Implementing Strict Site Isolation in Google Chrome with Configuration Profiles

In today's digital landscape, security is paramount. One crucial aspect of web browser security is site isolation, which prevents malicious websites from accessing data from other sites. Google Chrome offers a feature called "Strict Site Isolation," also known as "SitePerProcess," to enhance security. This article delves into how to enable this feature using configuration profiles, specifically within a managed environment like Jamf Pro.

Understanding Site Isolation

Site isolation is a security mechanism that isolates websites into separate processes. This prevents a compromised website from accessing sensitive data from other websites open in the same browser session. The "SitePerProcess" flag in Chrome enforces this strict isolation.

The Challenge: Enabling SitePerProcess

Enabling SitePerProcess can be tricky. While Chrome offers a chrome://flags interface to "force" enable features, relying on this method for enterprise deployments is not recommended. These flags are primarily for experimental features and may change or disappear without notice.

The Solution: Configuration Profiles

The recommended approach for enabling Strict Site Isolation in a managed environment is through configuration profiles. These profiles allow administrators to enforce settings consistently across multiple devices.

Here's how to do it:

1. Create a Configuration Profile: In your management system (e.g., Jamf Pro), create a new configuration profile.
2. Custom Settings Payload: Add a Custom Settings payload to the profile. This payload allows you to deploy custom preference settings for applications like Google Chrome.
3. Upload the Chrome Plist: Upload a Property List (.plist) file containing the necessary configuration for the SitePerProcess flag.

Example Plist Content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SitePerProcess</key>
    <true/>
</dict>
</plist>

This .plist file sets the SitePerProcess key to true, enabling Strict Site Isolation.

4. Scope the Profile: Define the scope of the configuration profile to target the specific devices or users that require this setting.
5. Deploy the Profile: Deploy the configuration profile to the targeted devices.

Verification

After deploying the configuration profile, it's essential to verify that the SitePerProcess policy is enabled. Do not rely on chrome://flags for verification, as it might not accurately reflect the managed policy state.

Instead, use chrome://policy to confirm the policy's status. This page displays all active Chrome policies, including those enforced through configuration profiles.

Additionally, Google provides a test website to verify if Strict Site Isolation is working correctly: https://support.google.com/chrome/a/answer/7581529.

Important Considerations

• Chrome Version: Ensure you are using a recent version of Google Chrome (63.x or later) that supports the SitePerProcess policy.
• User vs. Computer Level: Test the configuration profile at both the user and computer levels to determine the appropriate scope for your environment.
• Documentation: Always refer to the official Chromium policy list (http://www.chromium.org/administrators/policy-list-3#SitePerProcess) for the most up-to-date information on available policies and their expected behavior.

Why Configuration Profiles are Preferred

• Centralized Management: Configuration profiles allow administrators to manage Chrome settings from a central location, ensuring consistent configurations across all managed devices. This is especially important in enterprise environments where standardization is key.
• Immutability: Once a configuration profile is deployed, the settings it enforces become immutable to end-users. This prevents users from accidentally disabling critical security features.
• Best Practice: As stated by Google, configuration profiles are the recommended method to enable site isolation features over command-line flags.

Conclusion

By leveraging configuration profiles, administrators can effectively enable Strict Site Isolation in Google Chrome, enhancing the security posture of their managed environments. Remember to verify the policy status using chrome://policy and explore Google's test site to ensure the feature is functioning as expected. This approach provides a robust and manageable solution for protecting against potential security threats.