Wednesday, November 1, 2017

Chrome Browser - prevent / restrict user sign in

In the past I've always forced my end users to use IE.  This made sense as IE is integrated with Windows and could be heavily managed by GPO and other domain settings.
More and more I found myself personally going to Chrome for tasks since it "worked better".  So, I finally admitted (few years back actually) that maybe it makes sense for me to loosen up a bit and let the end users in on Chrome in the workplace as well.

As with all good things come that pain in the arse with them as well.  Google of course wants users to utilize it's services and logging into the Chrome site helps simplify this.  But in the workplace this may not be a great thing to have end users purposely or accidentally logging into their personal Gmail (or even other company G Suite) accounts.

One would think a simple google search would yield lots of results on how to prevent login to Chrome browser, but for me at least I only found lots of irrelevant junk.  Perhaps I need to work on my googlefoo.

At one time Chrome ADM templates had a settings called "Allow sign-in to chrome" or something to that respect.  Fairly obvious and easy to find.  That has since been removed.

NOW there is a setting in the ADMX labeled "Restrict which users are allowed to sign in to Google Chrome".  This is the new setting that we want.  Found under the following after you add your ADMX template.
Computer Configuration/Administrative Templates/Google/Google Chrome  (also under User Config if that meets your needs better)

Enable the setting, put in a bogus expression (or your organizations matching expression if you utilize Google business apps) and deploy to computers or users depending on your needs.

Users can now attempt to login to Chrome and they are greeted with a lovely "you can't do that"

Funny enough I found that I could go to other Google services, for instance blogspot, and login.  But then once I tried to go away from blogspot to say, gmail, it choked.