Strengthening Highlights and preventing student loopholes Follow

The Google Chrome landscape is constantly changing. This page summarizes recent changes to the Highlights installation guide that can be used to strengthen your existing Highlights installation:

  

Disable Incognito Mode for Students

Hapara Highlights functions through a Google Chrome extension. When Chrome is in Incognito Mode, the browser does not load any extensions. We recommend preventing students from being able to launch Chrome in Incognito Mode to ensure the Highlights extension is always loaded:

admin.google.com > Device Management > Chrome Management > User Settings

Search for the Incognito Mode drop-down menu and select the Disallow incognito mode option. This option can be applied to only student OUs, allowing teachers to utilize Incognito Mode.

 

Block apps or extensions

Some apps and extensions can be used to stop Highlights and other extensions from working correctly. Such apps and extensions need to be blocked. Hapara strongly recommends blocking the following extensions:

The instructions on how to do this are here.
 

 

Prevent students using Task Manager to end processes

Students can use the Chrome Task Manager to end processes - including the Highlights extension. Hapara recommends disabling this ability via:

admin.google.com > Device Management > Chrome Management > User Settings

Search for Task Manager and set the policy to disable the ending of processes.

Turning on this setting for student domains will increase the robustness of Highlights in the face of student interventions. 

Screen_Shot_2018-09-25_at_11.44.06_AM.png

This policy became available in August 2016 and applies to Chromebook devices running version 52 and above. This policy does not apply to Windows, Mac devices using a Chrome Browser.

 

Prevent students using developer tools to end processes

Students can use the Chrome Developer Tools to inspect, break and end processes - including the Highlights extension. Hapara recommends disabling this ability via:

admin.google.com > Device Management > Chrome Management > User Settings

Search for Developer tools and set the policy to Never allow the use of built-in developer tools

Turning on this setting for student domains will increase the robustness of Highlights in the face of student interventions.

 

Prevent students using ChromeVox to access Incognito Mode

A vulnerability with ChromeVox allows students to access Incognito Mode even if Incognito mode has been disabled in the Google Admin Console. Hapara recommends blocking this weakness via:

admin.google.com > Device Management > Chrome Management > Device Settings

Search for Turn off accessibility settings on the sign-in screen upon logout and enable this setting.

Enabling this setting for student domains will increase the robustness of Highlights in the face of student interventions.

  

Prevent students from using multiple Google accounts on their Chrome Device

Please see the full Support Article here detailing how to prevent students from signing into other Google Accounts whilst signed into their School Google account.

 

Prevent Students from logging into multiple users within a Chrome Browser session

By default, students are able to log into other Google Accounts within the Chrome Browser. This can enable students to avoid visibility

Using the G-Suite Admin Console, and Administrator can set policy to restrict which domain accounts a student can log in with:

 admin.google.com > Device Management > Chrome Management > User Settings

  1. Search for the Sign-in Within the Browser heading
  2. Select Allow users to sign-in only to the G Suite domains set below
  3. Only specify the student domain if you would like students to only be allowed to login to School Accounts via the Chrome Browser

Screen_Shot_2018-09-25_at_11.30.54_AM.png

 

Disable Guest Mode

Students can log in via Guest Mode and avoid Highlights visibility if this option is enabled. Hapara recommends disabling Guest Mode for students via:

admin.google.com > Device Management > Chrome Management > Device Settings

Search for the Sign-in Settings heading, and under the Allow Guest Mode drop-down menu, select Do not allow guest mode.

 

 

Prevent students connecting to non-school networks

Hapara recommends IP restrictions when using Highlights, this allows visibility of student devices only while they're connected to the specified school networks.

However, if students connect to another network outside the specified IP ranges, like a guest network or personal Wi-Fi hotspot, they may bypass Highlights visibility.

In the Admin console, you can configure device policies to restrict network connectivity under Device Management > Network > General Settings.

Screen_Shot_2018-09-25_at_11.50.23_AM.png

Deploying Hapara Extension using Machine Policy

If your school/district is using Windows or Apple Machines with Chrome browsers rather than Chromebooks, the process to deploy the Highlights extension is slightly different.

Rather than use the Chrome Management settings in the Google Admin console, you can deploy the extension on a device basis using Chrome Browser policies on managed PCs.

Deploying the extension in this way overrides any user-level settings, so the extension will be installed on the device even if there are no users logged in to the Chrome browser.

To begin, open the template file containing the device policies – this file can be found using the instructions provided by Google and differs by operating system.

Once you have opened this file, add the following string depending on your configuration:

Windows (Windows clients):
Software\Policies\Google\Chrome\ExtensionInstallForcelist\1 = "kbohafcopfpigkjdimdcdgenlhkmhbnc;https://clients2.google.com/service/update2/crx"

Windows (Google Chrome OS clients):
Software\Policies\Google\ChromeOS\ExtensionInstallForcelist\1 = "kbohafcopfpigkjdimdcdgenlhkmhbnc;https://clients2.google.com/service/update2/crx"

Android/Linux:
["kbohafcopfpigkjdimdcdgenlhkmhbnc;https://clients2.google.com/service/update2/crx"]

Mac:
<array>
<string>kbohafcopfpigkjdimdcdgenlhkmhbnc;https://clients2.google.com/service/update2/crx</string>
</array>

Please see this Google Support Article here detailing how to restrict network connectivity.

Have more questions? Submit a request