Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Group Policy #1174

Closed
CarlGreenApps opened this issue Jun 18, 2020 · 38 comments
Closed

Group Policy #1174

CarlGreenApps opened this issue Jun 18, 2020 · 38 comments

Comments

@CarlGreenApps
Copy link

I see that TGS now supports Group Policy according to the readme page here but doesn't tell you how to use it. Can you advise if there is an ADMX file to download?

@deanoemcke
Copy link
Collaborator

The code was submitted by @marcospgp
I would also like a little more info on how to go about implementing group policy.

@CAPA14
Copy link

CAPA14 commented Jun 26, 2020

Hello!
Still no words about this?

This is a MUST because I need to implement this in VDI environments where a centralized management for all users is the ideal!
Imagine that I will deploy to 400 users and then we need to set some site to the White List... Informing the users to configure it will not work very well... so a GPO will be fantastic.

If not a GPO where the settings of the Great Suspender are stored? Would it be possible to copy the configuration file or registry keys from one users to another?

@marcospgp
Copy link
Contributor

The settings described in the readme should be set directly as registry values through the group policy.

When developing that feature I edited my computer's registry directly to test the effects.

https://theitbros.com/add-modify-and-delete-registry-keys-using-group-policy/

@CarlGreenApps
Copy link
Author

@marospgp, thanks for coming back to us but the answer is to vague. What is the starting point of the registry setting, ie.

HKCU\SOFTWARE\Google\Chrome\Extensions\klbibkeccnjlkjkiokjodocebajanakg
Multipart String named WHITELIST

WHITELIST contains per line sites to whitelist, ie:
www.bbc.co.uk
www.google.co.uk

I tried above on my pc but my whitelist remained the same.

What is the TAG version that includes support for GPO usage? I have v7.1.6

@marcospgp
Copy link
Contributor

Forgive me, it's been a while since I last looked at this.

You need to follow Chrome's instructions on setting group policy values for browser extensions: Check this https://support.google.com/chrome/a/answer/7532015?hl=en or this https://support.google.com/chrome/a/answer/7532015?hl=en for example

@CAPA14
Copy link

CAPA14 commented Jun 26, 2020

Thanks for answering.

I'm looking at this https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings

Which actually points template and to the following registry key:
Software\Policies\Google\Chrome\Recommended\ExtensionSettings

However this looks like just extensions permissions and where it's allowed to run and not "in extension" settings.
I'm confused :)

@CarlGreenApps
Copy link
Author

@marcospgp can you share a example json string which I can enter into the GPO setting named Extension management settings

@Simkonge
Copy link

Has anyone implemented this in a RDP environment?
We're looking into deploy TGS on our terminal servers, and I'd love to hear if anyones done it yet.

@jcrossplaza
Copy link

jcrossplaza commented Jun 30, 2020

I've tried adding json to ExtensionSettings in many different formats, but none of the code I use works because ExtensionSettings seems to apply only to settings outside of the extensions (like permissions, whitelists and install locations). I cannot, for example, get the json to adjust actual in-app settings. See example json code below (note I have tried this code in MANY different variations, the best I can get is for it to tell me that the parameter isn't valid).
{"klbibkeccnjlkjkiokjodocebajanakg":{"UNSUSPEND_ON_FOCUS": ["true"]}}
Error: Schema validation error at "klbibkeccnjlkjkiokjodocebajanakg": Unknown property: UNSUSPEND_ON_FOCUS

To help others figure this out:
{"this is the extensions ID":{"this is the extension's parameter": ["this is the setting"]}}

Here are some useful links:
https://support.google.com/chrome/a/answer/7532015?hl=en
https://mythic-byway-180716.appspot.com/

@CAPA14
Copy link

CAPA14 commented Jul 1, 2020

I've tried adding json to ExtensionSettings in many different formats, but none of the code I use works because ExtensionSettings seems to apply only to settings outside of the extensions (like permissions, whitelists and install locations). I cannot, for example, get the json to adjust actual in-app settings. See example json code below (note I have tried this code in MANY different variations, the best I can get is for it to tell me that the parameter isn't valid).
{"klbibkeccnjlkjkiokjodocebajanakg":{"UNSUSPEND_ON_FOCUS": ["true"]}}
Error: Schema validation error at "klbibkeccnjlkjkiokjodocebajanakg": Unknown property: UNSUSPEND_ON_FOCUS

To help others figure this out:
{"this is the extensions ID":{"this is the extension's parameter": ["this is the setting"]}}

Here are some useful links:
https://support.google.com/chrome/a/answer/7532015?hl=en
https://mythic-byway-180716.appspot.com/

Yeah as I suspected, these GPO settings are just Settings for the Extensions access permissions and urls allowed to run it.
Does not apply to settings inside the Extension itself.

