Strengthening Highlights and preventing student loopholes Follow
The Google Chrome landscape is constantly changing. This page summarizes G-Suite Policies that can be utilized to strengthen your existing Highlights installation:
In this article
- Incognito mode
- Chrome task manager
- Chrome developer tools
- Force Chrome Browser login
- Browser Guest Mode
- Prevent students from using bookmarklets
- Block interfering URLs
- Shared Devices and Ephemeral Mode
- Multiple Google accounts
Disallow incognito mode for students
Hāpara Highlights functions through a Google Chrome extension. When Chrome is in incognito mode, the browser may not load extensions. We recommend disallowing students from being able to launch Chrome in Incognito Mode to ensure the Highlights extension always available.
admin.google.com > Devices > Chrome > Settings > Users & browsers > Incognito Mode
Search for Incognito Mode and select the Disallow incognito mode option. This option can be applied to only student OUs, allowing teachers to utilize incognito mode.
Prevent students from using Chrome task manager to end processes
Students can use the Chrome Task Manager to end processes - including the Highlights extension. Hāpara recommends disabling this ability via:
admin.google.com > Devices > Chrome > Settings > Users & browsers > Task manager
Search for task manager and set the policy to Block users from ending processes with the Chrome task manager. This option can be applied to only student OUs, allowing teachers to utilize Chrome task manager.
This policy became available in August 2016 and applies to Chromebook devices running version 52 and above. This policy does not apply to Windows or Mac OS using a Chrome Browser.
Prevent students using developer tools to end processes
Students can use the Chrome Developer Tools to inspect, break and end processes - including the Highlights extension. This policy can be valuable to enable if you have Coding or Computer science courses, so disabling it completely may not be the best option for your school, so Hāpara recommends allowing use except for force-installed extensions, at the least:
admin.google.com > Devices > Chrome > Settings > Users & browsers > Developer tools
Search for Developer tools and set the policy to Allow use of built-in developer tools except for force-installed extensions. This option can be applied to only student OUs, allowing teachers to utilize developer tools.
Force student Chrome Browser login by default
By default, students are able to log into other Google Accounts within the Chrome Browser. This can enable students to avoid visibility
Using the G Suite Admin Console, an administrator can set the policy to force students to log in to their browser:
admin.google.com > Devices > Chrome > Settings > Users & browsers > Browser sign-in settings
-
To apply the setting to all users and enrolled browsers leave the top organizational unit selected. Otherwise, select a student organizational unit.
-
Locate Sign-in settings.
-
For Browser sign-in settings, select Force users to sign-in to use the browser.
-
Click Save.
Disable Browser Guest Mode
Students can log in via Guest Mode and avoid Highlights visibility if this option is enabled. Hāpara recommends disabling Guest Mode for students via:
admin.google.com > Devices > Chrome > Settings > Users & browsers > Browser guest mode
Search for the Browser guest mode and set the policy to Prevent guest browser logins. This option can be applied to only student OUs, allowing teachers to utilize Browser guest mode.
Preventing students from using bookmarklets
Bookmarklets are bookmarks stored in a web browser that contain JavaScript commands that add new features to an existing browser. These can be configured to avoid Highlights extension detection.
admin.google.com > Devices > Chrome > Settings > Users & browsers > URL blocking
Google implemented this update in April 2018 for Chromebook devices running Chrome OS version 73 and above. This policy does not apply to Windows, Mac or other devices. To update a student's Chromebook, please see the instructions here.
Block interfering URLs
Some URLs can be used to stop Highlights and other extensions from working properly. Hāpara highly recommends blocking these URLs via:
admin.google.com > Devices > Chrome > Settings > Users & browsers > URL blocking
| URL | Reason to block |
|
*/html/crosh.html |
Crosh is a Chrome Command Shell environment similar to Command Prompt on Windows or Terminal in macOS devices, which allows the user to execute commands directly from ChromeOS. |
|
chrome://settings chrome://file-manager |
Allows the user to change or modify Chrome browser and extension config |
|
javascript://* |
Allows bookmarklets that contain JavaScript commands to manipulate Chrome Browser |
| www.holyubofficial.net |
Example of an in-browser proxy, which students can utilize to bypass Chrome browser config
|
Be sure to click SAVE in the top right corner.
Shared devices and Ephemeral mode
This policy config is really helpful if your school or district has shared devices. Ephemeral mode ensures that user data is not stored locally when the user logs out, preventing Chrome Browser caching overload, which can impact negatively on extension installation for new users logging in.
admin.google.com > Devices > Chrome > Settings > Users & browsers > Force ephemeral mode
Search for the Force ephemeral mode and set the policy to Erase all local user data. This option can be applied to only student OUs, ensuring teacher's local browser data remains stored upon logout.
How to prevent students from using multiple Google accounts
Select the Block multiple sign-in access for users in this organization option and click Save.
It is also possible to restrict users from logging in to non school related Google accounts on school-owned Chromebooks. Personal Gmail IDs can lead to evasion of filtering and auditing of the Chromebook.
Select the Restrict Sign-in to pattern and in the text box enter the domain you want to allow sign-ins from and click Save.
For example, *@school.hapara.com will restrict logins to only school.hapara.org and prevent users from signing into accounts outside of this configuration.
Additional Google device policies to consider
As an administrator, you also may want to prevent users from signing in to Google services using any accounts other than those you have provided them with (i.e. gmail.com). Please see the full Google article for more details, or read below:
To only allow users from specific domains to access Google services on devices running Chrome OS:
admin.google.com > Devices > Chrome > Settings > Users & browsers > Sign in to secondary accounts
Select the Edit in legacy view and then Block users from signing in to or out of secondary Google Accounts and click Save.
- Otherwise, select Allow users to sign-in only to the G Suite domains set below if you would like to specify multiple domains students can log in to.
(Optional) To see a list of your domains, click organization’s domains under the domain list box. - Enter the list of all of your organization’s domains. If you don’t, your users might not have access to Google services.
(Optional) To include other types of accounts, enter the following text in the list:- For consumer Google Accounts, such as @gmail.com and @googlemail.com, add consumer_accounts.
- For authenticated service accounts, add gserviceaccounts.com.
- Click Save.