1. Hapara Support
  2. For Hāpara administrators
  3. Managing Hāpara Highlights

Menu

Articles in this section

Strengthening Hāpara Highlights on Windows devices managed by Intune, GPO, or another MDM Follow

Carrie Whalen
  • Updated

Strengthening Hāpara Highlights on Windows devices managed by Intune, GPO, or another MDM

This article helps Hāpara administrators lock down Google Chrome on managed Windows devices so students stay signed in, keep the Hāpara Highlights extension installed, and use Chrome as the default browser.

Who this is for

Admins

Summary

Use Windows device management policies to force-install the Hāpara Highlights extension, require students to sign in to Chrome with their school Google Workspace account, restrict sign-in to your school domain, enable Chrome Sync, and set Chrome as the default browser. These settings help prevent students from removing the extension, killing its processes, or using an unmanaged browser session to bypass Hāpara Highlights.

This article is for schools using standard Hāpara with Google Workspace for Education on Windows 10 or Windows 11 devices managed by Microsoft Intune, Group Policy, or another MDM.

Before you begin

Make sure you have:

  1. Windows student devices enrolled in Intune, Active Directory Group Policy, or another MDM.
  2. Google Chrome installed on student devices.
  3. Access to configure Chrome Enterprise policies.
  4. The Hāpara Highlights extension details from your Hāpara setup documentation.
  5. A student test device and student test account.

Important: The deployment URL must include your specific student domain configured with Hāpara (e.g., @students.yourschool.edu) for the extension to route properly.

Recommended policy settings

Goal Chrome policy
Keep Hāpara Highlights installed ExtensionInstallForcelist
Require Chrome browser sign-in BrowserSignin
Restrict sign-in to school accounts RestrictSigninToPattern
Enable Chrome Sync (Required) SyncDisabled (Set to False/Disabled)
Disable Guest Browsing BrowserGuestModeEnabled (Set to False)
Prevent killing the extension process TaskManagerEndProcessEnabled (Set to False)
Restrict Developer Tools DeveloperToolsAvailability (Set to 2)
Set Chrome as default browser DefaultBrowserSettingEnabled and Windows default app policy
Confirm policies are active chrome://policy

Option 1: Configure Chrome policies with Microsoft Intune

Use this option if your district manages Windows devices with Microsoft Intune.

Step 1: Import Chrome ADMX templates into Intune

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices.
  3. Select Windows.
  4. Go to Configuration.
  5. Import the Google Chrome ADMX and ADML templates if the Chrome settings you need are not already available in the Settings Catalog.
  6. Create a configuration profile for student devices.

Step 2: Force-install the Hāpara Highlights extension

  1. In the student Chrome policy profile, find the policy named Configure the list of force-installed apps and extensions.
  2. Enable the policy.
  3. Add the Hāpara Highlights extension using this format:
extension_id;update_url

Example format:

aceopacgaepdcelohobicpffbbejnfac;https://extension.hapara.com/extension/updates/studentdomain
  1. Replace studentdomain with your school's actual student domain (e.g., students.school.edu).
  2. Assign the profile to student Windows devices or student user groups.
  3. Save the policy.
Screenshot 2026-04-30 at 1.13.59 PM.png

Step 3: Require students to sign in to Chrome

  1. In the same Chrome policy profile, find Browser sign-in settings.
  2. Enable the policy.
  3. Set the value to Force users to sign in to use the browser.

Step 4: Restrict Chrome sign-in to your school domain

  1. Find the policy Restrict which Google accounts can be set as browser primary accounts.
  2. Enable the policy.
  3. Enter a regular expression for your school domain.

Example:

.*@student\.district\.org

For multiple domains, use a pattern such as:

.*@(student\.district\.org|school\.org)

Step 5: Enable Chrome Sync (Crucial for Windows)

  1. Find the policy Disable synchronization of data with Google.
  2. Set this policy to Disabled to ensure Chrome Sync is allowed. Highlights will fail to track students reliably if sync is disabled.

Step 6: Prevent student loopholes

  1. Find the policy Enable guest mode in browser and set it to Disabled.
  2. Find the policy Enable ending processes in Task Manager and set it to Disabled.
  3. Find the policy Control where Developer Tools can be used and set it to Allow usage of the Developer Tools, except for force-installed extensions.

Step 7: Set Chrome as the default browser

  1. In Intune, configure the Chrome policy Set Google Chrome as default browser if available.
  2. Set the policy to Enabled.
  3. For Windows 10 and Windows 11, also deploy a Windows default app associations policy if your district requires Chrome to be the default browser for web links and HTML files.
  4. Assign the policy to student Windows devices.
  5. Restart a test device and confirm Chrome opens as the default browser.

Option 2: Configure Chrome policies with Group Policy

Use this option if your district manages Windows devices with Active Directory Group Policy.

Step 1: Add Chrome policy templates to Group Policy

  1. Download the Chrome Enterprise policy templates.
  2. Copy the Chrome ADMX and ADML files into your domain Central Store.
  3. Open Group Policy Management.
  4. Create or edit a GPO linked to the student device OU.
  5. Go to:
Computer Configuration > Policies > Administrative Templates > Google > Google Chrome

Step 2: Force-install the Hāpara Highlights extension

  1. In Group Policy, go to:
Google Chrome > Extensions
  1. Open Configure the list of force-installed apps and extensions.
  2. Set the policy to Enabled.
  3. Click Show.
  4. Add the Hāpara Highlights extension using this format:
extension_id;update_url

Example format:

aceopacgaepdcelohobicpffbbejnfac;https://extension.hapara.com/extension/updates/studentdomain
  1. Replace studentdomain with your school's actual student domain (e.g., students.school.edu).
  2. Save the policy.