@marcospgp we need accurate examples of how to use the parameters, please.
Exs:
Change the following Registry Key (provide the registry key path and value)
Change the following File ( provide the file path and lines to change/add)

@CarlGreenApps
Copy link
Author

@marcospgp any progress been made on advising us what registry keys we need to use?

@CarlGreenApps
Copy link
Author

@deanoemcke is there an option to use a command URL to update settings?
for example:
chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/options.html?WHITELIST=website1.com,website2.com&SCREEN_CAPTURE=0&SCREEN_CAPTURE_FORCE=TRUE ...

I could then put this into shortcut for user and on opening Chrome the settings are updated?
..\chrome.exe chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/options.html?WHITELIST=website1.com,website2.com&SCREEN_CAPTURE=0&SCREEN_CAPTURE_FORCE=TRUE ... etc etc..

@JonathanPitre
Copy link

Here's a working GPO synthax, works fine for all reg keys except the WHITELIST one.

TGS_POLICIES

@marcospgp
Copy link
Contributor

@JonathanPitre try surrounding the items in the whitelist with quotes and separating multiple items with a comma, such as "google.com","youtube.com".

Also apologies for the lack of info, but it's been a long time since I was hired to work on this and I don't remember most of the details. Should have done a better job with documentation!

@JonathanPitre
Copy link

JonathanPitre commented Jul 30, 2020

Hi @marcospgp I have already tried with "google.com" and I still don't see the URL in the whitelist.

Also can you tell us if this would work for Microsoft Edge as well ? I have tried this reg key and it does not do anything.

HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\klbibkeccnjlkjkiokjodocebajanakg\policy
SUSPEND_TIME

@CAPA14
Copy link

CAPA14 commented Jul 30, 2020

@JonathanPitre I tried to using provided registry keys and it did nothing. Are the changes apparent in the TGS extension settings?
TGS_KeyTest

To be clear I tried both paths HKLM and HKCU:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\klbibkeccnjlkjkiokjodocebajanakg\policy
HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\klbibkeccnjlkjkiokjodocebajanakg\policy
SUSPEND_TIME REG_SZ 15
UNSUSPEND_ON_FOCUS REG_SZ true

Even tried to reinstall TGS to see if the settings would work only upon installing, but to no avail.

@JonathanPitre
Copy link

JonathanPitre commented Jul 30, 2020 via email

@CAPA14
Copy link

CAPA14 commented Jul 30, 2020

I tested manually in my machine, not via GPP.(Which would give the same result)
I wasalso closing the browser before every attempt.
Is there something else you are doing? Like installing the extension via Chrome Policy maybe?(if this makes any difference from installing manually)

@JonathanPitre
Copy link

Nothing special really, are you using a STRING value? yes in my case the extension is being installed by GPO as well

@CarlGreenApps
Copy link
Author

@JonathanPitre can you export your working registry settings to file and share so we can test with these?

Feels like we are getting close and it will make my day when we can get this working, Ultimately the two most important options I need to work are WHITELIST and SUSPEND_TIME.

@CAPA14
Copy link

CAPA14 commented Jul 31, 2020

Nothing special really, are you using a STRING value? yes in my case the extension is being installed by GPO as well

Yes i'm using string(REG_SZ) as type.

@carl039 have you tried what Jonathan did?

@CarlGreenApps
Copy link
Author

@JonathanPitre When you say you started with a new profile was that a new Chrome Profile or Windows Profile ?

