Clean Chromebook Admin Controls

Summary

Workflow

Index

Settings Progress

Cost Calculator

Threat Summary

Mitigation Summary

User Mitigation Relationships

Requirements Summary

Device Mitigation Relationships

Threat Context

Assumptions List

Requirements List

Mitigation List

Threat List

Mitigation Process Considerations

Threat Context Comments

Threat Relationships

Information Stores

Threat to Info-Store Mapping

User Settings

Device Settings

User Settings - Comments

Device Settings - Comments

Public Session Settings

Settings - Mitigation

Settings - Threat

FAQ

Settings - Requirements

Glossary

Sources

TODO List


1
2	Welcome!
3	This content is provided for general informational and educational purposes only and are not a substitute for security advice or legal advice. The information available in these documents are made in good faith, without verifying their accuracy, utility or security validity, and should not be relied upon as the sole basis for making decisions. This was a personal project done in my free time and has, and will continue to have, gaps in its assessment based upon my level of interest in digging into those topics.
4	Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 International license.
5
6
7	Administering Chromebooks
8	Administering Chromebooks
9	For team's traveling to complex and hostile environments
10
11	What is this?
12
13	If you are traveling to hostile or complex environments the phrase "use a chromebook" has become the "use signal, use tor" of border crossing device security. Nearly all of the individuals who work in these environments knows that, as with everything, "it's more complex than that." I decided to document and share my exploration of the various options for configuring and administering Chromebooks for globally distributed team's operating in a range of complex and hostile environments.
14
15	This project started as my chromebook setup and configuration notes. Those notes then became this set of spreadsheets for a few reasons:
16
17	1.	It took a lot of time to consider each option and I wanted to save my colleagues from having to do their own setups from scratch.
18
19
20	2.	There are more than a few narrative summaries out there of Chrome security. But, didn't seem to be any source to look at the security implications for each specific configuration option.
21
22	3.	I have concerns about mitigation’s that promote the use of fake user accounts to fool border official who force travelers to login to their devices and online services. But, I had not put together any public analysis of an alternative. I used this project as an opportunity to explore an alternative mitigation.
23		See the Proof of Inaccess mitigation for more information.
24
25	4.	I wanted a chance to explore different methods for supporting risk management documentation using Google Sheets.
26
27	5.	It was fun! I like taxonomies. Deal with it.
28
29
30	Where do I Start?
31
32	The Index has suggestions for various ways to explore this project.
33
34	The Workflow page shows how to use this project to inform a Chromebook program.
35
36
37	What's the Project's Progress
38
39	Currently Explored Settings					Settings Not Explored
40			Total	Done	ToDo.		Planned?
41	Settings Page		338	288	50	Settings Page	2
42	User Settings		238	203	35	App Management	✔
43	Device settings		100	85	15	Mobile Device Management
44	Android Application Settings		9	5	4	Chromebooks and VPNs	✔
45	Public session settings		109	0	109	Manage Using Active Directory
46
47
48
49
50
51
52


1
2
3
4	Workflow
5	Workflow
6	How to use this project to inform your Chromebook program.
7
8	Prepare, Deploy, Contribute back....
9
10	Preparation					Supported By
11	Sections of this project that can help you as you evaluate and design a chromebook based travel program.
12
13		Needs Assessment	●		●	Cost Calculator
14		Does this fit your teams operational requirements?	●	●	●	Requirements List
15			●	●		Information Stores
16			●	●	●	Assumptions List
17		Risk Assessment	●	●	●	Mitigation List
18		Does this match the risk profile of your team?	●	●	●	Mitigation Process Considerations
19			●	●	●	Sources
20				●	●	Threat Context
21		Program Design		●	●	Threat List
22		Designing your teams chromebook travel program.		●	●	Threat Relationships
23
24
25	Deployment					Supported By
26	Sections of this project that can help you as you deploy your chromebook based travel program.
27
28		Device Configuration	●			Device Settings Overview
29		Configuring youir travel chromebook policies.	●	●	●	Device Settings Comments
30					●	User Settings Overview
31			●	●	●	User Settings Comments
32		G Suite Sub-Organization Configuration	●	●	●	Threat List
33		Configuring your travel Sub-Organization policies.	●	●	●	Threat Context
34			●	●	●	Threat Relationships
35			●	●	●	Requirements List
36		Account Configuration	●	●	●	Assumptions List
37		Configuring your travel account policies.	●	●	●	Mitigation List
38			●	●	●	Mitigation Process Considerations
39			●	●	●	Information Stores
40			●	●	●	Sources
41			●	●	●	Glossary
42
43	Contribute					Check Out
44	How you can contribute to this project.
45
46		Contribute Knoweledge			●	@SeamusTuohy
47		Add, correct, or update content to the project		●		TODO List
48			●	●		Sources
49						Contextual
50		Contribute Time	●			Requirements List
51		Help fix known issues and add desired enhancements	●			Assumptions List
52			●			Mitigation List
53			●			Mitigation Process Considerations
54		Contribute Comments	●			Threat List
55		Send comments, critiques, or thanks to me on twitter	●			Threat Relationships
56			●			Threat Context
57			●			Threat ⮕ Information Store
58			●			Information Stores
59						Technical
60			●			Device Settings Overview
61			●			User Settings Overview
62			●	●		Public Session Settings Overview
63			●	●		Glossary


