Description

Deploy the ConcealBrowse extension to Google Chrome on Windows 10+ endpoints seamlessly with Group Policy Objects (GPO).

Applies to

• Active Directory and Group Policy Objects (GPO)
  • You need an administrator account capable of administering your active directory domain(s) and Group Policy.

• Any edition of Windows 10 and 11 but not Windows Home

• Google Chrome 101+

• ConcealBrowse Extension v0.7+

Pre-requisite: Google Chrome and ConcealBrowse administrative templates

Download ConcealBrowse ADMX files

1. Download the ConcealBrowse.admx and .adml files attached to this article
2. Note the download location of the files for the import step

Download Chrome ADMX files

1. Navigate to the official Google’s ADMX templates and Google’s Updater ADM template here.

2. In the Manage Policies section for Policy templates, click the button labeled Download under the Chrome ADM/ADMX templates
   

3. Locate policy_templates.zip and unzip/extract it
4. Note the location of the extracted files for the import step

Import or Update the ADMX files

Reference: https://learn.microsoft.com/en-US/troubleshoot/windows-client/group-policy/create-and-manage-central-store

1. Navigate to %LogonServer%\sysvol\<DomainName>\Policies\PolicyDefinitions where <DomainName> is your domain. Create the PolicyDefinitions folder if not present
   - Ex: %LogonServer%\sysvol\conceal.io\Policies\PolicyDefinitions

2. Copy google.admx, chrome.admx, and ConcealBrowse.admx:

       - From: ..\policy_templates\windows\admx and Downloads

       - To:  %LogonServer%\sysvol\<DomainName>\Policies\PolicyDefinitions

3. Copy google.adml, chrome.adml, and ConcealBrowse.adml:

      - From: ..\policy_templates\windows\admx\en-US and Downloads

      - To: %LogonServer%\sysvol\<DomainName>\Policies\PolicyDefinitions\en-US

You may either edit an existing group policy which configures Google Chrome or create a new policy. These instructions assume the creation of a new policy.

1. Open the Group Policy Management Console
2. Expand the navigation tree until you see your domain
3. Expand your domain
4. Right click Group Policy Objects and click New
5. Name the new policy, example “Computer - Google Chrome” and click OK
6. Right Click the new policy and choose Edit
7. Within the policy, navigate to Computer Configuration > Policies > Administrative Templates
8. Using the Chrome Settings Guide below:
   1. Navigate to Google > Google Chrome > Extensions and set the "Extension management settings" and Recommended settings as desired
   2. Navigate to Conceal > ConcealBrowse Extension and set the Google Chrome, ConcealBrowse Company ID and Google Chrome, ConcealBrowse Site ID
9. Apply the policy to a limited group of test devices, this is usually done with an Organizational Unit (OU) containing a few computers
   - Right click the target OU and choose Link an Existing GPO
   - Select the policy created above
10. Once testing is successful, apply the policy more generally across your organization.
    

Recommended Steps

Assuming your policy contains no User settings, it’s recommended to disable User settings to improve enterprise group policy performance:

1. Right click the google chrome policy, choose properties, then the General tab
2. Select Disable User Configuration Settings

Procedure for Enforced Installation (users cannot disable)

Use the Procedure for Normal Installation and within the "Extension management settings", edit the installation_mode from normal_installed to force_installed

Chrome Settings Guide

Required Setting

"Extension management settings"

• Path: Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions\Extension management settings
• Toggle: Enabled
• Value:

• {"jmdpihfpelphmllgmamebdbelmobjfpg": {"installation_mode": "normal_installed","toolbar_pin": "force_pinned","update_url": "https://clients2.google.com/service/update2/crx"}}

"Google Chrome, ConcealBrowse Company ID"

• Path: Computer Configuration\Policies\Administrative Templates\Conceal\ConcealBrowse Extension
• Toggle: Enabled
• Value: Your Company ID, Find your Company ID & Site ID: Register New Device > Step 4

• Example: abcdefgh-ijklm-nopq-rstuvwxyz123

"Google Chrome, ConcealBrowse Site ID"

• Path: Computer Configuration\Policies\Administrative Templates\Conceal\ConcealBrowse Extension
• Toggle: Enabled
• Value: Your Site ID, Find your Company ID & Site ID: Register New Device > Step 4

• Example: abcdefgh-ijklm-nopq-rstuvwxyz123

Recommended Settings

"Incognito mode availability"

• Conceal Recommends because extensions cannot be enforced for Incognito mode (STIG Medium)
• Path: Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Incognito mode availability
• Toggle: Enabled
• Value: Incognito mode disabled

"Enable guest mode in browser"

• Conceal Recommends because extensions cannot be enforced for Guest mode (STIG Medium)
• Path: Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Enable guest mode in browser
• Toggle: Disabled

References

• Manage Chrome browser with Microsoft’s Intune Import Administrative templates - Chrome Enterprise and Education Help
• Google Chrome Current Windows Security Technical Implementation Guide