1. Hapara Support
  2. For Hāpara administrators
  3. Managing Hāpara Highlights

Menu

Articles in this section

Strengthening Highlights and preventing student loopholes Follow

Lisa Oosthuizen
  • Updated

This article helps Hāpara administrators strengthen Chrome and ChromeOS settings so students cannot bypass Highlights using Incognito mode, Guest mode, multiple accounts, DevTools, bookmarks, Chrome internal URLs, Google Lens or virtual desktops.

 

In this article:

Summary

To prevent students from bypassing Hāpara Highlights, apply the recommended Google Admin Console policies to student organizational units, force-install the Highlights extension and verify that each policy is active on a managed student device. Start with the diagnostic table below to identify the likely loophole, then apply the matching prevention setting.

 

Before you begin

You need:

  1. Google Admin Console access.
  2. Student organizational units set up in Google Admin.
  3. The Hāpara Highlights extension force-installed for student users.
  4. A managed student Chromebook or managed Chrome browser for testing.
  5. A test student account in the same OU as your students.

Apply these settings to student OUs first. Keep staff OUs separate so teachers and IT staff can retain tools such as DevTools or Incognito where needed.

 

Diagnostic table: identify and close common Highlights loopholes

Student behavior or report Likely loophole Admin setting to check Recommended action How to verify
Student opens a private window and Highlights does not show activity Incognito mode Incognito mode Set Incognito mode to Disallow incognito mode for student OUs Sign in as a student and confirm New Incognito Window is unavailable
Student uses Chrome without signing in Guest browser or device guest mode Browser guest mode and Device guest mode Prevent Guest browser logins and disallow Guest mode on ChromeOS sign-in screen Restart device and confirm Browse as Guest is unavailable
Student signs into a personal Gmail account Multiple or unmanaged account sign-in Browser sign-in settings and Restrict sign-in to pattern Force Chrome browser sign-in and restrict sign-in to your school domains Try signing in with a personal account and confirm it is blocked
Student uses more than one Google account on a Chromebook Multiple sign-in access Multiple sign-in access Block multiple sign-in access for users in your organization Sign in as a student and confirm additional account sign-in is blocked
Student ends or disables a Chrome process Chrome Task Manager Task manager Block users from ending processes with Chrome Task Manager Open Chrome Task Manager and confirm End process is unavailable
Student uses DevTools to inspect, modify or interfere with extensions Developer tools Developer tools Allow DevTools except for force-installed extensions, or block DevTools entirely if students do not need coding tools Open DevTools and confirm force-installed extensions cannot be inspected or modified
Student runs a bookmarklet or JavaScript bookmark Bookmarklets Bookmark bar, Bookmark editing and managed bookmarks Disable bookmark editing and bookmark bar for students; use managed bookmarks for approved resources Confirm students cannot create or edit bookmarks
Student opens chrome://extensions, chrome://flags or similar pages Chrome internal URLs Block sensitive internal Chrome URLs Enable Google’s built-in setting to block sensitive internal Chrome URLs Try opening chrome://extensions and confirm access is blocked
Student rapidly clicks saved bookmarks to interrupt a session Bookmark exploit Bookmark bar and Bookmark editing Disable bookmark bar and bookmark editing for student OUs Confirm the bookmark bar is hidden and students cannot edit bookmarks
Student searches answers using Google Lens during work or assessments Google Lens Google Lens settings Hide or disable Google Lens options for student OUs Open Chrome and confirm Lens entry points are unavailable
Student switches to another desktop or workspace Multiple desktops / virtual desks ChromeOS device and user experience controls Review virtual desk behavior and classroom supervision procedures; pair with screen monitoring expectations Ask student to switch desks during a test and confirm visibility expectations are met
Highlights is missing or not visible in Chrome Extension not installed or not pinned Apps & extensions Force-install Hāpara Highlights and pin it where available Open chrome://extensions or chrome://policy and confirm Highlights is installed and enforced
Settings appear correct but students can still bypass controls Policy not applied or wrong OU chrome://policy Reload policies and confirm each policy status is OK Test with a student account in the correct OU

 

 

Prevention playbook

1. Force-install Hāpara Highlights

Force-installing Highlights helps ensure the extension is present and cannot be removed by students.

  1. In Google Admin Console, go to Devices > Chrome > Apps & extensions.
  2. Select the student OU.
  3. Add or select Hāpara Highlights.
  4. Set the installation policy to Force install.
  5. Pin the extension to the browser toolbar if that option is available.
  6. Click Save.

 

2. Disallow Incognito mode

Incognito mode can prevent required extensions and policies from applying as expected.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Go to Security > Incognito mode.
  4. Select Disallow incognito mode.

