This post has been authored by Kirk Quinn, Browsium’s client engagement manager (and SE extraordinaire). He spends the bulk of his time working with our enterprise customers on their deployment strategies for Browsium software.
Browsers are getting more and more complicated to manage in the enterprise. As the various browsers continue to fragment, and legacy applications ultimately break, organizations are increasingly implementing multi-browser strategies. However, managing the multiple browsers (typically Internet Explorer, Chrome and Firefox) in the enterprise can cause headaches for your IT helpdesk and your network administrators.
By developing a sound strategy to tackle this challenge using tools available from the various browser vendors in conjunction with Browsium Catalyst, you can pair each web application with the most compatible browser, without your end users having to make the decision. Also, you can “lock down” your environment with Group Policy Objects (GPOs) to ensure that the end users do not take it upon themselves to blow up your well-thought-out strategy.
The first part of your strategy is to understand what applications are affected by which browsers and define how you are going to utilize the multi-browser approach to solve your particular situation. For example, in our experience it is very common that an organization standardized on IE8 when it migrated to Windows 7. Then one of the Lines of Business (LOB) discovers it needs an application that requires HTML5. This scenario is increasingly common as new SaaS applications are built to the latest web standards. An excellent approach to dealing with this challenge is to keep IE8 as the enterprise standard and add Google Chrome, which is HTML5 compliant, for the LOB application.
The dilemma now is how to restrict the proliferation of Chrome and still keep IE8 as a standard. The answer is the combination of Browsium Catalyst and Group Policy. Catalyst allows you to quickly create “rules” that open a specific browser based on the URL, IP address or a range of IP addresses that the HTML5 application requires. You can also specify IE8 as the default browser for all of your other browser requirements. So, now how do you prevent the users from changing these settings? Group Policy.
The Group Policy templates that Microsoft provides for Internet Explorer are the most comprehensive and allow the most flexibility, followed by Google Chrome and then Mozilla Firefox. This article focuses on these three companies’ offerings because they share the largest installed base in the enterprise today.
Without getting too far into the weeds, there are two primary areas the templates address: Per user configuration and Computer configuration. These settings are designed to be set by the network administrator and propagated through Active Directory to the end users or the devices. This Microsoft web page goes into great detail about using Group Policy in the enterprise.
For Internet Explorer there are many policies that are helpful in locking down your configuration and preventing end users from changing your desired settings. Recent versions of Internet Explorer require user confirmation before any new add-on (or extension) is enabled, unless that add-on is set to ‘enabled’ during the deployment process.
Administrators can control the use of specific add-ons through the ‘Add-On List Policy’, which can be found in Administrative Templates\Windows Components\Internet Explorer\Security Features. Administrators can choose to enable or disable an add-on as well as prevent a specific add-on from being managed by the user. This will require you to use the GUID of the add-on within the policy to identify the add-on and a value to enable it.
In the Value field you need to enter a number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
Starting with IE9 Microsoft has added even more choices to manage add-ons. One such policy is ‘Automatically activate newly installed add-ons’.
In addition to managing add-ons, you will want to suppress the request from IE to be the default browser. When using Catalyst to determine which browser to use, it becomes the default browser so that it can direct the traffic based on the rules you have implemented. In the templates for IE5 to IE9 this policy is called ‘Tell me if Internet Explorer is not the default web browser’. For IE10 the policy name is changed to ‘Notify users if Internet Explorer is not the default web browser’ and is only found in the User Configuration Node.
For Google Chrome, you can download the templates for Group Policy here. One thing to note is that starting with Chrome 28, policies are loaded directly from the Group Policy API on Windows. While IE policies can be written to the registry manually, policies for Chrome that are manually written to the Windows registry are ignored.
By default, Chrome automatically disables all extensions that are side-loaded (installed by a 3rd party program, like the Catalyst Client installation package), requiring users to enable them manually. The policy ‘Configure the list of force-installed extensions’ (a.k.a. ExtensionInstallForcelist) allows you to specify a list of extensions that will be installed silently and enabled by default, without user interaction. A by-product of this policy is that managed extensions are silently installed in Chrome, enabled by default, and users will not be able to disable or remove them. This is exactly what you want for enterprise deployment of Catalyst.
If this policy is ‘Not Configured’, users can delete any extension in Chrome, including Catalyst, from the Extensions page. This is not what you want, as side-loaded extensions that are deleted are automatically blacklisted and re-enabling them is tricky (but achievable).
For all users running Catalyst, the ‘Set Chrome as Default Browser’ setting (a.k.a. DefaultBrowserSettingEnabled) should be “Disabled” in your Group Policy editor. The path for this setting is Local Computer Policy\Administrative Templates\Classic Administrative Templates (ADM)\Google\Google Chrome.
If you ‘Enable’ this setting, Chrome will always check on startup whether it is the default browser and automatically register itself if possible. If this setting is ‘Disabled’, Chrome will never check if it is the default browser and will disable user controls for setting this option (the desired state when using Catalyst). If this setting is ‘Not Configured’, Chrome will allow the user to control whether it is the default browser and whether user notifications should be shown when it isn’t.
Google Chrome includes a predictive network capability, called ‘predict network actions’, that is designed to improve page load performance. This feature pre-fetches pages based on URLs entered into the address bar by the user or instructions coded into a webpage by a website.
When enabled, the predict network actions feature instructs the Chrome browser to download the targeted pages on the user’s behalf, without their explicit interaction or having instantiated a navigation event. As a result this feature may cause Catalyst to see phantom navigation requests coming from Chrome for pages already in the Chrome history that match a Catalyst Rule. This can result in navigation to a site that the end user did not intend to go to.
To prevent this behavior we recommend that you disable the ‘Enable network prediction’ policy in the Google Chrome GPO.
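An added example, not part of the original post or Browsium's tooling: a read-only PowerShell audit of the Internet Explorer add-on list values and the Chrome policies described above. It assumes the standard registry locations where these policies are stored and that `DnsPrefetchingEnabled` is the policy name behind ‘Enable network prediction’; the Catalyst extension ID is a placeholder, since the post does not give it.

```powershell
# Added example: read-only audit of the policy state recommended in this post.
# Apply the settings themselves through Group Policy, not by editing these keys.
$ChromeKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'        # assumed policy location
$AddonKeys  = @(                                             # assumed Add-on List location
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID')
$CatalystId = '<catalyst-extension-id>'   # placeholder: the ID is not given in the post

function Get-PolicyValues([string]$Path) {
    # Return value-name -> data for a registry key, or an empty table if it is absent.
    $out = @{}
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $out[$name] = $key.GetValue($name) }
    }
    return $out
}

function Test-BrowserLockdown {
    $findings = @()
    # Chrome: both settings should be Disabled (0); a missing value means Not Configured.
    $chrome = Get-PolicyValues $ChromeKey
    foreach ($name in 'DefaultBrowserSettingEnabled', 'DnsPrefetchingEnabled') {
        if ($chrome[$name] -ne 0) { $findings += "Chrome $name is not Disabled (0)" }
    }
    # Force-list entries have the form "<extension id>;<update url>".
    $forced = (Get-PolicyValues "$ChromeKey\ExtensionInstallForcelist").Values |
        ForEach-Object { ([string]$_).Split(';')[0] }
    if ($forced -notcontains $CatalystId) {
        $findings += 'Catalyst extension is not in ExtensionInstallForcelist'
    }
    # IE Add-on List: 0 = denied, 1 = allowed, 2 = allowed and user-manageable.
    foreach ($path in $AddonKeys) {
        $values = Get-PolicyValues $path
        foreach ($clsid in $values.Keys) {
            switch ([string]$values[$clsid]) {
                '0' { }
                '1' { }
                '2' { $findings += "IE add-on $clsid ($path): allowed, user can manage it" }
                default { $findings += "IE add-on $clsid ($path): unexpected value '$_'" }
            }
        }
    }
    return $findings
}

$result = Test-BrowserLockdown
if ($result) { $result | ForEach-Object { Write-Output "FINDING: $_" } } else {
    Write-Output 'Browser lockdown policies match the recommended state.' }
```

Run it on a domain-joined client after `gpupdate` to confirm the GPO actually landed; a value of 2 in the add-on list is reported because it leaves the add-on under user control.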
Finally, to deal with Mozilla Firefox you must download an add-on for it to use the GPO templates which can be found on Sourceforge.net. Once you have downloaded the add-on and imported the templates you will want to ‘Disable Firefox Default Browser Check’ so that the user is not prompted to make a decision since you already have done that for them.
We hope that you’ve found this post informative. You will find additional detail on Group Policy management for Catalyst, as well as other helpful hints about using Catalyst, in the Browsium Catalyst Administration Guide. Sections 5 and 6 are particularly helpful as they go into intricate detail on managing the browser extensions for Internet Explorer, Chrome, and Firefox, as well as options for deploying Catalyst configurations throughout the enterprise via Flat Files or Group Policy.