1
2
3							Key
4							Symbol	Sheet Color
5							✎	●	Summary Information
6	Index						🔍	●	In-Depth Information
7							❓	●	Help & Meta-Data
8							👓	●	Raw Data
9							☐		Section In Progress
10
11	Settings Menus
12
13	☒	Settings Overview			☒	User Settings
14		This page shows the current coverage of the project for each settings menu.				Can be used to enforce settings and policies on your organization’s users, regardless of which Chrome device they’re using. For example, an IT administrator can pre-install apps for specific users, enforce Safe Browsing, set up Single Sign-On (SSO), block specific plugins, blacklist specific URLs, manage bookmarks, and apply dozens of other settings to users across your organization. It does not require Chromebook device licenses.
15		The G Suite main settings index can be found here.				The G Suite User Settings menu can be found here.
16
17	✎	☒ Overview			🔍	☒ Overview		🔍	☒ Comments
18
19
20	☒	Device Settings			☐	Public Session Settings
21		Can be used to enforce settings and policies on your organization's managed Chrome devices regardless of who signs in. For example, you can restrict sign-in to specific users, block guest mode, and configure auto-update settings. It requires licenses for every managed device.				Can be used to set up settings for shared devices in your domain. Public Sessions allows multiple users to share the same Chrome device without the need to sign in or authenticate. You can enforce settings, such as logging the user out after a specific amount of time or even launching the device as a Single App Kiosk. This option requires licenses for every managed device.
22		The G Suite Device Settings menu can be found here.				The G Suite Public Session Settings menu can be found here.
23
24	🔍	☒ Overview	🔍	☒ Comments	🔍	☐ Overview		🔍	☐ Comments
25
26
27	☐	App Management
28		This settings menu allows an administrator to manage team's settings on Chrome browsers and Chrome devices. The actual management of these apps occurs in user settings, but I am separating it out into a separate category for ease of reading. It does not require Chromebook device licenses.
29
30	🔍	☐ Overview	🔍	☐ Comments
31
32
33	Context & Response
34
35	☐	Assumptions			☒	Costs
36		This page explores some of the assumptions that were used to constrain the scope of this project.				This page includes a cost calculator for GSuite accounts & Device licenses for different setups.
37
38	🔍	☒ Assumptions List			✎	☒ Costs
39
40
41	☐	Threats			☐	Mitigations
42		These pages explore the rough set of threats that came up while I was conducting this research. I'm actively avoiding anything close to an exhaustive threat taxonomy to avoid getting distracted. So, there are huge holes here. And, I'm fine with that.				These pages explore a variety of possible mitigations that have a direct relevance to the chromebook configurations and this project. The mitigations that are included in this project do not describe a complete digital security program for a team. Nor are they aprropriate for every possible team.
43
44	✎	☒ Summary			✎	☒ Summary
45
46
47	🔍	☒ Threat List			🔍	☒ Mitigation List
48
49
50	✎	☒ Threat Context			👓	☐ Mitigation Process Considerations
51
52
53	👓	☐ Threat Context Comments			✎	☒ User Setting ⮕ Mitigation (Summary)
54
55
56	👓	☐ Threat Relationships			✎	☒ Device Setting ⮕ Mitigation (Summary)
57
58
59	👓	☐ Information Stores			👓	☐ Setting ⮕ Mitigation
60
61
62	👓	☐ Setting ⮕ Threat
63
64
65	👓	☐ Threat ⮕ Information Store
66
67
68	☐	Requirements
69		These pages explore the requirements I set to constrain the scope of this project.
70
71	✎	☒ Summary
72
73
74	🔍	☐ Requirements List
75
76
77	👓	☐ Setting ⮕ Requirements
78
79
80	MetaData
81
82	☐	Glossary			☐	Sources
83		This is just a glossary of terms found in this document.				This is a collection of various higher-level references and sources used in this project.
84
85	❓	☐ Glossary			❓	☐ Sources
86
87
88	∞	TODO List
89		This is an ongoing personal project. This page explores the various tasks that I want to complete, the various unaddressed issues I have with the format.
90
91	❓	∞ TODO List
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108


1	< Index

2
3		Settings Progress
4		Settings Progress
5		Sorted by configuration menu
6
7
8		User Setting Evaluation Status				Device Setting Evaluation Status
9			Done	ToDo	# N/A		Done	ToDo	# N/A
10		Settings Section	204	41	20	Settings Section	85	18	41
11		Mobile	1	1	1	Enrollment & Access	11	1	2
12		General	4	1	1	Sign-in Settings	20	1	1
13		Enrollment Controls	6	1	1	Device Update Settings	10	1	1
14		Apps and Extensions	13	1	1	Kiosk Settings	19	6	19
15		Chrome Web Store	6	3	1	User & Device Reporting	11	1	2
16		Android applications	5	4	1	Power & Shutdown	5	1	1
17		Security	28	9	1	Other	9	7	2
18		Session Settings	2	1	1
19		Network	8	5	1
20		Startup	7	1	1	Device Setting Evaluation Status
21		Content	65	1	1		Done	ToDo	# N/A
22		Printing	8	9	2	Settings Section	7	70	8
23		User Experience	29	0	2	General	1	6	1
24		Omnibox Search Provider	5	1	1	Apps and Extensions	1	5	1
25		Hardware	11	1	2	Security	1	9	1
26		Verified Access	2	1	1	Network	1	10	1
27		User Verification	4	1	1	Startup	1	8	1
28						Content	1	21	1
29						Printing	1	11	1
30						User Experience	1	18	1
31						Omnibox Search Provider
32						Hardware


