Chrome Browser Enterprise Security Controls using Intune


Just like Microsoft provides a security benchmark for Edge, Google does the same for Chrome. Well, sort of.

While Microsoft provides .admx templates along with readily importable GPO XML files, Google provides only ADMX templates. Unless you manage Chrome browser settings using Google's own browser cloud management service, you are pretty much left with the task of configuring these settings manually.

I recently configured the settings as part of a security hardening process for browsers in general and thought of sharing the details here to make it convenient for others. Let's see how you can configure these settings using Intune.

ADMX template in Intune

Ever since Microsoft added Google's ADMX templates to the Intune settings catalog in March 2022, things have never been simpler. If you are unfamiliar with this addition, you can head over to one of my previous blog posts to learn more about it.

Chrome Browser Enterprise Security Controls

Google has shared an enterprise security configuration guide that breaks down the settings under the following 3 broad categories:

1. Threat Prevention
2. Privacy
3. Management and Performance

In this blog, I will focus on the first 2 categories as part of the security configuration for the Chrome browser, i.e. Threat Prevention and Privacy. For convenience, I have extracted the settings in the table below.


Note: To get a complete list of settings, refer to the enterprise security configuration guide.

Intune Settings Catalog

Now we create a device configuration policy using the settings catalog.

2. Under Devices -> Windows -> Configuration profiles -> Create profile.
3. Under Platform, select Windows 10 & later.
4. Under Profile types, select Templates -> Settings Catalog.
5. Give a name.
6. Use the policy table provided above in this blog and enable the settings as per your organization's requirements.
Here is a list of settings that I have configured.








7. Assign to a device- or user-based group.

End Result

Navigate to chrome://policy in the browser to bring up the list of applied policy settings.


You can click on individual settings to bring up the description and other details.


Settings can also be verified in the registry under the HKLM\Software\Policies\Google\Chrome key.
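
One way to script the registry check described above, as an added example that is not part of the original post. The policy names are real Chrome policies, but the expected values are constructed samples (not the author's or Google's recommended settings), and the function name `Compare-ChromePolicy` is hypothetical:

```powershell
# Added example: compare Chrome policy values in the registry with an expected baseline.
# The baseline is a constructed sample; replace it with the settings you enabled in Intune.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

$Expected = [ordered]@{
    SafeBrowsingProtectionLevel = 1   # sample value
    SitePerProcess              = 1   # sample value
    SSLErrorOverrideAllowed     = 0   # sample value
    DownloadRestrictions        = 1   # sample value
}

function Compare-ChromePolicy {
    param(
        [string]$Path,
        [System.Collections.IDictionary]$Baseline
    )
    # A missing key (or a key with no values) means no machine-level
    # Chrome policy has reached this device yet.
    $actual = $null
    if (Test-Path -LiteralPath $Path) {
        $actual = Get-ItemProperty -LiteralPath $Path
    }

    foreach ($name in $Baseline.Keys) {
        $prop = $null
        if ($actual) { $prop = $actual.PSObject.Properties[$name] }

        $status = if (-not $prop) {
            'Missing'
        } elseif ($prop.Value -eq $Baseline[$name]) {
            'Match'
        } else {
            'Mismatch'
        }

        [pscustomobject]@{
            Policy   = $name
            Expected = $Baseline[$name]
            Actual   = if ($prop) { $prop.Value } else { $null }
            Status   = $status
        }
    }
}

# Only single-value policies are checked; list-type policies are stored as subkeys.
$report = Compare-ChromePolicy -Path $PolicyKey -Baseline $Expected
$report | Format-Table -AutoSize
```

Rows reported as Missing or Mismatch point to a policy that has not synced or that differs from what the profile was meant to deliver.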


To check the compliance status against each of the settings in Intune, click on the 'Per setting status' report.


Conclusion

While Chrome is designed to be a secure browser, organizations can still configure it further for added threat prevention. By standardizing Google Chrome's default behavior so that users can't override it, organizations can manage settings to reduce security threats and also ensure security for users' personally identifiable information (PII).

It would have been nice if Google released importable baselines just like Microsoft does, but for now one will need to do it the manual way.

Security all the way..
