Deploying the GAT Shield Chrome Extension
In this document, we will cover the deployment steps of the GAT Shield extension.
To start, navigate to the Google Admin console and log in.
In the Admin console, click on Devices.
From the menu on the left, navigate to Devices > Chrome > Apps & extensions, then click on Users & browsers.
A new page will be displayed.
Install
To install the GAT Shield extension, choose the root Org Unit or the sub-OU where you want to deploy Shield.
On the bottom right side, click on the yellow + button.
Select the Add the Chrome app or extension by ID option.
NOTE: A pop-up window will be displayed, select the From a custom URL option.
Enter the Extension ID and URL of the extension.
NOTE: The ID and URL can be found in Shield under Help – Extensions deployment
Click Save.
The Shield Extension is now installed.
Click on the newly installed extension. You will see a pop-up window on the side. Under Installation policy, select Force install.
Scroll down to the bottom of the same window to find Policy for extensions.
Enter the Secret key – taken from Shield under Help – Extensions deployment.
Under the Permissions and URL access field, select Allow all permissions (2).
After making all the changes, click the Save button on the top right.
Result of installation
Shield will be installed for the users of the selected Org. Unit. When the extension appears on the end-user accounts depends on Google.
Provided that the users are logged in to the Chrome browser with their Google Account, it should take a few minutes to propagate to the end users.
Deploying GAT Shield Extension using Microsoft Group Policy Objects (GPO)
Apply the Chrome ADMX Group Policy: https://support.google.com/chrome/a/answer/187202?hl=en#zippy=%2Cwindows
Then, in the Chrome policies, configure the force-installation of extensions:
Computer Configuration > Policies > Extension > Configure the list of force-installed apps and extensions
You then need to add the details of the extension to install.
See your GAT Shield Admin console for the “extension ID” and “URL”.
You can then apply the policy to the group of computers or users it is meant for.
Recommended settings
User & Browsers settings
We recommend enabling some settings on the domain to prevent Users (students) from interfering with Shield and any extensions.
Enable these settings in Devices > Chrome > Settings > Users & browsers
Some of these settings are mandatory.
Apps and Extensions
On the page selected above, scroll down to the Apps and Extensions area, find the Task Manager setting, and switch it to Block users from ending processes with the Chrome Task Manager.
Description: Task Manager can be used to tamper with the Chrome browser’s normal operations.
User experience
On the same page, scroll down to User Experience.
User & Browser settings > User Experience
The following settings are highly recommended for schools using enrolled Chromebooks.
These settings prevent students from bypassing the network firewall and installing Android apps like VPNs and other web browsers on their Chromebooks.
- Multiple Sign in access – Block multiple sign-in access for users in this organization
- Sign in to secondary accounts – Block users from signing in to or out of secondary Google accounts
Also in User experience, scroll to Developer tools and set it to “Never allow use of built-in developer tools”.
Description: Developer tools can be used to disable extensions. Google also recommends disabling these tools in most cases.
Security
The following three options are recommended for schools with enrolled Chromebooks. These settings prevent students from bypassing or tampering with the GAT Shield extension.
Scroll down to the Security tab
Find and apply the settings
- Incognito Mode – Disallow Incognito mode.
  - Description: In incognito mode, the extensions do not work.
- Browser history – Always save browser history.
  - Description: Saving browser history is recommended so when incidents occur there is an audit trail that can be investigated by staff members.
- Clear Browser History – Do not allow clearing history in the settings menu.
  - Description: The ability to clear browser history on the Chrome Browser may allow users to tamper with GAT Shield Browser reporting features.
Content
Scroll down further to the Content tab
- Screenshot – set it to Allow users to take screenshots.
Description: Disabling screenshots will cause problems with the GAT Shield Alerting functionality.
When all of the settings are set up, make sure they are saved by clicking on the “Save” button on the top right.
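An added example (not GAT's or Google's code): a small audit that compares the Chrome policies applied on an endpoint against the values recommended above. The mapping from the console labels to the policy names listed on chrome://policy, and the flat name-to-value input, are assumptions of this example; the sample input is constructed.

```python
# Recommended values from this page, keyed by the Chrome policy names that
# chrome://policy lists (the console-label-to-name mapping is this example's).
RECOMMENDED = {
    "TaskManagerEndProcessEnabled": (False, "Task Manager can end Chrome processes"),
    "DeveloperToolsAvailability": (2, "developer tools can disable extensions"),
    "IncognitoModeAvailability": (1, "extensions do not work in incognito mode"),
    "SavingBrowserHistoryDisabled": (False, "history is the audit trail for incidents"),
    "AllowDeletingBrowserHistory": (False, "clearing history tampers with reporting"),
    "DisableScreenshots": (False, "Shield alerting needs screenshots"),
}


def audit_policies(applied):
    """Return (policy, problem, reason) for each setting that deviates.

    `applied` is a flat {policy name: value} dict (assumed input format).
    A missing policy is reported too: an unset policy is not enforced,
    so the user can still change the behaviour.
    """
    findings = []
    for name, (want, reason) in RECOMMENDED.items():
        if name not in applied:
            findings.append((name, "not enforced", reason))
            continue
        got = applied[name]
        # Compare type as well as value: in Python True == 1 and False == 0,
        # so a boolean stored where an integer enum belongs must not pass.
        if type(got) is not type(want) or got != want:
            findings.append((name, f"is {got!r}, expected {want!r}", reason))
    return findings


# Constructed sample: incognito left available, screenshots disabled,
# and the Task Manager policy never set.
SAMPLE = {
    "DeveloperToolsAvailability": 2,
    "IncognitoModeAvailability": 0,
    "SavingBrowserHistoryDisabled": False,
    "AllowDeletingBrowserHistory": False,
    "DisableScreenshots": True,
}

if __name__ == "__main__":
    for name, problem, reason in audit_policies(SAMPLE):
        print(f"{name}: {problem} ({reason})")
```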
Configure Device Settings
We recommend that these options be configured on your domain for your Chrome devices. Not all are mandatory.
From the Google Admin console, navigate to:
Devices > Chrome > Settings > Devices
In the left sidebar, select the OU that contains your Chromebooks, then configure the following policies to match these values.
Enrollment and access
- Configure the Enrollment and access
- Set Forced re-enrollment – automatically re-enroll after a wipe
- Set Verified access to Enable for content protection.
- Set Verified mode to Require verified mode boot for verified access.
Sign-in settings
On the same page, scroll down to Sign-in settings.
- Guest mode – Disable guest mode
- Sign-in restrictions – Restrict sign-in to a list of users
- Add an allowed list
When done with the changes, click on the “Save” button on the top right.
Shield deployed to all – but only ChromeOS devices seen?
It may happen that Shield is deployed domain-wide to all users, yet data is shown only for ChromeOS devices. In that case, check the following setting.
Adjust the settings for Chrome management for signed-in users
Navigate to Devices > Chrome > Settings > Users and browsers > Chrome management for signed-in users
Set it to: Apply all user policies when users sign in to Chrome, and provide a managed Chrome experience.
Referring to: Manage user profiles on Chrome browser and View and configure apps and extensions
When the Shield extension is deployed, every user who logs into their Chrome Browser with their domain credentials will have the extension automatically synchronized.
The Chrome user cannot override this setting.
WebCam capture – Extension URL
If you wish to capture webcam images when Shield rules are triggered, you will need to enable Video-input-allowed URLs and add the Shield URLs.
This setting can be enabled in Devices > Chrome > Settings > Users & browsers
Then scroll down and navigate to Hardware then to Video-input-allowed URLs
Add the WebCam URL then click Save on the top right.
The unique ID and URLs are displayed in the GAT Shield Console – see below (GAT Shield extension ID and URL)
Remove the old WebCam extension
The old WebCam extension is no longer needed. Please remove it.
- webcamID: lncmmomdcmcilmblgmnlinenbinjklgg
Find the extension above and remove it.
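An added example (not GAT's code) for the force-install list described in the GPO section and the webcam clean-up above: it parses entries in Chrome's `<extension id>;<update URL>` force-install format, checks that Shield is present with a custom URL, and flags the old WebCam extension. The Shield ID and update URL below are constructed placeholders; take the real values from Help – Extensions deployment.

```python
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
OLD_WEBCAM_ID = "lncmmomdcmcilmblgmnlinenbinjklgg"  # from this page: no longer needed
SHIELD_ID = "abcdefghijklmnopabcdefghijklmnop"      # placeholder, not the real ID


def parse_forcelist_entry(entry):
    """Split one force-install entry into (extension id, update URL or None)."""
    ext_id, sep, url = entry.strip().partition(";")
    if not EXT_ID_RE.match(ext_id):
        raise ValueError(f"malformed extension ID: {ext_id!r}")
    if sep and not url.startswith("https://"):
        raise ValueError(f"update URL is not HTTPS: {url!r}")
    return ext_id, url or None


def review_forcelist(entries, shield_id=SHIELD_ID):
    """Return a list of findings for a force-install list."""
    findings, seen = [], set()
    for entry in entries:
        try:
            ext_id, url = parse_forcelist_entry(entry)
        except ValueError as exc:
            findings.append(f"invalid entry: {exc}")
            continue
        seen.add(ext_id)
        # Shield is deployed "From a custom URL", so its entry needs one.
        if ext_id == shield_id and url is None:
            findings.append("Shield entry has no update URL")
        if ext_id == OLD_WEBCAM_ID:
            findings.append("old WebCam extension is still force-installed")
    if shield_id not in seen:
        findings.append("Shield extension is not force-installed")
    return findings


# Constructed sample list: Shield configured correctly, old WebCam left behind.
SAMPLE = [
    SHIELD_ID + ";https://example.invalid/updates.xml",
    OLD_WEBCAM_ID,
]

if __name__ == "__main__":
    for finding in review_forcelist(SAMPLE):
        print(finding)
```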
GAT Shield Extension ID and URL
The GAT Shield extension ID and URL information are displayed in the GAT Shield Console that is launched from GAT+
See instructions below
Launch GAT+. On the top left, click on the GAT+ icon; a menu will be displayed. Then select GAT Shield.
Next, under the Help section, select Extensions Deployment – the extension ID and URL and Webcam URL will be displayed.
Allow GAT Shield Extension via Firewall
Note: Depending on your Firewall setup, there might be restrictions in place that block traffic to Shield.
Please check your Firewall settings and allow the following URLs:
For US (Global) domains (no prefix) – US (default) environment
- https://alert-shield.generalaudittool.com
- https://urlaccess-shield.generalaudittool.com
- https://activeid.generalaudittool.com
- https://shield.generalaudittool.com
For EU domains (eu- prefix) – EU environment
- https://eu-alert-shield.generalaudittool.com
- https://eu-urlaccess-shield.generalaudittool.com
- https://eu-activeid.generalaudittool.com
- https://eu-shield.generalaudittool.com
Lastly, for UK domains (uk- prefix) – UK environment
- https://uk-alert-shield.generalaudittool.com
- https://uk-urlaccess-shield.generalaudittool.com
- https://uk-activeid.generalaudittool.com
- https://uk-shield.generalaudittool.com
These URLs must be reachable and not blocked by the Firewall.
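An added example (not GAT's code): a check to run from inside the school network that builds the four Shield hostnames for a region from the prefixes listed above and reports why an HTTPS connection fails, if it does. The result labels are this example's own.

```python
import socket
import ssl

SERVICES = ("alert-shield", "urlaccess-shield", "activeid", "shield")
REGION_PREFIX = {"us": "", "eu": "eu-", "uk": "uk-"}  # prefixes from this page
DOMAIN = "generalaudittool.com"


def shield_hosts(region):
    """Return the Shield hostnames that must be allowed for a region."""
    prefix = REGION_PREFIX[region.lower()]
    return [f"{prefix}{service}.{DOMAIN}" for service in SERVICES]


def check_host(host, timeout=5.0):
    """Try a verified TLS handshake to host:443 and classify the outcome."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return "ok"
    except socket.gaierror:
        return "dns-failure"
    except ssl.SSLCertVerificationError:
        # Often a filtering proxy presenting its own certificate.
        return "tls-cert-rejected"
    except ssl.SSLError:
        return "tls-failure"
    except TimeoutError:
        return "timeout"
    except OSError:
        return "connection-blocked"


if __name__ == "__main__":
    for host in shield_hosts("eu"):
        print(f"{host}: {check_host(host)}")
```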
Force Install Extension Org Unit inheritance explained
Note: If you install Shield on a sub-OU, make sure it is set to ‘Force install Inherited from the domain’.
You can click on the extension ID, select “Force install” and Save.
When it is set up as ‘Default – Inherited from Google default’, Shield might not be active on the selected OU.
Finally, displaying Serial Numbers within the GAT Shield Console is available only for licensed enterprise-enrolled devices.