This week is all about further simplifying management of the Google Chrome browser on Windows devices. The configuration of the Google Chrome browser was already possible by ingesting ADMX-files, by using PowerShell, or by using Chrome Browser Cloud Manager, but the IT administrator was always in for a sub-optimal experience. It was either a lot of work (when looking at ADMX-files), or it provided limited reporting capabilities (when using PowerShell), or it was a completely separate solution (Chrome Browser Cloud Manager). Non of those were optimal. The great thing is that with the latest service release of Microsoft Intune (2203), the Settings Catalog (and the Administrative Templates) now also include settings for the Google Chrome browser. That enables the IT administrator to simply use the available configuration options within the Microsoft Endpoint Manager admin center portal to configure settings for the Google Chrome browser. From a technology perspective those settings still rely on ADMX-ingestion. The best part: the related ADMX is maintained by Microsoft (in Microsoft Intune). This post will go through the simplified steps to configure settings of the Google Chrome browser and will show the configuration results on a Windows device.
Configuring the Google Chrome browser on Windows devices
When looking at configuring the Google Chrome browser on Windows devices, the focus of the IT administrator can be on a single place: the Settings Catalog. Even though the settings are also available via Administrative Templates, the Settings Catalog is the most future proof configuration path. That also makes the configuration steps pretty straight forward. The following eight steps walk through the creation of the Settings Catalog profile, with the required settings.
- Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create profile
- On the Create a profile blade, provide the following information and click Create
- Platform: Select Windows 10 and later to create a profile for Windows 10 devices
- Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
- Name: Provide a name for the profile to distinguish it from other similar profiles
- Description: (Optional) Provide a description for the profile to further differentiate profiles
- Platform: (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
- Click Add settings and perform the following in Settings picker
- Select Administrative Templates > Google Chrome > Extensions as category
- Select Configure the list of force-installed apps and extension as setting
- Configure the selected setting with the following values
- Switch the slider to Enabled
- Provide with the sub-setting Extension – App IDs and update URLs to be silently installed (Device) the extensions that should automatically and silently be instaled
Note: This example uses ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx to install the Windows Accounts extension.
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
User experience with the configured Google Chrome browser
When looking at the user experience with the configured Google Chrome browser, the user itself will only notice a smooth experience with potentialy some preconfigured settings. So, from that perspective there is nothing special to see. However, when looking in a bit more details, it gets interesting. Especially when looking at the Event Viewer in combination with the Google Chrome browser. That enables the user (well actually the IT administrator) to relate the configuration via Microsoft Intune with the configuration in the browser. The following six points walk through the most interesting pieces.
- The information in the Event Viewer about the policy setting that is succesfully configured. In this case the ExtensionInstallForcelist to force the installation of an extension.
- The information in the Event Viewer about the area of the policy setting that is succesfully configured. In this case the path to the setting in the automatically ingested ADMX-file.
- The information in the Event Viewer about the value of the policy setting that is successfully configured. In this case the XML-value to enable the setting and to add the Windows Accounts extension.
- The information in the Google Chrome browser about the configured policy setting. In this case the ExtensionInstallForcelist to force the installation of an extension.
- The information in the Google Chrome browser about the configured value of the policy setting. In this case the configured value for the installation of the Windows Accounts extension
- The visual in the Google Chrome browser that shows the installation of the Windows Accounts extension.
For more information about configuring the Google Chrome browser on Windows devices, refer to the following docs.
10 thoughts on “Further simplifying management of the Google Chrome browser on Windows devices”
Hi Peter. My understanding is that each extension should include the Update URL in it’s manifest file. Is including it in the policy required?
That’s what the example is showing. The extension and the update URL.
I can;t add extensionID and update URL in one row. When paste text, url auto replace to second row. This is correct?
Yes, that could be. As long as you don’t configure anything in that line, there is no problem.
This is not correct and probably a UI issue, in our testing it resulted in an error applying the profile. The way you can work around this is by importing a CSV that contains id;updateURL and it will import as one line and stay that way if you don’t touch it.
Ah, I misread that in the question. That indeed must be a recent UI issue, as it wasn’t the case initially.