Managing Chrome Browsers on Non-Chromebook Devices in Educational Environments

Managing Chrome browsers in educational environments can be challenging, especially when dealing with non-Chromebook devices. Schools widely use Chromebooks due to their ease of management through the Google Admin console. However, managing Chrome browsers on Windows and Mac devices can be more complex. This article provides a comprehensive guide on effectively managing Chrome browsers using the Google Admin console, ensuring a consistent and secure user experience across all devices.

In this article, you'll learn how to:

Pre-Configuration

Before you can manage Chrome browsers, signing up for Chrome Enterprise Core is essential. Chrome Enterprise Core is a free service included with Google Workspace for Education, which allows you to manage your Chrome browsers from the Admin console, just like managing Chromebooks. This step enables you to use the Google Admin console to manage Chrome browsers across various platforms, including Microsoft Windows, Apple Mac, Linux, iOS, and Android.

Steps to Sign Up for Chrome Enterprise Core:

  1. In your Admin console, go to Billing > Subscriptions.
  2. Click Add or upgrade a subscription.
  3. Go to the Devices & Browser category.
  4. Under Chrome Enterprise Core, click Get Started.
  5. Review your selection and click Checkout.
  6. Click Place Order.

Setting Up Managed Browsers 

Create a Managed Browsers OU

Configure the Organizational Unit (OU) structure to include a Managed Browsers OU, where all managed browsers will reside. You can think of this OU as sitting in the same place as a Chromebook OU: we have recommendations for where Chromebook OUs live in your OU structure, and you can treat managed browsers the same way. When you first create this OU, it is empty, and you do not yet manage any browsers. If you wish to create sub-OUs to organize your managed browsers further, you may do so. When you start configuring policies for your managed browsers, policy inheritance works the same as it does for Chromebooks or users.

Next, you'll generate a token to enroll browsers.

Enroll Browsers

Using the Google Admin console to enroll Chrome browsers on non-Chromebook devices involves obtaining and installing a token on the machines to enroll them in the domain.

Caution: Admins need to generate an enrollment token for each Managed Browser OU, and if there are multiple OUs, then admins must generate multiple enrollment tokens. Admins can move managed browsers to different OUs after enrollment without changing the enrollment token. Still, the token defines which OU a browser will be placed in when initially enrolled.

  1. In the Admin console, go to Managed Browsers.
    Chrome browser > Managed Browsers
  2. Navigate to your Managed Browsers OU, or the OU where you want to place your managed browsers.
  3. Click Enroll at the top of the page to get a token.
  4. To download the token, click the download that matches your device’s operating system. If you use Group Policy, you can copy this token for use in the Group Policy Management Editor. For other deployment methods for mass browser enrollment, please see Google’s Help Center.
  5. Once browsers are enrolled, launch Chrome on each machine so that it can complete enrollment, sync, and download the necessary policies.
  6. Go to the Managed Browsers OU to see your managed browsers, plus additional information, such as the number of extensions and policies.

Note: Generally, the Machine name is the host name on the device.

Configure Policies

Now, it is time to configure your browser policies just like you would a Chromebook. You will use the Google Admin console to force install extensions and configure browser settings to ensure a consistent user experience. This includes disabling incognito mode, preventing users from clearing browser history, and enforcing sign-in policies.  

  1. In the Admin console, go to Chrome Browser Settings.
    Chrome browser > Settings
  2. Be sure you are still in your Managed Browsers OU.
  3. Click the User & browser settings tab.
  4. Configure settings as necessary such as:
    • Incognito mode
    • Clear browser history
    • Default browser check
    • Profile picker availability on browser startup - recommended for shared machines.
    • Generative AI policy defaults
    • Policy precedence - Recommendation: Chrome profile > Machine cloud > Machine > OS user

Note: Filtering by Inheritance: Locally applied lets you see the settings applied to the OU.

Force Install 

You can use the Google Admin Console to force install extensions and configure browser settings for your Managed Browsers OU.

  1. In the Admin console, go to Apps & Extensions.
    Chrome browser > Apps & extensions
  2. Be sure you are still in your Managed Browsers OU.
  3. For any app in the list, select Force install or Force install + pin to browser toolbar.

Managing User Data

Erase Local User Data When Browser Closes 

You can enable ephemeral mode to erase all local user data when the browser is closed. This is particularly useful for shared machines in computer labs, ensuring that devices do not retain user data. When enabled, users must sign in each time to access the browser.

Setting: Security > Force ephemeral mode

Restrict Personal Account Login

Configure domain restrictions to prevent users from signing into personal accounts on school devices. This enhances security by ensuring that only authorized accounts can access the browser. 

  • To configure this, use the Restrict sign-in to pattern policy to specify which domain(s) are allowed to sign into your managed browsers.
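Because the Restrict sign-in to pattern value is a regular expression, a loosely written pattern can admit accounts outside your domain. The following is an added example, not part of the original article or Google's tooling, that checks a candidate pattern against accounts that must be allowed and must be blocked before you deploy it. The domain school.example, the sample accounts, and the assumption that the pattern has to match the whole account name are illustrative.

```python
import re


def signin_allowed(pattern: str, account: str) -> bool:
    # Assumption: the pattern must match the entire account name,
    # so fullmatch is used rather than a substring search.
    return re.fullmatch(pattern, account) is not None


def audit_pattern(pattern, must_allow, must_deny):
    """Return (account, problem) pairs; an empty list means the pattern behaves as intended."""
    findings = []
    for account in must_allow:
        if not signin_allowed(pattern, account):
            findings.append((account, "blocked but should be allowed"))
    for account in must_deny:
        if signin_allowed(pattern, account):
            findings.append((account, "allowed but should be blocked"))
    return findings


# Constructed sample accounts; school.example is a placeholder domain.
MUST_ALLOW = ["student1@school.example", "teacher@staff.school.example"]
MUST_DENY = [
    "someone@gmail.com",                  # personal account
    "student1@notschool.example",         # lookalike domain sharing the suffix
    "student1@school.example.evil.test",  # school domain used only as a prefix
    "student1@schoolxexample",            # matches only if '.' is left unescaped
]

CANDIDATES = {
    # Wildcard before the domain and unescaped dots: too permissive.
    "loose": r".*@.*school.example",
    # Dots escaped and the only permitted subdomain listed explicitly.
    "strict": r".*@(staff\.)?school\.example",
}

if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        print(name, pattern)
        for account, problem in audit_pattern(pattern, MUST_ALLOW, MUST_DENY):
            print("   ", account, "->", problem)
```

Replace the sample lists with real account formats from your domain, including every subdomain your staff and students use, and deploy a pattern only when the audit returns no findings.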

Profile Separation

If you wish to allow users to sign into their personal Google accounts in your managed browsers but want to force users to create separate profiles for personal and school accounts, use the Enterprise profiles separation and Separate profile for managed Google Identity policies. Careful testing of these policies may be needed before deployment. Profile separation will ensure that your users cannot access personal Google accounts through a school profile and vice versa.

Note: A Chrome profile includes saved data such as bookmarks, history, passwords, cookies, extensions and settings—and in the case of managed accounts, policies. Ensuring profiles are separated is a good security practice.

Troubleshooting and Unenrolling Browsers

Unenrolling Browsers

  • To unmanage a browser, delete it from the Google Admin console and remove the enrollment token from the machine's registry. If you do not remove the token from the device, it will typically re-enroll itself the next time it is launched.
  • The location of the enrollment token on the machine varies depending on the operating system. Please see Google’s Help Center for information on where these tokens are located.
  • Understand the difference between enrollment tokens and device tokens and manage them accordingly to ensure proper unenrollment: 
    • An enrollment token is used during the initial enrollment process of a device into a management system.
    • A device token is a unique identifier for a device that allows it to interact with the management system after enrollment. 

Policy Precedence

  • Set policy precedence to ensure that cloud policies take priority over machine and OS policies. This helps maintain a consistent user experience. 
    Recommendation: Chrome profile > Machine cloud > Machine > OS user
    • Chrome profile = policies assigned to the user in Google Admin
    • Machine cloud = policies assigned to the browser in Google Admin
    • Machine = policies set at the machine level through Group Policy, an MDM, Google Admin for ChromeOS, or MacOS managed preferences
    • OS user = policies set for the user through Group Policy, an MDM, or MacOS managed preferences
    • For more information on policy precedence, please see Google’s Help Center.
    • If you previously managed Chrome through Group Policy or an MDM and are transitioning to Chrome Enterprise Core, it is recommended that you delete any policy settings from those platforms that you are now configuring in the Admin console. This will help prevent conflicting policies and browser behavior issues.

Managing and Supporting Users and Browsers

Browser Reporting

  • Once your managed browsers are up and running, they will start reporting data to the Admin console. You can review these reports under Chrome browser > Reports.
  • To ensure data is reported to your Admin console, check the Managed browser reporting and Managed profile reporting policies in Chrome browser > Settings > User & browser settings.
  • By default, managed browsers report their status once every 24 hours. You can change this frequency by going to the Managed browser reporting upload frequency policy and entering a value between 3 and 24 hours.

Remotely Clearing Cache/Cookies

One of the first troubleshooting steps in Chrome is usually clearing the browser cache and cookies. If the user does not know how to perform this task or if you wish to do it remotely, you can do this from the Admin console with managed Chrome browsers.

To remotely clear a user’s cache and cookies:

  1. Locate the browser under Chrome browser > Managed browsers
  2. In the browser’s information page, scroll down to Browsers & Profiles and open the list of profiles saved to that browser. 
  3. Click the three dots menu at the right of the profile in need of support, and click Clear cache, Clear cookies, or Clear cache and cookies

By following these steps, you can effectively manage Chrome browsers in your educational environment, ensuring a secure and consistent experience for all users. Leveraging the Google Admin Console for browser management simplifies the process and provides greater control over user data and browser settings. 

 
