Policy won't set-Linux

[Justin Taylor]

Ubuntu 20.04.3 LTS

Chromium 93.0.4577.63

I'm trying to set some policies on my laptop, which I've never done before.  I went through the instructions (https://www.chromium.org/administrators/linux-quick-start).  I had to create /etc/opt/chrome/ and  /etc/opt/chrome/policies/which wasn't included in those instructions.  I downloaded the master_preferences sample, copied and renamed per the docs.  At the bottom of the recommended policies, I added the policies supplied by the software vendor.  I started Chromium and chrome://policy showed nothing set.  I searched Google, but I can't find anything on how to troubleshoot this.

Can someone link a doc or point me in the right direction?  TIA

FWIW, here are the poilicies:

, "AuthNegotiateDelegateAllowlist" : "url_here"
, "AuthNegotiateDelegateWhitelist" : "url_here"
, "AuthServerAllowlist" : "url_here"
, "AuthServerWhitelist" : "url_here"

[Julian Pastarmov]

Hello,

On Saturday, September 4, 2021 at 2:33:52 PM UTC+2 jtayl...@gmail.com wrote:

Ubuntu 20.04.3 LTS

Chromium 93.0.4577.63

I'm trying to set some policies on my laptop, which I've never done before.  I went through the instructions (https://www.chromium.org/administrators/linux-quick-start).  I had to create /etc/opt/chrome/ and  /etc/opt/chrome/policies/which wasn't included in those instructions. 

It actually is included in the link you shared :) 

Create these directories if they do not already exist:

>mkdir /etc/opt/chrome/policies

>mkdir /etc/opt/chrome/policies/managed

>mkdir /etc/opt/chrome/policies/recommended

 

I downloaded the master_preferences sample, copied and renamed per the docs.  At the bottom of the recommended policies, I added the policies supplied by the software vendor.  I started Chromium and chrome://policy showed nothing set.  I searched Google, but I can't find anything on how to troubleshoot this.

The policy file is not the same as the master_preferences (btw also renamed to initial_preferences in recent versions of Chrome) file (which has some similar capabilities but is still a different configuration mechanism (see more info here). 

The policy file is a json file listing your preferences and should follow the syntax as outlined in the policy documentation page. For the policies you care about the value should be an array of strings instead of single string e.g.

"AuthNegotiateDelegateAllowlist": ["url_here", "url_here",...]

, "AuthServerAllowlist": ["url_here", "url_here",...]

I would suggest to run the final json through a validator just to be sure you have it all correct. Then you should be able to see the newly applied policies in chrome://policy.

Can someone link a doc or point me in the right direction?  TIA

FWIW, here are the poilicies:

, "AuthNegotiateDelegateAllowlist" : "url_here"
, "AuthNegotiateDelegateWhitelist" : "url_here"
, "AuthServerAllowlist" : "url_here"
, "AuthServerWhitelist" : "url_here"

Btw you don't need both the "*Allowlist" and "*Whitelist" policies. The old "*Whitelist" and "*Blacklist" policies have been replaced by the "*Allowlist" and "*Blocklist" policies for more inclusiveness. So unless you have very old Chrome versions in your environment you will only need the new ones.

Best,

Julian

[Justin Taylor]

I'm afraid that didn't work.  Chrome still shows no policies set.  I created these files:

-rw-r--r-- 1 root root 276 Sep  9 13:56 /etc/opt/chrome/policies/managed/managed_policies.json
-rw-rw-r-- 1 justin justin 276 Sep  9 13:52 /etc/opt/chrome/policies/recommended/recommended_policies.json

Both files contain the following:

{

    "AuthNegotiateDelegateAllowlist" : ["url_here"]

    , "AuthNegotiateDelegateWhitelist" : ["url_here"]

    , "AuthServerAllowlist" : ["url_here"]

    , "AuthServerWhitelist" : ["url_here"]

}   

Reference the deprecated policies, I'm working with server vendor support and they insist they're all mandatory.  I'm humoring them for now.

Thanks

[Julian Pastarmov]

Hi,

First I am sorry for misleading you about the format - you should indeed use a single string instead of an array of strings and comma-separate entries in it. So your format was correct. But regardless of the format error you should have been able to see the policies appear in chrome://policy at least with an error message about the wrong format

See this screenshot 

As you can see I have fixed only the format of AuthServerAllowlist to be just a string and it is accepted as correct (status is OK). You should be able to see a similar picture on your computer and if you fix them all to strings the two new ones will show OK while the deprecated will keep on saying that they are ignored because of the new ones which is expected. 

Best,

Julian

[Justin Taylor]

I've never seen any change in chrome:\\policy.  Nothing shows up by default, and if I show all policies the ones in question show as not set.

I'll try again with the new format and see if that just happens to make a difference.  I'll change the recommended_policies.json file to contains:

{

    "AuthNegotiateDelegateAllowlist" : "url_here"

    , "AuthNegotiateDelegateWhitelist" : "url_here"

    , "AuthServerAllowlist" : "url_here"

    , "AuthServerWhitelist" : "url_here"

}   

Thanks

[Julian Pastarmov]

Just a small comment you need to set those policies in the managed location not the recommended location because they don't support being set at the recommended level. In other words they need to go in /etc/opt/chrome/policies/managed/managed_policies.json from the two files you mentioned.

[Justin Taylor]

I've been setting identical values in both locations.  Unfortunately, still no policies are recognized.  Any idea what I should do next?

Thanks

[Julian Pastarmov]

Let's take the obvious out of the picture - you are running Google Chrome right? Not some other Chromium clone?

You can try to run chrome with --enable-logging and see if any error messages show up on the console that might point you towards what else might be going on.

--

Julian Pastarmov |

Software Engineer |

pasta...@google.com |

+41 79 7499344

[Justin Taylor]

I'm desperate to get this moving so I installed the closed source Google Chrome version.  The policies show up there.

[Justin Taylor]

i just saw your question about what Chromium I'm running.  It's from the Ubuntu repo, so I assume it's the official version.

[Torne (Richard Coles)]

There isn't an "official" version of Chromium. /etc/opt/chrome is only checked by Google Chrome. For Chromium the usual path is /etc/chromium as the docs say.

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

[Justin Taylor]

I'm not sure what's considered "official".  Chromium says official, which is all I have to go on.

Version 93.0.4577.82 (Official Build) snap (64-bit)

I missed that in the docs.  Kind of misleading for the Chromium docs to give Chrome examples that won't work in Chromium.

Thanks

[Torne (Richard Coles)]

On Mon, 20 Sept 2021 at 09:24, Justin Taylor <jtayl...@gmail.com> wrote:

I'm not sure what's considered "official".  Chromium says official, which is all I have to go on.

Version 93.0.4577.82 (Official Build) snap (64-bit)

That means "as opposed to a development build"; it doesn't mean anything else in the context of Chromium (it doesn't mean that this isn't a modified/forked version of the code, and it doesn't mean there's any support from anyone).

I missed that in the docs.  Kind of misleading for the Chromium docs to give Chrome examples that won't work in Chromium.

Many paths/etc are controlled by whether the build is branded as Google Chrome. The docs explain both because they're a general reference for how the configuration mechanism works and many people actually are trying to configure Chrome.