Hello everyone. I am not sure if this is the best place for this, but I wanted to share my experience setting up the managed app config for Google Chrome on Android. This took me several days as I tested a bunch of settings and had limited success getting the settings to sync to my Android devices. I wrote an internal KB for any future admins here at this organization, but wanted to share it with other Systems Manager users as I could not find a lot of good information/help documents on the internet for this process.
Android - Google Chrome Managed App Configuration
Some applications on the Google Play Store allow you to set custom configuration payloads either via the G Suite Admin portal or via your MDM solution. Our current configuration for mobile device management is set to allow the Cisco Meraki Systems Manager to control devices, not G Suite. As such, here are some MSM-specific configuration/settings which allow you to manage some aspects of the Google Chrome app on Android devices.
This specific example will focus heavily on whitelisting/blacklisting URLs in Google Chrome. This may be a bit of an edge use case as many times, this type of restriction is handled by a firewall. However, for our purposes, at this time, it is more convenient to enforce these restrictions via MDM instead of putting limitations on the network.
Notes and observations:
One payload I wanted to be pushed to my devices was to block incognito mode, mostly to reduce confusion for users, as that version of Google Chrome looks different than when launched normally, and I have analytics built into company websites that I want to be tracked when users access them. However, this payload would not sync from MSM to the devices; it would always error out on profile sync. So, I ended up having to utilize the Chrome Management options in G Suite to change this setting. I have this setting blocked across my organization so I didn’t mind using G Suite. Instead of using MSM at all, I could have used a sub-OU in G Suite to achieve a similar end result as I got with using MSM for all the other payloads. However, these devices share a single, licensed user in order to access certain company data. I did not want to have licensed users for each device as the scope of what they need to access is incredibly limited (but not quite single purpose). Making OU changes to the shared account could have caused issues elsewhere, so I decided to push the URL payloads via MSM. This is a very edge case scenario but useful for us.
I used the following URLs as a reference for setting up these policies:
Chromium’s Policy List explains all policies available and what platforms they are available on. It also gives you access to resources for setting up Windows, Mac, and Linux policies in addition to the Android settings pertinent to this document. Since this is an exhaustive list, not all settings apply to each platform and you will need to search the document for settings related to the platform you wish to restrict.
https://www.chromium.org/administrators/policy-list-3
Additionally, for the URL Blacklist payload, Chromium has posted a format template document. I had trouble understanding the examples listed here but it is a very helpful resource.
https://www.chromium.org/administrators/url-blacklist-filter-format
I never had to use this article but it was referenced to me by Cisco Meraki Support and is supposed to help you pull the logs from an Android device to troubleshoot sync issues.
https://documentation.meraki.com/SM/Other_Topics/Finding_Logs_for_Android_Troubleshooting
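For readers who also find the filter-format examples hard to follow, here is an added example (not part of the original post or of Chromium's or Meraki's code) that models a default-deny URLBlacklist with URLWhitelist exceptions. The hosts are constructed placeholders, and the evaluation is a simplification: any whitelist match overrides the blacklist, and the query part of the format and IPv6 hosts are not handled.

```python
from urllib.parse import urlsplit

# Constructed sample payload using Chrome's URLBlacklist / URLWhitelist policy
# names. The hosts are placeholders, not values from the original post.
POLICY = {
    "URLBlacklist": ["*"],                       # block everything by default
    "URLWhitelist": ["intranet.example.com",     # this host and its subdomains
                     ".example.org",             # leading dot: exact host only
                     "https://example.net/app"], # scheme plus path prefix
}
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_filter(f):
    """Split '[scheme://][.]host[:port][/path]' into its parts."""
    scheme, rest = f.split("://", 1) if "://" in f else (None, f)
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return {"scheme": scheme, "host": host.lstrip(".").lower(),
            "exact": host.startswith("."),
            "port": int(port) if port else None, "path": slash + path}

def matches(f, url):
    """True if one filter entry covers the URL (simplified model)."""
    p, u = parse_filter(f), urlsplit(url)
    host = (u.hostname or "").lower()
    if p["scheme"] and p["scheme"] != u.scheme:
        return False
    if p["port"] is not None and p["port"] != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    if p["host"] != "*":
        # Subdomains match only on a label boundary, so a lookalike host such
        # as notintranet.example.com does not match intranet.example.com.
        is_sub = host.endswith("." + p["host"])
        if host != p["host"] and (p["exact"] or not is_sub):
            return False
    return (u.path or "/").startswith(p["path"])  # path is a prefix match

def is_allowed(url, policy=POLICY):
    """Assumption: a whitelist match always wins over the blacklist."""
    if any(matches(f, url) for f in policy.get("URLWhitelist", [])):
        return True
    return not any(matches(f, url) for f in policy.get("URLBlacklist", []))

if __name__ == "__main__":
    for test_url in ("https://wiki.intranet.example.com/page",
                     "https://www.example.org/",
                     "http://example.net/app"):
        print(test_url, "->", "allowed" if is_allowed(test_url) else "blocked")
```

Running candidate URLs through a model like this before pushing the profile helps confirm that the exceptions cover what users need while lookalike hosts stay blocked.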
Well done.
I have been involved in doing this once - and it was not a nice memory.
This is awesome, but has anyone figured out how to do it on iOS? I am simply trying to configure the home/start pages for opening Google Chrome but can't seem to find any documentation or assistance in what the settings should be. Any help would be greatly appreciated.
I was able to get it to run as a fixed app, but not the managedbookmarks option as previously listed in another community entry.
I also couldn't get the specific bookmarks to list anywhere on Chrome, despite that it should allow for that!