Solved

How to set Google Chrome Policy via Casper

Forum|Forum|8 years ago
March 22, 2017
8 replies
65 views

wangl2
Contributor

Dear Forum Members,
Since the update of Google Chrome to 57, we have issue of "Your connection is not private" error and basically Chrome doesn't work with anything now. We are waiting on a proxy upgrade and in the mean time, also told to do a workaround on all clients for Google Chrome. Basically we need to set the Chrome Policy "EnableSha1ForLocalAnchors" to true. We did for all Windows clients via Group Policy. But I have no idea what to do with the Mac Clients. Anyone can shed some lights on how to approach this on a Mac?
Thanks all!

Best answer by wangl2

Thank you @nsantoro for your generous code. I copied them into TextEdit and saved it as extension .mobileconfig. When I try to upload it from Configuration Profile in JSS, it didn't allow me. However, I got it working by creating com.google.chrome.plist file with the following code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>EnableSha1ForLocalAnchors</key> <true/>
</dict>
</plist>
I then uploaded to Configuration Profile section in the JSS by creating a new one and upload the plist file in the Custom Settings. Distribute to the iMac and it worked.
Thank you everyone!

+22

boberito
Jamf Heroes
Forum|Forum|8 years ago
March 23, 2017

Maybe push out a Configuration Profile with Custom Settings.

Create a plist with the correct setting.

Here's a link to a site that I've used for doing things like setting Chrome to use the system print dialog and block extensions. https://www.chromium.org/administrators/policy-list-3

NickGuru
Contributor
Forum|Forum|8 years ago
April 18, 2017

Hi Wangl2.

Take this code, and save it as a mobileconfig file. (Example GooglePolicy.mobileconfig)
Then upload it in Jamf / Configuration Profile.

On the client/test mac type in: chrome://policy
EnableSha1ForLocalAnchors - will be seen as a managed policy, and allow you to get to sha1 sites.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.schoolname.profile.chrome</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>2015-04-20-6-20</string>
    <key>PayloadOrganization</key>
    <string>school name here</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>Google Chrome Policy</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.normandale</string>
            <key>PayloadUUID</key>
            <string>121-qasd</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadDisplayName</key>
            <string>Custom: (com.google.Chrome)</string>
            <key>PayloadContent</key>
            <dict>
                <key>com.google.Chrome</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>ShowHomeButton</key>
                                <true/>
                                <key>DeviceAutoUpdateDisabled</key>
                                <true/>
                                <key>EnableSha1ForLocalAnchors</key>
                                <true/>     
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>

+10

gabester
Valued Contributor
Forum|Forum|8 years ago
April 21, 2017

@nsantoro That did the trick when we added a key EnableCommonNameFallbackForLocalAnchors so that didn't ding our users either.

mroiger
New Contributor
Forum|Forum|8 years ago
April 25, 2017

Great thanks to all for the above tips, Chrome works again for me.

wangl2
Author
Contributor
Answer
Forum|Forum|8 years ago
April 27, 2017

nikgio
Contributor
Forum|Forum|8 years ago
May 12, 2017

@wangl2 This worked for me too - thanks!

+36

donmontalvo
Hall of Fame
Forum|Forum|8 years ago
May 13, 2017

@Sterritt yea, not sure I'd ever enable EnableSha1ForLocalAnchors, with the move away from SHA-1, that sounds dangerous, guess depends on the situation.

We're looking at enabling EnableCommonNameFallbackForLocalAnchors if only to avoid a flood of Help Desk calls when we push 58 out to users, due to private PKI certs on a bunch'a servers lacking Subject Alternate Names.

I'd imagine it'll take some time for folks running private PKI certs on their servers to redo them to include Subject Alternate Names (SAN). Although it seems like Mozilla Firefox 48 and later flicked that switch.

--https://donmontalvo.com

NickGuru
Contributor
Forum|Forum|7 years ago
April 20, 2018

@Sterritt -happy to help! glad it worked out for you.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded