Google Chrome for Work is a simple enterprise wide deployment of Google Chrome. The installation for Chrome is an MSI. It can be silently deployment with Group Policy Software Installation, SCCM, etc. Controlling updates, home pages, plugins and other settings can be done with the Google Chrome ADMX templates. Basically, Google has finally addressed the Enterprise issues with Chrome. In this guide, we will deploy Google Chrome for Work with Group Policy and configure our user settings.
Download the Google Chrome MSI and Google ADMX templates
Grab the following downloads:
Save the Google Chrome MSI to a network share. Domain computers will need to have read/execute to the share and folder.
You will need to extract the contents of the Google Chrome ADMX into your Group Policy Central Store or into your local policy definitions folder (C:\windows\PolicyDefinitions). The Google Update ADM is needed to control the Google Update service which provides update for Chrome and other Google products. As far as I know, there isn’t an ADMX available for this product.
Create the Google Chrome GPO and Groups
Create a new GPO named APP_Google Chrome. Create a security group with the same name and scope your GPO to this security group. Edit your GPO and navigate to Computer Configuration/Policies/Software Settings/Software installation. Right click on software installation and select new package. Browse to the Google Chrome MSI. Be sure to browse to the network share (\\Server\share\folder\google chrome.msi). Do not use a local path (C:\Software\google chrome.msi) when deploying applications. If you have trouble deploying this MSI, see this troubleshooting guide.
If your Google Chrome ADMX files were correctly placed in the Central Store/Policy Definitions folder, you should now see a Google folder under Computer Configuration/Policies/Administrative Templates. When configuring Chrome settings with Group Policy, I prefer to use the first option (highlighted below). This option enforces the settings that you configure instead of treating them like preferences.
The four settings that I configure are:
- Allow running plugins that are outdated: Enabled
- Set Chrome as Default Browser: Disabled
- Startup pages\Action on startup: Enabled – open a list of URLs
- Startup pages\URLS to open on startup: Enabled – homepage URL
Disable Google Update for Chrome with Group Policy
You will likely want to configure the automatic update service for Google Chrome. Right click on Administrative Templates and select Add/Remove templates. Click Add and browse to your Google Update ADM (downloaded from above). Under Classic Administrative Templates, you should now see Google. Select Google Chrome under Classic Administrative Templates/Google/Google Update/Applications.
To disable updates, select Update policy override and enable it. Change the policy option to Updates disabled. As a test, I am seeing if automatic silent updates only will allow standard users to receive updated applications without administrative permissions. More to come on that experiment.