Posted on 04-01-2015 01:36 PM
I'm interested in getting Google Chrome set up on an image where the first run and subsequent runs just opens the browser and sends the user to a homepage without prompting the user to log in or do anything else. It appears that this may not be so simple.
There have been a few posts in the past about this (one method with a manifest, the other Google Chrome Master Preference) but I haven't been able to get anything working. Would anyone be willing to share how they're doing it?
It feels like this ought to be possible.
Posted on 04-01-2015 01:49 PM
I gave up with the Master Preference file and took a snapshot /Users/username/Library/Application Support/Google/Chrome. Made a DMG and it works just as fine.
Posted on 04-01-2015 01:53 PM
@jbarnes This can be a very daunting task. You have to go to /Applications/Google Chrome.app/Contents/Resources/com.google.Chrome.manifest. This is the file you need. Take this file, pop it into profile manager. Then select the options you want. Then download the manifest from profile manager, then load that manifest into JSS as a custom payload.
Posted on 04-01-2015 02:46 PM
Master Preferences are pretty easy as a DMG deployment. From memory It's basically just two files.
Library/Google/Google Chrome Master Preferences << Text file in JSON format from memory.
Library/Google/Bookmarks << Optional If you want to import predetermined bookmarks.
The one thing I will say is the file has to be almost character perfect, one tiny mistake and it invalidates the whole file and nothing happens.
You can download a fully functioning file from google and then just edit as you like, there is also a list of every available setting as well.
So just start with the vanilla working file and add your pieces one by one making sure it works after each one.
There was when I last looked a bug where you couldn't supress the "Use chrome as the default browser" on the very first run, it's listed as being looked at so may have already been resolved. But basically every other setting I have wanted has been managed with Master Preferences.
It's nice because it sits outside the Chrome Application deployment so you can deploy a new version and it generally just picks it up.
It also is used if a user deletes just their Chrome folder from Library and relaunches Chrome (as opposed to a user template for example that only affects a new user profile).
Posted on 04-01-2015 02:54 PM
I use two methods. One by setting some 'suggested' settings via the option in a file I believe in /Library/Application support (I'll update tomorrow if you are interested when I get into the office). This file sets some settings on a first time basis only and the user can override them with their own settings. I then lock all the settings required for my environment via a configuration profile (you could also use the legacy managed preferences method in the JSS). Basically I configured a plist file called com.google.chrome.plist (see picture attachment for a partial look at the file)
with all of the locked settings. Uploaded that into the configuration profile and applied it to the machines. It works great. Whenever I need to update settings, like whitelisting plugins or sites, I just update the plist file and re-upload it to that configuration profile.
Posted on 04-02-2015 06:21 AM
Thanks everybody. I have tried a bunch of these methods, but haven't been able to get them going -- as of now it seems the Chrome install is ignoring my attempts, so @maxbehr I am very interested in what you're up to.
Posted on 04-02-2015 07:04 AM
I too have had many many problems managing Chrome. My requirements:
Homepage
Skip the first run window
Prevent the yellow menu bars for updates showing
Tried policy & preference
Ended up doing a snapshot. Going to try once more.
Posted on 04-02-2015 01:39 PM
OK so here's the update. For one time only prefs you must create a file called Google Master Preferences found at /Library/Google/Google Chrome Master Preferences. It's a simple txt file in JSON format. More details at https://www.chromium.org/administrators/configuring-other-preferences . For this I just use Composer to package the file and deploy it when I image the computers. From what I can tell it only supports a subset of the available preferences ( they are listed at the end of the page ). Like I said previously this will ONLY give defaults prefs the first time chrome is run and they are NOT locked just friendly suggestions. For the real good stuff, I deploy a Configuration Profile (Computer not User). Per JAMF's recommendation they suggest only using one configuration profile per set of preferences so mine is ONLY dedicated to Google Chrome settings. To create the settings you must create a plist file called com.google.chrome.plist. In this file I put all of the settings that must be locked down and NOT changeable by the user. The complete list of available prefs is located at https://www.chromium.org/administrators/policy-list-3
When you construct your plist it must be in the right format, see my screenshot above. Once applied via configuration profile the changes are instant. You can verify that the prefs have taken hold by typing in chrome:policy in the address bar, it will then show you a list of all the prefs that have been applied.
