Getting more from Chrome Browser Cloud Management with Google Cloud Identity
Alex Bauer
Chrome Browser Customer Engineer
Learn more about Chrome Enterprise Core
Powerful and flexible management capabilities both in the cloud and on premises, at no additional cost.
Learn moreAt Google we strongly believe that enterprise security starts at the browser - a secure browser helps lower an enterprises’ risk. That’s why we built Chrome to protect against malicious transfers and have native features around data loss prevention that reduce the workload that other security tools need to take on.
Security is becoming a primary focus for more IT teams. Now that they are able to centrally manage their browsers with Chrome Browser Cloud Management, they are turning their focus to how they can increase overall enterprise security. Chrome Browser Cloud Management allows IT to configure and manage browser policies, settings, apps and extensions across your browsers, and do it all from a single console—even if your workforce uses multiple operating systems and devices.
During our conversations with enterprises, we noticed that companies take two very different approaches to managing Chrome profile sign in behavior:
On one side, companies completely lock down the browser and block all Chrome profile sign-ins. While this does not block users from checking their personal Gmail for example, it does block all Google Sync functionality. This increases user frustration and administrator workload. For a user, not being able to sync browser data means that their bookmarks, history and favorite extensions are at risk of being lost in the case of a device breakdown. With this approach, administrators have to come up with complex workloads to back up a users’ profile. Especially in VDI environments, this becomes even more important and difficult.
Other companies implement no controls to profile sign-in, which allows users to sign in with any Google account and sync all of their data. But the challenge is that approach mixes their corporate data with their personal data. This can be seen as a risk. For example, if an employee leaves the company, they can take their synced corporate data with them, which could include passwords, history, bookmarks, and more. If their personal account ever gets compromised, the attacker now gains insights into the corporate data and can use that to possibly stage an attack on enterprise resources.
The two approaches offer either too much security at the expense of a users’ experience, or too little security. What if there was a way to offer both a streamlined user experience across corporate Chrome browsers, while also offering a higher level of enterprise security?
Enabling Google Sync for Corporate Accounts
Google offers two kinds of corporate Google hosted accounts. From a Chrome perspective, both offer Google Sync and both can integrate with various corporate SSOs.
The process of getting Google Cloud Identity is simple:
Verify your domain in the Google Admin Console.
Under subscriptions in the Admin Console, sign up for the desired Cloud Identity SKU
Enforcing Profile Separation via Policies
We strongly recommend that you enable policies related to profile separation. In the Admin Console navigate to Devices > Chrome > Settings > User and browsers and make sure you enable the following policies:
Signin interception > Enable signin interception
Separate profile for managed Google Identity > Force separate profile
SSO Integration
Most major SSOs offer integration with the Google Admin Console that allows for automated account provisioning.
Here are some links to come of the most popular SSO/IdPs:
Integrating your SSO provider directly into Google Admin Console allows all your enterprise accounts to be automatically generated in Google Admin Console and secured by your SSO. This allows your Google accounts to follow the same MFA rules you currently use for all other enterprise services.
Once you have all your accounts generated in the Google ecosystem, all you need to do is to inform your users to use their corporate account instead of a personal Gmail account.
Chrome Browser Cloud Management with Cloud Identity
Chrome Browser Cloud Management is the foundation to offering a secure browsing experience in your enterprise. When you deploy the enrollment token for Chrome Browser Cloud Management, all enterprise Chrome browsers are managed by the Google Admin Console, allowing you to enforce policies and extension settings. When you add Cloud Identity into the mix, your capabilities grow exponentially.
You can deploy the enrollment token and apply your common controls onto your browsers - one of those being limiting your employees to only sign into a corporate Google account at the profile layer (they are still able to check their personal Gmail, but they can not sync any data to that account). Depending on the user that signs into the browser, the configuration can dynamically change. For example, if a developer signs in, all developer tools are enabled in Chrome. If a regular user signs into the browser on the same machine, developer tools are disabled. You are now able to have a simple configuration for all machines, and only focus on the user that signs in instead.
Another benefit of combining Chrome Browser Cloud Management and Google Cloud Identity is related to BYOD. You can enforce various conditional access policies either via your SSO or via Google’s BeyondCorp Enterprise and allow your employees to add a corporate managed Chrome profile on their personal device and access a limited subset of web applications. If a users’ corporate device gets damaged, with the right network configuration, they are still able to sign into Chrome on their personal device. They can access the internal ticketing system to open a case to request a device repair or replacement and also access some cloud-based web applications secured by the same SSO.
Azure Cloud Authentication Simplified
With Chrome 111, we now offer a new policy that significantly improves the user experience for customers that are Microsoft Azure domain joined for their Windows 10/11 machines. When the Azure Cloud Authentication policy is enabled, Chrome securely sends the OS credentials to resources secured by Microsoft Azure without the end-user having to re-enter their credentials or having to deal with MFA challenges. All Azure conditional policies are also enforced.
For customers that are Azure enabled, this policy also brings another benefit. We’ve talked above about offering Google Cloud Identity accounts to all your employees. When you integrate your Google accounts with Microsoft Azure for SSO and enable this policy, all that your users have to do in Chrome when launching the first time is to enter their email address. The rest of the steps are automated. Sign In redirects to Azure where Windows PRT automatically authenticates in the Azure page, which then redirects back to Google with a successful login. The user then just clicks once to enable Google Sync and they are off to the races to use their favorite browser in a secure way!
Chrome is always looking at ways to improve the sign on experience and give enterprises the security capabilities they need, whether customers chose to use Google Cloud Identity, Microsoft Azure, or other identity providers. See how you can take advantage of Chrome Browser Cloud Management in your environment here.