Last active
December 5, 2020 09:44
Revisions
-
jamesmacwhite revised this gist
Dec 5, 2020 . 1 changed file with 5 additions and 5 deletions.
@@ -30,33 +30,33 @@ Adjust the path to wherever you actually saved it locally if not the Downloads f ## What policies are written by these example payloads? * AllowDinosaurEasterEgg – `true` (Why not, I like dinosaurs) * ExtensionInstallForcelist - `[]` Replaced with an empty array, to prevent the installation or enabling of any forced extensions. * ForceGoogleSafeSearch – `false` * ForceYouTubeRestrict – `0` (YouTube restriced mode is disabled) * HomepageIsNewTabPage – `true` * HomepageLocation – `https://www.google.co.uk` * IncognitoModeAvailablity – `0` (Enables incognito mode) * NewTabPageLocation – `https://www.google.co.uk` * RestoreOnStartup – `5` (Open new tab) * RestoreOnStartupURLs - `[]` Replaced with an empty array to avoid any URLs being forced to open on startup. * SafeBrowsingEnabled - `0` (Off) * SafeSitesFilterBehaviour – `0` (Off) Supplying an empty array as the value for policies which use the array format is a quick way of basically cancelling out the existing policy being set. This is useful for policies like `ExtensionInstallForcelist` and `ExtensionInstallBlocklist` You can find [all Google Chrome policies](https://cloud.google.com/docs/chrome-enterprise/policies) that can be configured. The values I have used are for my own purposes, feel free to modify or add your own. ## Did it work? Open your Chrome profile and put `chrome://policy` in the address bar. Click "Reload policies" if Chrome was already open when you applied the policy. You should see various policies as above either set or overriden by the local one's if an existing policy was present. Because these are system wide at the local level, they cancel out cloud policies because of the conflict. Mission accomplished. Note: Because these policies are set at the machine level, they will apply to any Google Chrome profile for any user, be mindful of that. ## WTF has this done to my computer? 
**For Windows**, it will load specific keys and values into the Windows registry within the path outlined in `HKEY_LOCAL_MACHINE`. This is a place that everyone tells you not to mess with, but that's because everyone makes it sound like only cool hackers should be touching it. Really anyone and their mum can change the Windows registry if they wanted (if you have admin rights), it's just if you do change something you shouldn't, your Windows machine isn't going to be happy and possibly not boot anymore, so don't be stupid. Ideally, just run the .reg file and it's all good. Don't go changing those one's and zero's you madman/madlass or mad non binary person (being inclusive). **For MacOS**, overriding policies in Google Chrome is a bit more of a pain in the arse because of the levels in play. Windows allows you to override at the machine level quite easily, MacOS by default will be the user level and that's not high enough. BUGGER. So the solution is you need to GET ON MY LEVEL. We basically load in our own system profile configuration with a custom payload targeting Google Chrome. Normally this stuff happens in organisations with fancy deployment systems that sysadmins like to feel all important about, but here we are just downloading some .mobileconfig file and using command line to apply it. YEAH, WHERE IS YOUR SCM NOW? **My policy is better than yours.** -
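Review bot: In the policy list of this README hunk, two names do not match the keys the gist's .mobileconfig writes: `IncognitoModeAvailablity` should be `IncognitoModeAvailability` and `SafeSitesFilterBehaviour` should be `SafeSitesFilterBehavior`. Anyone copying a name from this list into their own payload gets a key Chrome will not recognise, so the list should use the payload's spelling. `SafeBrowsingEnabled` is also listed as `0` while the payload sets the boolean `<false/>`; list it as `false`. Minor: "restriced" and "overriden" are misspelt.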
jamesmacwhite revised this gist
Dec 2, 2020 . 1 changed file with 1 addition and 1 deletion.
@@ -48,7 +48,7 @@ <key>PayloadIdentifier</key> <string>com.github.erikberglund.ProfileCreator.92D63217-6294-4CA3-A0F7-6F3A69C9D33F</string> <key>PayloadOrganization</key> <string>Not your IT department</string> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> -
jamesmacwhite revised this gist
Dec 1, 2020 . 1 changed file with 5 additions and 3 deletions.
@@ -1,10 +1,12 @@ # How to override Google Chrome Cloud policies Google Chrome `Managed by somecompany.com`? Is your organisation forcing extensions or specific Chrome settings in your work profile that are just getting in the way? NOT ANYMORE. Time to fight the cloud with machines policies! It should be obvious, but you will need either full administrator or sudo rights to do this. Obviously if you are trying to do this on a managed machine controlled by your organisation, don't be a noob. If however you find some organisation policies creeping in on personal or non managed devices. RISE UP. Follow the guidance below, depending on your environment, the instructions and payload needed differ. **DISCLAIMER:** If you get in trouble or your arse fired for subverting organisational policies, RIP, but these are just the tools required, you have to use them, so it is on you. BUT YOU WANT THAT SWEET INCOGNITO MODE THO RIGHT? Why do organisations typically block incognito mode? Well... Because Google Chrome extensions can't track you because Google won't let extensions run in incognito mode by default IRONY LOL. Of course incognito mode still means your actual traffic is probably being slurrped by your ISP, GCHQ, FBI, NSA and your mum though. Better just turn the computer off now. I was also 100% drunk while writing this. [60% of the time, it works every time](https://www.youtube.com/watch?v=IKiSPUc2Jck). -
jamesmacwhite revised this gist
Dec 1, 2020 . 1 changed file with 1 addition and 1 deletion.
@@ -18,7 +18,7 @@ With MacOS, you have to be a bit more creative, due to the default level being u ```zsh cd ~/Downloads wget https://gist.github.com/jamesmacwhite/c30a310e33e68842a6ab132aafd68be7/raw/4803dd1f26962ff04d13e805d36e38ee1aa7fcbd/google_chrome_overrides.mobileconfig sudo -s /usr/bin/profiles -I -F ~/Downloads/google_chrome_overrides.mobileconfig ``` -
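Review bot: In the zsh block, `sudo -s /usr/bin/profiles -I -F ...` runs the install through a root shell where plain `sudo /usr/bin/profiles -I -F ...` would do, and the line before it depends on `wget`, which a stock macOS install does not include; `curl -LO` with the same URL avoids the extra dependency. Since the profile is unsigned and is installed as root straight after download, the instructions should also tell the reader to open the downloaded file and check its keys before running the install line. The raw URL is pinned to a revision hash, so this line has to be updated every time the payload changes.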
jamesmacwhite revised this gist
Dec 1, 2020 . 1 changed file with 9 additions and 8 deletions.
@@ -27,17 +27,18 @@ Adjust the path to wherever you actually saved it locally if not the Downloads f ## What policies are written by these example payloads? * AllowDinosaurEasterEgg – `true` (Why not, I like dinosaurs) * ExtensionInstallForcelist - `[]` Replaced with a blank key, to prevent the installation or enabling of any forced extensions * ForceGoogleSafeSearch – `false` * ForceYouTubeRestrict – `0` (YouTube restriced mode is disabled) * HomepageIsNewTabPage – `true` * HomepageLocation – `https://www.google.co.uk` * IncognitoModeAvailablity – `0` (Enables incognito mode) * NewTabPageLocation – `https://www.google.co.uk` * RestoreOnStartup – `5` (Open new tab) * RestoreOnStartupURLs - `[]` Replaced with a blank key to avoid any URLs being forced to open on startup * SafeBrowsingEnabled - `0` (Off) * SafeSitesFilterBehaviour – `0` (Off) Supplying an empty array for policies which use the array format is a shortcut way of basically zeroing the policy. 
@@ -51,16 +52,16 @@ Note: Because these policies are set at the machine level, they will apply to an ## WTF has this done to my computer? **For Windows**, it will load specific keys and values into the Windows registry within the path outlined in `HKEY_LOCAL_MACHINE`. This is a place that everyone tells you not to mess with, but that's because everyone makes it sound like only cool hackers should be touching it. Really anyone and their mum can change the Windows registry if they wanted (if you have admin rights), it's just if you do change something you shouldn't, your Windows machine isn't going to be happy and possibly not boot anymore, so don't be stupid. Ideally, just run the .reg file and it's all good. Don't go changing those one's and zero's you madman/madlass or mad non binary person (being inclusive). **For MacOS**, overriding policies in Google Chrome is a bit more of a pain in the arse because of the levels in play. Windows allows you to override the machine level, MacOS by default will be the user level and that's not high enough. BUGGER. So the solution is you need to GET ON MY LEVEL. We basically load in our own system profile configuration with a custom payload targeting Google Chrome. Normally this stuff happens in organisations with fancy deployment systems that sysadmins like to feel all important about, but here we are just downloading some .mobileconfig file and using command line to apply it. YEAH, WHERE IS YOUR SCM NOW? **My policy is better than yours.** ## Acknowledgements * [Some person on StackOverflow](https://stackoverflow.com/questions/38206916/mandatory-chrome-policies-on-mac) - KNOWS WHAT'S GOING DOWN IN MACOS LAND. * Various people I work with - So I could look cool when giving them the power of incognito mode back on their devices. I have ascended. * My mum and dad - For bringing me into this world. * The ginger cat - That keeps breaking into my house, but keeps me alert at night. 
* Me - For being motivated enough to figure this out and be that annoyed with policies in a web browser. TRIGGERED. -
jamesmacwhite revised this gist
Dec 1, 2020 . 1 changed file with 4 additions and 4 deletions.
@@ -33,14 +33,14 @@ <integer>0</integer> <key>NewTabPageLocation</key> <string>https://www.google.co.uk</string> <key>RestoreOnStartup</key> <integer>5</integer> <key>RestoreOnStartupURLs</key> <array/> <key>SafeBrowsingEnabled</key> <false/> <key>SafeSitesFilterBehavior</key> <integer>0</integer> </dict> </array> <key>PayloadDisplayName</key> -
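Review bot: `<key>SafeBrowsingEnabled</key> <false/>` in this payload switches Safe Browsing off, and with `PayloadScope` set to `System` that applies to every Chrome profile on the machine. That goes beyond cancelling forced extensions or re-enabling incognito mode, so I would drop the key from the example payload, or have the README call out that it removes phishing and malware warnings for all users.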
jamesmacwhite revised this gist
Dec 1, 2020 . 1 changed file with 17 additions and 17 deletions.
@@ -5,14 +5,6 @@ <key>PayloadContent</key> <array> <dict> <key>PayloadDisplayName</key> <string>Google Chrome</string> <key>PayloadIdentifier</key> @@ -25,22 +17,30 @@ <string>0C466998-FB7E-4EB1-B958-7125EB716C60</string> <key>PayloadVersion</key> <integer>1</integer> <key>AllowDinosaurEasterEgg</key> <true/> <key>ExtensionInstallForcelist</key> <array/> <key>ForceGoogleSafeSearch</key> <false/> <key>ForceYouTubeRestrict</key> <integer>0</integer> <key>HomepageIsNewTabPage</key> <true/> <key>HomepageLocation</key> <string>https://www.google.co.uk</string> <key>IncognitoModeAvailability</key> <integer>0</integer> <key>NewTabPageLocation</key> <string>https://www.google.co.uk</string> <key>SafeBrowsingEnabled</key> <false/> <key>SafeSitesFilterBehavior</key> <integer>0</integer> <key>RestoreOnStartup</key> <integer>5</integer> <key>RestoreOnStartupURLs</key> <array/> </dict> </array> <key>PayloadDisplayName</key> -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 2 additions and 0 deletions.
@@ -47,6 +47,8 @@ You can find [all Google Chrome policies](https://cloud.google.com/docs/chrome-e Open your Chrome profile and put `chrome://policy` in the address bar. Click "Reload policies" if Chrome was already open when you applied the policy. You should see various policies as above either set or overriden by the local one's if an existing policy was present. Because these are system wide at the local level, they cancel out cloud policies because of the conflict. Mission accomplished. Note: Because these policies are set at the machine level, they will apply to any Google Chrome profile, be mindful of that. ## WTF has this done to my computer? For Windows, it will load specific keys and values into the Windows registry within the path outlined in `HKEY_LOCAL_MACHINE`. This is a place that everyone tells you not to mess with, but that's because everyone makes it sound like only 1337 hackers should be touching it. Really anyone and their mum can change the Windows registry if they wanted (if you have admin rights), it's just if you do change something you shouldn't, your Windows machine isn't going to be happy and possibly not boot anymore, so don't be stupid. Ideally, just run the .reg file and it's all good. Don't go changing those one's and zero's you madman/madlass or mad non binary person (being inclusive). -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 4 additions and 4 deletions.
@@ -57,8 +57,8 @@ For MacOS, overriding policies in Google Chrome is a bit more of a pain in the a ## Acknowledgements * [Some guy on StackOverflow](https://stackoverflow.com/questions/38206916/mandatory-chrome-policies-on-mac) - KNOWS WHAT'S GOING DOWN IN MAC LAND. * Various people I work with - So I could look cool when giving them the power of incognito mode back on their devices. * My mum and dad - For bringing me into this world * The ginger cat - That keeps breaking into my house, but keeps me alert at night. * Me - For being motivated enough to figure this out and be that annoyed with policies in a web browser. TRIGGERED. -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 16 additions and 8 deletions.
@@ -2,21 +2,19 @@ Google Chrome `Managed by somecompany.com`? Is your organisation forcing extensions or specific Chrome settings in your work profile that are just getting in the way? NOT ANYMORE. Time to go nuclear. It should be obvious, but you will need either full administrator or sudo rights to do this. Obviously if you are trying to do this on a managed machine by your organisation, don't be a noob. If however you find some organisation policies creeping in on personal or non managed devices. RISE UP. Follow the guidance below, depending on your environment, the instructions and payload needed differ. **DISCLAIMER:** If you get in trouble or your arse fired for subverting organisational policies, RIP, but these are just the tools required, you have to use them, so it is on you. BUT YOU WANT THAT SWEET INCOGNITO MODE THO RIGHT? Why do organisations block this mode? Well... Because your organisations extensions can't track you because Google won't let extensions run in incognito mode by default IRONY LOL. Of course incognito mode still means your actual traffic is probably being slurrped by your ISP, GCHQ, FBI, NSA and your mum though. Better just turn the computer off now. I was also 100% drunk while writing this. [60% of the time, it works every time](https://www.youtube.com/watch?v=IKiSPUc2Jck). ### Windows Download and save the `google_chrome_overrides.reg` file and run it (you'll need to be an administrator to write to the registry hive). The registry file will write various keys and values to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome` path. More details below. ### MacOS With MacOS, you have to be a bit more creative, due to the default level being user level, this is not high enough in the chain to override existing cloud policies. Download and save the .mobileconfig file and then deploy with the following command: ```zsh cd ~/Downloads 
@@ -43,6 +41,8 @@ Adjust the path to wherever you actually saved it locally if not the Downloads f Supplying an empty array for policies which use the array format is a shortcut way of basically zeroing the policy. You can find [all Google Chrome policies](https://cloud.google.com/docs/chrome-enterprise/policies) that can be configured. The values I have used are for my own purposes, feel free to modify or add your own. ## Did it work? Open your Chrome profile and put `chrome://policy` in the address bar. Click "Reload policies" if Chrome was already open when you applied the policy. You should see various policies as above either set or overriden by the local one's if an existing policy was present. Because these are system wide at the local level, they cancel out cloud policies because of the conflict. Mission accomplished. 
@@ -53,4 +53,12 @@ For Windows, it will load specific keys and values into the Windows registry wit For MacOS, overriding policies in Google Chrome is a bit more of a pain in the arse because of the levels in play. Windows allows you to override the machine level, MacOS by default will be the user level and that's not high enough. BUGGER. So the solution is you need to GET ON MY LEVEL. We basically load in our own system profile configuration with a custom payload targeting Google Chrome. Normally this stuff happens in organisations with fancy deployment systems that sysadmins like to feel all important about, but here we are just downloading some .mobileconfig file and using command line to apply it. YEAH, WHERE IS YOUR SCM NOW? **My policy is better than yours.** ## Acknowledgements * [Someone on StackOverflow](https://stackoverflow.com/questions/38206916/mandatory-chrome-policies-on-mac) - Explaining why MacOS is a cheeky casual and makes it harder to set Mandatory policies. * Various people I work with - So I could look cool when giving them the power of incognito mode back on their devices. * My mum - For bringing me into this world * Me - For being motivated enough to figure this out and be that annoyed with policies in a web browser * The ginger cat - Keeps breaking into my house, but keeps me sharp. -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 1 addition and 0 deletions.
@@ -19,6 +19,7 @@ Download and save the `google_chrome_overrides.reg` file and run it (you'll need With MacOS, you have to be a bit more creative, due to the default level of policies being user level, these aren't high enough in the chain to override cloud policies. Download and save the .mobileconfig file and then deploy with the following command: ```zsh cd ~/Downloads wget https://gist.github.com/jamesmacwhite/c30a310e33e68842a6ab132aafd68be7/raw/b046257e1bb8d906b7375215df68d63a989a17b8/google_chrome_overrides.mobileconfig sudo -s /usr/bin/profiles -I -F ~/Downloads/google_chrome_overrides.mobileconfig -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 1 addition and 0 deletions.
@@ -19,6 +19,7 @@ Download and save the `google_chrome_overrides.reg` file and run it (you'll need With MacOS, you have to be a bit more creative, due to the default level of policies being user level, these aren't high enough in the chain to override cloud policies. Download and save the .mobileconfig file and then deploy with the following command: ```zsh wget https://gist.github.com/jamesmacwhite/c30a310e33e68842a6ab132aafd68be7/raw/b046257e1bb8d906b7375215df68d63a989a17b8/google_chrome_overrides.mobileconfig sudo -s /usr/bin/profiles -I -F ~/Downloads/google_chrome_overrides.mobileconfig ``` -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 1 addition and 0 deletions.
@@ -19,6 +19,7 @@ Download and save the `google_chrome_overrides.reg` file and run it (you'll need With MacOS, you have to be a bit more creative, due to the default level of policies being user level, these aren't high enough in the chain to override cloud policies. Download and save the .mobileconfig file and then deploy with the following command: ```zsh sudo -s /usr/bin/profiles -I -F ~/Downloads/google_chrome_overrides.mobileconfig ``` -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 1 addition and 1 deletion.
@@ -24,7 +24,7 @@ With MacOS, you have to be a bit more creative, due to the default level of poli Adjust the path to wherever you actually saved it locally if not the Downloads folder. Once this profile is installed, this will override Google Chrome policies locally. Nice. This payload isn't signed, but what you see in the .mobileconfig is what it is, a single payload for Google Chrome, not some malware or crypto mining software. Relax. ## What policies are written by these example payloads? * ExtensionInstallForcelist - `[]` Replaced with a blank key, to prevent the installation or enabling of any forced extensions * RestoreOnStartupURLs - `[]` Replaced with a blank key to avoid any URLs being forced to open on startup -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 5 additions and 3 deletions.
@@ -19,14 +19,14 @@ Download and save the `google_chrome_overrides.reg` file and run it (you'll need With MacOS, you have to be a bit more creative, due to the default level of policies being user level, these aren't high enough in the chain to override cloud policies. Download and save the .mobileconfig file and then deploy with the following command: ```zsh /usr/bin/profiles -I -F ~/Downloads/google_chrome_overrides.mobileconfig ``` Adjust the path to wherever you actually saved it locally if not the Downloads folder. Once this profile is installed, this will override Google Chrome policies locally. Nice. This payload isn't signed, but what you see in the .mobileconfig is what it is, a single payload for Google Chrome, not some malware or crypto mining software. Relax. ## What policies are written by these payloads? * ExtensionInstallForcelist - `[]` Replaced with a blank key, to prevent the installation or enabling of any forced extensions * RestoreOnStartupURLs - `[]` Replaced with a blank key to avoid any URLs being forced to open on startup * AllowDinosaurEasterEgg – `true` (Why not, I like dinosaurs) * ForceGoogleSafeSearch – `false` 
@@ -38,6 +38,8 @@ Adjust the path to wherever you actually saved it locally if not the Downloads f * RestoreOnStartup – `5` (Open new tab) * SafeSitesFilterBehaviour – Set to `0` Supplying an empty array for policies which use the array format is a shortcut way of basically zeroing the policy. ## Did it work? Open your Chrome profile and put `chrome://policy` in the address bar. Click "Reload policies" if Chrome was already open when you applied the policy. You should see various policies as above either set or overriden by the local one's if an existing policy was present. Because these are system wide at the local level, they cancel out cloud policies because of the conflict. Mission accomplished. -
jamesmacwhite revised this gist
Nov 30, 2020 . No changes.
-
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 0 additions and 1 deletion.
@@ -1,5 +1,4 @@ # How to override Google Chrome Cloud policies Google Chrome `Managed by somecompany.com`? Is your organisation forcing extensions or specific Chrome settings in your work profile that are just getting in the way? NOT ANYMORE. Time to go nuclear. -
jamesmacwhite revised this gist
Nov 30, 2020 . 1 changed file with 6 additions and 6 deletions.
@@ -1,5 +1,5 @@ # How to override Google Chrome Cloud policies #### Examples for Windows and MacOS Google Chrome `Managed by somecompany.com`? Is your organisation forcing extensions or specific Chrome settings in your work profile that are just getting in the way? NOT ANYMORE. Time to go nuclear. @@ -11,11 +11,11 @@ You can find [all Google Chrome policies](https://cloud.google.com/docs/chrome-e I was also 100% drunk writing this. It works 60% of the time, every time. ### Windows Download and save the `google_chrome_overrides.reg` file and run it (you'll need to be an administrator to write to the registry hive). The registry file will write various keys and values to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome` path. ### MacOS With MacOS, you have to be a bit more creative, due to the default level of policies being user level, these aren't high enough in the chain to override cloud policies. Download and save the .mobileconfig file and then deploy with the following command: 
@@ -25,7 +25,7 @@ With MacOS, you have to be a bit more creative, due to the default level of poli Adjust the path to wherever you actually saved it locally if not the Downloads folder. Once this profile is installed, this will override Google Chrome policies locally. Nice. It is isn't signed, but what you see in the .mobileconfig is what it is, a single payload for Google Chrome, not some malware or crypto mining software. Relax. ## What policies are written by these payloads? * ExtensionInstallForceList - `[]` Replaced with a blank key, to prevent the installation or enabling of any forced extensions * RestoreOnStartupURLs - `[]` Replaced with a blank key to avoid any URLs being forced to open on startup 
@@ -39,11 +39,11 @@ Adjust the path to wherever you actually saved it locally if not the Downloads f * RestoreOnStartup – `5` (Open new tab) * SafeSitesFilterBehaviour – Set to `0` ## Did it work? Open your Chrome profile and put `chrome://policy` in the address bar. Click "Reload policies" if Chrome was already open when you applied the policy. You should see various policies as above either set or overriden by the local one's if an existing policy was present. Because these are system wide at the local level, they cancel out cloud policies because of the conflict. Mission accomplished. ## WTF has this done to my computer? For Windows, it will load specific keys and values into the Windows registry within the path outlined in `HKEY_LOCAL_MACHINE`. This is a place that everyone tells you not to mess with, but that's because everyone makes it sound like only 1337 hackers should be touching it. Really anyone and their mum can change the Windows registry if they wanted (if you have admin rights), it's just if you do change something you shouldn't, your Windows machine isn't going to be happy and possibly not boot anymore, so don't be stupid. Ideally, just run the .reg file and it's all good. Don't go changing those one's and zero's you madman/madlass or mad non binary person (being inclusive). -
jamesmacwhite created this gist
Nov 30, 2020 .
@@ -0,0 +1,52 @@ # How to override Google Chrome Cloud policies ##### Examples for Windows and MacOS Google Chrome `Managed by somecompany.com`? Is your organisation forcing extensions or specific Chrome settings in your work profile that are just getting in the way? NOT ANYMORE. Time to go nuclear. It should be obvious, but you will need either full administrator or sudo rights to do this. Obviously if you are trying to do this on a managed machine, don't be a noob. If however you find some organisation policies creeping in on personal or non managed devices. Tell them to do one and follow the guidance below, depending on your operating system, the instructions and payload needed differ. You can find [all Google Chrome policies](https://cloud.google.com/docs/chrome-enterprise/policies) that can be defined through the example methods shown. The values I have used are for my own purposes, feel free to modify or add your own. **DISCLAIMER:** If you get in trouble or your arse fired for subverting organisational policies, RIP, but these are just the tools required, you have to use them, so it is on you. BUT YOU WANT THAT SWEET INCOGNITO MODE THO RIGHT? Why do organisations block this mode? Because your organisations extensions can't track you because Google won't let extensions run in incognito mode by default IRONY LOL. Of course incognito mode still means your actual traffic is probably being slurrped by your ISP, GCHQ, FBI, NSA and your mum though. Better just turn the computer off now. I was also 100% drunk writing this. It works 60% of the time, every time. #### Windows Download and save the `google_chrome_overrides.reg` file and run it (you'll need to be an administrator to write to the registry hive). The registry file will write various keys and values to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome` path. 
#### MacOS With MacOS, you have to be a bit more creative, due to the default level of policies being user level, these aren't high enough in the chain to override cloud policies. Download and save the .mobileconfig file and then deploy with the following command: ```zsh /usr/bin/profiles -I -F ~/Downloads/Google\ Chrome.mobileconfig ``` Adjust the path to wherever you actually saved it locally if not the Downloads folder. Once this profile is installed, this will override Google Chrome policies locally. Nice. It is isn't signed, but what you see in the .mobileconfig is what it is, a single payload for Google Chrome, not some malware or crypto mining software. Relax. ### What policies are written by these payloads? * ExtensionInstallForceList - `[]` Replaced with a blank key, to prevent the installation or enabling of any forced extensions * RestoreOnStartupURLs - `[]` Replaced with a blank key to avoid any URLs being forced to open on startup * AllowDinosaurEasterEgg – `true` (Why not, I like dinosaurs) * ForceGoogleSafeSearch – `false` * ForceYouTubeRestrict – `0` (YouTube restriced mode is disabled) * HomepageIsNewTabPage – `true` * HomepageLocation – `https://www.google.co.uk` * IncognitoModeAvailablity – `0` (Enables incognito mode) * NewTabPageLocation – `https://www.google.co.uk` * RestoreOnStartup – `5` (Open new tab) * SafeSitesFilterBehaviour – Set to `0` ### Did it work? Open your Chrome profile and put `chrome://policy` in the address bar. Click "Reload policies" if Chrome was already open when you applied the policy. You should see various policies as above either set or overriden by the local one's if an existing policy was present. Because these are system wide at the local level, they cancel out cloud policies because of the conflict. Mission accomplished. ### WTF has this done to my computer? For Windows, it will load specific keys and values into the Windows registry within the path outlined in `HKEY_LOCAL_MACHINE`. 
This is a place that everyone tells you not to mess with, but that's because everyone makes it sound like only 1337 hackers should be touching it. Really anyone and their mum can change the Windows registry if they wanted (if you have admin rights), it's just if you do change something you shouldn't, your Windows machine isn't going to be happy and possibly not boot anymore, so don't be stupid. Ideally, just run the .reg file and it's all good. Don't go changing those one's and zero's you madman/madlass or mad non binary person (being inclusive). For MacOS, overriding policies in Google Chrome is a bit more of a pain in the arse because of the levels in play. Windows allows you to override the machine level, MacOS by default will be the user level and that's not high enough. BUGGER. So the solution is you need to GET ON MY LEVEL. We basically load in our own system profile configuration with a custom payload targeting Google Chrome. Normally this stuff happens in organisations with fancy deployment systems that sysadmins like to feel all important about, but here we are just downloading some .mobileconfig file and using command line to apply it. YEAH, WHERE IS YOUR SCM NOW? **My policy is better than yours.** This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,61 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>ExtensionInstallForcelist</key> <array/> <key>HomepageIsNewTabPage</key> <true/> <key>HomepageLocation</key> <string>https://www.google.co.uk</string> <key>NewTabPageLocation</key> <string>https://www.google.co.uk</string> <key>PayloadDisplayName</key> <string>Google Chrome</string> <key>PayloadIdentifier</key> <string>com.github.erikberglund.ProfileCreator.92D63217-6294-4CA3-A0F7-6F3A69C9D33F.com.google.Chrome.0C466998-FB7E-4EB1-B958-7125EB716C60</string> <key>PayloadOrganization</key> <string></string> <key>PayloadType</key> <string>com.google.Chrome</string> <key>PayloadUUID</key> <string>0C466998-FB7E-4EB1-B958-7125EB716C60</string> <key>PayloadVersion</key> <integer>1</integer> <key>RestoreOnStartup</key> <integer>5</integer> <key>RestoreOnStartupURLs</key> <array/> <key>ForceGoogleSafeSearch</key> <false/> <key>SafeBrowsingEnabled</key> <false/> <key>IncognitoModeAvailability</key> <integer>0</integer> <key>ForceYouTubeRestrict</key> <integer>0</integer> <key>SafeSitesFilterBehavior</key> <integer>0</integer> <key>AllowDinosaurEasterEgg</key> <true/> </dict> </array> <key>PayloadDisplayName</key> <string>Google Chrome Overrides</string> <key>PayloadIdentifier</key> <string>com.github.erikberglund.ProfileCreator.92D63217-6294-4CA3-A0F7-6F3A69C9D33F</string> <key>PayloadOrganization</key> <string>Not Nottingham College</string> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>92D63217-6294-4CA3-A0F7-6F3A69C9D33F</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. 
To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,17 @@ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "IncognitoModeAvailability"=dword:00000000 "NewTabPageLocation"="https://www.google.co.uk" "HomepageIsNewTabPage"=dword:00000001 "RestoreOnStartup"=dword:00000005 "HomepageLocation"="https://www.google.co.uk" "ForceYouTubeRestrict"=dword:00000000 "ForceGoogleSafeSearch"=dword:00000000 "SafeSitesFilterBehavior"=dword:00000000 "AllowDinosaurEasterEgg"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\RestoreOnStartupURLs]
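Review bot: in the README hunk (`@@ -0,0 +1,52 @@`), the "What policies are written by these payloads?" list spells three policy names differently from the keys the two payload files write: `ExtensionInstallForceList`, `IncognitoModeAvailablity` and `SafeSitesFilterBehaviour` in the list, against `ExtensionInstallForcelist`, `IncognitoModeAvailability` and `SafeSitesFilterBehavior` in the .mobileconfig and the .reg. A reader who copies a name from the list into their own payload, or looks it up in the policy reference, gets a key that does not match, so the list should use the payload spelling. In the MacOS section, "It is isn't signed" should read "It isn't signed".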
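Review bot: the .mobileconfig hunk (`@@ -0,0 +1,61 @@`) sets `SafeBrowsingEnabled` to `<false/>` in a profile whose `PayloadScope` is `System`, and that key is neither in the README's policy list nor in the .reg file. The README tells readers that "what you see in the .mobileconfig is what it is", so a protection being switched off for every Chrome profile on the machine should at least be documented, and it is not needed for the stated goal of clearing forced extensions and enabling incognito mode. Suggest dropping the key, or adding it to the README list with its effect, so both platforms write the same documented set.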
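Review bot: the registry hunk (`@@ -0,0 +1,17 @@`) writes every value under `[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]`, which makes the settings machine-wide for every Windows user and Chrome profile on the device, and this revision gives no way to undo them. The README's Windows section only says to run the file. Suggest stating the machine-wide scope next to the download instruction and shipping a companion .reg that removes the same nine values and the `ExtensionInstallForcelist` and `RestoreOnStartupURLs` subkeys, so the change can be reverted cleanly.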