Posted on 04-07-2015 11:23 AM
Thanks. That helped.
Since we do thin imaging I ended up writing script that creates the Google Chrome Master Preferences File. Here it is (let's see if this works) in case anybody searching stumbles on this:
#!/bin/bash
# Output Chrome Master Preferences to /Library/Google/Google Chrome Master Preferences
# jbarnes 4/6/2015
if [ ! -d "/Library/Google" ]
then
mkdir "/Library/Google"
fi
(
sudo cat <<'EOD'
{
"homepage" : "http://www.homepage.yo",
"homepage_is_newtabpage" : false,
"browser" : {
"show_home_button" : true,
"check_default_browser" : false
},
"bookmark_bar" : {
"show_on_all_tabs" : false
},
"distribution" : {
"suppress_first_run_bubble": true,
"show_welcome_page" : false,
"skip_first_run_ui" : true,
"import_history" : false,
"import_bookmarks" : false,
"import_home_page" : false,
"import_search_engine" : false
},
"sync_promo" : {
"user_skipped" : true
},
"first_run_tabs" : [
"http://www.homepage.yo/"
]
}
EOD
) > "/Library/Google/Google Chrome Master Preferences"
Posted on 06-11-2015 08:32 PM
I used the method of importing a com.google.chrome.plist file into a configuration profile as mentioned by maxbehr and it works a treat. The full list of available options is at https://www.chromium.org/administrators/policy-list-3 (note, some preferences are only for Chromium OS, each setting is marked whether it is applicable to OS X or not).
For default settings (as opposed to enforced settings) we normally just load chrome a few times to capture all the prompts, then copy the chrome profile out of Library/Application Support into the default user template. Have tried using managed preferences but haven't had much luck getting it to work.
Posted on 08-17-2015 12:29 AM
I know this is an old post, but maybe just maybe someone like me is stuck with Yosemite, and comes across this.
Run the following lines in a login script to set the browser as default for each user.
Assuming Chrome is already installed:
open -a "Google Chrome" --args --make-default-browser
sleep 1
sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "REPLACE INTO access VALUES('kTCCServiceAccessibility','com.apple.loginwindow',0,1,1,NULL);"
osascript -e 'tell application "System Events" to tell process "CoreServicesUIAgent" to tell window 1 to click button 1' >/dev/null 2>&1
sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.loginwindow';"
Very subtle solution and works quite nicely.
Kamal
Posted on 11-10-2015 07:16 AM
@maxbehr Hi Max i've been following your method by deploying a configuration profile, and it's a great success. so i've deployed a bookmark folder to user chrome without hurting their existing bookmark. but one question, it seems i can't change the name of "Managed Bookmarks", even though i tried add <key>name</key>
<string>test</string>
at the end of dictionary, but its name still Managed Bookmarks, didn't change to test. you have any idea how to change it?
Posted on 11-12-2015 06:30 AM
@Dalmatian it does not look like there is a way to rename the Managed Bookmarks. Looking at the Chromium docs appears that Managed Bookmarks is the default name and I could not find a way to change it.
Posted on 03-23-2016 03:04 PM
@maxbehr Thanks for your hard work on this. Can you tell me where this com.google.Chrome.plist file needs to live on a computer? I've built the plist using Xcode and now I want to test the plist before deploying it with a configuration profile. Also, will this overwrite the rest of the settings in user's plist configuration? I just want to block some plugins using your method you've described.
Thanks!!
Posted on 03-23-2016 04:52 PM
@danhutchings, When using managed preferences / configuration profiles the file is placed in /Library/Managed Preferences so you should be able to put it in /Library/Preferences or in ~/Library/Preferences to test. Like most managed preferences the settings are additive to any settings the user has already set UNLESS you are overriding something that the user has set, then the managed preferences or /Library/Preferences take precedence over ~/Library/Preferences
Posted on 03-23-2016 05:05 PM
Thanks for the reply @maxbehr !
I was able to apply my preferences. I took the com.google.Chrome.manifest file and saved it to my desktop. I then made the changes to the file. I copied it to the managed preferences path you mentioned. I then renamed the file to com.google.Chrome.plist and it worked just fine. The struggle I have now is uploading the manifest file to the JSS. It tells me there is a format issue. How can I convert this manifest file so that it will work with the JSS in a configuration profile?
Thanks!
Posted on 03-23-2016 05:43 PM
More than likely you need to convert the plist to a text file from a binary. Try running
plutil -convert xml1 /path_to_plist
And then try uploading.
Posted on 03-25-2016 02:22 PM
I was able to upload the file now! So that is a plus. However, when I upload it, it just gives me the attached screenshot. Let me know what you think.
Thanks!
Posted on 03-31-2016 10:02 AM
Sorry for the delayed response, That is indeed odd. If I had to guess the plist is malformed in some way. Could you try copying and pasting the text into your response so I could see the raw plist?
Posted on 04-04-2016 07:18 AM
@maxbehr You might be able to help me out here...I'm having difficulty with google as there are no directories outside of the user account for chrome in OS X. I have tried the JAMF process with the configuration profile, using the manifest file and options there yet it effectively does nothing on the client machine. I have switched to manual manipulation of the manifest file and converting it to a plist file...yet still no enforcement/changes. What I am attempting to do is forced the user to log in under the provided domain account for our google apps for education and deny access to a personal log in - i.e. gmail or others. We are running 10.10.5 and up (I am building a workflow and wanted to incorporate this to the new image flow.)
Just as a note I have edited the manifest using this page: https://www.chromium.org/administrators/policy-list-3 utilizing the *@domain restriction pattern
Thanks for any input on this
-Nate
Posted on 04-04-2016 09:23 AM
@Npooter229
Nate, unfortunately it looks like those two policy options are Chrome OS only. If you notice each preference setting has a Supported On clause, only the ones that list Chromium (Mac OS X) will work on the Mac. Those with Chrome OS will only work on Chrome OS devices (Chrome book, etch…). The only policy I can think of would be the SyncDisabled preference but that only restricts whether a user can login to a google account to sync across devices, there is no way I know to further restrict which accounts (personal or institutional) they can use…sorry.
Posted on 06-03-2016 09:45 AM
I could really use some help on this...I seem to be doing everything posted here and get no errors, but Chrome just isnt reading/applying the policies
I have a very simple plist (for testing):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowOutdatedPlugins</key>
<false/>
<key>defaultgeolocationsetting</key>
<integer>2</integer>
<key>IncognitoModeAvailability</key>
<integer>1</integer>
</dict>
</plist>
I'm uploading that to jss for a preference domain named com.google.chrome.plist and the file uploads and shows each setting and value pair correctly.
It is set for Computer
And I can easily verify the file is being created in /Library/Managed Preferences on the scoped client
But chrome://policy shows nothing!
after reloading and rebooting
Any help would be greatly appreciated!!
Thx
Posted on 06-03-2016 09:59 AM
Two things, first (don't know if capitalization matters) try DefaultGeolocationSetting instead of defaultgeolocationsetting . Second the preference domain should be com.google.chrome no .plist
in the preference domain. Also are you doing this via Managed Preferences or a Configuration Profile
Posted on 06-03-2016 10:40 AM
@maxbehr
Thanks for the fast response!!
I am doing this via configuration profile...? Is that right ?
Also, how do I force jamf to update configuration profiles??
