DEPLOYING THE SHIELD EXTENSIONS
In this document, we will cover the deployment steps of the GAT Shield extension.
To start, navigate to Google Admin console
In Admin console click on Devices
Select Chrome – then Apps & extensions from the left-hand side of the screen.
Select and click on Users & Browsers
A new page will be displayed.
To install the GAT Shield extension choose the root Org Unit or a sub-OU.
On the right bottom side, Yellow button will be displayed
Click on and select Add the Chrome app or extension by ID.
NOTE: A pop up window will be displayed, select From a custom URL option.
Enter the Extension ID and URL of the Open User Interface or Closed User Interface extension, only one version required
The ID and URL can be found in Shield under Help – Extensions deployment – click here to see details
On the right-hand menu for your newly installed extension, click the drop-down menu for Permissions and URL access and select Allow all permissions.
Now make sure that the extension is Forced installed.
Then click on the Save on the top right
If you wish to capture webcam images when Shield rules are triggered then you will need to force install the webcam support extension using the same method as above.
The unique ID and URL of webcam extension are displayed in the GAT Shield Console.
CONFIGURE YOUR GOOGLE ADMIN CONSOLE SETTINGS
We recommend enabling these settings in Device Management > Chrome Management > User & Browser Settings.
Some of these settings are mandatory.
User & Browser settings > Apps and Extension
In the Apps and Extensions area find the Task Manager settings and switch it to Block users from ending processes with the Chrome Task Manager.
Description: Task Manager can be used to tamper with the Chrome browser’s normal operations.
User & Browser settings > User Experience
The following settings are highly recommended for schools using enrolled Chromebooks.
These settings prevent students from bypassing the network firewall and installing Android apps like VPNs and other web browsers on their Chromebooks.
Very Important for Schools with Enrolled Chromebooks
- Block Multiple Sign in access
- Block access to secondary accounts on the device
User & Browser settings > Security
The following three options are recommended for schools with enrolled Chromebooks. These settings prevent students from bypassing or tampering with the GAT Shield extension.
Find the setting for Incognito Mode and Disallow Incognito mode.
Description: In incognito mode extensions don’t work.
Find the setting Browser history and set it to Always save browser history.
Description: Saving browser history is recommended so when incidents occur there is an audit trail that can be investigated by staff members.
Find the setting Clear Browser History and change it to Do not allow clearing history in settings menu.
Description: Ability to clear browser history on the Chrome Browser may allow users to tamper with GAT Shield Browser reporting features.
User & Browser settings > User Experience
Find Developer tools and set it to Never allow use of built-in developer tools.
Description: Developer tools can be used to disable extensions. Google also recommends disabling these tools in most cases.
User & Browser settings > Content
Find Screenshot setting and set it to Allow users to take screenshots.
Description: Disabling screenshots will cause problems with GAT Shield Alerting functionality.
Once all of the settings are completed make sure to click on Save.
CONFIGURE DEVICE SETTINGS
We recommend that these options be configured on your domain for your Chrome devices. Not all of these options are mandatory.
From the Google Admin Home screen, click through
Devices > Chrome Management > Device settings
In the left sidebar, select the OU that contains your Chromebooks, then configure the following policies to match these values.
Device Setting > Enrollment
- Configure the Forced re-enrollment.
- Set Verified access to Enable for content protection.
- Set Verified mode to Require verified mode boot for verified access.
Device Settings > Sign-in settings
- Disable Guest Mode on Chromebooks. This is a required step. Under the heading Sign-in settings set this option to Disable guest mode.
- For Sign-in Restrictions set it to Restrict sign-in to a list of users and Allowlist your own domain and subdomains.
- This will prevent domains such as @gmail.com from signing into a Chromebook.
TWO VERSIONS OF GAT SHIELD EXTENSION EXPLAINED
The Open User Interface extension allows the chrome user to see their own activity information while using the Chrome browser,
This includes: where and how they are spending their time and other useful details about their Chrome environment.
This version is also a recommended way for parents to monitor their child’s online activity.
The Closed User Interface will only display a grey GAT Shield icon but the end-user can’t access it.
Once the Shield extension is deployed, every user who logs into their Chrome Browser with their domain credentials will have the extension automatically synced. The Chrome user cannot override this setting.
Important note: Only deploy either the Open or Closed version of GAT Shield extension, do not deploy both extensions within the same Org Units as this may cause some interference with Shield Console.
GAT SHIELD EXTENSION ID AND URL
The GAT Shield extension ID and URL information are displayed in the GAT Shield Console that is launched from GAT+
See instructions below
1. Launch GAT+ on the top left click on GAT+ icon, a menu will be displayed – then select GAT Shield
2. Under the Help section, select Extensions Deployment – the details such as ID and URL for the different Shield extensions will be displayed.
Allow GAT Shield Extension via Firewall
Note: Depending on your Firewall setup, there might be restrictions set up and not allowing traffic to Shield.
Please check your Firewall settings and allow the following URLs:
These URLs must be reachable and not blocked by your Firewall.
Force Install Extension Org Unit inheritance explained
Note: If you install Shield on Sub. OU makes sure it’s ‘Force install Inherited from the domain‘.
You can click on the extension ID, select “Force install” and save.
When it is set up as ‘Default – Inherited from Google default‘ – Shield might not be active on the selected OU.
Displaying Serial Numbers within GAT Shield Console is available only for licensed enterprise enrolled devices.
If you require any assistance please contact us at firstname.lastname@example.org