1	< Index

2
3		Costs Calculator
4		Costs Calculator
5
6
7		Basic Pricing
8
9		G - Suite						Chrome licenses			Required for Device Settings
10		Type	Cost	Billed	per			Type	Cost	Billed	per
11		Basic	$5	Monthly	Account			License	$50	Yearly	License/Device
12		Business	$10	Monthly	Account
13		Enterprise	$26	Monthly	Account
14
15
16		Team Cost Calculator
17
18					Choose Account Type Here						How many team member's share 1 device
19		Account Costs with a			Business		Account. And, 1 Device per/				2	team member's
20					User Only		User + Device
21		traveler's / Month		Total devices	Monthly	Yearly	Monthly	Yearly
22			1	1	$10	$120	$14	$170
23			2	1	$20	$240	$24	$290
24			3	2	$30	$360	$38	$460
25			4	2	$40	$480	$48	$580
26			5	3	$50	$600	$62	$750
27			6	3	$60	$720	$72	$870
28			7	4	$70	$840	$86	$1,040
29			8	4	$80	$960	$96	$1,160
30			9	5	$90	$1,080	$110	$1,330
31			10	5	$100	$1,200	$120	$1,450
32			11	6	$110	$1,320	$134	$1,620
33			12	6	$120	$1,440	$144	$1,740
34			13	7	$130	$1,560	$158	$1,910
35			14	7	$140	$1,680	$168	$2,030
36			15	8	$150	$1,800	$182	$2,200
37
38


1	< Index

2
3		Threats / Chrome Setting
4		Threats / Chrome Setting
5		Interactions between settings and threats
6
7
8
9
10
11		User Settings					Device Settings
12			Impact ↥	Impact ↧	Likelihood ↥	Likelihood ↧		Impact ↥	Impact ↧	Likelihood ↥	Likelihood ↧
13		Threat Category	9	9	9	9	Threat Category	9	9	9	9
14		Confiscation	1	1	1	1	Confiscation	1	1	1	1
15		Detained	1	1	1	1	Detained	1	1	1	1
16		Forced Exposure	1	1	1	1	Forced Exposure	1	1	1	1
17		Legal	1	1	1	1	Legal	1	1	1	1
18		Login Forced	1	1	1	1	Login Forced	1	1	1	1
19		Obstruction	1	1	1	1	Obstruction	1	1	1	1
20		Surveillance	1	1	1	1	Surveillance	1	1	1	1
21		Deception	1	1	1	1	Deception	1	1	1	1
22		Insider Threat	1	1	1	1	Insider Threat	1	1	1	1
23
24
25


1	< Index

2
3		Mitigations / Chrome Setting
4		Mitigations / Chrome Setting
5		Interactions between settings and mitigations
6
7
8		User Settings					Device Settings
9			Both	Inhibits	Requires	Supports		Both	Inhibits	Requires	Supports
10		Mitigation	0	0	0	0	Mitigation	0	0	0	0
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49


1	< Index

2
3		Relationships between user settings and Mitigations
4		Relationships between user settings and Mitigations
5		How different categories in the user settings menu "inhibit", "support", and/or "require" specific mitigations
6
7		How are relationship calculated?
8
9		These charts show the number of times a specific mitigation (rows) is referenced by a user settings category (columns).
10
11
12
13		Settings that Inhibit Mitigations
14
15			Android applications	Apps and Extensions	Chrome Web Store	Content	Enrollment Controls	General	Hardware	Network	Security	Session Settings	Startup	User Experience	User Verification	Verified Access
16		Account Monitoring and Control					1
17		Appropriate Organizational Identifiers			2
18		Boundary Defense												2
19		Chrome Remote Desktop													1
20		Cohesive Security Tool Adoption	3
21		Controlled Access Based On Need to Know					1
22		Emergency Communication Practices														1
23		Encrypted External Storage devices							2
24		Encrypted online archive													1
25		External Enterprise Mobility Management Tool		1
26		In-Country Device Swapping				1			1							1
27		In-country alternative working software identification	2							2
28		Inventory of Authorized and Unauthorized Software	1	1	2
29		Inventory of Authorized and Unauthorized devices					2								1
30		Maintenance, Monitoring, and Analysis of Audit Logs												1
31		Multi-Factor Authentication						1
32		Private Apps			1
33		Proof Of Inaccess											1	4
34		Secure Traffic Tunneling								1				2	1
35		Security Awareness and Training									6	1
36		Traveler Sub-Organization(s)								2
37
38
39
40
41
42		Settings that Support Mitigations
43
44			Android applications	Apps and Extensions	Chrome Web Store	Content	Enrollment Controls	General	Hardware	Network	Security	Session Settings	Startup	User Experience	User Verification	Verified Access
45		Account Monitoring and Control				1
46		Appropriate Organizational Identifiers			2
47		Blacklist(s)	1
48		Chrome Remote Desktop		1	1										1	1
49		Cohesive Security Tool Adoption	1	1	2
50		Controlled Access Based On Need to Know					1
51		Device Wiping				1					3
52		Encrypted External Storage devices							2
53		Encrypted online archive													1	1
54		External Enterprise Mobility Management Tool		1							1
55		In-Country Device Swapping					1		2
56		In-country alternative working software identification	2
57		Inventory of Authorized and Unauthorized Software	2		1
58		Inventory of Authorized and Unauthorized devices					2								1	1
59		Multi-Factor Authentication						1
60		Proof Of Inaccess			1	1		2					3	3
61		Remote Access Management		1	1						1
62		Secure Traffic Tunneling								2					1	1
63		Security Awareness and Training		1							1	1
64		Whitelist(s)	1			1
65
66
67
68
69
70
71		Settings that Require Mitigations
72
73			Android applications	Apps and Extensions	Chrome Web Store	Content	Enrollment Controls	General	Hardware	Network	Omnibox Search Provider	Printing	Security	Startup	User Experience
74		Account Monitoring and Control					1
75		Appropriate Organizational Identifiers													1
76		Blacklist(s)		1		6
77		Custom Chrome Web Store Homepage			3
78		Desktop Virtualization											1
79		Enrollment Contact Policies					1
80		Inventory of Authorized and Unauthorized Software	1	8	1
81		Multi-Factor Authentication				1
82		Needs Assessment (Apps)	1	1		7						3			4
83		Private Apps			1
84		Proof Of Inaccess											1
85		Security Awareness and Training	3		2	15		1		1	2	1	8	3	9
86		Traveler Sub-Organization(s)											1
87		Webcam cover							1
88		Whitelist(s)		8		5
89
90
91
92
93
94
95
96
97
98
99