The scoped machine is stuck on pending even though it just checked in
(I made the change in name)
Posted on 06-03-2016 10:46 AM
@branthyatt Either will work I think, Configuration Profile is the preferred method. I know of no way of forcing the client to reconnect to Apple's Push Service Network. Configuration profiles require use of Apple's Push Service. The JSS needs access to 17.0.0.0/8 via ports 2195 and 2196. And the client needs access to 17.0.0.0/8 via port 5223.
If you don't have access to those ports or you just want to test the easiest method is to download your config profile, there is a download button on the configuration profile edit screen, from the JSS and then manually install it on the client.
Posted on 06-03-2016 11:11 AM
Thanks!!!
Working now (via download...assuming it will work via push eventually) and Yes capitalization does matter!
Thanks again...
Posted on 06-03-2016 11:56 AM
I'm sorry to bug you again, but while it's working in general, I'm having trouble with the AllowedDomainsForApps policy
It's a string and I'm not sure if it's just the way I'm putting it in or what.
I've tried it with and without quotes
(it's also apparently new to v. 51, which I do indeed have)
Every other policy below is being read properly
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DefaultGeolocationSetting</key>
<integer>2</integer>
<key>IncognitoModeAvailability</key>
<integer>1</integer>
<key>AllowedDomainsForApps</key>
<string>gmail.com</string>
<key>AllowOutdatedPlugins</key>
<false/>
</dict>
</plist>
Posted on 06-03-2016 12:33 PM
@branthyatt It's no trouble at all. This is not one I've played around with. Looking at the documentation that looks like that is the correct syntax to use. The only thing I can think is to maybe put an * before the string so *gmail.com What exactly are you trying to accomplish with this setting?
Posted on 06-03-2016 01:21 PM
@maxbehr
I'm trying to restrict chrome logins to only be to our gapps domain
I'll try that...but based on the documentation it seemed like they don't want the *:
From the chromium site:
Example value:
"managedchrome.com,gmail.com"
I wanted to go this route (vs. a firewall header injection) so that they can still access personal gmail accounts in safari
Posted on 08-10-2016 02:04 PM
@maxbehr Thanks! It works for me!!!
Posted on 09-21-2016 02:09 PM
@maxbehr, major thanks for all of the info you posted in this guide. You saved me hours and hours of time.
Posted on 11-01-2016 08:22 AM
OK, @maxbehr I have a really, really newbie question here, but all I know about scripting, etc., is from OJT and lurking around smart folks... :)
When I use textedit it create the identical list above (was just trying it as a test) and I save that file with a .xml extension, and upload it in the Custom Content section of a Configuration Profile, I get the "Unable to complete file upload. File contents do not match file type." error message.
So what am I doing wrong? Is changing the file name suffix manually the problem?
FYI...ultimately my goal is to require our students to log into Chrome with their school email accounts and to block all extensions.
Posted on 11-01-2016 08:37 AM
@lizmowens You'll probably want to preserve the .plist extension - i.e. - com.google.Chrome.plist --
Your .plist file will be formatted as an XML file, same as any other .plist, just preserve that extension before uploading as a custom config profile payload.
The key for blacklisting all extensions would look like:
<key>ExtensionInstallBlacklist</key>
<array>
<string>*</string>
</array>
Here's an example .plist I created to force install a particular Chrome extension. Notice I had to add the "ExtensionInstallBlacklist" key and enter a blank string - if you don't add this key and blank array, your end users will not be able to install any extensions except the one(s) listed under the "ExtensionInstallForcelist" key. I was unsure about the "ExtensionInstallWhitelist" key, so I left it in there, as it doesn't seem to interfere with extension install functionality.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionInstallForcelist</key>
<array>
<string>pgjjikdiikihdfpoppgaidccahalehjh;https://clients2.google.com/service/update2/crx</string>
</array>
<key>ExtensionInstallWhitelist</key>
<array>
<string>*</string>
</array>
<key>ExtensionInstallBlacklist</key>
<array>
<string></string>
</array>
</dict>
</plist>
Sorry, unsure about forcing email/Google account login.
