Endpoint security with Chrome Enterprise and Jamf
Learn about how Chrome Enterprise and Jamf can work together to create a new endpoint security standard.
Every day, more organizations are moving from their legacy clients toward an SaaS environment or a cloud environment. They are accessing their applications through a web browser. This is turning web browsers into important endpoint security tools.
In fact, Gartner has released a report on the future of enterprise browsers that says, in part: “By 2030, enterprise browsers will be the core platform for delivering workforce productivity and security software on managed and unmanaged devices for a seamless hybrid work experience.”
Alex Bauer, Deployment Success Engineer for Chrome Enterprise Premium, led attendees to his JNUC session through an exploration of how Chrome is functioning more and more as a productivity and security tool, and how Apple admins can use Jamf Pro and Chrome Enterprise to improve productivity and endpoint security.
Bad agents are busier than ever.
Phishing and malware extensions become risky overnight and even more aggressive with the data they capture from end-user devices. Unfortunately, the way some employees use Chrome might contribute to the problem. Some sign up with their personal Gmail accounts, sync up their passwords and their history, and then not only get hacked themselves, but open the door for their company networks to become compromised, as well.
The problem? Not enough data.
Part of the issue is a lack of visibility into extensions in end-user environments. What data is available to hackers from end-user browsing history or phished from a user profile?
Until recently, it wasn’t possible to see this information. Now, Chrome offers secure browsing.
Since Jamf has joined the Beyond Corporate Enterprise Consortium, it has been able to work more closely with Google so that the two organizations can offer a premier experience for managed devices answering these questions.
The answer: Chrome Enterprise Core.
Chrome Enterprise Core allows IT to enroll browsers and then configure and manage:
- Browser policies
- Settings and controls
- Apps
- Extensions
This service allows IT admins to support multiple OS devices from a single console, offering a cohesive browser experience for users regardless of OS. Admins configure one set of policies and deploy them to all enrolled browsers.
Chrome Enterprise Core also makes it easy for IT to control extensions, and allows for increased visibility. Admins can see:
- Extension name
- Risk score
- What data the extension collects
These developments have made it possible for admins to expand the functionality of Chrome. In the browser, natively, Chrome Enterprise Core offers:
- DLP controls
- Context or access controls
- VPN-less access to all applications
Chrome Enterprise Premium
Chrome Enterprise Premium offers even more. With the DLP integration/ functionality, admins can:
- Analyze all copy, print, upload and download actions in the browser
- Analyze real-time data to protect private information
- Investigate anything that is PII for a company
Each organization defines these rules according to their needs, blocking or auditing whatever information they would like from extensions that might cause trouble.
This includes:
- Social Security numbers
- Credit card numbers
- Account numbers
- Health record IDs
When an admin detects extensions or apps that use these type of datas, they can set up actions based on each type such as:
- Blocking or auditing traffic
- Putting a watermark on them
- Serving notifications to users using information in a risky manner how to make better choices
- Filtering based on individual URLs or on categories such as gambling sites or sites that contain certain keywords
Real-time malware and phishing protection
With Chrome Enterprise Premium, any time a user uploads or downloads a file, the browser will intercept and sandbox that file. Then, Chrome analyzes it with its total virus solution: an aggregate of about 30 different security tools. Only then, when Chrome has ensured that the upload or download isn’t malicious, will the file continue its upload or download.
All of the PII documents end users were trying to download or upload can be now securely stored in an "evidence locker."
This allows a security admin to look into what the user was doing and what kind of data they were attempting to upload, download or print. This allows for greater information on user behavior, which can assist IT in determining what training or discussion the user needs or the general employee pool needs to keep data secure.
Chrome Enterprise Premium can also review over 30 different device signals and use them in conjunction with end-user identities to gate risky applications or control which user or group of users can access those applications. And, when integrated with various security providers, Chrome can offer even more security.
How Jamf and Chrome work together
Jamf and Chrome go hand-in-hand to increase browser security for end users.
The process:
- An admin enrolls devices with a Jamf MDM such as Jamf Pro.
- Jamf then sends a device record back to the Google admin console.
- Jamf deploys the Chrome browser with an enrollment token that brings it into management.
- This activates Chrome Enterprise Premium on the browser.
- Chrome collects details from the device itself.
- Jamf and Chrome aggregate their information to inform security decisions such as what to gate and how to prevent data loss.
Chrome can then see whether the device is Jamf-managed, whether it is compliant based on the rules set by the admin’s organization, whether it is compromised and more.
Chrome Enterprise Core offers many reports, such as:
- All extensions used in the Chrome environment
- Which extensions are ready for Manifest V3
- The extensions’ risk scores
Blocking contagion between corporate and personal data
One of the ways an end user can accidentally (or maliciously) compromise data is by attempting to copy information from their corporate email to their personal Gmail.
Chrome Enterprise can block the ability to copy or print this information to a personal Google account. This forces the user to use better security protocols and also prevents organizational data leakage.
Chrome Enterprise has similar integrations with ID providers such as Okta, Salesforce, and Ping to protect data leakage based on user ID and ensure control of a work profile without impacting personal profiles.
SaaS applications
SaaS applications in the cloud can also be managed through Chrome Core. Admins can access their applications and add conditional access policies to them.
Google Enterprise Premium also offers:
- CEP web access through App Connector
- Access to a global load balancer with an identity or a proxy that is enabled
- IPsec tunneling
- Reverse proxy
- Forward proxy
Bauer also ran through demos of most of these processes, with in-depth discussion of the architecture of Chrome Enterprise Premium as it interacts with partners; this presentation is well-worth reviewing when it becomes available.
Visit the Jamf blog for JNUC updates, session recaps and more!