1	< Index

2
3		Requirements / Chrome Setting
4		Requirements / Chrome Setting
5		Interactions between settings and requirements
6
7
8		User Settings					Device Settings
9			Both	Inhibits	Requires	Supports		Both	Inhibits	Requires	Supports
10		Mitigation	0	0	0	0	Mitigation	0	0	0	0
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49


1	< Index

2
3		Relationships between Device Settings and Mitigations
4
5		How different categories in the Device Settings menu "inhibit", "support", and/or "require" specific mitigations
6
7		How are relationship calculated?
8
9		These charts show the number of times a specific mitigation (rows) is referenced by a Device Settings category (columns).
10
11
12
13		Settings that Inhibit Mitigations
14
15			Device Update Settings	Enrollment & Access	Other	Sign-in Settings	User & Device Reporting
16		Account Monitoring and Control				1
17		App Pinning				1
18		Appropriate Organizational Identifiers		1		6
19		Chrome Remote Desktop		1		1
20		Cohesive Security Tool Adoption				3
21		Custom Chrome Web Store Homepage				1
22		Desktop Virtualization				1
23		Emergency Communication Practices		1
24		Encrypted online archive		1
25		In-Country Device Swapping		1
26		Inventory of Authorized and Unauthorized devices	1	1			1
27		Private Apps				1
28		Project Specific GSuite Accounts				1
29		Proof Of Inaccess				4
30		Secure Traffic Tunneling		1	1	2
31		Temporary G Suite Accounts				1
32		Traveler Sub-Organization(s)		1		2
33		Whitelist(s)				1
34
35
36
37
38		Settings that Support Mitigations
39
40			Chrome Web Store	Device Update Settings	Enrollment & Access	Other	Power & Shutdown	Sign-in Settings	User & Device Reporting
41		Account Monitoring and Control						5	1
42		Appropriate Organizational Identifiers			1			6
43		Chrome Remote Desktop			2	1
44		Crisis Identification							4
45		Desktop Virtualization				1
46		Device Wiping				1	2	2
47		Encrypted online archive			2
48		In-country alternative working software identification						1
49		Inventory of Authorized and Unauthorized devices		1	3				2
50		Multi-Factor Authentication						1
51		Needs Assessment (Apps)							1
52		Proof Of Inaccess			1			5
53		Secure Traffic Tunneling			2	1
54		Traveler Sub-Organization(s)			1
55		Whitelist(s)	1
56
57
58
59
60
61
62
63		Settings that Require Mitigations
64
65			Device Update Settings	Enrollment & Access	Other	Power & Shutdown	Sign-in Settings	User & Device Reporting
66		In-country alternative working software identification	1
67		Security Awareness and Training		1	2	2	2	1
68		Traveler Sub-Organization(s)					2
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86


1	< Index			Relevant Threat Context
2	Category	Threat	Directly Targets / Impacts	Pre	Incoming	In-Country	Outgoing	Post

