Locking down Google Chrome (Windows/Mac)

[Stephen Gale]

We are in process of moving to Chromebooks at our school district, but there is always the push to make existing technology last longer.  I undertook the process of changing some netbooks to Chrom(ium)books which took a considerable amount of time.  Now I am working on simplifying the existing PC/Mac computers we have while we wait for the next fiscal year when we can afford more Chromebooks.  I thought that some of you may appreciate what I've done, so I thought I'd share it with you.

Macintosh

First I unbound all of our Mac machines from our domain and created a new user.  After removing all the other users except the Administrator account and our State Testing account, I setup the new user (hereafter "Student") with the settings and Apps that I wanted.  I also changed the permissions for the apps I didn't want users accessing to ug=wrx o= and the user/group all set to root:admin.  I also removed the sticky bit with a chmod -t on all the applications I didn't want users seeing (Safari, iTunes, System Preferences all come to mind).  The only app that Student has full access to is Google Chrome.

Next I set the Chrome settings.  This is probably the most important in the daily operation since without proper setup, taking your PC off the domain leaves you open to anonymous browsing.  The per-user settings on the device are located at ~/Library/Preferences/com.google.Chrome.plist and the keys that the plist accepts are found at chrome://policy and check the box in the top right that says "Show policies with no set value".  Or you can read through http://www.chromium.org/administrators/policy-list-3 which contains all the policies, what the expected value is, and what platforms they work on.

Here is the output from Student's defaults read com.google.Chrome.plist

 {

    AutoFillEnabled = 0;

    ForceSafeSearch = 1;

    HomepageIsNewTabPage = 0;

    HomepageLocation = "chrome://chrome-signin/?source=0";

    IncognitoModeAvailability = 1;

    LastRunAppBundlePath = "/Applications/Google Chrome.app";

    NSNavLastRootDirectory = "~/Downloads";

    NSNavPanelExpandedSizeForOpenMode = "{712, 514}";

    "New Key" = "";

    PasswordManagerEnabled = 0;

    RestrictSigninToPattern = "*@wgsd.us";

    SafeBrowsingEnabled = 1;

    URLBlacklist =     (

        "http://*",

        "https://*"

    );

    URLWhitelist =     (

        "accounts.google.com",

        "accounts.youtube.com",

        "clients1.google.com",

        "clients2.google.com",

        "clients3.google.com",

        "clients4.google.com",

        "cros-omahaproxy.appspot.com",

        "dl.google.com",

        "dl-ssl.google.com",

        "www.googleapis.com",

        "m.google.com",

        "omahaproxy.appspot.com",

        "safebrowsing-cache.google.com",

        "m.safebrowsing-cache.google.com",

        "safebrowsing.google.com",

        "ssl.gstatic.com",

        "tools.google.com",

        "pack.google.com",

        "www.gstatic.com",

        "gweb-gettingstartedguide.appspot.com",

        "storage.googleapis.com",

        "commondatastorage.googleapis.com",

        "www.google.com/intl/en-US/chrome/blank.html"

    );

}

 

You will notice that the URLBlacklist key is set to "http://*, https://*" which blocks access to the internet until a user logs in.  In order to clear this value, you must have a managed account that changes the value to anything.  This is what I have in my admin console to clear the URLBlacklist.  It also populates in the chrome://policy page, but SaveToDrive won't take a screenshot of that.

This also prevents users from logging into their private gmail accounts, since the fields aren't cleared with unmanaged accounts.  Student accounts are set to Ephemerial mode which automatically logs them out if they close the browsing windows (Windows/Mac/Linux only).  The homepage is set to the Login to Chrome page, though occasionally after a student closes the window it goes to the new tab page instead.

Once Student account was the way I liked it (Google Chrome launch on startup, History empty, ChromeAppLauncher in Dock, mouse, power, login screen, and inactive logout settings), I logged into the Administrator account and use the Student account as a template.  I created a folder in /Library called Default and copied the user folder into the newly created folder.  Using "cp -Rp /Users/student /Library/Default/" preserved the permissions in the Template.