Hope this helps!
Posted on 11-01-2016 09:44 AM
@lizmowens , @gokoudes is absolutely right. The file that you upload must be a properly formatted plist file called com.google.chrome.plist. As for forcing a sign in, I don't believe you can FORCE a user to sign in. You can limit the domain in which they can use to sign into Google Chrome.
The key would look like
<key>RestrictSigninToPattern</key>
<array>
<string>domain.com</string>
</array>
domain.com of course would be changed to match your domain.
Posted on 11-01-2016 10:29 AM
Y'all rock. Just tested it and it works beautifully! Now to find a script that works for blocking private browsing... :)
Posted on 11-01-2016 11:16 AM
OK, so @gokoudes & @maxbehr , I may have spoken too soon. Here's how I tested things. I had downloaded a couple of random Chrome extensions before adding the configuration profile. Created the plist, scoped the new configuration profile to the test computer, restarted the computer, reopened Chrome, and both of the extensions I had previously installed had been removed. So I was assuming success. But I went back in, installed two more extensions, and even though I've both restarted the computer and done a forced check-in with sudo jamf recon, those extensions are still there.
Hmmmm...so what have I done wrong?
Posted on 11-01-2016 11:56 AM
@lizmowens Hmm, would you mind posting a copy of the com.google.Chrome.plist you used to create the custom config profile? Referencing my example .plist above, that configuration should auto-install the Ookla Speedtest extension and allow the end user to install any other extensions they'd like. The example custom config would also leave any pre-installed extensions in place even after config profile deployment.
I'm wondering if there are other keys/arrays that could be affecting browser behavior?
Posted on 11-01-2016 01:13 PM
Here's what I have in my plist:
<?xml version=“1.0” encoding=“UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”
“http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=“1.0”>
<dict>
<key>ExtensionInstallBlacklist</key>
<array>
<string>*</string>
</array>
<key>HomepageIsNewTabPage</key>
<false/>
<key>HomepageLocation</key>
<string>http://www.edsaugusta.com</string>
<key>RestoreOnStartup</key.
<integer>0</integer>
<key>IncognitoModeAvailability</key>
<integer>1</integer>
</dict>
</plist>
Thanks for being willing to take a look and tell me what I have wrong!
Posted on 11-02-2016 06:03 AM
No worries, where would we be if somebody didn't lend a hand once in a while? :)
I think I may see what's preventing extension installs --
I changed the following to remove the asterisk between the <string> tags. Sorry, I realize my earlier post may have been confusing, as I had the asterisk in the one-liner, but removed it from the example .plist. The "ExtensionInstallBlacklist" key below should resolve any extension install issues.
<key>ExtensionInstallBlacklist</key> <array> <string></string> </array>
I also noticed the "RestoreOnStartup" key line has a syntax error that may cause issues. I've replaced a "." with a ">" in the line below:
<key>RestoreOnStartup</key><integer>0</integer>
Cheers!
Posted on 11-02-2016 08:23 AM
Couple of things, if I read it correctly the * is required to blacklist all extensions. Second the syntax error after RestoreOnStartup. Also I don't think 0 is a valid argument for that key. I've put a complete plist at my server if you want to download it.
Here is the text…
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionInstallBlacklist</key>
<array>
<string>*</string>
</array>
<key>HomepageIsNewTabPage</key>
<false/>
<key>HomepageLocation</key>
<string>http://www.edsaugusta.com</string>
<key>RestoreOnStartup</key>
<integer>1</integer>
<key>IncognitoModeAvailability</key>
<integer>1</integer>
<key>RestrictSigninToPattern</key>
<array>
<string>*@edsaugusta.com</string>
</array>
</dict>
</plist>