Recommended Google Admin policies for schools using the Connect for Chrome extension

This article is intended for IT support. 

You can implement Google Admin Console policies that prevent students from interfering with the operation of the Connect for Chrome extension.

Info

Leave the Top Organizational Unit selected to apply the setting to all users and enrolled browsers. Otherwise, select a Child Organizational Unit. For example, you can select the students OU to ensure that these policies only apply to students rather than teachers.

 

Allowing only specific Chrome extensions

By default, students can install any extensions onto their browsers. This means they can download VPN extensions allowing access to blocked content. We recommend that you permit specific apps and extensions while blocking all others.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > Additional settings.
  2. Search for Allow/block mode.
  3. Select Edit.
  4. Under Play Store and Chrome Web Store, select Block all apps, admin manages allowlist.
  5. Select Save.

 

Disallowing incognito mode

By default, students can use incognito mode. The browser may not load all the extensions, including Connect for Chrome. We recommend that you disable incognito mode.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > Incognito mode.
  2. Search for Incognito mode.
  3. Select Disallow incognito mode.
  4. Select Save.

 

Preventing Chrome task manager from ending processes

Students can use the Chrome Task Manager to end processes, including the Connect for Chrome extension. We recommend that you block the ability to end processes.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > Task manager.
  2. Search for Task manager.
  3. Set the policy to Block users from ending processes with the Chrome task manager.
  4. Select Save.

 

Preventing developer tools from ending processes

Students can use the Developer Tools to inspect and end processes, including the Connect for Chrome extension. It’s important to note that this tool may be valuable to your school's Coding or Computer Science classes. We recommend that you disable the use of Developer Tools for force-installed extensions, and you may want to consider never allowing the use of Developer Tools.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > Developer tools.
  2. Search for Developer tools.
  3. Set the policy to Allow use of built-in developer tools except for forced-installed extensions and component extensions.
  4. Select Save.

 

Forcing users to log in to the Chrome Browser by default

By default, students don’t have to log in to use the Chrome browser, which may bypass the monitoring of their internet use. We recommend that you force users to log in.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > Browser sign-in settings.
  2. Search for Sign-in settings.
  3. For Browser sign-on settings, select Force users to sign in to use the Browse.
  4. Select Save.

 

Disabling multiple sign-in access

By default, students can log in to the Chrome Browser using multiple accounts without signing out and signing back in. This can prevent the Connect from Chrome extension from syncing correctly. We recommend that you block the ability to sign in to multiple accounts.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > User experience.
  2. Search for Multiple sign-in access.
  3. Select Block multiple sign-in access for users in this organization.
  4. Select Save.

 

Restricting users from logging in to non-school-related Google accounts on school-owned devices

Allowing student access to their personal email addresses can lead to possible misuse or may allow them to bypass the monitoring of their internet use. We recommend that you restrict users from logging in to non-school-related Google accounts on school-owned devices.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > Browser sign-settings.
  2. Search for Sign-in settings.
  3. Select Restrict sign-in to pattern.
  4. In the text field, enter the domains you want to allow sign-ins from. For example, *@your.school.com will restrict logins to only your.school.com and prevent users from signing into accounts outside of this configuration.
  5. Select Save.

 

Disabling Browser Guest Mode

Students can log in via Guest Mode, which may bypass the monitoring of their internet use. We recommend that you disable the ability to use Guest Mode.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > Browser guest mode.
  2. Search for Browser guest mode.
  3. Set the policy to Prevent guest browser logins.
  4. Select Save.

 

Preventing the use of bookmarklets and URLs

Bookmarklets are bookmarks stored in a web browser that contains JavaScript commands that add new features to an existing browser. Students can configure the Bookmarklets to hinder the proper functioning of the Connect for Chrome extension. Students can also use URLs such as chrome://kill, chrome://hang and chrome://serviceworker-internals/ to quit or hang the Connect for Chrome extension. We recommend that you block students from using the bookmarklets and URLs.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > URL blocking.
  2. Search for URL blocking.
  3. Block the following:
    • javascript://*
    • chrome://kill
    • chrome://hang
    • chrome://serviceworker-internals/
  4. Select Save.

 

Using Ephemeral Mode for Shared Devices

Ephemeral mode ensures that user data is not stored locally when the user logs out. This prevents Chrome caching overload, which can negatively impact extension installation for new users logging in. We recommend you erase all local user data if your school has shared devices.

  1. Go to admin.google.com > Devices > Chrome > Settings > Users & browsers > Force ephemeral mode.
  2. Search for Ephemeral mode.
  3. Set the policy to Erase all local user data.
  4. Select Save.

 

Removing Connect for Chrome from Suspended Google Users

Users and groups synced from Google have only two states visible to the School Manager: Active or Archived. When a user is marked Suspended in Google Admin, School Manager will show them as Active and you may receive data from their Chrome profile since the extension is still active. To prevent this, you will need to mark users as archived.

Info

You need a Google Workspace subscription with an Archived User (AU) license to archive users.

If your school does not have the AU license, we recommend creating a suspended user group (Option 1) or deleting the user (Option 2).

Option 1 - Create a Suspended Users Group and Block Extension

  1. Go to admin.google.com, create a new group named Suspended Users and add all suspended users to this group.
  2. Go to Devices > Chrome > Apps & extensions > Users & browsers
    1. Select Groups.
    2. Select the Suspended Users group to which you want to apply the setting.
  3. Find the Connect for Chrome extension you want to configure policies for.
  4. Under Installation policy, choose Block.
  5. Select Save.

Option 2 - Delete the user from Google Workspace

Removing the user from Google Workspace will prevent them from being synced back into School Manager.

 

Was this article helpful?
1 out of 2 found this helpful
Share

Comments

0 comments

Please sign in to leave a comment.