Chrome Pak - Tattooed

View previous topic View next topic Go down

Chrome Pak - Tattooed

Post  meanoldman on Fri Jan 03, 2014 6:57 pm

First, shouldn't settings revert back to neutral or at least be able to be user configured if I unlink a GPO from an OU? If so then something ain't right with the GPO I created using the Pak for Chrome 31 for Win7.

I created a GPO with the Chrome 31 Pak (user level), applied it to a OU that only my user belongs to and ran gpudate on a system I was logged onto (Win7 64bit). Opened Chrome and sure enough the setting I had configured were applied, grayed out and have a little diamond next to them that note the "setting is enforced by your administrator". So I unlinked the GPO from my test OU, ran gpupdate again on the same system and low and behold, the settings are still applied and grayed out with the little diamond. I tried rebooting, still no change. I tried reapplying the GPO back to that OU and then editing it to 'Delete all configured settings", ran gpupdate on the computer I was logged onto and still no love.

I had a similar issue with Flash that we concluded wasn't a Pak issue, but this appears more likely that it is.

Oh, and just to double check, I logged onto the same computer as a user who does not belong to the test OU and the GPO setting are NOT applied to Chrome, which is what I would hope to see.

Bits and Paks are 603.

meanoldman

Posts : 26
Join date : 2013-01-31
Location : Ohio

View user profile

Back to top Go down

"Revert this policy setting to the default value..."

Post  jeremym on Fri Jan 03, 2014 7:16 pm

In most cases, this needs to be applied on EACH setting you want to properly revert.

http://screencast.com/t/MB33nFBOK

This is to parallel the experience of the GPPrefs, which doesn't do anything when a setting falls out of scope.

Try that.. run GPupdate.. then whack the GPO / unlink and see if it reverts properly.
avatar
jeremym

Posts : 82
Join date : 2013-01-29
Location : Philadelphia

View user profile

Back to top Go down

Re: Chrome Pak - Tattooed

Post  meanoldman on Fri Jan 03, 2014 8:29 pm

jeremym wrote:In most cases, this needs to be applied on EACH setting you want to properly revert.

http://screencast.com/t/MB33nFBOK

This is to parallel the experience of the GPPrefs, which doesn't do anything when a setting falls out of scope.

Try that.. run GPupdate.. then whack the GPO / unlink and see if it reverts properly.

Hey Jeremy,

I usually set that option for every setting whenever I create a GPO. I think I had it set for most everything this time too. I'll go through the GPO in question again and check on Monday when I am back in the office and see what happens

meanoldman

Posts : 26
Join date : 2013-01-31
Location : Ohio

View user profile

Back to top Go down

Re: Chrome Pak - Tattooed

Post  meanoldman on Mon Jan 06, 2014 12:34 pm

1) I checked and made sure all the stuck settings were still configured in the Chrome 31 PP GPO and verified they were set to revert. Reapplied that GPO to my OU and checked the settings in Chrome and indeed they are applied as expected.

2) I unlinked the GPO from my OU, ran gpupdate on my test PC and checked the settings and they are STILL applied. So I rebooted and checked again, and they are all still applied with the little settings are enforced warning.

3) I run the RSoP mmc and looked to see if that policy is showing as applied still and it is not, as expected. Yet the settings are all still stuck.

Windows 7 64bit, standard user logon, McAfee VSE 8.8 which is not being triggered in any way.

Server 2003 and 2008 mixed DC basic network.

meanoldman

Posts : 26
Join date : 2013-01-31
Location : Ohio

View user profile

Back to top Go down

Okay. I got to the bottom of this.

Post  jeremym on Mon Jan 06, 2014 2:18 pm

There is no "perfect" answer here.

In short.. PolicyPak is trying to write a value for any given setting.

Take any checkbox.. say.. "Show Home Button".

For Chrome..
ON = CHECK THE BOX (and lock it down)
OFF = UN-CHECK THE BOX (and lock it down.)

So when you're "reverting"... the Pak is saying:

Make it OFF... UN-CHECK the box (and lock it down).

Because we're delivering a setting for EACH value: ON and OFF.

PolicyPak really doesn't have a way to represent THREE states in a checkbox:

Checked (on) - Check the box (and lock it down.)
Un-Checked (OFF) - Un-Check the box (and lock it down).
Delete - Un-check the box and delete the value.

Here's the "not wonderful" workaround:

1. See the values in the DS. Here's the example
http://screencast.com/t/gl9BESSSs5

When you Revert.. it's making the state CHECKED.. which will automatically deliver ShowHomeButton = 1.

Chrome SEES this and.. does it.. AND locks it down.

(That's Chrome doing that.)