Screen_Shot_2021-10-29_at_08.59.08.png

  1. Click Save.

 

3. Disable Guest browsing

Guest browsing allows students to use Chrome without their managed school profile.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Go to Security > Browser guest mode.
  4. Select Prevent guest browser logins

    Screen_Shot_2021-10-29_at_09.19.41.png
  5. Then go to Device settings > Sign-in settings > Guest mode.
  6. Select Disallow guest mode.
  7. Click Save.

4. Force Chrome browser sign-in

Forcing browser sign-in helps ensure students are using a managed browser profile where district policies apply.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Go to Sign-in settings > Browser sign-in settings.

  4. Select Force users to sign in to use the browser.

    Untitled drawing.jpg

     

  5. In Restrict sign-in to pattern, enter your school domain pattern.

Example:

.*@district\.org

       6. Click Save.

 

5. Block multiple Google account sign-in

Students may try to add a personal or secondary Google account to avoid school policies.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Go to User experience > Multiple sign-in access.

  4. Select Block multiple sign-in access for users in this organization.


    Screen_Shot_2020-01-31_at_16.28.35.png

  5. Click Save.

 

6. Prevent students from ending Chrome processes

Students may try to use Chrome Task Manager to end the Highlights process.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Go to Task manager.
  4. Select Block users from ending processes with the Chrome task manager.

    Screen_Shot_2021-10-29_at_09.06.01.png
     
  5. Click Save.

 

7. Limit Developer Tools

Developer Tools can be used to inspect or interfere with extensions.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Go to Developer tools.
  4. Choose one of the following:
    • Allow use of built-in developer tools except for force-installed extensions — recommended if students need DevTools for coding classes.
    • Don’t allow use of built-in developer tools — recommended if students do not need DevTools.

      Screen_Shot_2021-10-29_at_09.08.57.png
       
  5. Click Save.

 

8. Reduce bookmark and bookmarklet loopholes

Bookmarklets are browser bookmarks that contain JavaScript. Students may use them to interfere with browser behavior or classroom sessions.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Go to Bookmark bar.
  4. Select Disable Bookmark bar.
  5. Go to Bookmark editing.
  6. Select Disable Bookmark editing.
  7. Optional: Use Managed bookmarks to provide approved learning resources.
  8. Click Save.

 

9. Block sensitive internal Chrome URLs

Chrome internal URLs can expose settings or tools students should not access.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Go to Content > URL blocking.
  4. Enable Block sensitive internal Chrome URLs.
  5. Add only additional URLs your district has confirmed as a risk.
    Screenshot 2025-10-06 at 11.50.32 AM.png
  6. Click Save.

Use caution before manually blocking Chrome URLs. Blocking the wrong internal URL may interfere with normal Chrome or ChromeOS functionality.
 

10. Disable Google Lens for student OUs

Google Lens may allow students to search screen content, images or assessment questions.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the student OU.
  3. Search for Google Lens.
  4. Set the available Google Lens options to disabled or hidden, including:
    • New tab page Google Lens button: Do not show
    • Google Lens camera-assisted search: Disabled
    • Google Lens region search: Disabled
    • Google Lens overlay: Disabled
  5. Click Save.

For high-stakes assessments, remind staff that browser controls cannot prevent students from using a separate personal device.

 

11. Review multiple desktops or virtual desks

ChromeOS virtual desks may allow students to move activity out of immediate view during in-person supervision.

  1. Test virtual desk behavior using a student account.
  2. Confirm whether teachers can still see the active screen in Highlights.
  3. Set classroom expectations for virtual desk use.
  4. Consider pairing this with Focus or Filter sessions during assessments.
  5. Escalate to Hāpara Support if student activity appears hidden even when policies are applied correctly.

12. Use ephemeral mode on shared devices

Ephemeral mode clears local user data when the student signs out. This can reduce cached profile issues on shared carts, labs or library devices.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the shared-device student OU.
  3. Go to Security > Force ephemeral mode.
  4. Select Erase all local user data.
    Screen_Shot_2021-10-29_at_11.30.03.png
  5. Click Save.

Use this carefully. Do not apply it to staff OUs or users who need persistent local profiles.

 

Troubleshooting

The policy is set, but students can still access the setting

Check that the student is in the correct OU. Then open chrome://policy, reload policies and confirm the policy status is OK.

The student is using a personal device

These settings apply only to managed Chrome browsers or managed ChromeOS devices where the student signs in with a school account. For unmanaged personal devices, use your district’s device policy, network filtering and classroom procedures.

Teachers still see students as Offline or missing

This may not be a loophole issue. Check extension installation, student sign-in status, network access and Highlights connectivity.

A setting affects a class that needs coding tools

Apply the stricter policy to most student OUs, then create a separate OU or group for approved coding classes. For those students, allow DevTools except for force-installed extensions.

 



 

Related articles