Setting Google Workspace for Education policies: Step 3 (best practices)
Block interfering URLs
Some URLs can be used to stop Highlights and other extensions from working properly. Hāpara highly recommends blocking these URLs via:
admin.google.com > Devices > Chrome > Settings > User and browser settings > Content > URL blocking > Blocked URLs
URL | Reason to block |
*/html/crosh.html | Crosh is a Chrome Command Shell environment similar to Command Prompt on Windows or Terminal in macOS devices, which allows the user to execute commands directly from ChromeOS. |
chrome://settings, chrome://file-manager | Allows the user to change or modify Chrome browser and extension config |
javascript://* | Allows bookmarklets that contain JavaScript commands to manipulate Chrome Browser |
www.holyubofficial.net | Example of an in-browser proxy, which students can utilize to bypass Chrome browser config |
Be sure to click SAVE in the top right corner.
Prevent students using Task Manager to end processes
Students can use the Chrome Task Manager to end processes — including the Highlights extension. Hāpara recommends disabling this ability via:
admin.google.com > Devices > Chrome > Settings > Users & browsers > Task manager
Search for Task Manager and set the policy to Block users from ending processes with the Chrome Task Manager. This policy does not apply to Windows or Mac devices using a Chrome Browser.
Turning on this setting for student domains will increase the robustness of the Highlights product in the face of student interventions.
Prevent students using Developer Tools to end processes
Students can use the Chrome Developer Tools to inspect, break and end processes — including the Highlights extension. Hāpara recommends disabling this ability via:
admin.google.com > Devices > Chrome > Settings > Users & browsers > Developer tools
Search for Developer tools and set the policy to Allow use of built-in developer tools except for force-installed extensions.
Turning on this setting for student domains will increase the robustness of the Highlights product in the face of student interventions.
Prevent students using ChromeVox to access Incognito Mode
A weakness in ChromeVox allows students to access Incognito Mode even if this mode has been disabled. Hāpara recommends blocking this weakness via:
admin.google.com > Device > Chrome > Device Settings
Search for Turn off accessibility settings on sign-in screen upon logout and enable this setting.
Enabling this setting for student domains will increase the robustness of Highlights in the face of student interventions.
Preventing students from using Bookmarklets
Bookmarklets are bookmarks stored in a web browser that contain JavaScript commands that add new features to an existing browser.
admin.google.com > Devices > Chrome > Settings > Users & browsers > URL blocking
Google implemented this update in April 2018 for Chromebook devices running Chrome OS version 73 and above. This policy does not apply to Windows, Mac or other devices. To update a student's Chromebook, please see the instructions here.
Prevent students from using multiple Google accounts
To provide a consistent and positive Hāpara experience, it's important that policies set in the Google Admin Console apply to all students. Preventing students from signing into multiple Google accounts at once on their Chromebook makes it harder for them to avoid these policies.
See the full article detailing how to prevent students from using multiple Google accounts.
Force student Chrome Browser login by default
By default, students are able to log into other Google Accounts within the Chrome Browser. This can enable students to avoid visibility.
Using the G Suite Admin Console, a technical administrator can set the policy to force students to log in to their browser:
admin.google.com > Devices > Chrome > Settings > Users & browsers > Browser sign-in settings
- Search for the Browser sign-in settings
- Select Force users to sign-in to use the browser.
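Added example (not part of the original Hāpara article or product): a small Python check that compares a set of effective Chrome policies against the URL blocking, Task manager, Developer tools and Browser sign-in recommendations above. The input format (a flat mapping of policy name to value) and the mapping of these Admin console settings to the Chrome policy names URLBlocklist, TaskManagerEndProcessEnabled, DeveloperToolsAvailability and BrowserSignin are assumptions of this example; the sample data is constructed.

```python
# Added example: audit effective Chrome policies against this page's recommendations.
# Assumption: policies arrive as a flat dict of policy name -> value.

# URLs the article recommends blocking (copied from the table above).
RECOMMENDED_BLOCKLIST = [
    "*/html/crosh.html",
    "chrome://settings",
    "chrome://file-manager",
    "javascript://*",
    "www.holyubofficial.net",
]

# policy name -> (expected value, Admin console setting named in the article)
RECOMMENDED_VALUES = {
    "TaskManagerEndProcessEnabled": (False, "Task manager"),   # block ending processes
    "DeveloperToolsAvailability": (0, "Developer tools"),      # 0 = not on force-installed extensions
    "BrowserSignin": (2, "Browser sign-in settings"),          # 2 = force sign-in
}


def audit(policies):
    """Return a sorted list of findings; an empty list means every check passed."""
    findings = []
    # Exact string comparison only: a broader pattern that happens to cover a
    # recommended entry is still reported as missing.
    blocked = {entry.strip().lower() for entry in policies.get("URLBlocklist", [])}
    for pattern in RECOMMENDED_BLOCKLIST:
        if pattern.lower() not in blocked:
            findings.append(f"URLBlocklist: missing {pattern}")
    for name, (expected, setting) in RECOMMENDED_VALUES.items():
        actual = policies.get(name, "<unset>")
        # Compare the type as well, so that False is not confused with 0.
        if type(actual) is not type(expected) or actual != expected:
            findings.append(f"{name}: expected {expected!r}, found {actual!r} ({setting})")
    return sorted(findings)


# Constructed sample: a partially configured student organizational unit.
SAMPLE = {
    "URLBlocklist": ["*/html/crosh.html", "chrome://settings", "javascript://*"],
    "TaskManagerEndProcessEnabled": False,
    "DeveloperToolsAvailability": 1,  # 1 = developer tools always allowed
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```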
Prevent students from connecting to non-school networks
Hāpara recommends IP restrictions when using Highlights. This allows visibility of student devices only while they're connected to the specified school networks.
However, if students connect to another network outside the specified IP ranges, like a guest network or personal Wi-Fi hotspot, they may bypass Highlights visibility.
In the G Suite Admin console, you can configure your device policies to restrict network connectivity under Device > Network > General Settings.
See the full Google Restrict networks and network interfaces Support Article here