Locking down Chrome(ium) for the Enterprise on Windows


hesh

Sep 27, 2010, 12:29:07 PM
to Chromium-discuss
In addition to the use of Managed Policy files on Windows, does anyone
know if there is a way to distribute these locked-down policies on a
network install of Chrome so we can pick it up when the binary starts
up? I was looking at the Linux setup and it would be great if Chrome
will pick up the policies set in:

policies/managed/test_policy.json

Basically we don't have support for centralized .admx files which
would be ideal (we're using Windows XP) and .adm won't be easy for us
to push out to users if we need to update them quickly. If we can
have Chrome installed on a network share and locked-down using these
policy files everything would work out perfectly.

Does anyone know if that's currently possible without recompiling
Chrome from source or making any further changes? By the way, great
job adding enterprise support!

Thanks,
Hesham

Markus Heintz

Oct 4, 2010, 8:09:06 AM
to Chromium-discuss
Hi Hesham

Could you please provide a little bit more information about your
setting?
- What OSes are you running? Is it Win XP only?
- Are your machines in a Windows Domain or Workgroup?
- Why don't ADM files work in your case?
- When you talk about pushing updates to users quickly, how quick is
quickly?

hesh

Oct 4, 2010, 11:06:55 AM
to Chromium-discuss
Hi Markus,

I'd love to provide a bit more info :)

- OSes are currently almost all Windows XP and will be for at least a
year or two I'd say
- Windows Domain
- ADM files do work but we'd have to have another group push
them out for us
- Pushing updates quickly is more like in the case of simply
restarting the app they will get the new policy settings

So, in an ideal situation, if we could have the Windows install
directory out somewhere on a locked-down network drive with a
preferences file that locks down our policy and not just our default
settings, essentially like the Linux model, it would make releasing
Chrome internally much more feasible and easier to support without
getting other groups involved. I see the code in Chromium already
compiles out the Linux code based on environment, but I don't see why
both can't co-exist having the ADM policy possibly be a higher
priority than the locked down preferences file or vice-versa.

The only reason I ask is that I work for a rather large company and
it's very hard for users to actually get things released so having
certain features available by default would make it much easier to
convince the other groups involved to get it released. I think for
now what I might do is have all the registry keys copied over with the
binary through some script on startup to ensure we always have the
group policy set. But again, if Chrome were to read and honour that
policy file on startup it would be more secure and fewer chances for
users to get around that policy without somehow hacking the binary
file.

Regards,
Hesham

hesh

Oct 4, 2010, 11:08:46 AM
to Chromium-discuss
Also, some more colour: "the ADM files do work but we'd have to have
another group push them out for us", forgot to add that the other
group supports all the Windows machines for the firm so is very
unlikely to add special policies for just one application that isn't
going to be used by everyone at the firm.

Regards,
Hesham

Markus Heintz

Oct 5, 2010, 8:11:18 AM
to Chromium-discuss
So far we have no plans to support configuring Chrome policy on
Windows through configuration files (in addition to Group Policy). But
it's an exciting idea we will explore.

Supporting arbitrary policy-directories however might be difficult,
because you must prevent the user from changing the configuration
directory. Otherwise a user could just point Chrome to a different
directory and load its own policies or none at all. In order to make
your idea work, you would need to point Chrome to a custom directory
where you store your policy definitions and which you lock down
afterwards. But how would you prevent the user from pointing Chrome to
another directory?

Anyway your suggestion raises an interesting point and we will
definitely think about this. But there is no plan to support this yet.
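
An added example, not part of any post in this thread and not Chromium code: an audit of the lock-down condition raised above, which refuses to load a policies/managed directory unless the directory, its ancestors and every file in it are owned by a trusted account and not group- or world-writable. It assumes POSIX permissions as in the Linux setup mentioned earlier; the function names, the `anchor` parameter and the sample policy value are constructed for illustration.

```python
import json
import os
import stat
import tempfile

def audit_policy_tree(policy_dir, anchor="/", trusted_uids=(0,)):
    """Return (path, problem) findings; an empty list means locked down."""
    policy_dir, anchor = os.path.realpath(policy_dir), os.path.realpath(anchor)
    # The directory, every ancestor up to `anchor`, and each policy file:
    # write access to any of them lets a user swap in their own policy.
    targets, path = [], policy_dir
    while True:
        targets.append(path)
        if path == anchor or os.path.dirname(path) == path:
            break
        path = os.path.dirname(path)
    targets += [os.path.join(policy_dir, n) for n in sorted(os.listdir(policy_dir))]
    findings = []
    for p in targets:
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            findings.append((p, "symlink"))
        elif st.st_uid not in trusted_uids:
            findings.append((p, "untrusted owner"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p, "group/world writable"))
    return findings

def load_managed_policies(policy_dir, **audit_args):
    """Merge *.json policies, refusing a tree that fails the audit."""
    findings = audit_policy_tree(policy_dir, **audit_args)
    if findings:
        raise PermissionError(f"policy tree not locked down: {findings}")
    merged = {}
    for name in sorted(os.listdir(policy_dir)):  # later files win (this example's choice)
        if name.endswith(".json"):
            with open(os.path.join(policy_dir, name)) as fh:
                merged.update(json.load(fh))
    return merged

def build_demo_tree():
    """Constructed sample: <tmp>/policies/managed/test_policy.json."""
    base = tempfile.mkdtemp()
    managed = os.path.join(base, "policies", "managed")
    os.makedirs(managed)
    for d in (os.path.join(base, "policies"), managed):
        os.chmod(d, 0o755)
    policy_file = os.path.join(managed, "test_policy.json")
    with open(policy_file, "w") as fh:
        json.dump({"HomepageLocation": "https://intranet.example"}, fh)
    os.chmod(policy_file, 0o644)
    return base, managed, policy_file
```

On a real deployment the audit would run with the default `anchor="/"` and `trusted_uids=(0,)`; the demo tree narrows both so it can be exercised from an unprivileged temporary directory.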

hesh

Oct 5, 2010, 10:00:47 AM
to Chromium-discuss
Thanks for considering this. Obviously the only way to truly lock it
down is to ensure that they don't just copy the binary or install
folder and run directly. The thing is that any user that is able to
do that can probably get around most of the restrictions anyways on
their personal machine, ADM or otherwise. This is more of a way of
making it easier to configure and set the policy without needing to
touch so many machines and have the ability to update that policy
simply by having them restart their browser. I don't think polling a
network drive for changes in the policy file would be very useful as
it probably won't change much anyways. Another way for us to lock it
down better is to compile Chrome from source and point it to a
specific location for the policy file, but again, that's overkill as
anyone that truly wants it could probably email the installer to
themselves with a different extension to circumvent our browser
firewall then install it locally :) My only reasoning for this
request is for ease of deployment and support and not necessarily from
a 100% enforcement of policy :)

Thanks again for your time and consideration!