From here we have a blank starting point we can revert back to at anytime.  A simple bash script executes and reverts the profile back to our starting point.  Add in a LogoutHook and whenever someone logs out of an account, the profile resets.  Basically, a poor-man's DeepFreeze on an account.  Here's the script and command to create the LogoutHook

/Library/Default/refresh.sh 

!#/bin/bash

rm -rf /Users/student

cp -Rp /Library/Default/student /Users/student 

chown student:admin /Users/student

 and for the hook (as administrator);

sudo defaults write  com.apple.loginwindow LoginHook /Library/Default/refresh.sh

 

Make sure that the script is in the right location, is owned by root:admin and is executable (chmod 770 refresh.sh).  Test the script and hook by logging into the student account, changing some local setting like the background.  Then logout and log back in.  If the background went back to the original, it's working.

 

Windows 

Presently, I've done nothing other than push out Google Chrome with the preferences listed above in the plist file.  I have also restricted the application "iexplore.exe" to keep students from using alternative browsers.  I am toying with the idea of having a local account that the computers auto-login to or a local account with no password, but a large part of me wants to say screw it and leave them as they are. I don't want to have to manage a second set of login credentials (Active Directory & Google).  I know there are tools to do a one way sync, but it's the wrong way for what I'm wanting to do (they sync local to cloud, not cloud to local).  The ultimate goal is to get rid of both Windows and Mac and be 100% Google for Authentication, Authorization and Auditing.  Ok, so auditing is still a ways off, but that is the ultimate goal.

For those of you using OSX, I hope you find this helpful.  For Windows shops I hope you can glean something from it.  Feel free and comment or make any suggestions.  And Thanks to Kery at East Grand School District for helping with the DeepFreeze feature.

 

 

[Marion Bates]

WOW! I can't wait to get back from my conference and try this, especially on our older Macs. Thank you for the writeup!!!

-- MB

[Bill Long]

I LOVE your solution for locking down Chrome. We are Google Apps school and rolled out Chromebooks for Grades 6-12 this year. Most student computers in my District (other than Chromebooks) run Ubermix (Ubuntu based) Linux. I have very few Windows PCs that students use. I have a filter that forces Authentication to access the internet and uses Google Authentication to validate the user (so no NT Authentication). I have thought about configuring a chromium load for my labs vs Ubermix but have not taken on that yet. I have a few Chromboxes in use as well. Thanks to your post I can get a better idea on how to better lock down the Linux OS using your Mac tutorial (very similar). 

Thanks Again

CONFIDENTIALITY NOTICE: This email & attached documents may contain confidential information. All information is intended only for the use of the named recipient. If you are not the named recipient, you are not authorized to read, disclose, copy, distribute or take any action in reliance on the information and any action other than immediate delivery to the named recipient is strictly prohibited. If you have received this email in error, do not read the information and please immediately notify sender by telephone to arrange for a return of the original documents. If you are the named recipient you are not authorized to reveal any of this information to any other unauthorized person. If you did not receive all pages listed or if pages are not legible, please immediately notify sender by phone. http://harper.txed.net

[Ryan Collins]

This is what I set up for our older machines:

https://github.com/mrrcollins/gozbrowserbox

It installs Ubuntu which only launches Chrome, can run on Macs or Windows. On quit, the Chrome profile is deleted. With the remote browser set up we have iBook G4 still in service (they have to be plugged in, but they're pretty compact).

On Monday, November 17, 2014 11:11:56 PM UTC-5, Stephen Gale wrote:

[Anne]

Wow, Stephen, You are brilliant.  They are lucky to have you!

On Monday, November 17, 2014 11:11:56 PM UTC-5, Stephen Gale wrote:

[Kevin O'Donnell]

I have been wanting to try this on our older Dell Windows netbooks as they are a beast to keep updated.  I am going to try these suggestions to see if I can get them to work.  Do you think I can use management console on them if I have some extra licenses from dead Chromebooks?