3	Confiscation	Targeted Workplace Raids				X
4	Confiscation	In-Transit Robbery & Theft			X	X	X
5	Confiscation	Hotel Robbery & Theft				X
6	Detained	Traveler Detained	Traveler		X	X	X
7	Confiscation	Device Confiscation	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder; Physical Notes / Documents; Social Media; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services		X	X	X
8	Forced Exposure	Decryption Forced (Device)			X	X	X
9	Forced Exposure	Decryption Forced (Service)			X	X	X
10	Forced Exposure	Usernames Exposed	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups		X	X	X
11	Forced Exposure	Forced Disclosure of Travel Information			X	X	X
12	Legal	Encryption Regulated	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups			X		X
13	Legal	Circumvention Tech Regulated		X	X	X
14	Legal	Encrypted Comms Regulated	Email; Social Media; Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups	X	X	X
15	Legal	In-Country Activities Regulated		X		X
16	Legal	In-Country Partners Targeted		X		X
17	Legal	Traveler/Partner Association Regulated			X	X	X
18	Legal	Traveler Mislead/Lie to Border Officials			X		X
19	Legal	Traveler Perceived to be Misleading/Lying to Border Officials			X		X
20	Legal	Topical/Information Censorship			X	X	X
21	Login Forced	Login Forced (Service)	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Travel PGP Key; Primary PGP Key		X	X	X
22	Login Forced	Login Forced (Device)	Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Local volume (USB/SD/Device); Travel Laptop (Chromebook); Physical Notes / Documents; Identity Cards (Passports); Camera; Video Recorder		X	X	X
23	Obstruction	Destruction (Device)			X	X	X
24	Obstruction	Application/Protocol Blocking		X	X	X	X
25	Obstruction	Endpoint/Route Disabling	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups	X	X	X	X
26	Obstruction	App Store App Blocking/Restriction			X	X	X
27	Obstruction	Full Internet Shutdown	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email	X		X
28	Obstruction	Satellite Comms Jamming				X
29	Obstruction	Mobile Data Shutdown	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email			X
30	Obstruction	Full Mobile Shutdown	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email			X
31	Obstruction	Power Outage	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email; Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder			X
32	Obstruction	Intermittent Connectivity	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email			X
33	Obstruction	Lacking/Intermittent Access to Broadband	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email			X
34	Obstruction	Limited/Throttled Connectivity	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email			X
35	Surveillance	In-Country Partners / Contacts Accounts and/or devices	Email; Social Media	X	X	X	X
36	Surveillance	Physical Stalking	Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Local volume (USB/SD/Device); Travel Laptop (Chromebook); Physical Notes / Documents; Identity Cards (Passports); Camera; Video Recorder			X
37	Surveillance	Passive Mobile Location Surveillance				X
38	Surveillance	Passive Internet Surveillance		X		X
39	Surveillance	Passive Mobile Data Surveillance		X		X
40	Surveillance	Passive Mobile Comms Surveillance		X		X
41	Surveillance	Data requests from online services			X	X	X	X
42	Surveillance	Passive Social Media Surveillance		X	X	X	X	X
43	Surveillance	Compromised Account		X	X	X	X	X
44	Surveillance	Compromised Device		X	X	X	X	X
45	Deception	Phishing		X	X	X	X	X
46	Deception	Pharming			X	X	X
47	Deception	Principal Spoof	Email; Social Media	X	X	X	X	X
48	Deception	Spoofed Access Point	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email		X	X	X
49	Deception	Certificate Spoofing			X	X	X
50	Insider Threat	Traveler Circumvent Mitigations		X	X	X	X	X
51
52
53
54
55
56
57
58
59


1	< Index
2	Title	Assumption

3	In-Country Access to Sensitive Information	Some team member's will need access to some sensitive data while they are in country.
4	What is Sensitive Changes	What constitutes sensitive data will change depending upon the traveler, the destination(s), who they are interacting with during their trip, the current political and/or social context in the region, and the type of work being conducted.
5	Forced Device Decryption will Occur	Team member's may be required to decrypt, and provide border officials access to, devices when crossing some borders.
6	Forced Access to Social Media Accounts will Occur	Team member's may be required to log into, and provide border officials access to, major social media accounts when crossing some borders.
7	Forced Email Access will Occur	Team member's may be required to log into, and provide border officials access to, email accounts when crossing some borders.
8	The risk of being caught in a lie is unacceptably high	The risks associated with unsuccessfully lying to border officials about not having access to social media accounts and/or getting caught when using "fake" social media accounts have impacts that are unacceptably high. Even the inaccurate perception of this by border officials can have the same impact as it being true.
9	Fake accounts are too much work for rarely working	The effort required to produce "fake" social media accounts that can withstand moderate scrutiny is far more than the effort required for ongoing sanitation and pre-travel preparation of a social media account.
10	Technical resources are limited	Technical support is limited and the people who provide that support will be overworked. I work in civil society. This document was written with average civil society capacity in mind.
11	Time for pre-trip preparation will be limited	Travelers will often not have much advanced notice before they travel. When they do, they will often forget to notify administrators until mere days before they leave.
12	traveler's will be tired and stressed	Travelers will be under increased levels of stress and fatigue while traveling.
13	traveler's will do what they must to get the work done	Team member's will circumvent security measures that disrupt their workflows. Their interest in "getting work done" will cause them to fail at, or disregard, overly onerous or complex practices if they interfere with them accomplishing their intended tasks.
14	Team member's won't use controls that seem arbitrary	Team member's will circumvent security measures that seem arbitrary.
15	Some team member's will have increased security and/or privacy requirements than what is provided	Some travelers will have their own increased requirements for privacy and/or security and their own tactics and technologies in place for implementing them. The tactics and technologies put in place under this process should aim to support these team member practices to the greatest extent possible with consideration given to the level of effort required to implement compatable tactics and technologies and the overall security impacts of providing the flexability required to accomidate them.
16	Sensitive information will be created in-country	Some team member's will create new sensitive information while they are in country that they will need after they have left the country.
17	Travelers will be traveling globally	Travelers will be traveling across borders between different countries.
18	Some sensitive contacts will be less secure than we want	Some (many) of the travelers in-country contacts will be unwilling/unable to use communication tools and techniques requested by the traveler.
19	Comprehensive adoption of moderately secure baselines is better than inconsistent adoption of very secure practices	Not knowing what your risk profile looks like means that you can't appropriately assess the risk that a user is taking when they travel.
20	All content in this project will be considered with respect to seperate phycological and physical security risk assessments	This project does not cover the threats and mitigations related to physical and/or psycological assaults. (i.e. Harassment, Threats (not including death threats), Death threats, Restriction on travel, Denial of right of return, Extortion, Murder, Injury, Abduction, Arrest or detention, or Torture) This project should not be taken as a complete threat assessment for complex and/or hostile environments. The threats that are explored that have serious associated physical and/or psycological risk (i.e. detention) do not attempt to explore the associated physical and/or psycological dimensions beyond their impact on the digital risks.


1	< Index
2	Title	Short Requirement	Comments	Sources

3	Civilian team's	Travelers are not expected to resist coercion and/or physical violence in the protection of sensitive information when traveling.
4	Multi-Environment Trips	System needs to be able to support travelers moving between different countries with varying threat profiles (low-risk -> high risk) in the same trip.
5	In-Country Access to Sensitive Information	traveler's need to be able to access sensitive information while they are in country.
6	In-Country Access to Sensitive Contacts	traveler's need to be able to access the contact information of sensitive contact while they are in country.
7	In-Country Communication with Sensitive Contacts	traveler's need to be able to communicate with sensitive contact while they are in country.
8	Communication with Uncooperative Sensitive Contacts	traveler's need to be able to communicate with sensitive contacts who are unwilling to use the communications tools we put in place.	Some (many) of the travelers in-country contacts will be unwilling/unable to use communication tools and techniques requested by traveler. traveler's need to be able to communicate with sensitive contacts who are unwilling to use the communications tools we put in place.
9	Traveler manages their own identity	The security practices must not force association with the team/organization onto the Traveler when they are travling.	The Traveler must be able to manage their own identity when they are travling. I will not attempt to cover practices for obsfucating the association of the individual with the team/org that is setting up the services, but I will include places where association can be forced and how to minimize it. In hostile and/or complex environments your team is going to be far more aware of their immediate needs than the administrator // security team was when they set up the systems. Comprehensive obsfucation would require a variety of other interventions and a separate obsfucated organization account. It can be done, but is out of scope for this project.
10	Allow for Greater Security	The mandated security practices should provide a secure baseline for your traveler's. It should not limit their ability to attain greater security.	When mitigations support other ends (i.e. privacy or other non-travel related risks) we should default to allowing the team member to choose to be more secure, but not force them one way or another. For these options, we should make sure that we have conducted proper security awareness training and have easy to digest information available to those team member's to guide them in understanding what about these choices may impact their risk model.
11	Only a traveler's Security System	The security practices should only attempt to create a travel device; never a permanent solution.	The temporal nature of these devices makes them less likely to be the device that a team member installs malicious extensions on, and we will be reviewing the applications and extensions that team member's wish to load on their devices. permanent devices have completely different needs and no attempt will be made to make a permanent solution. This means that some controls that would provide stronger security at a large usability cost can be left unimplemented because their likelihood of occurring is rather low on ephemeral devices. For more permanent chromebook implementations some of these options would need to be reconsidered.
12	Only the managed device will access secure information	A Traveler must be able to accomplish their task with only managed devices able to access secure information.	Challenges of additional devices [discuss the problems with team member's having to bring additional devices along]
13	Security must not make the traveler ineffective	Baseline security must be focused on allowing the Traveler to accomplish their work. If they can't accomplish their work either the security is wrong or they should never have traveled in the first place.	There are many individuals in the digital security space who are providing general digital security guidance right now to take advantage of this new-found agency. This can be valuable, if the right advice is taken. The effort that the member's of these groups go through to adopt the individual security practices and tools recommended now can be wasted effort if these do not respond the future threats that they actually face. And, taking action on inappropriate advice now can lead these newly activated groups to digital security exhaustion.	https://medium.com/@seamustuohy/choosing-strategy-over-tactics-77aec0c0a53c
14	Receptive and Trusted Admin/Security Team	A security team has to maintain a delicate balance between staff trusting that their security team is there to support them, even when they fail, and trusting that the security team is maintaining a hard enough line across the organization to keep them safe from the mistakes of others.	The team member's need to trust that the admins/security team will be receptive to hearing and seeking out alternatives to security systems put in place that they are finding get in the way of their work. If they are not telling you that their workflows are impacted because they think you don't care, won't work with them to find alternatives, or that they will be chastised you are opening up opportunities for team member's circumventing your other mitigations. Things that are seemingly unconsiquencial to a user, like devices providing websites geolocation in environments where your Traveler has high-power adversaries that actively make successful requests from online intermediaries for team member information, can have significant security implications because of the information they leak. It is not your team member's job to keep track of every reason for small security controls like this. But, unless the admin/sec team is receptive to their feedback and has built trust with them these types of interventions will be curcumvented. The risk assessments put in place based upon a security program that is being actively circumvented by its team member base is a flawed risk assessment. Things will go wrong. Processes will be fail. Team member's will have unique workflows. Team member's need to trust that you are there to support all of those.
15	Support Personal Computing Needs	Security practices must support a traveler's personal computing needs (calls with family, personal banking, relaxation, etc.) so that they are not unaware of the changes to the risk landscape brought by the Traveler accomplishing those tasks.	We do not want team member's adding additional personal accounts to the device for any reason. So, we have to provide mechanisms to support their personal needs with the travel devices.
16	Localizable & Internationalizable Practices	The team being supported are from a variety of regions.	This list is not only considering international travel, it is considering a diverse international team. Some of the choices I've made during this exercise go against traditional western security administration practices. (For example allowing team member's to install apps from unknown sources would rarely ever be acceptable practice for western security admins.) 1) International App Stores: If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team member's need are not included in the play store they will likely still bring along their own devices. (See the many places I discuss the problems with team member's having to bring additional devices along.)
17	Self-Managed Considerations	This exercise should highlight considerations for self-managed team's wherever possible.
18	Low Resourced Administrator	This exercise is targeted at team's whose administrator(s) and/or security team have limited time and resources.
19	Widely Dispersed Team	The team being supported are globally Dispersed and unable to meet with the security team in person before traveling.	This list is not only considering international travel it is considering a globally Dispersed team. This means that device management will be more difficult, and the team member's need to be able to implement device wiping and preparation without in-person support.
20	Sensitive Information should be safe when border officials have full device access	Team member's must be able to have their logged in device confiscated at a border without leaking sensitive information.


