Android - Google Chrome Managed App Config

SOLVED
MCS_IT_Admin
Conversationalist


Hello everyone. I am not sure if this is the best place for this, but I wanted to share my experience setting up the managed app config for Google Chrome on Android. This took me several days as I tested a bunch of settings and had limited success getting the settings to sync to my Android devices. I wrote an internal KB for any future admins here at this organization but wanted to share it with other Systems Manager users, as I could not find a lot of good information/help documents on the internet for this process.

 

Android - Google Chrome Managed App Configuration

Some applications on the Google Play Store allow you to set custom configuration payloads either via the G Suite Admin portal or via your MDM solution. Our current configuration for mobile device management is set to allow the Cisco Meraki Systems Manager to control devices, not G Suite. As such, here are some MSM-specific configuration/settings which allow you to manage some aspects of the Google Chrome App on Android devices.

 

This specific example will focus heavily on whitelisting/blacklisting URLs in Google Chrome. This may be a bit of an edge use case as many times, this type of restriction is handled by a firewall. However, for our purposes, at this time, it is more convenient to enforce these restrictions via MDM instead of putting limitations on the network.

  1. Settings:
    1. Navigate to: https://meraki.cisco.com/ and log in
    2. Select “Network - Systems Manager”
    3. Select “Systems Manager - Settings”
    4. Select the appropriate policy
      1. Note: This is the Profile List for devices managed by MSM. If this is blank, you will need to create a profile and decide what devices the profile should be applied to. I suggest a test profile that is not applied to any devices or only to test devices. Then, once you are satisfied with your profile configuration, you can copy the test profile to a new “live” profile and push that out to live/production devices.
    5. Select “Add Setting”
      1. Filter by “Android” and select “Managed App Config”
    6. Select:
      1. Platform: Android
      2. App: Google Chrome
      3. Settings:
        1. Note: In my experience, just because the setting is available here in MSM, it does not mean that it will successfully apply to your devices. I suggest making one change at a time, test syncing your profile to your test devices and make sure that the changes apply. The following settings are the ones that I ended up using as I was able to get them to sync to the devices we are using successfully.
      4. URLBlacklist:
        1. Type: Text
        2. Value:
          1. Format your entry as per this example:
            1. ["URL*", "URL*", "URL"]
            2. ["*"]
          2. We wanted to block all URLs. Technically this can be completed by simply using the “*” symbol, however, I also included “HTTP” and “HTTPS” in case Google changes anything in the future.
            1. Our Entry: ["https://*", "http://*", "*"]
      5. URLWhitelist:
        1. Type: Text
        2. Value (Same format as the URLBlacklist): ["chrome://policy", "https://sites.google.com", "*docs.google.com", "*drive.google.com", "accounts.google.com", "admin.google.com", "*.googleapis.com", "*.drive.google.com", "drive.google.com", "googledrive.com", "docs.google.com", "*.docs.google.com", "*.c.docs.google.com", "script.google.com", "s.ytimg.com", "apis.google.com", "*.clients[N].google.com", "*.googleusercontent.com", "*.gstatic.com", "https://www.gstatic.com", "lh[N].google.com", "[N].client-channel.google.com", "clients[N].google.com", "www.google.com/accounts*", "sheets.google.com", "slides.google.com", "*sheets.google.com", "*slides.google.com", "https://calendar.google.com", "https://calendar.google.com*", "www.google.com/calendar", "www.google.com/calendar*", "https://clients6.google.com"]
      6. SearchSuggestEnabled:
        1. Value: F
      7. PasswordManagerEnabled:
        1. Value: F
      8. DefaultSearchProviderEnabled:
        1. Value: F
  2. Test
    1. Navigate to: “Settings - Devices”
    2. Select your test device
    3. Scroll to “Profiles” and ensure that the applied profile is up-to-date. Reinstall it if it is not.
    4. Scroll to Activity Log and ensure the device applies the policy successfully. If it does not, most likely, there is a setting in the policy you have pushed that is not compatible/not working. Remove the previous payload setting you attempted to apply and try again.

Notes and observations:

One payload I wanted to be pushed to my devices was to block incognito mode, mostly to reduce confusion for users, as that version of Google Chrome looks different than when launched normally and I have analytics built into company websites that I want to be tracked when users access them. However, this payload would not sync from MSM to the devices; it would always error out on profile sync. So, I ended up having to utilize the Chrome Management options in G Suite to change this setting. I have this setting blocked across my organization so I didn’t mind using G Suite. Instead of using MSM at all, I could have used a sub-OU in G Suite to achieve a similar end result as I got with using MSM for all the other payloads. However, these devices share a single, licensed user in order to access certain company data. I did not want to have licensed users for each device as the scope of what they need to access is incredibly limited (but not quite single purpose). Making OU changes to the shared account could have caused issues elsewhere, so I decided to push the URL payloads via MSM. This is a very edge case scenario but useful for us.

 

I used the following URLs as a reference for setting up these policies:

Chromium’s Policy List explains all policies available and what platforms they are available on. It also gives you access to resources for setting up Windows, Mac, and Linux policies in addition to the Android settings pertinent to this document. Since this is an exhaustive list, not all settings apply to each platform and you will need to search the document for settings related to the platform you wish to restrict.

 

https://www.chromium.org/administrators/policy-list-3

 

Additionally, for the URL Blacklist payload, Chromium has posted a format template document. I had trouble understanding the examples listed here but it is a very helpful resource.

 

https://www.chromium.org/administrators/url-blacklist-filter-format

 

I never had to use this article but it was referenced to me by Cisco Meraki Support and is supposed to help you pull the logs from an Android device to troubleshoot sync issues.

https://documentation.meraki.com/SM/Other_Topics/Finding_Logs_for_Android_Troubleshooting
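A pre-flight check for the URLBlacklist/URLWhitelist text values described in the post, written as an added example (not the poster's or Meraki's code). It assumes the value must be a JSON array of strings, as in the post's format, and treats bracketed tokens such as `[N]` as placeholders copied from vendor documentation that should be reviewed before the profile is pushed; the sample values are constructed.

```python
import json
import re

# Constructed sample values in the post's format (not the author's full lists).
BLACKLIST = '["https://*", "http://*", "*"]'
WHITELIST = ('["chrome://policy", "docs.google.com", "*.clients[N].google.com", '
             '"docs.google.com", "https://calendar.google.com"]')
PASTED_FROM_DOC = '[“https://*”, “*”]'  # curly quotes, as word processors insert

# Assumption: a single letter in brackets (e.g. "[N]") is a documentation placeholder.
PLACEHOLDER = re.compile(r"\[[A-Za-z]\]")


def lint_policy_value(name, raw):
    """Return a list of findings for one URLBlacklist/URLWhitelist text value."""
    findings = []
    if any(q in raw for q in "“”‘’"):
        findings.append(f"{name}: curly quotes present; JSON needs straight quotes")
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        findings.append(f"{name}: not valid JSON ({exc.msg} at char {exc.pos})")
        return findings
    if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
        findings.append(f"{name}: value must be a JSON array of strings")
        return findings
    seen = set()
    for entry in entries:
        if entry != entry.strip() or not entry:
            findings.append(f"{name}: empty or space-padded entry {entry!r}")
        if PLACEHOLDER.search(entry):
            findings.append(f"{name}: unresolved placeholder in {entry!r}")
        if entry in seen:
            findings.append(f"{name}: duplicate entry {entry!r}")
        seen.add(entry)
    return findings


def lint_profile(values):
    """Lint every policy value in a {policy_name: text_value} mapping."""
    return [f for name, raw in values.items() for f in lint_policy_value(name, raw)]


if __name__ == "__main__":
    for finding in lint_profile({"URLBlacklist": BLACKLIST,
                                 "URLWhitelist": WHITELIST,
                                 "URLBlacklist (pasted)": PASTED_FROM_DOC}):
        print(finding)
```
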

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Well done.

 

I have been involved in doing this once - and it was not a nice memory.

T_Spriggs
Conversationalist

This is awesome, but has anyone figured out how to do it on iOS? I am simply trying to configure the home/start pages for opening Google Chrome but can't seem to find any documentation or assistance in what the settings should be. Any help would be greatly appreciated.

I was able to get it to run as a fixed app, but not the managedbookmarks option as previously listed in another community entry.

 

I also couldn't get the specific bookmarks to list anywhere on Chrome, despite that it should allow for that!

 
