Restrict Browser Password Saving

wmayhone
New Contributor III

Simply put we are looking for a way to disable the ability to save passwords in the major three browsers (Safari, Firefox, Chrome). Through all of our searching we're unable to find which preference files, or settings we can push out via Jamf to disable this. It seems the modern versions of the browsers make this complicated. Ideally if it was a package we could deploy via a policy that would be perfect, especially if the users themselves couldn't go and manually enabled this option later. Also if it was something we had to run say, once per day, we are probably open to doing that as well. Just seeing if anyone has any ideas or methods they are using.

11 REPLIES 11

ShaunRMiller83
Contributor III

The way I've handled this in the past comes in a few diffrent forms.

For Safari:
On an admin system setup the Safari Prefs exactly how I wanted them to be. Then copy the com.Apple.Safari plist from (User Library Prefs) to my desktop. Open it in your favorite text editor and remove any settings you may not want or need. Lastly I would import that into a JAMF Config Profile as a custom setting. (Note: I believe in Mojave the Safari settings are now stored in a db file so this may only work in OSs below 10.14.x)

For Firefox:
Use the CCK2 extension, package up the resulting files using composer and deploy the package to a smart group for systems with Firefox installed

For Google Chrome:
Use Google Chrome Managed Prefrences which in turn would also become a a JAMF config profile.

This post was mentioned in another question where there was a question about more detail, namely https://community.jamf.com/t5/jamf-pro/disable-chrome-auto-fill-and-saving-for-passwords-and-credit/... referencing  


@ShaunRMiller83 wrote:

Use Google Chrome Managed Prefrences which in turn would also become a a JAMF config profile.


To which I'll add from the other page, do something like :
Find the desired behavior / value for https://chromeenterprise.google/policies/#PasswordManagerEnabled which in this case is:
  • false = Disable saving passwords using the password manager

Then you need an XML file to upload into JAMF, something that looks like this, which you'll upload to your Jamf Pro configuration profile's Applications & Custom Settings payload under the preference domain com.google.Chrome: 

 

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PasswordManagerEnabled</key>
    <false />
  </dict>
</plist>

 

 

hello, once it blocks do you know how to delete the passwords already saved in Chrome?

medmason
New Contributor II

If you add this to your chrome config profile you can set it to remove password data every 12h. Can also be done on Chrome exit. Note that you need to have the SyncDisabled option set to true before automatic deletion will work. 

 

<key>BrowsingDataLifetime</key>
<array>
<dict>
<key>data_types</key>
<array>
<string>password_signin</string>
<string>autofill</string>
</array>
<key>time_to_live_in_hours</key>
<integer>12</integer>
<key>SyncDisabled</key>
<true />
<key>PasswordManagerEnabled</key>
<false />
</dict>
</array>

mforeman1
New Contributor III

gabester hello is it possible that you can create a step by step on this? appreciate the assistance

Hello- did you get a step by step on this? Config profile to NOT save passwords in Chrome and to delete all saved passwords? Thanks!

wmayhone
New Contributor III

Thanks a ton for the info @ShaunRMiller83 Chrome is now going to be locked down and we're working on the other two.

mberger
New Contributor II

Whats the exact location of the " com.Apple.Safari " plist?

Nate1981
New Contributor

You can disable Safari autofill in configuration profiles. Under restrictions there is an Allow Safari AutoFill checkbox.

jcarr
Release Candidate Programs Tester

Please excuse the rant, but I'm curious as to the reasoning behind this? This just sounds like bad news to me. Preventing users from using the built-in password management features will likely force users into bad habits (e.g. using simple, easy to guess password and re-using passwords at multiple sites). Teaching and enforcing good password habits would seem to be a better approach. Might this be a technical solution to a non-technical problem?

Just my $0.02.

royaltouchez
New Contributor

Thanks @Nate1981 if this works; I will test it out.

@jcarr .... I would agree in that if you were not providing an alternative to good habits with passwords this would be a bad idea BUT if you were building an enterprise password management solution this is a much needed step to assist in enforcing new habits.