Google Chrome for Work is a simple enterprise wide deployment of Google Chrome. The installation for Chrome is an MSI. It can be silently deployment with Group Policy Software Installation, SCCM, etc. Controlling updates, home pages, plugins and other settings can be done with the Google Chrome ADMX templates. Basically, Google has finally addressed the Enterprise issues with Chrome. In this guide, we will deploy Google Chrome for Work with Group Policy and configure our user settings.
Download the Google Chrome MSI and Google ADMX templates
Grab the following downloads:
Save the Google Chrome MSI to a network share. Domain computers will need to have read/execute to the share and folder.
You will need to extract the contents of the Google Chrome ADMX into your Group Policy Central Store or into your local policy definitions folder (C:\windows\PolicyDefinitions). The Google Update ADM is needed to control the Google Update service which provides update for Chrome and other Google products. As far as I know, there isn’t an ADMX available for this product.
Create the Google Chrome GPO and Groups
Create a new GPO named APP_Google Chrome. Create a security group with the same name and scope your GPO to this security group. Edit your GPO and navigate to Computer Configuration/Policies/Software Settings/Software installation. Right click on software installation and select new package. Browse to the Google Chrome MSI. Be sure to browse to the network share (\\Server\share\folder\google chrome.msi). Do not use a local path (C:\Software\google chrome.msi) when deploying applications. If you have trouble deploying this MSI, see this troubleshooting guide.
If your Google Chrome ADMX files were correctly placed in the Central Store/Policy Definitions folder, you should now see a Google folder under Computer Configuration/Policies/Administrative Templates. When configuring Chrome settings with Group Policy, I prefer to use the first option (highlighted below). This option enforces the settings that you configure instead of treating them like preferences.
The four settings that I configure are:
- Allow running plugins that are outdated: Enabled
- Set Chrome as Default Browser: Disabled
- Startup pages\Action on startup: Enabled – open a list of URLs
- Startup pages\URLS to open on startup: Enabled – homepage URL
Disable Google Update for Chrome with Group Policy
You will likely want to configure the automatic update service for Google Chrome. Right click on Administrative Templates and select Add/Remove templates. Click Add and browse to your Google Update ADM (downloaded from above). Under Classic Administrative Templates, you should now see Google. Select Google Chrome under Classic Administrative Templates/Google/Google Update/Applications.
To disable updates, select Update policy override and enable it. Change the policy option to Updates disabled. As a test, I am seeing if automatic silent updates only will allow standard users to receive updated applications without administrative permissions. More to come on that experiment.
I’m also very interested in the bookmark situation. Even using roaming profiles still – chrome stores the bookmarks in the local only profile. Doh!
Thanks for a great post!
No problem Stead!
Google still has a bit more work to do to make Chrome as enterprise ready as IE.
I’m curious how you are handling bookmarks. The main thing that’s stopped me from making Chrome or Firefox the default browser for us is the fact that I haven’t found a way to back up/sync bookmarks. IE has a group policy to redirect Favorites to a network location, but the closest thing for other browsers is to redirect AppData, which I’m not keen on doing (too much junk, and it causes compatibility issues).
I also don’t want to rely on a Google login (which not everyone will have anyway).to synchronize the bookmarks.
I haven’t ran into that issue yet as our users were using their google login. I am curious on what other people are doing – hopefully, someone will chime in.
Saje, wondering if you ever found a solution to your question here. I have the same issue on my network with the same feelings in regards to redirecting appdata.
Pre-installing extensions via group policy
https://support.google.com/chrome/a/answer/188453
Deploying and Securing Google Chrome in a Windows Enterprise from NSA 🙂
https://www.nsa.gov/ia/_files/app/deploying_and_securing_google_chrome_in_a_windows_enterprise.pdf
Thanks for the links! I have used that second one.