UserAllowList to restrict users allowed to login to device

[Jeffrey Kurpaska]

Hello All,

I want to try and restrict logins to chromebooks to specific users and not allow logins by others. Looks like it's a policy setting ?

Is it possible via GAM to set values for DeviceUserAllowlist and DeviceAllowNewUsers ?

and have you seen any sample code ?

thanks as always !

--

Jeff Kurpaska

[Ross Scroggs]

Jeffrey,

You can only do this by OU.

gam update chromepolicy chrome.devices.SignInRestriction deviceAllowNewUsers RESTRICTED_LIST userAllowlist test...@domain.com,test...@domain.com ou /Test

Ross

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CABYJDDGesDsG2zoAFScxsfpkUuB%2BH%3DOF_6KXaAGYJHQi3ENWMA%40mail.gmail.com.

--

Ross Scroggs

ross.s...@gmail.com

[Kim Nilsson]

Jeffrey,

So if you create individual OUs for all of your devices, you can use this setting to restrict each individual device.

If you have 50 devices, that's 50 OUs. If you have 25 000 devices, that's 25k OUs. It quickly gets out of hand.

An alternative is to use a Chrome extension called oneTwoOne, actually created by Jay Lee (creator of GAM).

Then you push the Chromebook owner email into the attribute Location on each device, and nobody else will enjoy using the device. :-)

No need for separate OUs.

[Corey Schneer]

Kim, do you use this method? The chrome extension is quite out of date. When you say they won't enjoy it, how do you mean? There isn't much information out there on oneTwoOne

[Kim Nilsson]

No, I don't do any of this, as we don't consider it a problem, and just don't want to do the extra work, because it's not worth it.

Cost vs benefits just doesn't justify it.

--

/Kim

--

There is No Substitute!

[Jay Lee]

The oneTwoOne extension isn't terribly complex so if you have any understanding of programming it wouldn't take a ton of work to get it going for your needs.

I do agree with Kim that you should be asking if this is a good problem to solve with technology or if other processes may work better and be less time consuming.

Jay

--

You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFuFX4OU9jz1Wcwyiz-PFa9RHuZYa%3DVuBjfgjvJbjhHHvA%40mail.gmail.com.

[Kim Nilsson]

There is the exact amount of documentation needed to make it work.--

[Paul S]

Hello Jay,

I test tried this extension and it works pretty well. Only thing I would like to do is change the blocked text from "You are not allowed to use this device. Please log off." to something different like "This is not your assigned Chromebook. If you can't locate your assigned Chromebook, please check with your teacher or the tech department."

I would love to know if there is any way to do it, even if by hosting with a different extension ID.

Thank a lot for all these tools and support!

Paul

[Ross Scroggs]

I don't see a policy that let's you change the message.

Ross

This e-mail communication (including attachments) contains confidential and privileged information which is intended for the individual(s) or entity(ies) to whom this e-mail is addressed. If you are not an intended recipient, you are notified that any forwarding, copying, disclosure, distribution, or use of this e-mail and any of its contents or attachments is prohibited. The recipient should check this e-mail and any attachments for the presence of malware. Twin Rivers Charter School has taken reasonable precautions to ensure no viruses are present in this e-mail, it accepts no liability for any loss or damage arising from the use of this e-mail or attachments.

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0cfb701a-f8a4-4930-843f-8a6123f13117n%40googlegroups.com.

--

Ross Scroggs

ross.s...@gmail.com

[Paul S]

Thanks for your reply, Ross!  Yes, I don't think there is any policy to change the message. The message is coming from the html file that's part of the extension. I was wondering if there is any way the message could be changed.

[Kim Nilsson]

Yes, you can copy Jay's, adjust and publish your own extension.

Alternatively, Jay could edit his to accept JSON information from the admin console.

Either way, someone has to publish a new version to adjust built-in text.

[Paul S]

Thank you, Kim! I was wondering if it's okay to download, edit, and publish as your own?

Does Google/admin console allow extensions from alternate sources other than publishing to the Chrome store?

[Kim Nilsson]

Yes, but I don't know how.

You are also OK to publish it privately so it's only available for your organisation.

[Paul S]

Yes, that's what I was thinking – publishing it privately and adding by ID. I don't have the developer account though.

I'm really interested in knowing if there's a way to install from a local source, google drive etc., or some other way without publishing it to the Store. I know you can enable the Chrome developer setting and install from local storage, but that's not a solution for production.

Thanks for all the help!

Paul

[Kim Nilsson]

Just sign up for one.

But it's best to do it with a impersonal utility account, and not your own accoun, in case you leave the organisation.

[Paul S]

Thanks for all the help, Kim and Ross! I think that's the way to go.

[Jay Lee]

Note that One2One is using Chrome extension manifest v2 and when Google finally deprecates v2 for Chrome / ChromeOS the extension will break. GitHub pull requests to upgrade One2One to v3 are welcome...

Jay Lee

This e-mail communication (including attachments) contains confidential and privileged information which is intended for the individual(s) or entity(ies) to whom this e-mail is addressed. If you are not an intended recipient, you are notified that any forwarding, copying, disclosure, distribution, or use of this e-mail and any of its contents or attachments is prohibited. The recipient should check this e-mail and any attachments for the presence of malware. Twin Rivers Charter School has taken reasonable precautions to ensure no viruses are present in this e-mail, it accepts no liability for any loss or damage arising from the use of this e-mail or attachments.

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/8492d60c-0913-42dd-b314-edf944bbdd5cn%40googlegroups.com.