Deploy GAT Shield for Managed Guest Sessions

Managed Guest Sessions #

With managed guest sessions, multiple users can share the same device running Chrome OS without having to sign in to their Google Account.

For example:

Use managed guest sessions to configure Chrome devices as loaner devices, or shared computers.

With managed guest sessions, your users can have a full browsing experience and access multiple websites in windowed mode, not full-screen.

GAT Shield on Managed Guest Session #

GAT Shield can be set up and enabled for Managed Guest Session 

Prerequisite #

Chromebooks must be enrolled and the Managed Guest Session must be enabled for the chosen Device Org. Unit.

These settings can be found in the Google Workspace admin console

Go to Menu ""and then Devices > Chrome > Settings > Managed guest sessions settings

From the General tab > Managed guest session

In Configuration > select Allow managed guest sessions and enter the session name.

Session name to display on login screen*

Deploy GAT Shield on Managed Guest Session (MGS) #

Within Google’s Workspace admin console, navigate to Devices → Chrome → Apps and Extensions → Users & browsers 

Select the OU where you want to deploy the Managed Guest Session

Select the Organizational Unit and then click on the plus + button.

Enter ID and URL #

Select the option “Add Chrome app or Extension by ID”. 

Enter the ID and URL of the Open version or Closed version of GAT Shield.

Find the ID and URL #

You can find these values in the GAT Shield console under the setting “Extensions Deployment”

Pop up window will be displayed with Extension deployment details: Extension ID and URL

When the Extension ID and URL are added click on the “Save” button.

Enable extension on domain #

Click on the Extension and a pop-up side menu will be displayed:

  • Installation policy > Force install 
  • Permissions and URL access >Allow all permissions“.
  • Policy for extensions > {"domain":{"Value":""}}

For example, our domain is called so the policy would look like this:

Replace ‘’ with your own domain name.


Make sure to SAVE everything before leaving the section. 

Results  #

When Shield is enabled for Managed Guest Session, the users will be displayed in the Shield console as anonymous-ChromeOS serial”

Within the GAT Shield console, anonymous users on Managed Guest Sessions will appear without an email address and the text “anonymous-(serial. n)”.

The extensive reporting now available for MGS is described here.

We recommend completing the setup before returning to this specific use case.