Deploying the GAT Shield Chrome Extension #
In this document, we will cover the deployment steps of the GAT Shield extension.
To start, navigate to the Google Admin console and log in.
In the Admin Console, click on Devices.
From the menu on the left, navigate to Devices > Chrome > Apps & extensions, then click on Users & browsers.
A new page will be displayed.
Install #
To install the GAT Shield extension, choose the root Org Unit or the sub-OU where you want to deploy Shield.
On the bottom right side click on the Yellow + button
Select the Add the Chrome app or extension by ID option.
NOTE: A pop-up window will be displayed, select From a custom URL option.
Enter the Extension ID and URL of either the Open User Interface or the Closed User Interface extension. Only one version is required.
NOTE: The ID and URL can be found in Shield under Help – Extensions deployment
Click Save.
The Shield Extension is now installed.
On the newly installed extension, hover over “Installation policy”, click on it and select “Force install”.
Click on the Extension again and a pop-up window will be shown on the right side.
Under “Permissions and URL access”, click on the field and select “Allow all permissions”.
Click on the Save button on the top right.
Data Regions #
GATLabs uses the Google Cloud Platform (GCP) to store data and metadata. The primary default data region is the USA but if you wish to store your data in another region of GCP like the United Kingdom or EU (European Union) you will have to take additional steps in the deployment process for the GAT Shield extension.
Important: IF YOU WANT TO RUN GAT SHIELD IN UK or EU ENVIRONMENT PLEASE CONTACT US AT SUPPORT@GATLABS.COM BEFOREHAND
Available data regions
- USA – United States
- UK – United Kingdom
- EU – European Union
Under the heading Policy for Extension.
Enter the code below for the UK data region
{"region":{"Value":"UK"}}
Enter the code below for the EU data region
{"region":{"Value":"EU"}}
Managed Guest Sessions and Data Region #
If you are planning to use the GAT Shield extension on Managed Guest Sessions (MGS) and you wish to send data to the GCP region in the UK or EU, you need to enter the following code:
Under the heading Policy for Extension.
Enter the code below for the UK data region
{"domain":{"Value":"my_own_domain_name.xyz"},"region":{"Value":"UK"}}
Enter the code below for the EU data region
{"domain":{"Value":"my_own_domain_name.xyz"},"region":{"Value":"EU"}}
Replace “my_own_domain_name.xyz” with your own domain name, for example “domain.com”.
Deploying the GAT Shield Chrome Extension on Managed Guest Sessions (MGS) #
If you have Google Chromebooks that allow guests to log in and Managed Guest Session is enabled, you can capture activity by these anonymous users and keep them safe from inappropriate content as they browse.
To learn more about deploying GAT Shield on Google Workspace Managed Guest Sessions please click on this post.
Deploying GAT Shield Extension using Microsoft Group Policy Objects (GPO) #
Apply the Chrome ADMX Group Policy: https://support.google.com/chrome/a/answer/187202?hl=en#zippy=%2Cwindows
Then, in the Chrome policies, set the extension to be force-installed under:
Computer Configuration > Policies > Extensions > Configure the list of force-installed apps and extensions
You then need to add the details of the extension to install. This can be either the Open or Closed extension.
See the ‘Two versions of GAT Shield Explained’ section below, and your GAT Shield Admin console for the details of the “extension id” and “URL”.
Choose the Open UI or Closed version (but not both).
You can then apply the policy to the group of computers or users it is intended for.
User & browsers settings #
We recommend enabling some settings on the domain to prevent users (students) from interfering with Shield and any other extensions.
Enable these settings in Devices > Chrome > Settings > Users & browsers
Some of these settings are mandatory.
Apps and Extensions #
On the page selected above, scroll down to the Apps and Extensions area, find the Task Manager setting and switch it to Block users from ending processes with the Chrome Task Manager.
Description: Task Manager can be used to tamper with the Chrome browser’s normal operations.
User experience #
On the same page scroll down to User Experience
User & Browser settings > User Experience
The following settings are highly recommended for schools using enrolled Chromebooks.
These settings prevent students from bypassing the network firewall and installing Android apps like VPNs and other web browsers on their Chromebooks.
- Multiple Sign in access – Block multiple sign-in access for users in this organization
- Sign in to secondary accounts – Block users from signing in to or out of secondary Google accounts
In User experience scroll also to Developer tools and set it to “Never allow use of built-in developer tools”
Description: Developer tools can be used to disable extensions. Google also recommends disabling these tools in most cases.
Security #
The following three options are recommended for schools with enrolled Chromebooks. These settings prevent students from bypassing or tampering with the GAT Shield extension.
Scroll down to the Security tab
Find and apply the settings
- Incognito Mode – Disallow Incognito mode.
- Description: In incognito mode, the extensions do not work
- Browser history – Always save browser history.
- Description: Saving browser history is recommended so when incidents occur there is an audit trail that can be investigated by staff members.
- Clear Browser History – Do not allow clearing history in the settings menu.
- Description: The ability to clear browser history on the Chrome Browser may allow users to tamper with GAT Shield Browser reporting features.
Content #
Scroll down further to the Content tab
- Screenshot – set it to Allow users to take screenshots.
Description: Disabling screenshots will cause problems with GAT Shield Alerting functionality.
When all of the settings are set up make sure they are saved by clicking on the “Save” button on the top right.
Configure Device Settings #
We recommend that these options be configured on your domain for your Chrome devices. Not all are mandatory.
From the Google Admin console navigate to:
Devices > Chrome > Settings > Devices
In the left sidebar, select the OU that contains your Chromebooks, then configure the following policies to match these values.
Enrollment and access #
- Configure the Enrollment and access
- Set Forced re-enrollment – automatically re-enroll after a wipe
- Set Verified access to Enable for content protection.
- Set Verified mode to Require verified mode boot for verified access.
Sign-in settings #
On the same page scroll down to Sign-in settings
- Guest mode – Disable guest mode
- Sign-in restrictions – Restrict sign-in to a list of users
- Add an allowed list
When done with the changes click on the “Save” button on the top right.
Two versions of GAT Shield Explained #
The Open User Interface extension allows the Chrome user to see their own activity information while using the Chrome browser.
This includes where and how they are spending their time and other useful details about their Chrome environment.
This version is also a recommended way for Teachers to monitor their students’ online activity.
The Closed User Interface will only display a grey GAT Shield icon but the end-user can’t access it.
When the Shield extension is deployed, every user who logs into their Chrome Browser with their domain credentials will have the extension automatically synchronized.
The Chrome user cannot override this setting.
Important note: Deploy only one of the Shield extensions, Closed or Open UI. Do not deploy both extensions within the same Org Units as this may cause interference.
WebCam capture – Extension URL #
If you wish to capture webcam images when Shield rules are triggered then you will need to enable Video-input-allowed URLs and add the Shield URLs
This setting can be enabled in Devices > Chrome > Settings > Users & browsers
Then scroll down and navigate to Hardware then to Video-input-allowed URLs
Add the WebCam URL then click Save on the top right.
The unique ID and URLs are displayed in the GAT Shield Console – see below (GAT Shield extension ID and URL)
Remove old WebCam extension #
The old WebCam extension is no longer needed. Please remove it.
- webcamID: lncmmomdcmcilmblgmnlinenbinjklgg
Find the extension above and remove it.
GAT Shield Extension ID and URL #
The GAT Shield extension ID and URL information are displayed in the GAT Shield Console that is launched from GAT+
See instructions below
Launch GAT+. On the top left, click on the GAT+ icon; a menu will be displayed. Then select GAT Shield.
Under the Help section, select Extensions Deployment – the extension ID and URL and Webcam URL will be displayed.
Allow GAT Shield Extension via Firewall #
Note: Depending on your firewall setup, there might be restrictions in place that do not allow traffic to Shield.
Please check your Firewall settings and allow the following URLs:
For US (Global) domains (no prefix) – US (default) environment
- https://alert-shield.generalaudittool.com
- https://urlaccess-shield.generalaudittool.com
- https://activeid.generalaudittool.com
- https://shield.generalaudittool.com
For EU domains (eu- prefix) – EU environment
- https://eu-alert-shield.generalaudittool.com
- https://eu-urlaccess-shield.generalaudittool.com
- https://eu-activeid.generalaudittool.com
- https://eu-shield.generalaudittool.com
For UK domains (uk- prefix) – UK environment
- https://uk-alert-shield.generalaudittool.com
- https://uk-urlaccess-shield.generalaudittool.com
- https://uk-activeid.generalaudittool.com
- https://uk-shield.generalaudittool.com
These URLs must be reachable and not blocked by the Firewall.
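An added example (not GAT Labs code) that ties the Data Regions policy to the firewall list above: it validates a “Policy for Extension” JSON string before it is pasted into the Admin console and returns the URLs the firewall must allow for that region. The function names, the treatment of an empty policy as the default US region, and the mapping of a policy region to the same-named URL prefix are assumptions made for this example.

```python
import json
import socket

STEMS = ("alert-shield", "urlaccess-shield", "activeid", "shield")  # from this page
PREFIX = {"US": "", "EU": "eu-", "UK": "uk-"}  # region -> hostname prefix
PLACEHOLDER = "my_own_domain_name.xyz"

def check_policy(text, managed_guest=False):
    """Validate a 'Policy for Extension' JSON string; return (region, problems)."""
    if not text.strip():
        return "US", []  # assumption: an empty policy means the default US region
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return None, ["policy must be a JSON object"]
    problems, values = [], {}
    for key, entry in policy.items():
        if key not in ("region", "domain"):
            problems.append(f"unexpected key {key!r}")
        elif not isinstance(entry, dict) or not isinstance(entry.get("Value"), str):
            problems.append(f'{key!r} must look like {{"Value": "..."}}')
        else:
            values[key] = entry["Value"]
    region = values.get("region")
    if "region" not in policy:
        problems.append("missing 'region' entry")
    elif region is not None and region not in ("UK", "EU"):
        problems.append(f"region {region!r} is not UK or EU")
    if managed_guest:
        domain = values.get("domain", "")
        if not domain or domain == PLACEHOLDER or "." not in domain:
            problems.append("Managed Guest Sessions need your real domain name")
    return (None if problems else region), problems

def required_urls(region):
    """URLs the firewall must allow for a region (US, EU or UK)."""
    return [f"https://{PREFIX[region]}{stem}.generalaudittool.com" for stem in STEMS]

def blocked_hosts(region, timeout=3.0):
    """Hosts refusing a TCP connection on port 443 (does not test TLS or content filters)."""
    failed = []
    for host in (url.split("//", 1)[1] for url in required_urls(region)):
        try:
            socket.create_connection((host, 443), timeout=timeout).close()
        except OSError:
            failed.append(host)
    return failed
```

Run `blocked_hosts("EU")` (or the region returned by `check_policy`) from a machine on the same network segment as the Chromebooks; an empty list only shows that port 443 is reachable.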
Force Install Extension Org Unit inheritance explained #
Note: If you install Shield on a sub-OU, make sure it is set to ‘Force install Inherited from the domain’.
You can click on the extension ID, select “Force install” and Save.
When it is set up as ‘Default – Inherited from Google default‘ – Shield might not be active on the selected OU.
Displaying Serial Numbers within GAT Shield Console is available only for licensed enterprise enrolled devices.