Managing Google Chrome version 69 and later using Intune

Google Chrome has a great set of Group Policy settings, which makes it possible to use Chrome even in environments with high security requirements. We can also apply these settings with Intune, as it supports ADMX ingestion and ADMX-backed policies.
Google Chrome version 69 and later supports ADMX-backed policies (Windows 10 1703 or later) delivered through Intune.

Let’s see how we can configure Chrome using Intune.

One of the things we might want to configure is the forced installation of Chrome extensions such as:

Windows Defender Browser Protection extension, which will protect you from suspicious and malicious sites.

https://chrome.google.com/webstore/detail/windows-defender-browser/bkbeeeffjjeopflfhgeknacdieedcoml 

Windows 10 Accounts extension, which gives the possibility to use your Azure AD account for websites and for Conditional Access in Chrome, so that it can be recognized as a managed device.

https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji

In this example we will configure the following:

  • Configure the Home Button
  • Forcefully install the two extensions above

  1. Create a custom Intune Configuration Profile for Windows 10 and later, which we will use to ingest the Chrome.ADMX file to the clients. Create it with the settings shown below.
    OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
    Data type: String
    Value: copy all the content from the Chrome.ADMX file into the “String” value field, and then assign the profile to a test client.
  2. Verify that it works by looking in the registry of the test client under HKLM\Software\Microsoft\PolicyManager\ADMXInstalled
    There you should see ChromeADMX added.
  3. Create a new Configuration Profile that uses the Chrome.ADMX file we just ingested. Select a new Profile for Windows 10 and later and a Custom profile type. Then add a new OMA-URI for each setting we want to configure. It will look like this when we are finished:

    Show Home Button:
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ShowHomeButton
    Data type: String
    Value: <enabled/>

    Forcefully Install extensions:
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
    Data type: String
    Value: <enabled/>
    <data id="ExtensionInstallForcelistDesc" value="1&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx"/>
    NOTE: “&#xF000;” is the character sequence used as the separator between fields. The quotes around the attribute values must be plain straight quotes.
  4. Then we assign the Configuration Profile to our test client
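
The ExtensionInstallForcelist value is easy to break when edited by hand, so here is an added example (not part of the original post and not Google or Microsoft tooling) that builds the Value field from a list of extensions and parses an existing value back for review. The function names and the HTTPS-only, no-special-characters rule for the update URL are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

SEP = "&#xF000;"  # separator as written in the Value field (XML reference to U+F000)
DATA_ID = "ExtensionInstallForcelistDesc"
EXT_ID = re.compile(r"[a-p]{32}")  # Chrome extension IDs: 32 letters in the range a-p
DATA_RE = re.compile(r'<data\s+id="([^"]*)"\s+value="([^"]*)"\s*/>')

def check_entry(ext_id, update_url):
    """Raise ValueError unless the ID is well formed and the update URL is plain HTTPS."""
    if not EXT_ID.fullmatch(ext_id):
        raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    parts = urlsplit(update_url)
    if parts.scheme != "https" or not parts.netloc or re.search(r'["<>&;\s]', update_url):
        raise ValueError(f"unsafe update URL: {update_url!r}")

def build_forcelist_value(entries):
    """entries: iterable of (extension_id, update_url) -> text for the Value field."""
    fields = []
    for n, (ext_id, url) in enumerate(entries, start=1):
        check_entry(ext_id, url)
        fields += [str(n), f"{ext_id};{url}"]
    return f'<enabled/>\n<data id="{DATA_ID}" value="{SEP.join(fields)}"/>'

def parse_forcelist_value(value):
    """Decode a Value field back into [(extension_id, update_url)] for review."""
    if re.search("[\u201c\u201d\u2018\u2019]", value):
        raise ValueError("typographic quotes in value; attributes need straight quotes")
    m = DATA_RE.search(value)
    if "<enabled/>" not in value or not m or m.group(1) != DATA_ID:
        raise ValueError("expected <enabled/> and a data element for " + DATA_ID)
    # Accept both the written reference and the raw U+F000 character.
    fields = m.group(2).replace(SEP, "\uf000").split("\uf000")
    if len(fields) % 2:
        raise ValueError("index/entry fields are not paired")
    result = []
    for n, (index, entry) in enumerate(zip(fields[0::2], fields[1::2]), start=1):
        if index != str(n):
            raise ValueError(f"expected index {n}, found {index!r}")
        ext_id, _, url = entry.partition(";")
        check_entry(ext_id, url)
        result.append((ext_id, url))
    return result

# The two extensions from this page, with the update URL the page uses.
CRX = "https://clients2.google.com/service/update2/crx"
PAGE_ENTRIES = [("bkbeeeffjjeopflfhgeknacdieedcoml", CRX), ("ppnbnpeolgkicgegkbkbjmhlideopiji", CRX)]
if __name__ == "__main__":
    print(build_forcelist_value(PAGE_ENTRIES))
```

Running the parser over the value stored in an existing profile gives a reviewable list of which extensions are force-installed and where they update from.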

On the clients, we can see that the policies are applied either by entering chrome://policy/ as the URL in Chrome or by checking the HKLM\Software\Policies\Chrome registry key.

And when starting Google Chrome, the extensions are automatically installed.

Note that not all policies seem to work, as many of the Group Policies for Google Chrome only work on devices that are AD joined.

References: https://support.google.com/chrome/a/answer/9102677?hl=en
