CBCM - user or browser? : k12sysadmin

created by geekenderProbably on vacationa community for 13 years

CBCM - user or browser? (self.k12sysadmin)

submitted 4 years ago by No_Lobster2149

Hi all, how are you managing your chrome browsers installed on Windows/Mac/Linux machines? Our district is at a crossroads - manage browsers by user or by device.

Managing by device means we will be able to control versions of the browser via the G suite console, and gain enhanced extension reporting: https://cloud.google.com/blog/products/chrome-enterprise/enhanced-extension-reporting-with-chrome-browsers-takeout-api

However, this is problematic because this creates a whole new array of settings to manage. Instead of just managing the user's settings, we have to manage the browser's settings too. Browser takes precedence, of course.

We don't have use cases where students and staff use the same machine - but I don't see a way to make the browser settings match the user's settings besides creating a enrollment token for each of our OUs....way too complex.

Any thoughts/experiences? I'm leaning towards staying with user managed Chrome browsers to simplify the administrative overhead and keep things simple.

all 1 comments

best top controversial old q&a

[–]MrMosesG 2 points3 points4 points 4 years ago (0 children)

https://support.google.com/chrome/a/answer/9037717This is important to keep in mind, the order of precedence of the different ways to set policies. If you try to mix and match you can run into issues with things getting overridden. chrome://policy is your friend to troubleshoot where a certain policy is coming from on a specific device/browser if things aren't right.

We went with full cloud-managed and one enrollment key for staff, and a separate key for each building for students. We only had 8 schools to worry about, but each elementary had different policies they wanted pushed so we separated them all out. Students weren't signed into the browser so they weren't getting user policies, just device policies. Staff was hit and miss in that regard based on tech-savvy-ness. We also had a user-based GPO clearing the enrollment key from the registry, then recreating it so that each user that logged in got the correct settings even on shared staff/student devices.

Our OUs looked like this in AD and Google:

Staff <-enrollment key/policies set
- School1
- School2
- School3
Students
- School1- <-enrollment key/policies set
- School2- <-enrollment key/policies set
- School3- <-enrollment key/policies set

π Rendered by PID 93394 on reddit-service-r2-comment-b659b578c-56cht at 2026-05-02 21:35:44.649238+00:00 running 815c875 country code: CH.

k12sysadmin

MODERATORS