I have three carts of them and they are not that old.  I tell this story to schools I assist in the transition to Google Apps and Chromebooks
"Periodically we need to bring laptop carts into the tech office to run Windows updates, Media updates, malware scans, etc.  It took an entire day to run updates on one cart of 25.  The following day we got a shipment of 75 Chromebooks.  We inventoried them unboxed them, enrolled them, labeled them, restarted to finish the update and set them up, with their power cords, in 5 carts. We had them out the door and into the classrooms for use before the end of the day.  I never have to see them again unless there is an issue with a device"

LOVE CHROMEBOOKS!!!!

On Monday, November 17, 2014 11:11:56 PM UTC-5, Stephen Gale wrote:

^{Confidentiality Notice: the information contained in this email and any attachments may be legally privileged and confidential. If you are not an intended recipient, you are hereby notified that any dissemination, distribution, or copying of this e-mail is strictly prohibited.} 

^{All email to and from @belmar.k12.nj.us is to be used for educational purposes}

[Kevin O'Donnell]

Although I think I am going to try this method for the netbooks http://lifehacker.com/5820358/how-to-turn-your-netbook-into-a-chromebook-with-chromium-os I may try your method with some old PCs I have as spares - that is when I get some spare time to play ;)

[Jonathan Sallée]

Hexxeh's builds, referenced in the Lifehacker article, are over; but Arnold the Bat still seems to be at it.

I have used ChromiumOS quite a little bit. There are a lot of issues with hardware, java, pdf, &c. Remember that everything proprietary used in ChromeOS is stripped out. I would use it, but I would not give it to my students.

Ryan Collins, you, sir, are a rock star.

Regards,

Jonathan T. Sallée, M.Ed.

Supervisor of Technology

Lincoln Elementary School District 156

410 West 157th Street

Calumet City, IL 60409

708.862.6620

--

--
You received this message because you are subscribed to the Google
Groups "Google Apps K12 Technical Forum" group.
To post to this group, send email to k12ap...@googlegroups.com
To unsubscribe from this group, send email to
k12appstech...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/k12appstech?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to k12appstech...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Stephen Gale]

I have done the Netbook-to-Chromebook and we have it as a cart in our science room.  It took less time overall to set up locked down Chrome Browser than make sure that all the Netbooks could connect due to the Broadcom NIC that is installed in the Netbooks.

Stephen Gale
Director of Technology
970-364-6196

-Sent from my Galaxy S4

You received this message because you are subscribed to a topic in the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/k12appstech/5o7xK2IX_ug/unsubscribe.
To unsubscribe from this group and all its topics, send an email to k12appstech...@googlegroups.com.

[Kevin O'Donnell]

I like the less time part so will try that first - thanks for that part of the info!!!

On Monday, November 17, 2014 11:11:56 PM UTC-5, Stephen Gale wrote:

[Lisa Fusco]

I have Lenovo x130e anyone know about converting them to Chrome OS. I know that it is a model type used for Chromebooks, but I'm not sure of the particulars.

--

--
You received this message because you are subscribed to the Google
Groups "Google Apps K12 Technical Forum" group.
To post to this group, send email to k12ap...@googlegroups.com
To unsubscribe from this group, send email to
k12appstech...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/k12appstech?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to k12appstech...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Lisa Fusco
Director of Educational Technology & Innovation

The Moriah School
53 S. Woodland Street
Englewood, NJ  07631
201-567-0208 ext. 325

 

[Stephen Gale]

Look into arnoldthebat.co.uk for chromium OS.  If you like, from there you can follow the guide here to "Upgrade" to ChromeOS.  The process is long and arduous since there isn't a netboot feature, although I have considered setting up one master ChromeBook and then launching TrinityRescueKit's mClone Server on it and mClone receiver on the Other devices to push out the image to them.

The problem with setting up Chromium on School owned devices is they are more difficult to lock down.  By default, anyone with a Google account can login and bypass the device settings, unless you enroll them in your school's Chrome Management.  To lockdown a Chromium device, or BYOD Chrome devices read here.

