Installing the Extensions
GoGuardian can filter and monitor any user accounts that have the extensions installed. For this reason, it's important to be deliberate about which OUs are selected during the installation process.
As Chrome policies are automatically inherited from parent OUs, installing the extensions at the domain level will push the extensions out to all users in your domain. You may want to consider installing the extension in OUs that only contain student accounts and omit teacher or staff OUs during the installation process to avoid any unintentional filtering or monitoring.
Additionally, when installing the extensions, ensure that OUs containing user accounts are selected, rather than OUs containing devices. Installing the extensions in OUs that only contain devices will have no effect.
Apps & Extensions
After installing your two custom GoGuardian extensions, GoGuardian recommends the following settings to be configured:
Policy: Allow users to install other apps & extensions
Value: Block all other apps & extensions
Description: Some third-party apps and extensions can be used to bypass GoGuardian. This will prevent your users from installing unapproved apps and extensions from the Chrome Web Store. Ensure that your GoGuardian extensions and any approved apps are added to the "Allowed Apps and Extensions" section. GoGuardian can only filter apps and extensions installed from the Chrome Web Store
Policy: Allowed Types of Apps and Extensions (Click the Gear icon on the right)
Value: Extension - Must be Checked
Description: Disabling extensions will prevent your GoGuardian extensions from being pushed out to your users. Other types of apps and extensions are optional.
Policy: Permissions and URLs
Value: Block extensions by permission
Description: Both GoGuardian extensions require the following permissions, so please ensure the following are not blocked/checked:
- detect idle
- memory metadata
- web requests
- CPU metadata
- block web requests
- native messaging
This section can be skipped if not configured.
User & Browser Settings
In order to effectively monitor and filter your user accounts and devices, GoGuardian recommends configuring the following User Settings
Policy: Task Manager
Value: Block users from ending processes with the Chrome task manager
Policy: Incognito Mode
Value: Disallow Incognito Mode
Description: GoGuardian extensions will not run in Incognito Mode
Policy: SafeSearch and Restricted Mode
Value: Always Use Safe Search for Google Search Queries
Value: Allow users to take screenshots
Policy: Developer Tools
Value: Never allow the use of built-in developer tools
Policy: Safe Browsing
Value: Always Enable Safe Browsing
Policy: Sign-in to secondary accounts
Value: Block users from signing into or out of secondary Google Accounts
Description: Enable this setting to prevent users from signing into personal email accounts while signed into devices using domain-managed logins.
Example: Student@yourschool.com cannot visit gmail.com and add a personal gmail account to the account chooser to view personal emails.
Policy: Multiple Sign-In Access
Value: Block multiple sign-in access for users in this organization
Description: Enable this setting to prevent users from switching between multiple accounts on a Chrome device without having to sign out of their account and sign back into another. This will ensure that all Chrome policies always apply to your students.
Example: Student@yourschool.com cannot visit the Chrome settings on their device and sign into another account, even if it managed by your domain. This is particularly useful for preventing students from signing into other students' accounts that may have different filtering policies applying to them, after initially signing into a Chrome device with their own emails.
Policy: Browser Guest Mode
Value: Prevent guest browser logins (optional)
Description: Controls whether to allow users to sign in to Chrome Browser as a guest. If you select Allow guest browser logins (default), users can start guest browser sessions and all windows are in incognito mode. When users exit Guest mode, their browsing activity is deleted from the device.
When you have this setting enabled you can also Allow guest browser logins and profile logins (default). Users can sign in as a guest and use new and existing profiles. To prevent guest sessions and enforce profile logins, we recommend setting this setting to Prevent guest browser logins. That will prevent the Chrome Browser from allowing guest profiles to be started.
Note: If you have already disabled Guest mode in your Device Settings, that will prevent users from having the option to change this setting on their school-managed device.
Policy: Idle Settings
Policy: User management of installed CA certificates
Value: Disallow users from managing certificates.
In order to effectively monitor and filter your user accounts and devices, GoGuardian recommends configuring the following Device Settings for the OUs your devices are currently within.
Policy: Forced Re-enrollment
Value: Force device to re-enroll into this domain after wiping
Policy: Verified Mode
Value: Require verified mode boot for Verified Access
Description: Require verified boot to prevent users from booting in developer mode.
Policy: Allow Guest Mode
Value: Do not allow guest mode
Policy: Restrict Sign-in
Value: Restrict Sign-in to a list of users
Description: Restrict Sign-in to your approved domains, this will prevent students from signing in with personal email accounts. Add *@yourdomain.com (with the asterisk) to the necessary field (as seen below) to approve any user from your domain. Multiple domains can be added by separating each entry by a comma. *@yourdomain.com, *@anotherone.com, *@additionaldomain.com