1	< Index
2	Name	Description	Existing Source

3	Chromebook(s)	This entire exercise is focused on the use of Chromebooks and the Google Apps ecosystem for integration into the tactics and technologies used for secure travel in complex and/or hostile environments. Depending upon the configuration options you choose Chromebook's require local connectivity to work. If you have team member's who are going to areas with limited connectivity make sure you explore how to allow the chromebook to support offline access.
4	Proof Of Inaccess	The "proof of inaccess" mitigation is a set of smaller technical controls that are put in place to prove to a border official that the Traveler only has a specific level of access to sensitive information, devices, organizational services, and/or personal/social media accounts, that the reason they do not have access are legitimate and either imposed upon them by their organization or put in place for legitimate business reasons, and that they have no abiliity to regain access without an external party interveining. (Their organization's security team, etc.). There are unnacceptably high impacts for unsuccessfully lying to border officials about your level of access to online accounts or unsuccessfully attempting to provide "fake" device/social-media accounts when border officials request access. Even the inaccurate perception of either of these by a border officials can have the same impact on the Traveler as if it was true. This mitigation aims to be a viable alternative tothese two commonly encountered suggestions for securing sensitive accounts/information at borders: 1) "I'll just make fake accounts" I don't recommend lying in any situation where you're likely to go against people trained in detecting lies. The "Proof of Innaccess" mitigation aims to provide border officials with proof that you are being forthright about your level of access. (Also see the mitigation below about sanatizing your social media accounts. Because OSINT is not that hard and border officials can do it too.) 2) "I'll just leave my account information at home" When a request for greater access to information and/or accounts is enacted at a border it is essentially a "game of chicken" (in the game theory sense.) Each player (the border official and the Traveler) only benefits if the other player yields. If neither player yields, neither player benefits. The border official wants greater access to confirm that the Traveler is "safe" to enter the country. The Traveler wants to enter the country without providing access to sensitive information. If the border official fails to yield and the Traveler fails to yield then the conflict escilates. In situations where the border official is unwillling to yield a Traveler will want the ability to yield some greater level of access. In the context of the "proof of inaccess" mitigation they do this by contacting their secdurity team (which has the added effect of alerting their security team so that appropriate responses can happen from the organizational side.) This is also the reason why this mitigation may not be appropriate for an actor working on their own. Theoretically, an individual actor could also set up a Google Suite for themselves and leave the admin credentials offline when they travel. Their inability to yield, by providing access through an invested third party, puts them in a one sided game where the escilation of the game becomes entirely dependant on the willingness of the border official to yield.
5	In-Country Device Swapping	This set of mitigations supports contingency planning around device loss and/or confiscation while a Traveler is in-country. The general idea is that with proper preparation and processes in place a travler who has their device stolen, confiscated, and/or compromised can aquire a new/used device in-country and quickly have that device up to nearly the same level of functionality as the device that was lost/compromised. In the Chromebook example this would look something like the following. 0) The travler has their device compromised, lost, destroyed, etc. and informs the admin/security team 1) The admin can use G Suites device management controls to disable the team member's previous device, 2) The Traveler can purchase a clean chromebook, and 3) The Traveler enables the new device to work with their travel account.
6	Traveler Sub-Organization(s)	This "mitigation" is the creation of G Suite sub-organization(s) that are only used to create temporary accounts for your team members when they are traveling. If your team has created a seperate G Suite account or only uses a G Suite for travlers than this mitigation would only be used if you had different setups for different types/level of threats. (i.e low connectivity environments, high risk of detainment, high-risk of confiscation/attempted compromise without detainment, etc.) The sub-organization supports the overall travel security process in a few ways: * Ease & Consistancy of Setup: By creating sub-organizations within a G Suite account the admin is able to configure the device and user defaults of the sub-organization differently than the rest of the organization's defaults. This means that travel accounts and devices will be properly set up automatically upon being assigned to a user in this sub-organization. This will save the admin significant time they would have had to spend configuring each new device. * Isolation from Daily Accounts: See: "Temporary G Suite Accounts" * EXTRA PERK: Research Accounts: furthermore, If your team member's are doing investigative research where they must proceed to malicious sites a heavily locked down traveler sub organization account can be made for this type of research. These accounts, and the chromebooks they are associated with can be easily wiped after the research is complete. More, so through forced app installation and customization the researcher's toolkit can be easily provisioned.
7	Encrypted online archive	To mitigate against the search or long-term confiscation of travel devices sensitive information that will be needed when traveling can be stored in online archives and downloaded after the traveler has safely arrived at destination, synced while traveling, and removed from their devices before starting their travel out of the country. The basic workflow is for a google apps folder containing the sensitive information to be prepared by the traveler before their trip. Ownership of that folder to be passed to an administrator account. The travelers access to be removed from this account. The traveler to travel to their destination. The traveler to contact an external party to have them share the google apps folder with the travelers travel account. The Traveler to have optional pre scheduled check-ins with the administrator that, if missed, will lead the administrator to remove the traveler's access to the archives. The Traveler, and or administrator, to remove access to the sensitive archive folder before begining travel out of the country. The administrator to pass ownership of the folder back to the traveler's primary account.
