Welcome to the second part of this two-part blog series for administrators who are new to the Chromebook enterprise system. In the previous blog, we discussed settings that are applicable to users and applications. In this blog, we will further explore the Chrome enterprise admin panel as we look into settings that pertain to privacy and physical devices.
Device settings apply to the physical Chromebook device. They are enforced no matter which user is logged in. All entries discussed in this section can be found by navigating to the Device Settings area in the G Suite Admin console via the following steps:
- Visit https://admin.google.com and log into the Chrome Admin panel.
- Select Devices from the home page.
- Expand the Chrome entry within the left navigation.
- Expand the Settings entry under the Chrome entry.
- Select Device under the settings entry.
Enrollment and access – Forced re-enrollment
This setting will vary by your organizational needs. You may wish to ensure that devices automatically enroll or enroll with credentials upon wiping, which can help track lost or stolen devices. However, in a Bring Your Own Device (BYOD) scenario, you may need to allow devices to be wiped and re-used with personal accounts.
Sign-In settings – Guest mode
By default, Guest mode is allowed, which gives access to the device while circumventing any user policies or Chrome management extensions you may have force-installed. Set this value to Disable guest mode.
These settings are related to privacy and can be found mixed within the previously discussed sections. While not strictly related to security, altering these settings can reduce disclosure of sensitive information whether it be corporate or user data.
User & Browser Settings – Security: Browser History
Here you can choose to Never save browser history or Always save browser history, depending on what your organization requires.
User & Browser Settings – Security: Clear browser history
Like above, some organizations may strictly want to either Allow or not Allow the clearing of browser history, depending on policy.
User & Browser Settings – Security: Force ephemeral mode
You may choose Erase all local data in order to remove all private data each time the browser is closed.
User & Browser Settings – Security: Geolocation
Choose Always ask the user if a site wants to detect their location in order to maintain privacy from individual websites where desired.
User & Browser Settings – Network: Data compression proxy
This setting uses Google as a proxy, meaning Google has access to either content or metadata. While this compression may be desirable for some mobile network scenarios, it is likely unwanted in most organizations. Choose Always disable data compression proxy.
User & Browser Settings – Printing: Google Cloud Print Submission
Google Cloud Print is a useful feature, and while Google claims your documents are strictly confidential, it does require that your document is sent to Google’s servers. Choose Disallow submission of documents to Google Cloud Print if your organization is unwilling to have confidential documents in Google’s hands. If cloud printing is disallowed, you may wish to see other options for enabling native ChromeOS printing.
User & Browser Settings – Content: Third-party cookie blocking
Third-party cookies are used for user tracking, and even Google is phasing them out. For now, select Disallow third-party cookies.
User & Browser Settings – Content: Enable URL-keyed anonymized data collection
This setting sends URLs visited by a user to Google. Disable this by changing the setting to Data collection is never active.
User & Browser Settings – User Experience: WebRTC event log collection
This setting allows Google services to collect WebRTC logs from customers who opt in. This is telemetry data, which you can opt out of by changing this setting to Do not allow WebRTC event log collection.
User & Browser Settings – User Experience: Spell check service
In order to provide spell and grammar checking, text may be sent to a remote service, which may be out of policy for some organizations. Choose to Disable the spell checking web service if you do not want your text sent to a remote service. You will still have client-side spell checking.
User & Browser Settings – User Experience: Google Translate
This is another very useful feature, but it does require sending text to Google for translation, which may be out of policy for your organization. Choose Never offer translation if desired for your organization.
User & Browser Settings – User Experience: Form auto-fill
There have been various attacks on user data via the form auto-fill mechanism ranging from detecting a user’s name or address to stealing passwords. Choosing Never auto-fill forms will reduce this risk. You can also encourage the use of a password manager at the expense of sometimes retyping your address.
User & Browser Settings – User Experience: DNS pre-fetching
DNS pre-fetching can speed up web browsing, but it can also have other risks such as potentially leaking information about the user over a network. This is a low-priority concern, but you can select Never pre-fetch DNS to stop it.
User & Browser Settings – User Experience: Network prediction
Similar to DNS pre-fetching above, network prediction can make requests to pre-load information even if the user never clicks a link, leaking information to sites that perhaps would have never been visited. You can disable this by choosing Do not predict network actions.
Content – Screenshot
By default, users are allowed to take screenshots. While this setting won’t protect against every way in which attackers might capture screen data, it is one way to reduce the possibility that sensitive data is captured for unauthorized use.
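Once these choices are set in the console, it is worth confirming that a device actually received them. The following is an added example, not part of the original post or any Google tooling: it checks a set of effective policy values against the stricter choices recommended above. The mapping from console entries to Chrome policy names and the input shape (a flat JSON object of policy name to value, or to an object with a value key) are assumptions of this example.

```python
import json

# Values recommended in the settings above, keyed by the Chrome policy name
# assumed to back each admin-console entry (confirm against Google's policy list).
BASELINE = {
    "DeviceGuestModeEnabled": False,                   # Disable guest mode
    "DefaultGeolocationSetting": 3,                    # 3 = always ask the user
    "BlockThirdPartyCookies": True,                    # Disallow third-party cookies
    "UrlKeyedAnonymizedDataCollectionEnabled": False,  # Data collection never active
    "WebRtcEventLogCollectionAllowed": False,          # No WebRTC event log collection
    "SpellCheckServiceEnabled": False,                 # Disable spell checking web service
    "TranslateEnabled": False,                         # Never offer translation
    "NetworkPredictionOptions": 2,                     # 2 = do not predict network actions
}

def effective_value(entry):
    """Accept either a bare value or an object that carries a 'value' key."""
    if isinstance(entry, dict) and "value" in entry:
        return entry["value"]
    return entry

def audit(policies):
    """Return (policy, status, expected, actual) for every deviation, sorted by name."""
    findings = []
    for name, expected in BASELINE.items():
        if name not in policies:
            # Unset means the browser default or the user's own choice applies.
            findings.append((name, "unset", expected, None))
            continue
        actual = effective_value(policies[name])
        # Compare type as well as value so that 1 does not pass for True.
        if type(actual) is not type(expected) or actual != expected:
            findings.append((name, "mismatch", expected, actual))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample input, not taken from a real device.
SAMPLE = json.loads("""{
  "DeviceGuestModeEnabled": {"value": false},
  "DefaultGeolocationSetting": 1,
  "BlockThirdPartyCookies": {"value": true},
  "UrlKeyedAnonymizedDataCollectionEnabled": false,
  "SpellCheckServiceEnabled": false,
  "TranslateEnabled": {"value": true},
  "NetworkPredictionOptions": 2
}""")

if __name__ == "__main__":
    for name, status, expected, actual in audit(SAMPLE):
        print(f"{status:8} {name}: expected {expected!r}, got {actual!r}")
```

Trim BASELINE to the settings your organization actually adopts; several of the recommendations above are conditional on local policy.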
Using Chrome OS Policy Settings for Your Organization
Chromebooks and the Google Chrome Enterprise Upgrade make compelling solutions, particularly for those administrators who find themselves suddenly supporting an increased number of remote users. The cloud-native Chrome OS is positioned as a capable desktop operating system with a centralized management console and enough configuration options to satisfy even the most security-conscious organizations. This blog has illuminated some of the settings that are most in need of consideration, whether you have a new or existing Chromebook deployment.