2. What you *CAN DO* in the definition if you want to is this:
http://screencast.com/t/u9iEdkHe

By changing the Revert State to Unchecked *AND* the Off Value to Delete..  Chrome will then DELETE the value *WHEN* you revert.

But there's a catch: You LOSE the ability to deliver "UNCHECK Show Home Button and lock it down".. because that's now the same as Delete (Off).

Here's another example in the same Pak using Radio buttons:
http://screencast.com/t/3WVWZxTrsMv

Here, I've added another Radio button, defined *IT* as "Delete" and then set the Revert to that radio button. So, on REVERT .. it WILL Delete, and you'll get the behavior you want.

Okay.. So, why is Chrome different than other applications?

In these areas Chrome uses the proper Policies keys, and as such acts like Proper Group Policy. And its doing its OWN lockdown.
PolicyPak is just delivering the setting -- we're not involved in the lockdown process part.

We would need to update the engine itself to deal with this (rare) case... since PolicyPak's main job in life is to deal with applications which aren't using the proper locations in GP land AND those which dont do lockdown on their own.

Sorry this isn't great. We'll see what we can do.. but this is the state of affairs for now in this particular case.
avatar
jeremym

Posts : 82
Join date : 2013-01-29
Location : Philadelphia

View user profile

Back to top Go down

Re: Chrome Pak - Tattooed

Post  meanoldman on Mon Jan 06, 2014 2:37 pm

jeremym wrote:There is no "perfect" answer here.

In short.. PolicyPak is trying to write a value for any given setting.

Take any checkbox.. say.. "Show Home Button".

For Chrome..
ON = CHECK THE BOX (and lock it down)
OFF = UN-CHECK THE BOX (and lock it down.)

So when you're "reverting"... the Pak is saying:

Make it OFF... UN-CHECK the box (and lock it down).

Because we're delivering a setting for EACH value: ON and OFF.

PolicyPak really doesn't have a way to represent THREE states in a checkbox:

Checked (on) - Check the box (and lock it down.)
Un-Checked (OFF) - Un-Check the box (and lock it down).
Delete - Un-check the box and delete the value.

Here's the "not wonderful" workaround:

1. See the values in the DS. Here's the example
http://screencast.com/t/gl9BESSSs5

When you Revert.. it's making the state CHECKED.. which will automatically deliver ShowHomeButton = 1.

Chrome SEES this and.. does it.. AND locks it down.

(That's Chrome doing that.)

2. What you *CAN DO* in the definition if you want to is this:
http://screencast.com/t/u9iEdkHe

By changing the Revert State to Unchecked *AND* the Off Value to Delete..  Chrome will then DELETE the value *WHEN* you revert.

But there's a catch: You LOSE the ability to deliver "UNCHECK Show Home Button and lock it down".. because that's now the same as Delete (Off).

Here's another example in the same Pak using Radio buttons:
http://screencast.com/t/3WVWZxTrsMv

Here, I've added another Radio button, defined *IT* as "Delete" and then set the Revert to that radio button. So, on REVERT .. it WILL Delete, and you'll get the behavior you want.

Okay.. So, why is Chrome different than other applications?

In these areas Chrome uses the proper Policies keys, and as such acts like Proper Group Policy. And its doing its OWN lockdown.
PolicyPak is just delivering the setting -- we're not involved in the lockdown process part.

We would need to update the engine itself to deal with this (rare) case... since PolicyPak's main job in life is to deal with applications which aren't using the proper locations in GP land AND those which dont do lockdown on their own.

Sorry this isn't great. We'll see what we can do.. but this is the state of affairs for now in this particular case.

Thanks Jeremy.

I did find it odd and probably particular to Chrome since I wasn't seeing setting stuck when I applied other PP GPOs. I think I'll just avoid pushing the Chrome PP to my users for the time being. I don't mind the settings being stuck for my user on this particular PC for now since they were 'test' settings based on my particular preference anyway.

meanoldman

Posts : 26
Join date : 2013-01-31
Location : Ohio

View user profile

Back to top Go down

What we're doing...

Post  jeremym on Fri Mar 21, 2014 11:57 am

We've decided to have two versions:

1. The version as it is today will:

Deploy and Lockdown, but not revert.

We will keep this version, but not enhance it.

2. The next version will:

Deploy and Revert, but not lockdown.

More information when the Paks are released, but they're now officially in the pipeline to be created.
avatar
jeremym

Posts : 82
Join date : 2013-01-29
Location : Philadelphia

View user profile

Back to top Go down

Here's the final word on this.

Post  jeremym on Wed Mar 26, 2014 5:06 pm

avatar
jeremym

Posts : 82
Join date : 2013-01-29
Location : Philadelphia

View user profile

Back to top Go down

Re: Chrome Pak - Tattooed

Post  Sponsored content


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum