Configuring Google Chrome

jbarnes
New Contributor

I'm interested in getting Google Chrome set up on an image where the first run and subsequent runs just opens the browser and sends the user to a homepage without prompting the user to log in or do anything else. It appears that this may not be so simple.

There have been a few posts in the past about this (one method with a manifest, the other Google Chrome Master Preference) but I haven't been able to get anything working. Would anyone be willing to share how they're doing it?

It feels like this ought to be possible.


gokoudes
New Contributor III

@maxbehr Yep, the ExtensionInstallBlacklist key will block all extension installs with the * present. If * is not there, users can install other extensions freely.

@lizmowens Also, bear in mind you can enter actual extension IDs in the string section to block specific extensions only.

Here's a list of Chrome's preferences, what the xml key would be called, etc - if you'd like to custom configure further.

york
New Contributor

@maxbehr

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExtensionInstallSources</key>
        <array>
            <string>http://*/*</string>
        </array>
</dict>
</plist>

I place the plist above in /Library/Preferences and the name is 'com.google.chrome.plist'. The policy page is as below.

But it doesn't have any effect.

I am very confused, what should I do?

maxbehr
Contributor II

@york What exactly are you trying to accomplish? If your goal is to allow Extensions to be installed from any source other than the Google Chrome Store then I might caution against it. You would open up your users to malicious extension sources. If you still want to go ahead then I would try

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExtensionInstallSources</key>
        <array>
            <string>*</string>
        </array>
</dict>
</plist>

or

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExtensionInstallSources</key>
        <array>
            <string>http://*</string>
        </array>
</dict>
</plist>

michaelherrick
New Contributor III

Hi everyone,

I'm trying to enforce "Click To Play" for Flash content in Chrome using "DefaultPluginsSetting" as explained here:

https://www.chromium.org/administrators/policy-list-3#DefaultPluginsSetting

I edited com.Google.chrome.plist to include the value and I manually copied it into ~/Library/Preferences for testing, but the settings do not change. Here is the plist I created:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DefaultPluginsSetting</key>
    <array>
        <integer>3</integer>
    </array>
    <key>LastRunAppBundlePath</key>
    <string>/Applications/Google Chrome.app</string>
    <key>NSNavLastRootDirectory</key>
    <string>~/Downloads</string>
    <key>NSNavPanelExpandedSizeForOpenMode</key>
    <string>{704, 440}</string>
    <key>NSNavPanelExpandedSizeForSaveMode</key>
    <string>{712, 727}</string>
    <key>NSNavPanelExpandedStateForSaveMode</key>
    <true/>
    <key>PMPrintingExpandedStateForPrint2</key>
    <true/>
</dict>
</plist>

Anything not look right here? If I can get the plist working locally on my test machine then I can work on deploying it as a Configuration Profile.

Thanks,

-Mike

maxbehr
Contributor II

Try removing the <array> from Default Plugins Settings…so it would look like

<key>DefaultPluginsSetting</key>
<integer>3</integer>

You only need to enclose settings in an array when there is a possibility of having more than one option (usually when doing something with strings)

michaelherrick
New Contributor III

@maxbehr Just tried that, no difference. I also tried placing it into /Library/Preferences, as well as making the .plist file only contain the "DefaultPluginsSetting" key+value pair.

-Mike

gmillercmsd12
New Contributor

@maxbehr I have followed this thread for a while and have worked with a Jamf engineer on this as well. I cannot get the json file to be recognized. I will add in my json and plist files; if you have a chance I would appreciate any feedback. Thank you for all the help you provide this community.

{
  "homepage" : "http://www.cmsd12.org",
  "homepage_is_newtabpage" : true,
  "browser" : {
    "show_home_button" : true,
    "check_default_browser" : false
  },
  "bookmark_bar" : {
    "show_on_all_tabs" : false
  },
  "sync_promo" : {
    "show_on_first_run_allowed": false
  },
  "incognito" : {
    "mode_availability" : 1
  },
  "distribution" : {
    "auto_launch_chrome": false,
    "import_bookmarks": false,
    "import_history": false,
    "import_home_page": false,
    "import_search_engine": false,
    "show_welcome_page": false,
    "skip_first_run_ui": true,
    "suppress_first_run_bubble": true,
    "do_not_create_desktop_shortcut": true,
    "do_not_create_quick_launch_shortcut": true,
    "do_not_launch_chrome": true,
    "do_not_register_for_update_launch": true,
    "make_chrome_default": false,
    "system_level": true,
    "make_chrome_default_for_user": false,
    "suppress_first_run_default_browser_prompt": true,
    "require_eula": false,
    "msi": true,
    "first_run_tabs" : [
     "http://www.cmsd12.org",
     "welcome_page"
     ]
  }
}

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AllowOutdatedPlugins</key>
    <false/>
    <key>AlwaysAuthorizePlugins</key>
    <true/>
    <key>AutoFillEnabled</key>
    <false/>
    <key>BackgroundModeEnabled</key>
    <false/>
    <key>DefaultBrowserSettingEnabled</key>
    <false/>
    <key>DefaultGeolocationSetting</key>
    <integer>2</integer>
    <key>DefaultNotificationsSetting</key>
    <integer>3</integer>
    <key>DefaultJavaScriptSetting</key>
    <integer>1</integer>
    <key>DefaultPluginsSetting</key>
    <integer>1</integer>
    <key>DefaultPopupsSetting</key>
    <integer>3</integer>
    <key>DefaultSearchProviderEnabled</key>
    <true/>
    <key>DefaultSearchProviderName</key>
    <string>Google</string>
    <key>DefaultSearchProviderSearchURL</key>
    <string>www.google.com/search?q=</string>
    <key>DeviceAutoUpdateDisabled</key>
    <true/>
    <key>HomepageIsNewTabPage</key>
    <false/>
    <key>HomepageLocation</key>
    <string>http://bmoor.cmsd12.org/useful-links</string>
    <key>RestrictSigninToPattern</key>
    <array>
        <string>*@cmsd12.org</string>
    </array>
    <key>ImportAutofillFormData</key>
    <false/>
    <key>ImportBookmarks</key>
    <false/>
    <key>ImportHistory</key>
    <false/>
    <key>ImportHomepage</key>
    <false/>
    <key>ImportSavedPasswords</key>
    <false/>
    <key>ImportSearchEngine</key>
    <false/>
    <key>IncognitoModeAvailability</key>
    <integer>1</integer>
    <key>PasswordManagerEnabled</key>
    <false/>
    <key>RestoreOnStartup</key>
    <integer>4</integer>
    <key>RestoreOnStartupURLs</key>
    <array>
        <string>http://bmoor.cmsd12.org/useful-links</string>
        <string>www.google.com</string>
    </array>
    <key>SafeBrowsingEnabled</key>
    <true/>
    <key>ShowHomeButton</key>
    <true/>
    <key>SyncDisabled</key>
    <false/>
</dict>
</plist>

Look
Valued Contributor III

In my configuration first_run_tabs is its own item, not inside distribution as you have it.
Like so.

"distribution" : {
    "auto_launch_chrome": false,
    "import_bookmarks": false,
    "import_history": false,
    "import_home_page": false,
    "import_search_engine": false,
    "show_welcome_page": false,
    "skip_first_run_ui": true,
    "suppress_first_run_bubble": true,
    "do_not_create_desktop_shortcut": true,
    "do_not_create_quick_launch_shortcut": true,
    "do_not_launch_chrome": true,
    "do_not_register_for_update_launch": true,
    "make_chrome_default": false,
    "system_level": true,
    "make_chrome_default_for_user": false,
    "suppress_first_run_default_browser_prompt": true,
    "require_eula": false,
    "msi": true
},
"first_run_tabs" : [
"http://www.cmsd12.org",
"welcome_page"
]

Look
Valued Contributor III

Also, some of your settings in there are Windows specific. Although I think it will generally just ignore those, you never know! "do_not_create_desktop_shortcut": true, "do_not_create_quick_launch_shortcut": true

maxbehr
Contributor II

@gmillercmsd12, agree with @Look, the first run tabs section needs to be in its own block outside of distribution. Also remember that the Master Prefs are only applied the one time and never again. Try setting up a new temp user to ensure that it's a "clean" first run for Chrome.

A couple of questions for your configuration policy: does it successfully upload when you attempt to create it in the JSS? What is the preference domain in your configuration profile? It should be EXACTLY com.google.Chrome. Finally, on a machine that has the policy applied, open Chrome and type chrome://policy into the URL bar. What, if anything, is returned?
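Look's and maxbehr's point above (first_run_tabs belongs at the top level, not inside distribution, and some distribution keys are Windows-only) as a check that can be run over a Master Preferences file before it is deployed. This is an added example, not code from any post in this thread; the sample document is constructed to mirror the structure gmillercmsd12 posted, with a placeholder URL.

```python
import json

# Keys in "distribution" that the thread notes are Windows-specific
# (shortcut creation); Chrome on macOS is expected to ignore them.
WINDOWS_ONLY_DISTRIBUTION_KEYS = {
    "do_not_create_desktop_shortcut",
    "do_not_create_quick_launch_shortcut",
}


def check_master_preferences(text):
    """Parse a Master Preferences JSON document.

    Returns (prefs, findings): the parsed document with "first_run_tabs"
    hoisted out of "distribution" when it was nested there, and a list of
    human-readable findings (empty when nothing needed attention).
    """
    prefs = json.loads(text)
    if not isinstance(prefs, dict):
        raise ValueError("master preferences must be a single JSON object")
    findings = []

    dist = prefs.get("distribution")
    if isinstance(dist, dict):
        if "first_run_tabs" in dist:
            nested = dist.pop("first_run_tabs")
            if "first_run_tabs" in prefs:
                findings.append('"first_run_tabs" appears both inside "distribution" '
                                'and at top level; kept the top-level list')
            else:
                prefs["first_run_tabs"] = nested
                findings.append('"first_run_tabs" was nested inside "distribution"; '
                                'moved it to the top level')
        for key in sorted(WINDOWS_ONLY_DISTRIBUTION_KEYS & set(dist)):
            findings.append(f'"{key}" is Windows-specific and does nothing on macOS')

    tabs = prefs.get("first_run_tabs")
    if tabs is not None and not (isinstance(tabs, list)
                                 and all(isinstance(t, str) for t in tabs)):
        findings.append('"first_run_tabs" must be a list of URL strings')
    return prefs, findings


def fix_master_preferences(text):
    """Return the corrected document as pretty-printed JSON."""
    prefs, _ = check_master_preferences(text)
    return json.dumps(prefs, indent=2)


# Constructed sample (placeholder domain): the shape posted in the thread,
# trimmed, with first_run_tabs wrongly nested under distribution.
SAMPLE = """{
  "homepage": "https://intranet.example.com",
  "browser": {"check_default_browser": false},
  "distribution": {
    "skip_first_run_ui": true,
    "suppress_first_run_bubble": true,
    "do_not_create_desktop_shortcut": true,
    "do_not_create_quick_launch_shortcut": true,
    "first_run_tabs": ["https://intranet.example.com", "welcome_page"]
  }
}"""

if __name__ == "__main__":
    fixed, notes = check_master_preferences(SAMPLE)
    for note in notes:
        print("-", note)
    print(json.dumps(fixed, indent=2))
```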

EMCSD-IT
New Contributor

@maxbehr Hello! A few of us are working up the Chrome preferences and we have been able to push out via Configuration Profiles nicely, but a few issues have come up that I am hoping you or someone can help with. We can get our policies to apply and can see them within chrome://policy, but the only thing that does not work is "RestrictSigninToPattern" (we want to be able to limit users to just our domain only).

It shows within Policy, but Gmail and other non-domain emails still work. Extension blacklists, homepages, incognito mode all apply nicely, but the Sign-in does not work.

Any suggestions? Thanks!


maxbehr
Contributor II

You need to put your strings in quotes so it should look like "@e-marshall.k12.ia.us". It's the reason why you also don't see OK in the status. I find that generally whenever you are using a chrome setting that requires a wildcard (*) or accepts multiple strings as input, then the string needs to be quoted.

EMCSD-IT
New Contributor

No luck... I have it showing as "e-marshall.k12.ia.us" and it shows "Expected string value" still. I tried the "" on the outside and inside of the quotation marks.

maxbehr
Contributor II

oops the string got changed from what I typed it should be this

<key>RestrictSigninToPattern</key>
<array>
<string>"*@e-marshall.k12.ia.us"</string>
</array>

maxbehr
Contributor II

@tnunnik I re-read your original post. To clarify, from my understanding RestrictSigninToPattern is setting what domains a user is allowed to login to chrome with, meaning the sign in function in Preferences that allows syncing of bookmarks, passwords etc. If you are attempting to block a user from logging into a web page like gmail or some other google hosted email system RestrictSigninToPattern does not cover this. Furthermore I don't believe there is a way to restrict the logging in to google services by domain.

EMCSD-IT
New Contributor

Another director found this that seems to help:

https://www.jamf.com/jamf-nation/discussions/22837/chrome-restrictsignintopattern-not-taking-affect

Thanks for your help!

cbrewer
Valued Contributor II

Late to the party, but here's how I am handling this. I have 2 scripts running once per user per computer that create the Chrome First Run file as well as the local Chrome Preferences file. I'm not creating a master prefs file because I only want my settings applying to the users that I specify in my JSS. Below are the 2 scripts I'm using - pieced together with parts of others' work.

Create First Run file:

#!/bin/bash
# $3 is the username Jamf passes to the script; the paths contain spaces, so they must be quoted

if [ ! -d "/Users/$3/Library/Application Support/Google" ];then
    mkdir "/Users/$3/Library/Application Support/Google"
    echo "Created directory /Users/$3/Library/Application Support/Google"
fi

if [ ! -d "/Users/$3/Library/Application Support/Google/Chrome" ];then
    mkdir "/Users/$3/Library/Application Support/Google/Chrome"
    echo "Created directory /Users/$3/Library/Application Support/Google/Chrome"
fi

if [ ! -f "/Users/$3/Library/Application Support/Google/Chrome/First Run" ];then
    touch "/Users/$3/Library/Application Support/Google/Chrome/First Run"
    echo "Created file /Users/$3/Library/Application Support/Google/Chrome/First Run"
fi

chown -R "$3" "/Users/$3/Library/Application Support/Google"

Create User Prefs file:

#!/bin/bash
# Output Chrome Preferences to User's Library
# $3 is the username Jamf passes to the script; the paths contain spaces, so they must be quoted

# https://www.chromium.org/administrators/configuring-other-preferences

# Check for existing prefs and exit if found
if [ -f "/Users/$3/Library/Application Support/Google/Chrome/Default/Preferences" ];then
    echo "Google Chrome Preferences file already exists. Exiting..."
    exit 0
fi

# Check for directory structure and create as needed
if [ ! -d "/Users/$3/Library/Application Support/Google" ];then
    mkdir "/Users/$3/Library/Application Support/Google"
    echo "Created directory /Users/$3/Library/Application Support/Google"
fi
if [ ! -d "/Users/$3/Library/Application Support/Google/Chrome" ];then
    mkdir "/Users/$3/Library/Application Support/Google/Chrome"
    echo "Created directory /Users/$3/Library/Application Support/Google/Chrome"
fi
if [ ! -d "/Users/$3/Library/Application Support/Google/Chrome/Default" ];then
    mkdir "/Users/$3/Library/Application Support/Google/Chrome/Default"
    echo "Created directory /Users/$3/Library/Application Support/Google/Chrome/Default"
fi


# Create Preferences file (quoted heredoc delimiter so nothing inside is expanded)
(
cat <<'EOD'
{
  "browser": {
    "check_default_browser": false,
    "show_update_promotion_info_bar": false
  }
}
EOD
) > "/Users/$3/Library/Application Support/Google/Chrome/Default/Preferences"

chown -R "$3" "/Users/$3/Library/Application Support/Google"

This combination results in opening Chrome and having no prompts for default browser or enabling updates. It loads the Google homepage by default, but you could easily add in homepage values if you want something else.

bstossel
New Contributor

@maxbehr I know this is an older post, but I am trying to create a preferences file and a policy file for Chrome. My Mac users are supported by myself with little IT involvement since my company is 99.9% Windows PCs (15,000+ Windows, less than 50 Macs).

I'm using Profile Manager to create the custom files to load manually on the 15 Macs I support. Right now, SSO is working for everything native to macOS (10.12.6). Chrome, however, requires credentials for everything...Proxy, intranet, you name it. I got the policies from my Windows Registry and the master_preferences file from the Managed Workstation team. Do I need to create two separate files for preferences and policies? I know I can basically take the master_preferences file from IT and make it a plist for the users. But the policies I'm struggling with.

For instance, I have the chrome_policy_list.html from chromium.org, in which none of the preferences in the master_preferences file are listed...so I presume it's different (since the registry entries in Windows come from AD GPOs). Here is the master_preferences file loaded on all the Windows PCs:


This file (if good as is for Macs) is called what and goes where?

The policies that I need to set/test is done in Profile Manager as a Custom Settings plist (com.google.Chrome)? Where does the file go or is that set in the profile itself?

Sorry...I know this sounds newb-ish, but until I can get Jamf Pro approved and set up here, everything I do is manual and I'm struggling. Any help is appreciated!

maxbehr
Contributor II

@bstossel couple of things. First the master preference file is a one time thing. The first time a client opens the browser those preferences are applied. They are not locked however and the user is free to change (break) anything. I would only recommend it for basic things (homepage etc…). This is placed at /Library/Google/Google Chrome Master Preferences

The plist file is where all of the real work is done. These are all locked prefs that the user cannot override and are what are referenced on the chromium policy pages. This file is placed at /Library/Managed Preferences/com.google.chrome.plist

Assuming the name of your internal DNS network is marathon.com (if not substitute with your appropriate domain), for single sign on you need three specific keys

<key>AuthSchemes</key>
  <string>basic,digest,ntlm,negotiate</string>
<key>AuthNegotiateDelegateWhitelist</key>
  <string>marathon.com</string>
<key>AuthServerWhitelist</key>
  <string>marathon.com</string>

Since you also referenced a proxy server there are several other keys to set the proxy server depending on your particular setup.

Finally the file you have above is the master preference file which can be placed at /Library/Google/Google Chrome Master Preferences . The plist however you'll have to create as its syntax is completely different than the Windows format.

gokoudes
New Contributor III

@bstossel We use custom config profiles to manage Chrome settings on the fly. Your config file will be an .xml file, converted to .configprofile or .mobileconfig.

This site will have Chrome parameters + syntax you can set in your xml: https://www.chromium.org/administrators/policy-list-3

Use timsutton's MCX to Profile script to convert your .plist/xml to a custom Config Profile.

Upload custom config profile under Mac Configuration Profiles in your JPS. We set ours to "Computer Level" enforcement.

Deploy said profile to scope. No restart needed, you can observe Chrome settings get adjusted as you watch. We use this to restrict Chrome extensions in our Lower and Middle Schools. Just bear in mind these profiles can take minutes to install, depending on your load.

Here's an example of a very bare-bones xml that blocks all Chrome extension installations, force installs a specific extension, allows for Java and Citrix plugins (partly deprecated) and blocks the "no connection" dinosaur easter egg game. Convert this to a config profile, and you can deploy and enforce via Jamf.

In this example, you can adjust these parameters as you see fit, add extensions to force install or block, etc...


Cheers!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>EnabledPlugins</key>
            <array>
                <string>Java*</string>
                <string>Citrix*</string>
            </array>
        <key>ExtensionInstallBlacklist</key>
            <array>
                <string>*</string>
            </array>
        <key>ExtensionInstallForcelist</key>
            <array>
                <string>honjcnefekfnompampcpmcdadibmjhlk;https://clients2.google.com/service/update2/crx</string>
            </array>
        <key>ExtensionInstallWhitelist</key>
            <array>
                <string>honjcnefekfnompampcpmcdadibmjhlk</string>
            </array>
        <key>AllowDinosaurEasterEgg</key>
            <false/>
    </dict>   
</plist>

bstossel
New Contributor

Thanks, @gokoudes...but I don't have JPS yet. Everything done in Profile Manager on OS X Server.app.

@maxbehr that's what I was looking for. So as far as proxy goes, we have a Bluecoat proxy server. GPOs in Windows allow passthrough of credentials to the proxy for authentication. On macOS, you type your credentials once and it authenticates with that for anything that uses macOS natively. As Chrome does not, I need to configure the policies to do so. In Windows and macOS, it's set to auto_detect, exclude simple hostnames, and there is a wpad.dat that pulls from the server automatically using the auto_detect setting.

Not sure if that helps with what I need to configure in the com.google.Chrome.plist file. All I have (used from the Chrome Policies in Windows RegEdit) is ProxyMode [auto_detect]. If I need more, then I will certainly give it a shot! Appreciate everyone's replies!

maxbehr
Contributor II

@bstossel So try this

  • Quit Chrome
  • Copy the below text into a blank text document. Save the file as com.google.chrome.plist
  • If not already present create the folder /Library/Managed Preferences
  • Copy plist file to the managed preferences folder
  • Open Chrome
  • Type in chrome://policy in the address bar…verify that the entries you created are present under the Chrome Policies section (if not quit chrome and from the command line type in sudo killall cfprefsd and then reopen chrome)
  • Attempt to navigate with chrome

From what you described, Chrome should auto discover the proxy server…using the wpad.dat file download the proxy.pac file and be setup.

Two things: You may need to manually populate the ProxyBypassList, and second make sure that the domain you enter for the two settings matches your internal DNS zone.

If it all works then you can add the plist file to Profile Manager in OSX server and push it to your clients.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProxyMode</key>
    <string>auto_detect</string>
    <key>AuthSchemes</key>
    <string>basic,digest,ntlm,negotiate</string>
    <key>AuthNegotiateDelegateWhitelist</key>
    <string>marathon.com</string>
    <key>AuthServerWhitelist</key>
    <string>marathon.com</string>
    <key>ProxyBypassList</key>
    <string></string>
</dict>
</plist>

bstossel
New Contributor

@maxbehr Okay so that did work for not prompting for internet...but still being prompted for credentials for our intranet site.

Our intranet site is quirky at best. Everything but the search functionality is on Sharepoint Server 2008 (uses Kerberos tgt for authentication). The search site/functionality (search.domain.com) is on Sharepoint Server 2012 and uses NTLM authentication.

Anything you can offer to complete policy setup for those two scenarios?

dbjz2005
New Contributor

@maxbehr Quick question, I see this thread is mostly about managing Google Chrome with the plist. I have a plist that is working but I am trying to add managed bookmarks to that plist. I cannot get them to work. Could you perhaps help me out with that?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

    <key>ManagedBookmarks</key>
<array>
  <dict>
    <key>toplevel_name</key>
    <string>BlueApron</string>
  </dict>
  <dict>
    <key>name</key>
    <string>MyADP</string>
    <key>url</key>
    <string>adpvantage.adp.com/public/index.htm</string>
  </dict>
  <dict>
    <key>name</key>
    <string>Internal BA Jobs</string>
    <key>url</key>
    <string>https://blueapron.taleo.net/careersection/1/jobsearch.ftl?lang=en&portal=10100010122</string>
  </dict>
  <dict>
    <key>name</key>
    <string>Benefits Enrollment</string>
    <key>url</key>
    <string>https://hcdt.login.us2.oraclecloud.com/oam/server/obrareq.cgi?encquery%3DcCUPtWkonD5DZLoiM36HuJnWto%2FQtCqhHIEyOD3FEHvx0CipaoQup03jIJ1D0pXAoPUQrm6XZyTqVexrD7fe2L1g8%2FkwYK%2FssGPmRICPvUD3Si6IxG2%2FZpRh9qSYliwsMSfWNGvLzXTp1yXkd07TJtbVlKYRKw0xgTgV6joq12nBozaiTJihbnsRexg%2FqGx3UMaUPuKAw6caZX9qBzTl7GQ2T42xxEgfP4EzuKvRZD8v7DYSo9McCP87eFoczGhf2PYsZj4SE1ta3BcHCKbospciyqs6uHtVrq7deZFpcMoOUbeNNkvucJ15lzvYpG%2BaRN0L1ah%2Bnz34%2FO34gX1ZEgfgGtmWU15nWNX7EuVum5mhjjhAhoxMAtHyOLekemO5f0kl1VV5cEBu%2FojCoavJLOiKJKCh9lrwRy8tuAIQjARCwAWkDuTxZpfGj5fUyYqDj2vcmHsAtEMizCWL0upCHuw8XBU6%2FMfZCccA1y0x0hQZrYsRsl60skyHnJmaPXoy%20agentid%3DOraFusionApp_11AG%20ver%3D1%20crmethod%3D2&ECID-Context=1.005NT0xd5LkBX7W_PxO5yd0007yt0003Om%3BkXhgv0ZCLILIHV8QZTRGjITPj1OPaHHToOPPiKTQZHOTdVQR</string>
  </dict>
    <key>name</key>
    <string>Chrome links</string>
  </dict>
</array>
<dict>
    <key>AllowOutdatedPlugins</key>
    <false/>
    <key>AlwaysAuthorizePlugins</key>
    <true/>
    <key>AutoFillEnabled</key>
    <false/>
    <key>BackgroundModeEnabled</key>
    <false/>
    <key>DefaultBrowserSettingEnabled</key>
    <false/>
    <key>DefaultGeolocationSetting</key>
    <integer>2</integer>
    <key>DefaultNotificationsSetting</key>
    <integer>3</integer>
    <key>DefaultJavaScriptSetting</key>
    <integer>1</integer>
    <key>DefaultPluginsSetting</key>
    <integer>1</integer>
    <key>DefaultPopupsSetting</key>
    <integer>3</integer>
    <key>DefaultSearchProviderEnabled</key>
    <true/>
    <key>DefaultSearchProviderName</key>
    <string>Google</string>
    <key>DefaultSearchProviderSearchURL</key>
    <string>www.google.com/search?q=</string>
    <key>DeviceAutoUpdateDisabled</key>
    <true/>
    <key>HomepageIsNewTabPage</key>
    <false/>
    <key>HomepageLocation</key>
    <string>https://wms.blueapron.com</string>
    <key>ImportAutofillFormData</key>
    <false/>
    <key>ImportBookmarks</key>
    <false/>
    <key>ImportHistory</key>
    <false/>
    <key>ImportHomepage</key>
    <false/>
    <key>ImportSavedPasswords</key>
    <false/>
    <key>ImportSearchEngine</key>
    <false/>
    <key>IncognitoModeAvailability</key>
    <integer>1</integer>
    <key>PasswordManagerEnabled</key>
    <false/>
    <key>AllowDeletingBrowserHistory</key>
    <false/>
    <key>RestoreOnStartup</key>
    <integer>4</integer>
    <key>RestoreOnStartupURLs</key>
    <array>
        <string>https://wms.blueapron.com</string>
    </array>
    <key>SafeBrowsingEnabled</key>
    <true/>
    <key>ShowHomeButton</key>
    <true/>
    <key>SyncDisabled</key>
    <true/>
    <key>HideWebStoreIcon</key>
    <true/>
  </dict>
    </plist>

bstossel
New Contributor

@dbjz2005 did you run the sudo killall cfprefsd command in Terminal to clear out the existing policies before applying the new ones?

dbjz2005
New Contributor

The main problem that I am having @bstossel with the above managed bookmark part is that the JSS will not accept it as a plist file. It says that it needs to be written in XML, which I'm pretty sure that it is. I don't think that there is anything wrong with the code but I could be wrong. I have added the URLs with just regular generic URLs like google.com or youtube.com and it accepts that file. However with the above URLs it will not accept it.

bstossel
New Contributor

@dbjz2005 hmm...I threw the plist into TextWrangler and the only thing I can see that I might suggest (know that I'm a total newb with Chrome policy/prefs) would be to start with one URL at a time. Create a plist using the first one you entered...delete the rest. Load it to a test machine and see if it populates.

If it does, add the next one and try again...and so forth. If the first one fails, add the 2nd one and work from there. I'm sort of a trial and error kind of guy when it comes to this stuff. But I wouldn't be surprised if someone like @maxbehr has a quicker solution.

dbjz2005
New Contributor

Looks like I have it figured out. For some reason it was not liking the long URLs. I used a URL shortener and it worked no problem.

maxbehr
Contributor II

@dbjz2005 looks like your syntax is off. The entire plist body is enclosed in a <dict> tag. A good test is to install Xcode and open the plist in Xcode; if it fails to open, it's not a properly formatted plist.

Try this

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ManagedBookmarks</key>
    <array>
        <dict>
            <key>toplevel_name</key>
            <string>BlueApron</string>
        </dict>
        <dict>
            <key>name</key>
            <string>Google</string>
            <key>url</key>
            <string>google.com</string>
        </dict>
        <dict>
            <key>name</key>
            <string>MyADP</string>
            <key>url</key>
            <string>adpvantage.adp.com/public/index.htm</string>
        </dict>
        <dict>
            <key>name</key>
            <string>Internal BA Jobs</string>
            <key>url</key>
            <string>https://blueapron.taleo.net/careersection/1/jobsearch.ftl?lang=en&amp;portal=10100010122</string>
        </dict>
        <dict>
            <key>name</key>
            <string>Benefits Enrollment</string>
            <key>url</key>
            <string>https://hcdt.login.us2.oraclecloud.com/oam/server/obrareq.cgi?encquery%3DcCUPtWkonD5DZLoiM36HuJnWto%2FQtCqhHIEyOD3FEHvx0CipaoQup03jIJ1D0pXAoPUQrm6XZyTqVexrD7fe2L1g8%2FkwYK%2FssGPmRICPvUD3Si6IxG2%2FZpRh9qSYliwsMSfWNGvLzXTp1yXkd07TJtbVlKYRKw0xgTgV6joq12nBozaiTJihbnsRexg%2FqGx3UMaUPuKAw6caZX9qBzTl7GQ2T42xxEgfP4EzuKvRZD8v7DYSo9McCP87eFoczGhf2PYsZj4SE1ta3BcHCKbospciyqs6uHtVrq7deZFpcMoOUbeNNkvucJ15lzvYpG%2BaRN0L1ah%2Bnz34%2FO34gX1ZEgfgGtmWU15nWNX7EuVum5mhjjhAhoxMAtHyOLekemO5f0kl1VV5cEBu%2FojCoavJLOiKJKCh9lrwRy8tuAIQjARCwAWkDuTxZpfGj5fUyYqDj2vcmHsAtEMizCWL0upCHuw8XBU6%2FMfZCccA1y0x0hQZrYsRsl60skyHnJmaPXoy%20agentid%3DOraFusionApp_11AG%20ver%3D1%20crmethod%3D2&amp;ECID-Context=1.005NT0xd5LkBX7W_PxO5yd0007yt0003Om%3BkXhgv0ZCLILIHV8QZTRGjITPj1OPaHHToOPPiKTQZHOTdVQR</string>
        </dict>
    </array>
    <key>AllowOutdatedPlugins</key>
    <false/>
    <key>AlwaysAuthorizePlugins</key>
    <true/>
    <key>AutoFillEnabled</key>
    <false/>
    <key>BackgroundModeEnabled</key>
    <false/>
    <key>DefaultBrowserSettingEnabled</key>
    <false/>
    <key>DefaultGeolocationSetting</key>
    <integer>2</integer>
    <key>DefaultNotificationsSetting</key>
    <integer>3</integer>
    <key>DefaultJavaScriptSetting</key>
    <integer>1</integer>
    <key>DefaultPluginsSetting</key>
    <integer>1</integer>
    <key>DefaultPopupsSetting</key>
    <integer>3</integer>
    <key>DefaultSearchProviderEnabled</key>
    <true/>
    <key>DefaultSearchProviderName</key>
    <string>Google</string>
    <key>DefaultSearchProviderSearchURL</key>
    <string>www.google.com/search?q=</string>
    <key>DeviceAutoUpdateDisabled</key>
    <true/>
    <key>HomepageIsNewTabPage</key>
    <false/>
    <key>HomepageLocation</key>
    <string>https://wms.blueapron.com</string>
    <key>ImportAutofillFormData</key>
    <false/>
    <key>ImportBookmarks</key>
    <false/>
    <key>ImportHistory</key>
    <false/>
    <key>ImportHomepage</key>
    <false/>
    <key>ImportSavedPasswords</key>
    <false/>
    <key>ImportSearchEngine</key>
    <false/>
    <key>IncognitoModeAvailability</key>
    <integer>1</integer>
    <key>PasswordManagerEnabled</key>
    <false/>
    <key>AllowDeletingBrowserHistory</key>
    <false/>
    <key>RestoreOnStartup</key>
    <integer>4</integer>
    <key>RestoreOnStartupURLs</key>
    <array>
        <string>https://wms.blueapron.com</string>
    </array>
    <key>SafeBrowsingEnabled</key>
    <true/>
    <key>ShowHomeButton</key>
    <true/>
    <key>SyncDisabled</key>
    <true/>
    <key>HideWebStoreIcon</key>
    <true/>
</dict>
</plist>
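The mistakes this thread walks through (DefaultPluginsSetting wrapped in an <array>, the "Expected string value" status chrome://policy showed for RestrictSigninToPattern, a plist whose keys sat outside the enclosing <dict>, and a raw & in a long bookmark URL that the JSS rejected) can all be caught by a small lint before the file reaches a test machine or Profile Manager. This is an added example, not code from any post in this thread; it uses Python's standard plistlib, the policy-type table covers only keys discussed above, and the sample plists are constructed with placeholder domains.

```python
import plistlib

# Policies the thread shows wrapped in <array> by mistake; Chrome expects a
# single scalar (chrome://policy then reports e.g. "Expected string value").
SCALAR_POLICIES = {
    "DefaultPluginsSetting": int,
    "RestrictSigninToPattern": str,
    "ProxyMode": str,
    "AuthSchemes": str,
    "AuthServerWhitelist": str,
    "AuthNegotiateDelegateWhitelist": str,
}
PLIST_TAG = {int: "integer", str: "string"}

# Policies that take an <array> of <string>.
LIST_POLICIES = (
    "ExtensionInstallBlacklist", "ExtensionInstallWhitelist",
    "ExtensionInstallForcelist", "ExtensionInstallSources",
    "RestoreOnStartupURLs", "EnabledPlugins",
)


def _is_scalar(value, expected):
    # bool is a subclass of int, so <true/> must not pass as an integer policy
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def validate_chrome_plist(data):
    """Return a list of findings for a com.google.Chrome policy plist (empty = clean)."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # malformed XML: unescaped '&', <key> outside <dict>, ...
        return [f"not a parseable plist: {exc}"]
    if not isinstance(root, dict):
        return ["top level must be one <dict> that encloses every policy key"]

    findings = []
    for key, expected in SCALAR_POLICIES.items():
        if key in root and not _is_scalar(root[key], expected):
            findings.append(f"{key}: expected a single <{PLIST_TAG[expected]}>, got "
                            f"{type(root[key]).__name__} (drop the <array>)")
    for key in LIST_POLICIES:
        value = root.get(key)
        if value is not None and not (isinstance(value, list)
                                      and all(isinstance(v, str) for v in value)):
            findings.append(f"{key}: expected an <array> of <string>")

    bookmarks = root.get("ManagedBookmarks")
    if bookmarks is not None and not isinstance(bookmarks, list):
        findings.append("ManagedBookmarks: expected an <array> of <dict>")
    elif bookmarks is not None:
        for i, entry in enumerate(bookmarks):
            if not isinstance(entry, dict):
                findings.append(f"ManagedBookmarks[{i}]: expected a <dict>")
            elif "toplevel_name" not in entry and not ("name" in entry and "url" in entry):
                findings.append(f"ManagedBookmarks[{i}]: needs keys name and url "
                                f"(or toplevel_name), has {sorted(entry)}")
    return findings


# Constructed samples (placeholder domains, not the thread's files).
HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
          b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n')
FOOTER = b"</plist>\n"

CLEAN_PLIST = HEADER + b"""<dict>
    <key>DefaultPluginsSetting</key>
    <integer>3</integer>
    <key>ExtensionInstallBlacklist</key>
    <array><string>*</string></array>
    <key>ManagedBookmarks</key>
    <array>
        <dict><key>toplevel_name</key><string>Example Corp</string></dict>
        <dict><key>name</key><string>Careers</string>
              <key>url</key><string>https://careers.example.com/?lang=en&amp;portal=1</string></dict>
    </array>
</dict>
""" + FOOTER

BAD_PLIST = HEADER + b"""<dict>
    <key>DefaultPluginsSetting</key>
    <array><integer>3</integer></array>
    <key>RestrictSigninToPattern</key>
    <array><string>*@example.com</string></array>
    <key>ManagedBookmarks</key>
    <array>
        <dict><key>name</key><string>Careers</string>
              <key>New item</key><string>https://careers.example.com/</string></dict>
    </array>
</dict>
""" + FOOTER

# A raw '&' inside <string> is not well-formed XML; it must be written as &amp;
UNESCAPED_PLIST = HEADER + b"""<dict>
    <key>HomepageLocation</key>
    <string>https://intranet.example.com/?a=1&b=2</string>
</dict>
""" + FOOTER

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PLIST), ("bad", BAD_PLIST),
                        ("unescaped", UNESCAPED_PLIST)):
        print(label, validate_chrome_plist(blob) or "OK")
```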

maxbehr
Contributor II

@bstossel does your proxy server force the client to bypass it for intranet sites? If you strip out the proxy info for chrome and direct connect to the sharepoint server does it still fail? I'm guessing the proxy server does not forward kerberos credentials on to the sharepoint server. Also try adding the sharepoint server to the list of bypass proxy addresses in your plist.

As for search, NTLM will always prompt for username and password on the Mac. The mac does not have the ability to do SSO NTLM authentication, only Kerberos.

bstossel
New Contributor

@maxbehr yes, the proxy server does force bypass of intranet sites, but I believe that's enforced through the wpad.dat file. Even then, I have the intranet site and internal domains added to the bypass list in SysPrefs/Network/Proxies for each connection on native macOS.

Isn't there an NtlmV2Enabled policy key that forces NTLMv2 in Chrome? Or does that force NTLMv2 for all connection attempts?

maxbehr
Contributor II

@bstossel yes, there is an NtlmV2Enabled policy key, but that only forces any NTLM authentication to be v2 only. It does not make NTLM SSO happen, unfortunately.
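
A policy plist that puts the advice from the two replies above (Kerberos for the intranet host, NTLMv2 as the only NTLM fallback, bypass handled at the proxy layer) into one file. This is an added illustration, not a plist posted in this thread; the hostnames corp.example.com / sharepoint.corp.example.com and the PAC URL http://wpad.corp.example.com/wpad.dat are placeholders for your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Servers Chrome may answer Negotiate (Kerberos) or NTLM challenges
         from. Placeholder names: substitute your own domain. A host that is
         not matched here gets a plain credential prompt even when the user
         already holds a Kerberos ticket. -->
    <key>AuthServerAllowlist</key>
    <string>*.corp.example.com,sharepoint.corp.example.com</string>

    <!-- Drop Basic and Digest so a fallback prompt can never send the
         password in clear text; Negotiate is attempted before NTLM. -->
    <key>AuthSchemes</key>
    <string>negotiate,ntlm</string>

    <!-- If a server still negotiates NTLM, require NTLMv2 (NTLMv1/LM
         responses are trivially cracked offline). This does not give NTLM
         single sign-on; the user is still prompted for NTLM. -->
    <key>NtlmV2Enabled</key>
    <true/>

    <!-- Keep the existing WPAD/PAC proxy. ProxyBypassList is only honoured
         with ProxyMode "fixed_servers"; with a PAC the intranet bypass has
         to come from the PAC itself (return "DIRECT" for those hosts). -->
    <key>ProxyMode</key>
    <string>pac_script</string>
    <key>ProxyPacUrl</key>
    <string>http://wpad.corp.example.com/wpad.dat</string>
</dict>
</plist>
```

AuthNegotiateDelegateAllowlist is deliberately left out: it lets the listed servers reuse the user's Kerberos credentials against other systems, so add it only for a server that genuinely needs delegation. After deploying, open chrome://policy and check that every key shows a status of OK; a key listed with an error is being ignored, and `klist` in Terminal confirms whether the user actually has a TGT before you blame the policy.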

bstossel
New Contributor

@maxbehr well crap! That certainly puts a crimp in my plans :(

So I don't know if you're familiar with these or not... but I'm part of the macadmins Slack, and I had talked to them over a year ago about enabling SSO and problems I was having. I ended up getting into the ADmitMac client by Thursby Software, which had code built in that could read certain GPOs that Windows could. That included LANMAN authentication. As soon as I bought it, they went end of life. It was right around that time that the search.domain.com stuff stopped working for my Mac users (once I uninstalled it).

There is another client called NoMAD that has been mentioned there which performs similar functions. While macOS doesn't support NTLM SSO natively, is that what's actually happening here, since everything else in the system runs on Kerberos for SSO? Is there some 3rd-party piece that allows NTLM SSO on Macs?

maxbehr
Contributor II

@bstossel As far as I know there is no piece of software that does NTLM SSO on the Macintosh. Whilst ADmitMac may be able to read GPOs (Centrify does the same thing), this would not have given you NTLM SSO. Instead it would have regulated authentication methods (similar to the NtlmV2Enabled policy) as well as things like requiring SMB signing.

NoMAD allows you to not bind your Mac to AD; instead users use regular local accounts and use the NoMAD application to get Kerberos credentials, but again this is only Kerberos.

The closest I think you are going to get to NTLM SSO is having the user check the "remember in keychain" option for anything that requires NTLM. This would give the illusion of NTLM SSO, until such time as they change their password and then would have to enter it again into the keychain. If you are using smart cards like I am, this of course won't work.

dbjz2005
New Contributor

@maxbehr I have a question that maybe you can answer. Is it possible to use the JSS to make a print setting default in Google Chrome? Specifically the setting for "print background graphics". I have an HTML document that defaults with no background printed and it is causing issues. A lot of our users are not savvy, so just making this the default through the JSS would be great.

maxbehr
Contributor II

@dbjz2005 Two potential, though not so elegant, options. You can try the policy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DisablePrintPreview</key>
<true/>
</dict>
</plist>

This will disable the Google print dialog box and set it to use the OS dialog box. In my very limited testing, printing this way caused the HTML images to print.

The other method is, if you control the pages that you want the pictures printed from, your web developers could add the following rule to the CSS for your background images:

-webkit-print-color-adjust: exact;

Check out this stack overflow page for more info

cwwirth
New Contributor III

So this thread has been a big help in trying to get our Chrome install under control, but there are still a couple of settings that aren't quite working right.

I'm using a Google Chrome Master Preferences file and a com.google.chrome.plist file. (I have the plist in /Library/Preferences as I want those settings to apply to all users, but for them to be able to override as needed.) What I'm left with is a bit of undesirable first-run behavior -- specifically, the "Google Chrome isn't your default browser" and "Google Chrome may not be able to keep itself updated" bars:


What settings am I missing? I went through the Chrome policy list and added what I thought would be applicable. That update bar is interesting too since I'm not setting anything related to that.

My Google Chrome Master Preferences settings:

{
  "homepage": "https://www.mydomain.whatever",
  "homepage_is_newtabpage": false,
  "browser": {
    "show_home_button": true,
    "check_default_browser": false
  },
  "session": {
    "restore_on_startup": 4,
    "startup_urls": [ "https://www.mydomain.whatever" ]
  },
  "bookmark_bar": {
    "show_on_all_tabs": true
  },
  "sync_promo": {
    "show_on_first_run_allowed": false
  },
  "distribution": {
    "import_bookmarks": false,
    "import_history": false,
    "import_home_page": false,
    "import_search_engine": false,
    "ping_delay": 60,
    "do_not_launch_chrome": true,
    "make_chrome_default": false,
    "make_chrome_default_for_user": false,
    "suppress_first_run_default_browser_prompt": true,
    "suppress_first_run_bubble": true,
    "show_welcome_page": false,
    "skip_first_run_ui": true,
    "system_level": true,
    "verbose_logging": true
  },
  "first_run_tabs": [ "https://www.mydomain.whatever" ]
}

...and my com.google.chrome.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoFillEnabled</key>
    <false/>
    <key>DefaultBrowserSettingEnabled</key>
    <false/>
    <key>ExtensionInstallForcelist</key>
    <array>
        <string>cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx</string>
    </array>
    <key>PasswordManagerEnabled</key>
    <false/>
    <key>RestoreOnStartup</key>
    <integer>4</integer>
    <key>RestoreOnStartupURLs</key>
    <array>
        <string>https://www.mydomain.whatever</string>
    </array>
    <key>SyncDisabled</key>
    <true/>
</dict>
</plist>

maxbehr
Contributor II

For disabling updates (assuming that's what you want to do) you should do that in the plist with the key DeviceAutoUpdateDisabled. If you want auto-update to work, then you need to make sure you install the pieces in /Library that Chrome installs to make that happen. The easiest way to do that is to use Composer, and then click the option that sets up automatic updates.

As for the checking of the default browser, you should use the key DefaultBrowserSettingEnabled set to false.

mhatt
New Contributor III

@maxbehr I dig your profile picture! Anyways, I have been following this feature request:

Enterprise Option to Enforce Chrome Sign-in

Q2 has long passed and no update has been provided. However, I have recently found this page:

Force users to sign in to Chrome Browser

It would seem as though this is now supported on macOS? So far I have tried manipulating this setting in a fresh com.google.Chrome.manifest then changing it to com.google.Chrome.plist and finally uploading it as a custom setting to Jamf. I get no sign in prompts on the client and I can use the browser as normal. Am I doing this wrong or is it still just not yet supported on macOS?

maxbehr
Contributor II

@mhatt thanks! According to the Chromium policy site, it should force sign in on version 70 or greater. Looking at that second link I don't think the sample code is correct. I do not think there should be a <dict> after the preference key.

Try the following

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BrowserSignin</key>
    <integer>2</integer>
</dict>
</plist>
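
Forcing sign-in by itself still lets a user satisfy the prompt with a personal Google account, open a Guest window, or add a second profile and work there unsigned. The plist below is an added example (not from this thread or from Google's help page) that pairs BrowserSignin with the policies that close those gaps; `.*@example\.com` is a placeholder for your own Workspace domain.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- 0 = sign-in disabled, 1 = sign-in allowed, 2 = sign-in forced
         (honoured on macOS from Chrome 70). -->
    <key>BrowserSignin</key>
    <integer>2</integer>

    <!-- Only accounts whose address matches this regular expression may
         sign in. Without it a personal @gmail.com account satisfies the
         forced sign-in. Placeholder domain. -->
    <key>RestrictSigninToPattern</key>
    <string>.*@example\.com</string>

    <!-- Close the side doors: no Guest windows and no extra profiles,
         both of which would otherwise run without the managed account. -->
    <key>BrowserGuestModeEnabled</key>
    <false/>
    <key>BrowserAddPersonEnabled</key>
    <false/>
</dict>
</plist>
```

Note that this is the opposite of the no-prompt first run the thread started with: with BrowserSignin set to 2 the browser will not open a window until the user has signed in, so test it on one machine and confirm in chrome://policy that all four keys show OK before scoping it to a Jamf group.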