How to Enforce Strict Site Isolation in Google Chrome with Configuration Profiles

In today's security landscape, protecting your organization from vulnerabilities like Spectre and Meltdown is crucial. One effective measure is enabling Strict Site Isolation in Google Chrome. This article dives into how to enforce the SitePerProcess flag, achieving robust site isolation using configuration profiles, specifically within environments managed by tools like Jamf Pro.

Understanding Strict Site Isolation

Strict Site Isolation is a security feature in Chrome that ensures websites from different origins are always put into different processes. This mitigates the risk of cross-site data leaks and enhances overall security. While Chrome offers flags to enable features, relying on these directly isn't the recommended approach for enterprise environments.

The Configuration Profile Advantage

Instead of using chrome://flags to "force" enable features, deploying a configuration profile offers a more reliable and manageable solution. As zachary_fisher pointed out in a Jamf Nation discussion, chrome://flags and chrome://policy represent different settings. Configuration profiles ensure the policy is consistently applied across your managed devices.

Creating a Configuration Profile

Here's how to create a configuration profile to enforce the SitePerProcess flag:

1. Create a PLIST File: A PLIST (Property List) file is used to define the configuration settings. Create a new file (e.g., com.google.Chrome.plist) with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SitePerProcess</key>
    <true/>
</dict>
</plist>

2. Upload to Jamf Pro: In your Jamf Pro console:

   • Navigate to Computers > Configuration Profiles.
   • Create a new Configuration Profile.
   • Under the "Custom Settings" payload, upload the com.google.Chrome.plist file.
   • Define the scope of the profile to target the desired computers.

3. Verify the Policy: After deploying the configuration profile, verify its successful application by navigating to chrome://policy in Chrome on a managed device. The SitePerProcess policy should be listed as enabled.

Addressing Common Issues

Several users in the Jamf Nation forum encountered challenges initially:

• UI Misleading: The Chrome UI might not immediately reflect the managed setting. As mrowell mentioned, the UI might report that Strict Site Isolation is not enabled, even when the policy is active.
• Testing is Key: Before widespread deployment, thoroughly test the configuration on a subset of machines.

Verifying Site Isolation

Google provides a dedicated test site to confirm if Strict Site Isolation is working correctly:

• Google's Verification Steps: Follow the steps outlined on Google's support page to verify site isolation.

Why This Matters

Enforcing Strict Site Isolation is a proactive security measure that significantly reduces the attack surface of your Chrome deployments. By utilizing configuration profiles through systems like Jamf Pro, organizations can ensure consistent and reliable application of this critical security policy. Securing your Apple environment with Jamf's endpoint protection capabilities is essential in today's threat landscape. Consider exploring Jamf's other security solutions to create a comprehensive security posture.