Configure CloudAPAuthEnabled to support Conditional Access in Google Chrome natively

-

Starting with version 111 of Google Chrome, organizations can leverage conditional access policies natively using CloudAPAuthEnabled. Before this release, Conditional access policies were only supported on Google Chrome by using additional extensions like Windows Accounts and Office Online. If you want to know more about the use of these extensions, then you can read all about it over here.

Let's see the new policy involving CloudAPAuthEnabled in a little detail and how can organization configure it using enterprise device management solutions.

CloudAPAuthEnabled is a setting that can be configured using the policy Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider

By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft cloud identity provider or who have added a work or school account to Microsoft Windows, can be signed into web properties using that identity automatically. Information pertaining to the user's device and account is transmitted to the user's cloud identity provider for each authentication event. 

By setting this policy to 0 (Disabled) or leaving it unset, automatic sign-in as described above is disabled. Once the policy is enforced, the following registry will get created.

Software\Policies\Google\Chrome\CloudAPAuthEnabled

Now let's look at configuring the policy. Google has added the new policy in the v111 and later in .admx templates. Organizations have the option to use these templates and apply the policy or use custom scripts like a PS script to configure the relevant registry values. If your organization has already adopted modern workplace methodology and managing devices using Intune, then you can configure the policy easily. As of writing this blog, the new Google chrome .admx policies have not made it to the built-in Intune settings catalog for Google Chrome, therefore, we are going to import the relevant .admx templates and configure the necessary policy. If you want to know more about using built-in Google Chrome settings catalog, then you can read it about it here.

1. Head over to Download Chrome Browser for enterprise and make sure to download the bundle.


2. Extract the contents of  the downloaded zip file.


5. Import the .admx and .adml files for chrome, google at a minimum, located under Configuration\admx and Configuration\admx\en-US respectively. 

Note: For languages other than english, use other language .adml file.



Note: If you get the error NamespaceMissing:Microsoft.Policies.Windows, then chances are you are missing the Windows namespace.

To fix this you will need to import the Windows.admx file. Head over to Windows 10 or Windows 11 download links and import it in Intune using the same process as described above. You will need to install the downloaded .msi first which will extract the files under the default Program Files (x86) location -





6. After a successful import, it is time to create a new profile. Navigate to Devices > Configuration > Create Profile.
7. Select Platform as Windows 10 and later.
8. Select Profile type as Templates and then Imported Administrative templates (Preview).


9. Give a name and select the following value as shown below.


10. Assign to a device or user based group.

Time to put this to test

I am testing a CA policy requiring device compliance state. First let's see what the behavior is like when you try to access corporate resources without the extension and CloudAPAuthEnabled. As expected, the device state is not captured and the CA policy has blocked the access.



Now let's see what happens when the Intune policy is applied. According to event id 866, the .admx for chrome has been ingested successfully.


The device configuration policy has also applied successfully.


You can be verify for the ingestion of the .admx template in registry as well.



The CloudAPAuthEnabled registry can be seen as created.



With all the policies in place, accessing the corporate data from Google Chrome isn't blocked anymore and this time the device state was captured through CloudAPAuthEnabled.



Last but not the least, the compliance reported correctly in Intune against the setting.



Conclusion

It is simply wonderful that now CA policies on Google Chrome work natively. It certainly makes things easier when you don't have to deal with extensions especially if your organization has strict policy around the use of extensions. However, I did face an issue during my testing where google .admx couldn't be uploaded because an older version was already imported. As of writing this blog, you cannot import an .admx with the same name or containing the same namespace. You will need to delete the existing imported .admx and all its referenced policies and assignments. Alternatively, you can configure the registry using a PS script. Also, according to reddit, there have been some issues reported around getting CloudAPAuthEnabled to work with SSO against some enterprise Apps. I haven't tested this myself, but something to be mindful of.

Until next time..

Comments

  1. AnonymousAugust 10, 2023 at 1:21 PM

    Hey Rahul,
    Very great documented guide. I'm having issues that, the setting never tries to apply.
    My CSP have no compliance data, and it's assigned to a test AAD group. Do you know if this fix doesn't work anymore? Been waiting a couple of days now without luck.

    ReplyDelete
  2. Rahul JindalAugust 14, 2023 at 9:03 AM

    I have not tested the policy setting recently, but haven't seen any update to suggest that it doesn't. If there is no compliance reporting to Intune, then the issue could be something else. Have you checked if the policy from Intune is atleast enforced on the machine or not?

    ReplyDelete
    Replies
    1. AnonymousDecember 4, 2023 at 6:59 PM

      does this work on macOS Devices?

      Delete
  3. AnonymousDecember 3, 2023 at 10:40 PM

    great article, thank you. We deploy extension already for Chrome "windows10" extension, have you seen any issues having both deployed during a transition phase?

    ReplyDelete
  4. AnonymousDecember 4, 2023 at 6:59 PM

    how can one apply this for macOS devices?

    ReplyDelete
    Replies
    1. Rahul JindalDecember 18, 2023 at 3:37 PM

      I haven't looked into this requirement as yet. However, as far as I know, this will not work in macOS.

      Delete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more