Enterprise browser check-up: 6 Chrome Browser policies every IT admin should know
With more than 300 policies available to IT admins, we’re constantly expanding Chrome’s support for enterprises. Here’s a round-up of policies—some old, some new—designed to help IT admins make their organizations more secure and productive.
1. Enforce policies through forced sign-in.
Administrators can decide if they want to set many of their policies at a device level, or manage them by user. But if a user isn’t signed into their Google account, IT is unable to enforce some user-based policies in their organization.
Especially handy for organizations that use G Suite, the Forced Sign-In policy requires users to sign in to their Google account before they can use their browser. This helps you better enforce policies that you want to manage at the user level, for example enabling or disabling password manager or managing outdated plugins. This policy has been available since January 2018 for Windows and since April 2018 for Mac.
2. Make sure your users are running the latest version of Chrome Browser with relaunch notifications.
Chrome Browser automatically updates to ensure users are running the latest version of Chrome, which helps protect businesses against known security vulnerabilities. But if employees are in the middle of working, they might not always restart their browser for the latest updates.
Starting with Chrome 66 (released in April 2018), you can now set a policy that prompts your users to re-launch their browser to finalize updates. You can select from a variety of options for when and how to prompt users, such as indicating whether a restart is recommended or required, or setting forced restarts after a specific number of days. With this policy, IT can balance the need to ensure users are running on the latest, most secure version of Chrome Browser with giving them the flexibility to re-launch at a time that’s convenient for them.
3. Balance security with productivity through extension controls.
To help, Chrome Browser allows you to allowlist and blocklist extensions for added assurance. You also have the option to change specific access of an extension, like if you want to specifically prevent an extension from requesting to access a camera. This gives you the flexibility to open up the use of extensions as much or as little as makes sense for your organization.
4. Add additional layers of protection with Site Isolation.
With browser-based threats like universal cross-site scripting (UXSS) increasingly prevalent, it’s always a good idea to consider additional layers of protection. Site isolation ensures that pages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do. It also blocks the process from receiving certain types of sensitive data from other sites. As a result, a malicious website will find it more difficult to steal data from other sites.
Since the release of Chrome 63, Site Isolation has been available to IT admins. Starting with Chrome 66 (released in April 2018), Site Isolation is automatically turned on for some users. If you want to manage centrally, IT can override this via policy.
5. Time updates or handle them manually.
Because Chrome Browser offers continuous release cycles—with new versions available every six weeks—you can rest assured that you’re protected from vulnerabilities without having to wait on manual patches. That said, if your business is performing testing or internal security checks, you may need more control around rolling out these updates.
Chrome Browser allows you to time when these automatic updates happen, or handle them manually so you can pace based on your internal processes or testing schedules. This makes it easier for you to control when updates happen so you can keep your users secure without disrupting business activity.
6. Update your Symantec Security Certificates.
In an effort to help businesses stay secure, we announced a temporary Chrome Browser policy in 2016 to protect those companies that rely on Symantec security certificates pre-dating June 2016. This policy is going away in Chrome 73 (estimated release in January 2019).
If you have this temporary policy turned on, now's a good time to check in on the status of your certificate updates. This will ensure that your users aren't exposed to security warnings when the policy expires.
To configure any of these policies, you can either use Group Policy in your Windows environment with the templates available in the enterprise bundle, or Google Admins can use the management console through Windows, Mac, or Linux computers. Just visit Device management > Chrome > User Settings in the Admin Console, or check out these instructions.
Chrome Browser also now offers release notes so you can stay updated on critical enterprise policies with each release. And if you’re interested in learning more, we’ll have several breakout sessions this year at Google Cloud Next to help you get the most from Chrome Browser. Visit the Next ‘18 website for more information.