Stephen Gale

Director of Technology

West Grand School District

(970) 364-6196

You received this message because you are subscribed to a topic in the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/k12appstech/5o7xK2IX_ug/unsubscribe.
To unsubscribe from this group and all its topics, send an email to k12appstech...@googlegroups.com.

[Forgette, Trae]

How would you go about enrolling converted pc>chromebooks into the management console?  Strictly by user?

 

Trae

[Stephen Gale]

Enterprise Enrollment happens at first boot, before logging in.  You Press the Keys Ctrl+Shift+E and it brings up the Enterprise Enrollment Dialog box.  This will enforce "Device Settings" that are set in the admin console (admin.google.com > Device management > Device Settings) Without these, you have to follow the instructions listed in the link above in order to get features like RestrictLoginToPattern

For a list of Chrome Policies, you can goto chrome://policy and click the box by "Show policies with no set value" or goto http://www.chromium.org/administrators/policy-list-3  

Stephen Gale

Director of Technology

West Grand School District

(970) 364-6196

[Joel Lowsky]

Hi Steve,

I think you need to buy licenses before you enroll devices.  In my experience there is a "float" of licenses, maybe 5, so you can enroll one or two retail Chromebooks into an enterprise domain, but licenses are required for the vast majority of enrolled Chrome devices.

Joel

[Alex Wagner]

This is seriously brilliant stuff.  I've forwarded this information to a few of my co-workers, I get questions on how to do this all the time.  Thank you!!  

Do you guys use any sort of management technique on the students?

On Monday, November 17, 2014 10:11:56 PM UTC-6, Stephen Gale wrote:

[Stephen Gale]

For those who are looking to enroll Chromium devices in their enterprise enrollment, be aware that it does take up one of your licenses (retail $30). 

If you choose to install Chromium and do not do an enterprise enrollment, at least limit who can login to the device to your domain name.  This is done by logging into the device first, which sets you up as the owner.  From there, go to settings and under Users, manage other users.  Restrict who can login by checking the box and typing in *@yourdomain.com in the dialog box, replacing yourdomain.com with your domain, and clicking Save.  Make sure that the entry populates in the list of approved users, otherwise only the owner will be able to login to the device.

This method is far from perfect, but it at least prevents enforces your USER domain policies (not DEVICE) from Admin console to be applied to the users.

[Kevin O'Donnell]

I am looking at this from the standpoint of dell netbooks being bogged down by Windows. All I need the devices to do is go out to the Internet to access educational site and to use Google Apps.
I wonder if I can use management licenses from dead Chromebooks I have deprovisoned?
We have three shared carts for 1st - 3rd grade so I am not overly concerned by them logging in with other accounts. I am trying to make it easier for them and get a few more years out of the devices until I can get more Chromebooks
--

Confidentiality Notice: the information contained in this email and any
attachments may be legally privileged and confidential. If you are not an
intended recipient, you are hereby notified that any dissemination,
distribution, or copying of this e-mail is strictly prohibited.

*All email to and from @belmar.k12.nj.us <http://belmar.k12.nj.us> is to be
used for educational purposes*

[Stephen Gale]

If you're still using Windows, you won't need to use licenses at all. If you're moving to Chromium or ChromeOS, you can if you choose.  When I spoke with Google last about licenses, they said that deprovisioned licenses were spent and could not be repurposed.  They may have changed that position since last we spoke, and I do recall seeing something about it in a recent press release. 

If you need to get some clarification on how I was locking down Chrome Browser, feel free to send me a personal message or even call.  My Google Voice number is in my signature.

Stephen Gale

Director of Technology

West Grand School District

(970) 364-6196

[Stephen Gale]

Just a note with ChromiumOS.  You can install java and pepperflash and they do have Google's PDF Viewer pre-installed.  It takes quite a bit of research to get a build the way you like it and then you're likely not dealing with a verified boot, which is one of the major security advantages of ChromeOS over Chromium.

I will likely be testing the GozBrowserBox on a couple of our Windows machines. Thanks +Jonathan Sallée for making me aware of it.

[Stephen Gale]

For those running Linux, here is the chrome.json file used to make the lockdown adjustments to Chrome Browser.

chrome.json

I edited it using  Drive Notepad and saved it to my Google Drive so anyone can download it.  Feel free to make any changes you would like to.  The descriptions of the settings are commented out.  

If you would like the original unedited template from Google it can be found here along with the chrome.adm/chrome.admx for Windows domain machines.

[Andrew Schwab]

Kevin,

Check out http://ubermix.org/

andrew

-

Andrew T. Schwab

@anotherschwab

Google Certified Teacher - #GTAWA11 | Google Education Trainer

CUE Board Member | CETPA CCTO

LEC Leading Edge Certified Administrator & Professional Developer

"First they ignore you, then they laugh at you, then they fight you, then you win."

- Mahatma Gandhi

"In times of change learners inherit the earth; while the learned find themselves beautifully equipped to deal with a world that no longer exists."

- Eric Hoffer

To those who would lead:
http://www.jimklein.org/2011/05/to-those-who-would-lead.html

A must watch for every education technology leader:
http://www.youtube.com/watch?v=7vevGmzmWnI

"HOW to do Common Core, we already know WHY"

http://www.youtube.com/watch?v=_QnbOMn6NQw

[Kevin O'Donnell]

It looks awesome but a little tricky to install. I really want to turn them into "Chromebooks" for the management aspect of it.  I want devices that boot quickly and that I can push settings out through the admin console. Of course free and easy are important. Time is money and if it take me hours and hours to turn 75 into Chromebooks it is almost worth the money to just but Chromebooks 

^{All email to and from @belmar.k12.nj.us is to be used for educational purposes}

[Kevin O'Donnell]

I had some success - got the netbook to boot into Chromium but can install to the HD. I am stuck here.

Guess I could buy some usb keys to plug in but not optimal

[Stephen Gale]

Sec. Getting on my Chrome book instead of the phone.

Stephen Gale
Director of Technology

970-364-6196

-Sent from my Galaxy S4

You received this message because you are subscribed to a topic in the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/k12appstech/5o7xK2IX_ug/unsubscribe.
To unsubscribe from this group and all its topics, send an email to k12appstech...@googlegroups.com.

[Andrew Schwab]

Very easy to setup and install Ubermix. If it takes you more than 20 min to make a key and 5 min to install, I'd be  very surprised. There is even a chromeOS mode that boots them right into Chrome.

andrew

-

Andrew T. Schwab

@anotherschwab

Google Certified Teacher - #GTAWA11 | Google Education Trainer

CUE Board Member | CETPA CCTO

LEC Leading Edge Certified Administrator & Professional Developer

"First they ignore you, then they laugh at you, then they fight you, then you win."

- Mahatma Gandhi

"In times of change learners inherit the earth; while the learned find themselves beautifully equipped to deal with a world that no longer exists."

- Eric Hoffer

To those who would lead:
http://www.jimklein.org/2011/05/to-those-who-would-lead.html

A must watch for every education technology leader:
http://www.youtube.com/watch?v=7vevGmzmWnI

"HOW to do Common Core, we already know WHY"

http://www.youtube.com/watch?v=_QnbOMn6NQw

[O'Donnell, Kevin]

Does the Chrome Os mode act.like a chromebook?
Can it be managed?

Kevin M. O'Donnell
Belmar Elementary School
Technology Education and Support
Authorized Google Education Trainer

[Ryan Collins]

:-D

The GozBrowserBox uses Puppet manifests to configure the machine. For the adventurous it would be possible to fork the repo and modify the set up to use your own manifests, letting you re-configure the machines over the net. No point and click interface though, you would have to modify the Puppet manifest.

[Jonathan Sallée]

Andrew, thanks for the tip on Ubermix. I had kind of given up on it a while back, but the ChromeOS-style boot might make that worthwhile again.

Stephen, thanks for the +, but that was all Ryan Collins. Any pointers on that upgrade from ChromiumOS to ChromeOS? It looks like a nice option for getting all the little bugs resolved, but I am stalling out waiting for the recovery options. 

Kevin, on the machine I have been testing with the install command didn't work. I had to:

• shell
• sudo su
• password
• /usr/sbin/chromeos-install (which didn't work so...)
• /usr/sbin/chromeos-install --dst /dev/sda 
  

Regards,

Jonathan T. Sallée, M.Ed.

Supervisor of Technology

Lincoln Elementary School District 156

410 West 157th Street

Calumet City, IL 60409

708.862.6620

[Stephen Gale]

​There is a flag for legacy hard drives in ChromeOS​. I would imagine that this is necessary for the majority of older PCs being converted into ChromeBooks.

Rather than shell, at the start page, Press Ctrl+Alt+F2  Username: Chronos Password:password

Remount the root FS in rewritable mode

• sudo su
• mount -o remount, rw /

From there, I installed PepperFlash on to the USB drive so that when it is installed, it passes Flash onto the Chromebooks

• curl -L http://goo.gl/JL1An5 >> setup.sh
  

ensure that the script downloaded,

• cat ./setup.sh

if there is output, run the setup.  If not, you are likely not connected to the internet.  Connect and try again.

• ./setup.sh

Ok, Now you have Flash.  Next you want to install Chromium onto the device rather than the USB.  Most times I've had to run cgpt repair on the target drive to make sure the partitions are compatible with what chrome will be looking for.

• cgpt --repair sda
  

in the help for cgpt there is a listing for boot and a description of "Edit the PMBR sector for legacy BIOSes"  I've not had much experience with this since the BIOS I was working with was compatible, but I imagine that here is where some PCs will have a problem.

• cgpt legacy -e /dev/sda
  
• /sbin/chromeos-install --skip_dst_removable --dst /dev/sda --yes
  

cross your fingers, shutdown, reboot without USB drive.

• shutdown -h now

Note: I did not do the cgpt legacy -e /dev/sda command.  I would recommend against it, but if it doesn't work without it, try it with.

Stephen Gale

Director of Technology

West Grand School District

(970) 364-6196

You received this message because you are subscribed to a topic in the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/k12appstech/5o7xK2IX_ug/unsubscribe.
To unsubscribe from this group and all its topics, send an email to k12appstech...@googlegroups.com.

[Stephen Gale]

Just discovered a new "must have" on this lockdown browser.

chrome://flags/#enable-account-consistency = Enabled

This setting will make it so that the settings set on the browser are passed to logging into and out of Google services. Translation: If your browser only allows users from your domain to login, users can't add another account that is outside of your domain.  This along with Multiple Sign-in Access solidifies any setup.

If only there was a way to force-enable the flag through the Admin Console...

[drezac]

I was looking to re-purpose some older laptops (DELLS) as quasi-Chromebooks. Would this work for that purpose? 

On Wednesday, November 19, 2014 at 12:49:57 PM UTC-6, Ryan Collins wrote:

This is what I set up for our older machines:

https://github.com/mrrcollins/gozbrowserbox

It installs Ubuntu which only launches Chrome, can run on Macs or Windows. On quit, the Chrome profile is deleted. With the remote browser set up we have iBook G4 still in service (they have to be plugged in, but they're pretty compact).

[Stephen Gale]

We have done this for our 7  year old DakTek devices. It helps with speed since users don't log in to AD, only to Chrome. 

Stephen Gale
Director of Technology

970-364-6196

-Sent from my Galaxy S4

--

[Ryan Collins]

That's the main reason I set up https://github.com/mrrcollins/gozbrowserbox

(I do need to revisit it, right now adding wireless connections is a pain.)

[Kevin O'Donnell]

They are text boxes within table cells - and they are absolutely horrible to work with.  Your best options are to build what you want in either a Google Doc and embed it OR build it in a HTML wysiwig web editor and copy the HTML over OR if you know CSS use that to position what you want where you want it