I was hoping just doing this in the F12 Console view would have been enough to reset TSG back to factory default.
chrome.storage.sync.clear();location.reload();

image

Here is the registry setting I have for SUSPEND_TIME set to 30 but it doesn't work:
image

What am I missing?

@JonathanPitre
Copy link

@carl039 I meant Windows Profile

@CarlGreenApps
Copy link
Author

@JonathanPitre tried with new Windows profile and it didn't work. Seems to be overly complicated and even if that had worked the next hurdle to overcome would to make it work with existing Windows profile.

@fancyfiber
Copy link

Trying to get this working in our environment as well, and it's not functional. My basic question is, does this work with the version in the Chrome extension store or do I need to figure out how to build it manually?

I know people are saying they did nothing special to install it...I am running the version from the Chrome extension store, and when I put in chrome://policy it does not show the Great Suspender as supporting policies. Since the version I have (7.1.6 according to the About page) doesn't seem to support policies, the process above doesn't work.

Looking at this more, I see the extension files I installed on a new workstation today do not include the file:: managed-storage-schema.json

This file is responsible for the policies and is required....simply adding the file didn't work to get the policies working, so I assume it also needs to be loaded from somewhere.

Can the devs clarify this? @marcospgp @deanoemcke

@wizxon
Copy link

wizxon commented Aug 21, 2020

It seems to me the front page should be updated to remove mention of this functionality until someone can tell us how it actually works.

@CarlGreenApps
Copy link
Author

Just an idea if its time/money to get it fixed what is the cost to just to get it done?
Maybe the community would be willing to donate to this cause?

@aciidic
Copy link

aciidic commented Oct 22, 2020

For those of you wondering...

I've not worked on browser extensions before, but it looked to me the latest Chrome Web Store version of the extension was not "registering" on chrome://policy to be able to access managed storage - and neither were any of other releases which I tested from this Github repo.

Wasted hours blindly trying to amend the latest release, only to find that the latest repo code (showing as v7.1.8) already has the required code to get the extension to work with Chrome managed storage (manifest, JSON schema, etc) little bit of a shame that nobody here bothered to mention that in any of the replies above...!?

Anyway, to get this working...
(Local installation no longer required as Web Store version has now been updated)
- Download the latest source from this repository & extract the data
- Open chrome://extensions
- Enable Developer mode in top-right corner
- Click on "Load Unpacked" in top-left corner and select the src FOLDER from extracted data > click Open Folder
(Or you can try drag & drop the src folder in to your chrome://extensions window)
- Confirm The Great Suspender now appears in chrome://extensions AND in your chrome://policy

  • Copy the extension ID from chrome://extensions
  • Create required registry keys (pick either HKLM or HKCU) obviously add your own extension ID, at:
    \Software\Policies\Google\Chrome\3rdparty\extensions\EXTENSION_ID\policy
  • If you now go to chrome://policy and click "Reload policies" in top left, you should see your configuration listed
  • Worth noting that config changes don't seem to apply until Chrome is restarted, and I've seen extension settings page stuck on previous config until I closed/re-opened Chrome for a second time

As pointed out by someone above, documentation is missing basic information...

  • Use REG_SZ for string config values
  • Use REG_SZ for WHITELIST, split each domain with a space char. Extension doesn't care for www. but do not include http/s://
    domain1.com domain2.com www.domain3.com whatever.you.want.com
  • Use REG_DWORD for boolean config (1 for true, 0 for false)
    Config Example

Alas, after all this I won't be rolling out the extension as it hasn't yet been updated on the Chrome Web Store.... (edit: v7.1.8 is now live on Web Store! 👍)

#1240

@CarlGreenApps
Copy link
Author

@aciidic great job. TGS updated to v7.1.8 just now on my pc. When I have some spare time I am going to revisit this to see if its now working. Fingers crossed...

@CAPA14
Copy link

CAPA14 commented Oct 28, 2020

@aciidic now that's some consistent information! Thank you very much.

@CAPA14
Copy link

CAPA14 commented Oct 28, 2020

I found that at least UNSUSPEND_ON_FOCUS which is described as Bool true or false. Only shows up in policies when the registry is set to 0 or 1.
image

If I set to "true" it disappears
image

Also can confirm that the policy only really refreshes when Chrome is fully closed and opened again.

