Deploying and Controlling Google Chrome Settings Using Microsoft Intune

Tagged as tech, microsoft, azure, chrome, intune
Written on 2018-07-27

Righto. This one has given me a mild headache for the last couple of days, but I've found a workable solution that allows me to set a home page for users in Chrome. You would have thought that would be really easy, right? Well, Google in its infinite wisdom has decided that conventional Windows management is for wusses. So down the rabbit hole we go.

Ingesting ADMX Templates

Let us say, for the sake of argument, that you have deployed the Chrome Enterprise .msi to your devices either during a build or using Intune. Now you want to control some of the settings for your users in order to provide a consistent experience. If you look around online, you'll see various references to ingesting ADMX templates and leveraging these for using with Chrome. This looks something like this:

# Create an OMA-URI to import your ADMX template
* ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeADMX}
* Data Type = String
* Value = the whole body of the Chrome ADMX template
# Leverage policies from within this template using nested OMA-URI settings
* ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ShowHomeButton
* Data Type = String
* Value = <enabled/>

Pretty simple stuff. This allows us to show the home button. Tickedy boo. So what about setting the home page and landing pages for users? Well, unfortunately, this isn't possible.

When you use the CSP settings to load and edit the GPO locally, Chrome detects that the computer is not connected to an on-prem AD, and will ignore certain settings including but not limited to your custom home page. Bum gravy. This is mentioned in some capacity in this thread  and in this advisory, but it's far from a satisfactory explanation in an Azure AD connected world.

What is a Boy to do?

So here's the dilemma. I know that another way to control Chrome is using a file called master_preferences located in the C:\Program Files (x86)\Google\Chrome\Application folder, so for future deployments it would be entirely possible to simply place this in the image. However, we have nearly 60 devices already out in the world due to the unreal pressure we've been under to deliver, so I need a remote deployment method.

First option is to use Powershell. Powershell could easily be pointed at a publicly accessible Azure blob containing the master_preferences file. The problem with this is that Powershell scripts can only be targeted at users, which would mean that in the long run we would not be able to set different preferences on different types of machines.

So, what about a .msi file? I got this idea in my head to package the file up as an application, which would give us the power not only to deploy per device but also to supersede if we ever want to make changes to the config. The two tools I used to achieve this were NSIS and the free version of exemsi. The steps are as follows:

After this, upload your .msi to Intune, deploy it to a test group, and watch the magic happen. Please note that you cannot deploy the ADMX template and the master_preferences file at the same time as the two conflict with one another.

Previous
Next

Unless otherwise credited all material Creative Commons License by sporiff