Installing the Extensions

GoGuardian can filter and monitor any user accounts that have the extensions installed. For this reason, it's important to be deliberate about which OUs are selected during the installation process.

As Chrome policies are automatically inherited from parent OUs, installing the extensions at the domain level will push the extensions out to all users in your domain. You may want to consider installing the extension in OUs that only contain student accounts and omit teacher or staff OUs during the installation process to avoid any unintentional filtering or monitoring.

Additionally, when installing the extensions, ensure that OUs containing user accounts are selected, rather than OUs containing devices. Installing the extensions in OUs that only contain devices will have no effect. 

User & Browser Settings

In order to effectively monitor and filter your user accounts and devices, GoGuardian recommends configuring the following User Settings. 

Policy: Allowed Types of Apps and Extensions
Value: Extension - Must be Checked
Description: Disabling extensions will prevent your GoGuardian extensions from being pushed out to your users. Other types of apps and extensions are optional. 

Policy: Force Installed Apps and Extensions
Value: Add both GoGuardian extensions here

Policy: Allow or Block All Apps and Extensions
Value: Block all apps and extensions except the ones I allow
Description: Some third-party apps and extensions can be used to bypass GoGuardian. This will prevent your users from installing unapproved apps and extensions from the Chrome Web Store. Ensure that your GoGuardian extensions and any approved apps are added to the "Allowed Apps and Extensions" section. GoGuardian can only filter apps and extensions installed from the Chrome Web Store

Policy: Allowed Apps and Extensions
Value: Add both GoGuardian extensions and any other approved apps here

Policy: Block Extensions by Permission
Value: Either value is optional, however, please see Description below
Description: Both GoGuardian extensions require the following permissions, so please ensure the following are not blocked: 

• alarms
• detect idle
• notifications
• memory metadata
• identity
• storage
• web requests
• geolocation
• CPU metadata
• block web requests
• native messaging

This section can be skipped if not configured.

Policy: Incognito Mode
Value: Disallow Incognito Mode
Description: GoGuardian extensions will not run in Incognito Mode

Policy: Idle Settings
Value: Logout

Policy: Sign-in to secondary accounts
Value: Allow users to sign-in only to the G Suite domains set below; enter all school/district-managed domains
Description: Enable this setting to prevent users from signing into personal email accounts while signed into devices using domain-managed logins. 

Example: Student@yourschool.com cannot visit gmail.com and add a personal gmail account to the account chooser to view personal emails.

Policy: Safe Browsing
Value: Always Enable Safe Browsing

Policy: Google Safe Search for Google Web Search Queries
Value: Always Use Safe Search...

Policy: Screenshot
Value: Enable Screenshot

Policy: Developer Tools
Value: Never Allow the use of built-in developer tools

Device Settings

In order to effectively monitor and filter your user accounts and devices, GoGuardian recommends configuring the following Device Settings for the OUs your devices are currently within.

Policy: Forced Re-enrollment
Value: Force device to re-enroll into this domain after wiping

Policy: Allow Guest Mode
Value: Do not allow guest mode

Policy: Restrict Sign-in 
Value: Restrict Sign-in to a list of users
Description: Restrict Sign-in to your approved domains, this will prevent students from signing in with personal email accounts. Add *@yourdomain.com (with the asterisk) to the whitelist field below to approve any user from your domain. Multiple domains can be added by separating each entry by a comma. *@yourdomain.com, *@anotherone.com, *@additionaldomain.com

 Policy: Verified Mode
Value: Require verified mode boot for Verified Access

Description: Require verified boot to prevent users from booting in developer mode.