button
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/ShowHomeButton
Data Type  String
Value      <enabled/>

Setting    Value
Name       Disable Homepage is new tab page
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageIsNewTabPage
Data Type  String
Value      <disabled/>

The profile should look something like this:

Once all is set, deploy the configuration profile to a test device.

Verifying the results

On a synced Intune test device, open Google Chrome and the experience should be as follows:

Homepage, startup, managed favourites, bookmark bar, removal of the app’s icon and no default browser checks
Forced Extensions
Policy status from within Google Chrome

If you browse to chrome://policy, you’ll see policies set by the administrator, in this case from MEM:

Configuration profile status from MEM

Further reading

See my other posts on how to deploy customisations to Microsoft Edge and Mozilla Firefox.

I hope you found this blog entry useful, until next time….