@aciidic
Copy link

aciidic commented Oct 28, 2020

I found that at least UNSUSPEND_ON_FOCUS which is described as Bool true or false. Only shows up in policies when the registry is set to 0 or 1.

Not sure if it matters, but I use REG_DWORD insead of REG_SZ for the boolean options, and yes either 1 or 0 for true or false.

Check in your chrome://policy to see if it's listed?

@CarlGreenApps
Copy link
Author

CarlGreenApps commented Oct 28, 2020

Just the small issue now that settings take a couple of attempts to be reflected in TGS settings.
I just concentrated on the SUSPEND_TIME and here are my results:

  1. Close Chrome

  2. Edit Registry and set as follows:
    [HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\klbibkeccnjlkjkiokjodocebajanakg\policy]
    Name: SUSPEND_TIME
    Type: REG_SZ
    Value: 5

  3. Open Chrome, check chrome://policy and value is there.

  4. Open TGS Settings and SUSPEND_TIME not updated.

  5. Close and Reopen Chrome.

  6. Open TGS Settings and SUSPEND_TIME updated.

  7. Amend registry SUSPEND_TIME to 15

  8. Close and Reopen Chrome.

  9. Open TGS Settings and SUSPEND_TIME not updated.

  10. Close and Reopen Chrome.

  11. Open TGS Settings and SUSPEND_TIME updated.

Just read @aciidic original comments and it was reported the same as me with settings only taking on 2nd chrome reload.

@CarlGreenApps
Copy link
Author

Here are the registry default registry settings for HKCU, copy paste into file and then import the .reg file.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\klbibkeccnjlkjkiokjodocebajanakg\policy]
"SUSPEND_TIME"="60"
"SCREEN_CAPTURE"="0"
"SCREEN_CAPTURE_FORCE"=dword:00000000
"SUSPEND_IN_PLACE_OF_DISCARD"=dword:00000000
"DISCARD_IN_PLACE_OF_SUSPEND"=dword:00000000
"USE_ALT_SCREEN_CAPTURE_LIB"=dword:00000000
"DISCARD_AFTER_SUSPEND"=dword:00000000
"IGNORE_WHEN_OFFLINE"=dword:00000000
"IGNORE_WHEN_CHARGING"=dword:00000000
"UNSUSPEND_ON_FOCUS"=dword:00000000
"IGNORE_PINNED"=dword:00000001
"IGNORE_FORMS"=dword:00000001
"IGNORE_AUDIO"=dword:00000001
"IGNORE_ACTIVE_TABS"=dword:00000001
"IGNORE_CACHE"=dword:00000000
"ADD_CONTEXT"=dword:00000001
"SYNC_SETTINGS"=dword:00000001
"NO_NAG"=dword:00000000
"THEME"="light"
"WHITELIST"=""

@aciidic
Copy link

aciidic commented Oct 28, 2020

@carl039 Same behaviour that I experienced, however regarding SUSPEND_TIME this does need to be a string (REG_SZ)

The only times to use REG_DWORD is for the boolean options - I haven't personally tested if REG_SZ and REG_DWORD can be used interchangeably - as the settings I found in post #1174 (comment) worked as intended

@CarlGreenApps
Copy link
Author

Any ideas how to get Group Policy to update TGS extension as users are currently on 7.1.0 and only method I have found to get them to upgrade to 7.1.9 is to force manual update in Chrome using this method:
https://gadgets.ndtv.com/apps/features/how-to-manually-update-google-chrome-extensions-661907

I am using the Chrome GPO user setting: Configure the list of force-installed apps and extensions to force the TGS extension onto users chrome. This has been live for a few years and turns out its not been updating itself for some time.

I was hoping Chrome would have just done it but seems not in our RDS environment.

Also is anyone working on a ADM or ADMX template?

@aciidic
Copy link

aciidic commented Dec 16, 2020

My attempt to remove tracking, notifications & permissions from the latest v7.1.8, for those interested in testing a privacy-preserving version of this plugin.

https://github.com/aciidic/thegreatsuspender-notrack

@CarlGreenApps
Copy link
Author

Abandoned TGS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants