This week is all about simplifying the management of the Google Chrome browser. I’ve done my fair share of posts about different methods for managing settings for the Google Chrome browser, by using Microsoft Intune, like for example by using ADMX-files or by using PowerShell, but it can be easier. It can also be achieved by using Chrome Browser Cloud Management. Chrome Browser Cloud Management is a cloud-based solution that enables the management of the Google Chrome browser across Windows, Mac and Linux devices. In this post I’ll start with a short introduction about Chrome Browser Cloud Management, followed by the steps to enrol Windows devices by using Microsoft Intune. I’ll end this post by looking at the end-user experience.
Note: Keep in mind that this post is only intended to provide a simple management solution for the Google Chrome browser. Please make your own consideration if this would be added value for your organization.
Introduction to Chrome Browser Cloud Management
Let’s start with a short introduction to Chrome Browser Cloud Management. Chrome Browser Cloud Management provides the IT administrator with a unified managed experience across Windows, Mac and Linux devices via a single cloud-based console. That removes the need to use different management tools for different platforms when managing Google Chrome across the organisation. Besides that, it can even provide benefits when managing a single platform. Even in combination with Microsoft Intune. At this moment, Microsoft Intune can provide some challenges with managing Google Chrome, as it would require the use of either PowerShell scripting or ADMX-files. Both, at this moment, time intensive activities. In that case, using Chrome Browser Cloud Management would add an additional management tool, but would save time in configurations.
Chrome Browser Cloud Management provides a method to enroll Google Chrome browsers by providing an enrollment token to the browser. On Windows devices that can be achieved by applying a simple registry key. Once the Google Chrome browsers are enrolled, the Chrome Browser Cloud Management enables the management over user settings and apps and extensions. Both contain some often used configurations. Below are a couple of examples of often used configurations. Figure 1 shows how to easily configure the Homepage and Page to load on startup setting and Figure 2 shows how to easily add the Windows 10 Accounts extension.
Figure 2: Configure apps and extensions
Enroll cloud-managed Google Chrome browsers
Now let’s continue by looking at enrolling Google Chrome browsers. Basically that requires two actions. The first actions is to generate the enrollment token and the second action is to enroll Google Chrome browsers by using the enrollment token.
Action 1: Generate enrollment token
The first action is to generate and enrollment token. That token will be used for enrolling the Google Chrome browsers. The following four steps walk through the process of generating that token.
- Open the Google Admin console and navigate to Devices > Chrome management > Managed browsers to open the Managed browsers page
- On Managed browsers page, on the right bottom of the screen click on the + button to open the Chrome Browser Cloud Management License Agreement dialog box
- On the Chrome Browser Cloud Management License Agreement dialog box, click I ACCEPT to generate an enrollment token and to open the Enrollment token dialog box
- On the Enrollment token dialog box, click the copy sign to copy the enrollment token and click DONE.
Figure 3: Get the enrollment token
Note: I’m not downloading the registry file, as I think that it’s easier to deploy the enrollment token by using a PowerShell script.
Action 2: Enroll Google Chrome browsers on Windows devices
The second action is to enroll Google Chrome browsers on Windows devices by using the generated enrollment token. For that purpose I’ve created a small PowerShell script that will be deployed via Microsoft Intune. That means two steps. The first step is to create the PowerShell script and second step is distribute the PowerShell script via Microsoft Intune.
Let’s start with the first step. The following PowerShell script provides a simple example that will create the registry path and key if needed. Simply add the copied enrollment token as the value of the $KeyValue variable.
[gist https://gist.github.com/pvanderwoude/212b88124c2357b022f986bbeb45e07b /]
The second step is to distribute the PowerShell script by using Microsoft Intune. That will make sure that the enrollment token applied to the Windows devices, which will trigger the Google Chrome browser to enroll. The next seven steps walk through the deployment of the PowerShell script.
- Open Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > PowerShell scripts to open the Windows | PowerShell scripts blade
- On the Windows | PowerShell scripts blade, click Add to open the Add PowerShell script wizard
- On the Basics page, provide the following information and click Next
- Name: Provide a valid name for the PowerShell script
- Description: (Optional) Provide a description for the PowerShell script
- On the Script settings page, provide the following configuration and click Next
- Script location: Select the PowerShell script
- Run the script using the logged on credentials: Select No to run the script in SYSTEM context
- Enforce script signature check: Select No
- Run script in 64-bit PowerShell Host: Select Yes
- On the Scope tags page, configure any additional scope tags for this PowerShell script and click Next
- On the Assignments page, configure the assignment of this PowerShell script and click Next
- On the Review + add page, review the settings and click Add
Figure 4: PowerShell script configuration
Let’s end this post by having a look at the end-user experience. Below I’ve provided a few examples of the experience for the end-user. Figure 5 provides an overview of the applied registry key and its value and Figure 6 provides an overview of the Google Chrome browser and the applied policies. The latter shows the managed state of the Google Chrome browser and the applied Chrome policies. With those Chrome policies it provides the source of the policy, which is Platform for the cloud management enrollment token configured via Microsoft Intune and Cloud for all policies configured via Chrome Browser Cloud Management, and the policy name and value. The shown Chrome policies – and their results – are the examples provided in the introduction.
Figure 5: Applied registry configuration Figure 6: Result Google Chrome browser
Note: An administrator can also look at the enrolled browsers in the Google Admin console by navigating to Devices > Chrome management > Managed browsers.
For more information about cloud-management of the Google Chrome browser, refer to the documentation about Cloud-managed Chrome Browser.