How to override Google Chrome Cloud policies
Managed by somecompany.com? Is your organisation forcing extensions or specific Chrome settings in your work profile that are just getting in the way? NOT ANYMORE. Time to fight the cloud with machines policies!
It should be obvious, but you will need either full administrator or sudo rights to do this. Obviously if you are trying to do this on a managed machine controlled by your organisation, don't be a noob. If however you find some organisation policies creeping in on personal or non managed devices. RISE UP. Follow the guidance below, depending on your environment, the instructions and payload needed differ.
DISCLAIMER: If you get in trouble or your arse fired for subverting organisational policies, RIP, but these are just the tools required, you have to use them, so it is on you. BUT YOU WANT THAT SWEET INCOGNITO MODE THO RIGHT?
Why do organisations typically block incognito mode? Well... Because Google Chrome extensions can't track you because Google won't let extensions run in incognito mode by default IRONY LOL. Of course incognito mode still means your actual traffic is probably being slurrped by your ISP, GCHQ, FBI, NSA and your mum though. Better just turn the computer off now.
I was also 100% drunk while writing this. 60% of the time, it works every time.
Download and save the
google_chrome_overrides.reg file and run it (you'll need to be an administrator to write to the registry hive). The registry file will write various keys and values to the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome path. More details below.
With MacOS, you have to be a bit more creative, due to the default level being user level, this is not high enough in the chain to override existing cloud policies. Download and save the .mobileconfig file and then deploy with the following command:
cd ~/Downloads wget https://gist.githubusercontent.com/jamesmacwhite/c30a310e33e68842a6ab132aafd68be7/raw/4803dd1f26962ff04d13e805d36e38ee1aa7fcbd/google_chrome_overrides.mobileconfig sudo -s /usr/bin/profiles -I -F ~/Downloads/google_chrome_overrides.mobileconfig
Adjust the path to wherever you actually saved it locally if not the Downloads folder. Once this profile is installed, this will override Google Chrome policies locally. Nice. This payload isn't signed, but what you see in the .mobileconfig is what it is, a single payload for Google Chrome, not some malware or crypto mining software. Relax.
What policies are written by these example payloads?
- AllowDinosaurEasterEgg –
true(Why not, I like dinosaurs)
- ExtensionInstallForcelist -
Replaced with an empty array, to prevent the installation or enabling of any forced extensions.
- ForceGoogleSafeSearch –
- ForceYouTubeRestrict –
0(YouTube restriced mode is disabled)
- HomepageIsNewTabPage –
- HomepageLocation –
- IncognitoModeAvailablity –
0(Enables incognito mode)
- NewTabPageLocation –
- RestoreOnStartup –
5(Open new tab)
- RestoreOnStartupURLs -
Replaced with an empty array to avoid any URLs being forced to open on startup.
- SafeBrowsingEnabled -
- SafeSitesFilterBehaviour –
Supplying an empty array as the value for policies which use the array format is a quick way of basically cancelling out the existing policy being set. This is useful for policies like
You can find all Google Chrome policies that can be configured. The values I have used are for my own purposes, feel free to modify or add your own.
Did it work?
Open your Chrome profile and put
chrome://policy in the address bar. Click "Reload policies" if Chrome was already open when you applied the policy. You should see various policies as above either set or overriden by the local one's if an existing policy was present. Because these are system wide at the local level, they cancel out cloud policies because of the conflict. Mission accomplished.
Note: Because these policies are set at the machine level, they will apply to any Google Chrome profile for any user, be mindful of that.
WTF has this done to my computer?
For Windows, it will load specific keys and values into the Windows registry within the path outlined in
HKEY_LOCAL_MACHINE. This is a place that everyone tells you not to mess with, but that's because everyone makes it sound like only cool hackers should be touching it. Really anyone and their mum can change the Windows registry if they wanted (if you have admin rights), it's just if you do change something you shouldn't, your Windows machine isn't going to be happy and possibly not boot anymore, so don't be stupid. Ideally, just run the .reg file and it's all good. Don't go changing those one's and zero's you madman/madlass or mad non binary person (being inclusive).
For MacOS, overriding policies in Google Chrome is a bit more of a pain in the arse because of the levels in play. Windows allows you to override at the machine level quite easily, MacOS by default will be the user level and that's not high enough. BUGGER. So the solution is you need to GET ON MY LEVEL. We basically load in our own system profile configuration with a custom payload targeting Google Chrome. Normally this stuff happens in organisations with fancy deployment systems that sysadmins like to feel all important about, but here we are just downloading some .mobileconfig file and using command line to apply it. YEAH, WHERE IS YOUR SCM NOW?
My policy is better than yours.
- Some person on StackOverflow - KNOWS WHAT'S GOING DOWN IN MACOS LAND.
- Various people I work with - So I could look cool when giving them the power of incognito mode back on their devices. I have ascended.
- My mum and dad - For bringing me into this world.
- The ginger cat - That keeps breaking into my house, but keeps me alert at night.
- Me - For being motivated enough to figure this out and be that annoyed with policies in a web browser. TRIGGERED.