google / password-alert

A Chrome Extension to help protect against phishing attacks.
Apache License 2.0

Doesn't play nicely with Google Apps domains with synced passwords #36

Open mjs510 opened 9 years ago

mjs510 commented 9 years ago

We use Google Apps to provide services for all of our users. We do not use single sign on, but instead use our provisioning system to manage the Google accounts and synchronise passwords to them. This means that all our Google Apps users use the same password to log in to Google as to our other enterprise systems. If our users install this extension, it informs them that they have compromised their account every time they log into our other enterprise systems.

The extension could do with a way of handling this situation. Maybe a domain should be allowed to block installation of the extension? Or is there any way of detecting usage of a Google Apps domain in this situation?

semenko commented 9 years ago

Hey cool -- if you're deploying the app to your enterprise, you should be able to whitelist your domains either via GPO or by Chrome policy.

For example, you can whitelist a domain by setting "whitelist_top_domains" in https://github.com/google/password-alert/blob/master/chrome/managed_policy_values.txt

There's a bit more on this in the deployment guide: https://docs.google.com/document/d/1bqbS6umRaNoRl2BZr4q9Q2YckmL-UHDcelkyPTy35AQ/preview

mjs510 commented 9 years ago

We're not deploying to our enterprise as a large number of our users use their own devices (we're a university). The only users with this installed would be those that choose to install it themselves, on their own devices. We therefore don't have the ability to apply policies to their installations.

At the moment this isn't a huge issue, but if Google actively promote the extension it will become something of a support headache.

semenko commented 9 years ago

Oh whoops -- I missed your actual question (sorry!). You can block installation of any extension in the admin console (if users are signed into Chrome) or via GPO.

semenko commented 9 years ago

Hm, I see. That's a tricky issue -- not sure there's a great workaround for that issue sans SSO or forced deployment.

mjs510 commented 9 years ago

Okay, thanks for confirming that. In the meantime, being able to block extensions for those that sign in to Chrome is a good tip - thanks!

On 7 May 2015 at 17:33, Nick Semenkovich notifications@github.com wrote:

> Hm, I see. That's a tricky issue -- not sure there's a great workaround for that issue sans SSO or forced deployment.

jkosslyn commented 9 years ago

Also note that your users can simply click "always ignore for this website" when they get the interstitial for the first time.

adhintz commented 9 years ago

Another option for your situation is to configure the extension using Chrome App management, but not force installation. In Chrome App management for this extension, you can probably upload the configuration with just the whitelist_top_domains value and everything else deleted. Then you could leave "Allow installation" as True and leave "Force installation" as False.

This way your users signed into Chrome with your Google Apps domain accounts would be able to install Password Alert if they want to, but would not get warnings for the sites you've configured in whitelist_top_domains.
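As an added illustration of the approach adhintz describes (not code from the Password Alert project or from anyone in this thread), below is what a trimmed managed-policy upload might look like: only the whitelist_top_domains key is kept, so users who install the extension on their own are not warned when they type their synced Google Apps password into the institution's own sites. The domains are constructed placeholders, and the `{"Value": ...}` wrapper is assumed to follow Chrome's managed-storage upload format; check it against the repository's managed_policy_values.txt before uploading, since the exact key shape must match what the extension's schema expects.

```json
{
  "whitelist_top_domains": {
    "Value": [
      "example.edu",
      "login.example.edu",
      "vpn.example.edu"
    ]
  }
}
```

With this file uploaded in Chrome App management for the extension, "Allow installation" left as True and "Force installation" as False, the policy only takes effect for users signed into Chrome with a domain account; users on unmanaged profiles still see the interstitial and must use "always ignore for this website" themselves, as jkosslyn notes above.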