@maxbehr
I'm sorry to bug you again, but while it's working in general, I'm having trouble with the AllowedDomainsForApps policy
It's a string and I'm not sure if it's just the way I'm putting it in or what.
I've tried it with and without quotes
(it's also apparently new to v. 51, which I do indeed have)
Every other policy below is being read properly
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DefaultGeolocationSetting</key>
<integer>2</integer>
<key>IncognitoModeAvailability</key>
<integer>1</integer>
<key>AllowedDomainsForApps</key>
<string>gmail.com</string>
<key>AllowOutdatedPlugins</key>
<false/>
</dict>
</plist>
@branthyatt It's no trouble at all. This is not one I've played around with. Looking at the documentation that looks like that is the correct syntax to use. The only thing I can think is to maybe put an * before the string so *gmail.com What exactly are you trying to accomplish with this setting?
@maxbehr
I'm trying to restrict chrome logins to only be to our gapps domain
I'll try that...but based on the documentation it seemed like they don't want the *:
From the chromium site:
Example value:
"managedchrome.com,gmail.com"
I wanted to go this route (vs. a firewall header injection) so that they can still access personal gmail accounts in safari
@maxbehr Thanks! It works for me!!!
@maxbehr, major thanks for all of the info you posted in this guide. You saved me hours and hours of time.
OK, @maxbehr I have a really, really newbie question here, but all I know about scripting, etc., is from OJT and lurking around smart folks... :)
When I use textedit it create the identical list above (was just trying it as a test) and I save that file with a .xml extension, and upload it in the Custom Content section of a Configuration Profile, I get the "Unable to complete file upload. File contents do not match file type." error message.
So what am I doing wrong? Is changing the file name suffix manually the problem?
FYI...ultimately my goal is to require our students to log into Chrome with their school email accounts and to block all extensions.
@lizmowens You'll probably want to preserve the .plist extension - i.e. - com.google.Chrome.plist --
Your .plist file will be formatted as an XML file, same as any other .plist, just preserve that extension before uploading as a custom config profile payload.
The key for blacklisting all extensions would look like:
<key>ExtensionInstallBlacklist</key>
<array>
<string>*</string>
</array>
Here's an example .plist I created to force install a particular Chrome extension. Notice I had to add the "ExtensionInstallBlacklist" key and enter a blank string - if you don't add this key and blank array, your end users will not be able to install any extensions except the one(s) listed under the "ExtensionInstallForcelist" key. I was unsure about the "ExtensionInstallWhitelist" key, so I left it in there, as it doesn't seem to interfere with extension install functionality.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionInstallForcelist</key>
<array>
<string>pgjjikdiikihdfpoppgaidccahalehjh;https://clients2.google.com/service/update2/crx</string>
</array>
<key>ExtensionInstallWhitelist</key>
<array>
<string>*</string>
</array>
<key>ExtensionInstallBlacklist</key>
<array>
<string></string>
</array>
</dict>
</plist>
Sorry, unsure about forcing email/Google account login.
Hope this helps!
@lizmowens , @gokoudes is absolutely right. The file that you upload must be a properly formatted plist file called com.google.chrome.plist. As for forcing a sign in, I don't believe you can FORCE a user to sign in. You can limit the domain in which they can use to sign into Google Chrome.
The key would look like
<key>RestrictSigninToPattern</key>
<array>
<string>domain.com</string>
</array>
domain.com of course would be changed to match your domain.
Y'all rock. Just tested it and it works beautifully! Now to find a script that works for blocking private browsing... :)
OK, so @gokoudes & @maxbehr , I may have spoken too soon. Here's how I tested things. I had downloaded a couple of random Chrome extensions before adding the configuration profile. Created the plist, scoped the new configuration profile to the test computer, restarted the computer, reopened Chrome, and both of the extensions I had previously installed had been removed. So I was assuming success. But I went back in, installed two more extensions, and even though I've both restarted the computer and done a forced check-in with sudo jamf recon, those extensions are still there.
Hmmmm...so what have I done wrong?
@lizmowens Hmm, would you mind posting a copy of the com.google.Chrome.plist you used to create the custom config profile? Referencing my example .plist above, that configuration should auto-install the Ookla Speedtest extension and allow the end user to install any other extensions they'd like. The example custom config would also leave any pre-installed extensions in place even after config profile deployment.
I'm wondering if there are other keys/arrays that could be affecting browser behavior?
Here's what I have in my plist:
<?xml version=“1.0” encoding=“UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”
“http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=“1.0”>
<dict>
<key>ExtensionInstallBlacklist</key>
<array>
<string>*</string>
</array>
<key>HomepageIsNewTabPage</key>
<false/>
<key>HomepageLocation</key>
<string>http://www.edsaugusta.com</string>
<key>RestoreOnStartup</key.
<integer>0</integer>
<key>IncognitoModeAvailability</key>
<integer>1</integer>
</dict>
</plist>
Thanks for being willing to take a look and tell me what I have wrong!
No worries, where would we be if somebody didn't lend a hand once in a while? :)
I think I may see what's preventing extension installs --
I changed the following to remove the asterisk between the <string> tags. Sorry, I realize my earlier post may have been confusing, as I had the asterisk in the one-liner, but removed it from the example .plist. The "ExtensionInstallBlacklist" key below should resolve any extension install issues.
<key>ExtensionInstallBlacklist</key> <array> <string></string> </array>
I also noticed the "RestoreOnStartup" key line has a syntax error that may cause issues. I've replaced a "." with a ">" in the line below:
<key>RestoreOnStartup</key><integer>0</integer>
Cheers!
Couple of things, if I read it correctly the * is required to blacklist all extensions. Second the syntax error after RestoreOnStartup. Also I don't think 0 is a valid argument for that key. I've put a complete plist at my server if you want to download it.
Here is the text…
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionInstallBlacklist</key>
<array>
<string>*</string>
</array>
<key>HomepageIsNewTabPage</key>
<false/>
<key>HomepageLocation</key>
<string>http://www.edsaugusta.com</string>
<key>RestoreOnStartup</key>
<integer>1</integer>
<key>IncognitoModeAvailability</key>
<integer>1</integer>
<key>RestrictSigninToPattern</key>
<array>
<string>*@edsaugusta.com</string>
</array>
</dict>
</plist>
@maxbehr Yep, the ExtensionInstallBlacklist key will block all extension installs with the * present. If * is not there, users can install other extensions freely.
@lizmowens Also, bear in mind you can enter actual extension ID's in the string section to block specific extensions only.
Here's a list of Chrome's preferences, what the xml key would be called, etc - if you'd like to custom configure further.
@maxbehr
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionInstallSources</key>
<array>
<string>http://*/*</string>
</array>
</dict>
</plist>
I place the plist above to /Library/Preferences and the name is 'com.google.chrome.plist'。the policy page is as below。
but it doesn't has any effect.
I am very confused, what should I do?
@york What exactly are you trying to accomplish? If your goal is to allow Extensions to be installed from any source other than the Google Chrome Store then I might caution against it. You would open up your users to malicious extension sources. If you still want to go ahead then I would try
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionInstallSources</key>
<array>
<string>*</string>
</array>
</dict>
</plist>
or
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionInstallSources</key>
<array>
<string>http://*</string>
</array>
</dict>
</plist>
Hi everyone,
Im trying to enforce "Click To Play" for Flash content in Chrome using "DefaultPluginsSetting" as explained here:
https://www.chromium.org/administrators/policy-list-3#DefaultPluginsSetting
I edited com.Google.chrome.plist to include the value and I manually copied it in to ~/Library/Preferences for testing, but the settings do not change. Here is the plist I created:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DefaultPluginsSetting</key>
<array>
<integer>3</integer>
</array>
<key>LastRunAppBundlePath</key>
<string>/Applications/Google Chrome.app</string>
<key>NSNavLastRootDirectory</key>
<string>~/Downloads</string>
<key>NSNavPanelExpandedSizeForOpenMode</key>
<string>{704, 440}</string>
<key>NSNavPanelExpandedSizeForSaveMode</key>
<string>{712, 727}</string>
<key>NSNavPanelExpandedStateForSaveMode</key>
<true/>
<key>PMPrintingExpandedStateForPrint2</key>
<true/>
</dict>
</plist>
Anything not look right here? If i can get the plist working locally on my test machine then I can work on deploying as a Configuration Profile.
Thanks,
-Mike
Try removing the <array> from Default Plugins Settings…so it would look like
<key>DefaultPluginsSetting</key>
<integer>3</integer>
You only need to enclose settings in an array when there is a possibility of having more than one option (usually when doing something with strings)
@maxbehr Just tried that, no difference. I also tried placing it in to /Library/Preferences , as well as making the .plist file only contain the "DefaultPluginsSetting" key+value pair.
-Mike
@maxbehr I have followed this thread for a while and have worked with a Jamf engineer on this as well. I cannot get the json file to be recognized. I will add in my json and plist files if you have a chance I would appreciate any feedback. Thank you for all the help you provide this community.
{
"homepage" : "http://www.cmsd12.org",
"homepage_is_newtabpage" : true,
"browser" : {
"show_home_button" : true,
"check_default_browser" : false
},
"bookmark_bar" : {
"show_on_all_tabs" : false
},
"sync_promo" : {
"show_on_first_run_allowed": false
},
"incognito" : {
"mode_availability" : 1
},
"distribution" : {
"auto_launch_chrome": false,
"import_bookmarks": false,
"import_history": false,
"import_home_page": false,
"import_search_engine": false,
"show_welcome_page": false,
"skip_first_run_ui": true,
"suppress_first_run_bubble": true,
"do_not_create_desktop_shortcut": true,
"do_not_create_quick_launch_shortcut": true,
"do_not_launch_chrome": true,
"do_not_register_for_update_launch": true,
"make_chrome_default": false,
"system_level": true,
"make_chrome_default_for_user": false,
"suppress_first_run_default_browser_prompt": true,
"require_eula": false,
"msi": true,
"first_run_tabs" : [
"http://www.cmsd12.org",
"welcome_page"
]
}
}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowOutdatedPlugins</key>
<false/>
<key>AlwaysAuthorizePlugins</key>
<true/>
<key>AutoFillEnabled</key>
<false/>
<key>BackgroundModeEnabled</key>
<false/>
<key>DefaultBrowserSettingEnabled</key>
<false/>
<key>DefaultGeolocationSetting</key>
<integer>2</integer>
<key>DefaultNotificationsSetting</key>
<integer>3</integer>
<key>DefaultJavaScriptSetting</key>
<integer>1</integer>
<key>DefaultPluginsSetting</key>
<integer>1</integer>
<key>DefaultPopupsSetting</key>
<integer>3</integer>
<key>DefaultSearchProviderEnabled</key>
<true/>
<key>DefaultSearchProviderName</key>
<string>Google</string>
<key>DefaultSearchProviderSearchURL</key>
<string>www.google.com/search?q=</string>
<key>DeviceAutoUpdateDisabled</key>
<true/>
<key>HomepageIsNewTabPage</key>
<false/>
<key>HomepageLocation</key>
<string>http://bmoor.cmsd12.org/useful-links</string>
<key>RestrictSigninToPattern</key>
<array>
<string>*@cmsd12.org</string>
</array>
<key>ImportAutofillFormData</key>
<false/>
<key>ImportBookmarks</key>
<false/>
<key>ImportHistory</key>
<false/>
<key>ImportHomepage</key>
<false/>
<key>ImportSavedPasswords</key>
<false/>
<key>ImportSearchEngine</key>
<false/>
<key>IncognitoModeAvailability</key>
<integer>1</integer>
<key>PasswordManagerEnabled</key>
<false/>
<key>RestoreOnStartup</key>
<integer>4</integer>
<key>RestoreOnStartupURLs</key>
<array>
<string>http://bmoor.cmsd12.org/useful-links</string>
<string>www.google.com</string>
</array>
<key>SafeBrowsingEnabled</key>
<true/>
<key>ShowHomeButton</key>
<true/>
<key>SyncDisabled</key>
<false/>
</dict>
</plist>
In my configuration first_run_tabs is it's own item, not inside distribution as you have it.
Like so.
"distribution" : {
"auto_launch_chrome": false,
"import_bookmarks": false,
"import_history": false,
"import_home_page": false,
"import_search_engine": false,
"show_welcome_page": false,
"skip_first_run_ui": true,
"suppress_first_run_bubble": true,
"do_not_create_desktop_shortcut": true,
"do_not_create_quick_launch_shortcut": true,
"do_not_launch_chrome": true,
"do_not_register_for_update_launch": true,
"make_chrome_default": false,
"system_level": true,
"make_chrome_default_for_user": false,
"suppress_first_run_default_browser_prompt": true,
"require_eula": false,
"msi": true
},
"first_run_tabs" : [
"http://www.cmsd12.org",
"welcome_page"
]
Also some of your settings in there are Windows specific, although I think it will generally just ignore those, you never know!
"do_not_create_desktop_shortcut": true,
"do_not_create_quick_launch_shortcut": true,
@gmillercmsd12 , agree with @Look , the first run tabs sections needs to be in its own block outside of distribution. Also remember that the Master Prefs are only applied the one time and never again. Try setting up a new temp user to ensure that it's a "clean" first run for chrome.
Couple questions for your configuration policy, does it successfully upload when you attempt to create it in the JSS? What is the preference domain in your configuration profile it should be EXACTLY com.google.Chrome. Finally on a machine that has the policy applied, open chrome and type in chrome://policy into the URL bar. What if anything is returned?
@maxbehr Hello! A few of us are working up the Chrome preferences and we have been able to push out via Configuration Profiles nicely, but a few issues have come up that I am hoping you or someone can help with. We can get our policies to apply and can see them within chrome://policy, but the only thing that does not work is "RestrictSigninToPattern" (we want to be able to limit users to just our domain only).
It shows within Policy, but Gmail and other non-domain emails still work. Extension blacklists, homepages, incognito mode all apply nicely, but the Sign-in does not work.
Any suggestions? Thanks!