Step 3: Force Chrome browser sign-in

  1. In Group Policy, go to:
Google Chrome > Browser sign-in settings
  1. Set the policy to Enabled.
  2. Select Force users to sign in to use the browser.

Step 4: Restrict sign-in to school Google accounts

  1. In Group Policy, find:
Restrict which Google accounts can be set as browser primary accounts
  1. Set the policy to Enabled.
  2. Add your school domain pattern.

Example:

.*@student\.district\.org
  1. Save the policy.

Step 5: Enable Chrome Sync (Crucial for Windows)

  1. In Group Policy, find Disable synchronization of data with Google.
  2. Set the policy to Disabled so synchronization is explicitly permitted.

Step 6: Prevent student loopholes

  1. In Group Policy, configure the following to prevent bypasses:
  2. Set Enable guest mode in browser to Disabled.
  3. Set Enable ending processes in Task Manager to Disabled.
  4. Set Control where Developer Tools can be used to Allow usage of the Developer Tools, except for force-installed extensions.

Step 7: Set Chrome as the default browser with GPO

  1. On a test Windows device, set Chrome as the default browser.
  2. Export the default app associations XML file.
  3. Place the XML file in a shared location that all student devices can access.
  4. In Group Policy, configure the Windows default associations policy.
  5. Link the GPO to the student device OU.
  6. Run the following command on a test device:
gpupdate /force
  1. Restart the device.
  2. Confirm Chrome is the default browser.

Screenshot to add: Windows default apps screen showing Google Chrome as the default browser.

Option 3: Configure Chrome policies with another MDM

Use this option if your district uses a Windows MDM other than Intune.

  1. Confirm your MDM can deploy Windows registry keys, ADMX-backed policies, or Chrome Enterprise policies.
  2. Deploy the Chrome ExtensionInstallForcelist policy.
  3. Add the Hāpara Highlights extension using this format:
aceopacgaepdcelohobicpffbbejnfac;https://extension.hapara.com/extension/updates/studentdomain
  1. Deploy the BrowserSignin policy and require browser sign-in.
  2. Deploy the RestrictSigninToPattern policy and allow only school Google accounts.
  3. Deploy the SyncDisabled policy and set it to False to ensure Chrome Sync is active.
  4. Deploy policies for BrowserGuestModeEnabled (False), TaskManagerEndProcessEnabled (False), and DeveloperToolsAvailability (2) to close common student loopholes.
  5. Deploy the DefaultBrowserSettingEnabled policy where supported.
  6. Use Windows default app controls to set Chrome as the default browser.
  7. Test on a small student pilot group before district-wide deployment.

Verify the setup

On a managed student Windows device:

  1. Open Chrome.
  2. Go to:
chrome://policy
  1. Click Reload policies.
  2. Confirm the following policies show with status OK:
    • ExtensionInstallForcelist
    • BrowserSignin
    • RestrictSigninToPattern
    • SyncDisabled (Value should confirm it is not disabled)
    • BrowserGuestModeEnabled (Value: false)
    • TaskManagerEndProcessEnabled (Value: false)
    • DefaultBrowserSettingEnabled, if used
  3. Go to:
chrome://extensions
  1. Confirm Hāpara Highlights is installed and marked as managed by your organization.
  2. Try to remove or disable the extension. Confirm the student cannot remove it.
  3. Sign out of Chrome and reopen Chrome. Confirm Chrome requires the student to sign in.
  4. Try signing in with a personal Gmail account. Confirm the sign-in is blocked.
  5. Press Shift+Esc to open Chrome Task Manager. Confirm the "End Process" button is greyed out.
  6. Open a web link from another app. Confirm the link opens in Google Chrome.

Troubleshooting

The Hāpara Highlights extension does not appear

  1. Confirm the extension ID and update URL match the correct Hāpara string (including the specific student domain).
  2. Confirm the policy is assigned to the correct student device or user group.
  3. Open chrome://policy and click Reload policies.
  4. Restart Chrome.
  5. Restart the Windows device.
  6. Confirm the device is receiving Intune, GPO, or MDM policies.

Students can remove or disable the extension

  1. Confirm the extension is deployed through ExtensionInstallForcelist, not installed manually.
  2. Confirm the policy status is OK in chrome://policy.
  3. Confirm the student is using the managed Chrome browser, not another browser.
  4. Confirm the policy is applied to the correct device or user scope.

Highlights is installed but not tracking

  1. Check that SyncDisabled is set to False/Disabled. Chrome Sync must be active on Windows devices.
  2. Ensure students are logging into the Chrome Browser profile itself, not just Google websites (like Gmail).

Students can sign in with personal Google accounts

  1. Confirm BrowserSignin is set to require Chrome sign-in.
  2. Confirm RestrictSigninToPattern is enabled.
  3. Check the regular expression for typos.
  4. Test with a student account and a personal Gmail account.

Chrome is not the default browser

  1. Confirm the Windows default app policy applied successfully.
  2. Restart the device.
  3. Confirm the default app associations XML is reachable by the device.
  4. Run gpupdate /force if using GPO.
  5. Check whether another policy is overriding the default browser setting.

Additional tips

  • Apply these policies to a pilot student group first.
  • Use separate policies for students and staff.
  • Keep the Google Admin Console force-install settings in place for student Google Workspace accounts.
  • Use Windows device policies to cover managed Windows devices even when students try to use Chrome without the expected Google profile.
  • Review Hāpara extension update instructions whenever Hāpara announces an extension URL or deployment change.
  • For shared Windows labs, consider clearing local profiles or enforcing Ephemeral Mode via policy to reduce stale Chrome profile issues.

Related articles

Related articles