8	Temporary PGP Keys	If a Traveler uses PGP in their communications they can create a "travel sub-key." This key will be signed by their primary key and attached to the "travel away message" on their primary email account. This away message will be signed by their primary key and notify anyone who e-mails that any PGP encrypted messages cannot be read until they return, but that they can send PGP encrypted messages to the travler using their secondary key if the message is urgent. (See: Traveler Away Message) While a travler could make a new "travel sub-key" for every trip this becomes unweildy for both the travler and others very quickly. I recommend creating a single travel sub-key and using that for all travel communications until a certain period of time has passed and/or you beleive that key may have been compromised. There are still considerations to be explored related to the process of moving all encrypted travel communications back to the primary account. The ideal situtation would have all travler email encrypted to the travlers primary key and moved over to that account. This would mean that the travler has access to all their historic emails using only their primary key and email address and that the travel PGP key only ever has access to emails that are being sent during travel. Sadly, I have yet to devise an easy to implement solution that accomplishes this.
9	Temporary G Suite Accounts	Traveler's will only use the temporary G Suite accounts for document storage, email, etc. instead of their primary organizational accounts when travling. This will remove their access to historic sensitive information that may be contained in their primary accounts. By making travlers use a sub-organization account (See: Traveler Sub-Organization(s))., and removing their access to their primary accounts, the travler is isolated from any historic sensitive information while they are travling. (i.e. they only receive emails forwarded to their sub-org during this period, they don't have access to any documents in their normal G Suite docs account, etc.) This requires more preparation on the part of the travler to make sure they have prepared all the information they will need ahead of time, but it dramatically reduces the impact of a compromised account when traveling. During this period access to any of their primary accounts that may contain sensitive information (email, document storage, etc.) will be disabled. Re-Enabling these accounts during travel will require that the Traveler contact an administrator. (See: Social Media Account sanitation for exceptions).
10	Social Media Account Sanitization	When traveling across borders where social media history is likely to be exposed, or where login may be forced, a travler will have to sanatize their social media account by hand. This may include deleting direct messages within the platform, temporarily leaving groups or deleting connections to individuals that may put them, or others, at risk when they are traveling, and/or deleting their previous posts that may lead to increased risks if exposed. This can be aided by using the open-source versions of the same type of "social media monitoring software" that is used to assess and search through a persons social media account and connections. (I'm not going to start listing all the tools here. Keywords to combine with "Social Media" when searching include things like "OSINT", "Mapping", "Marketing", "Analysis", etc.)
11	Traveler Away Message	Traveler's will enable a "travel away message" on their primary email account that informs anyone who e-mail that * the Traveler that the Traveler is currently traveling and is using their travel email (XXXXX-travel@YYYYY.ZZZZZ), * will not able to access their primary GPG key while traveling, * that any sender should re-encrypt the message (to the attached travel PGP key) and send it to their travel email address (If they use GPG keys), and * the dates that they will be traveling. This away message, and the travel PGP key, will be signed by their primary key.
12	Inventory of Authorized and Unauthorized devices	Have team member's confirm the number of enrolled devices that they have and un-enroll and investigate any non-confirmed devices. If it is a device in use the team member will contact the admins when it is disabled. [The risk of disconnecting a team member in a complex environment should always be weighed against enforcing a policy to the letter. If a team member cannot be gotten a hold of their devices should not be automatically shut down. Investigations of a devices activity can help determine if that device is malicious.]	SANS Critical Security Controls
13	Enrollment Contact Policies	Contact policies should be put in place that require a team member to contact the administrators within a certain period of time after they have enrolled a new device. These policies are put in place to allow for travler initiated "in-country device swapping" while also allowing for an up to date "inventory of authorized and unautorized devices." As with all contact policies for complex environments, the contact channel and practices that are put in place should consider adversaries who masquerade as a team member to enroll new devices and the possibility of team members being forced/coerced into providing confirmation.
14	Possible Credential Disclosure Practices	Incident response policies for cases of possible credential disclosure. These policies should be consistant with your normal incident reponse practices. Depending upon the type of account that was compromised these policies may also include emergency contact procedures for possibly at-risk partners/in-country contacts, or disabling and/or locking the travler out of their unmanaged professional and/or personal accounts. * Dealing with professional and personal accounts that are not directly managed by your administrator (social media, non G Suite email accounts, etc.) Disabling a travlers unmanaged professional or personal accounts can be done by contacting the company directly. (There are a variety of civil society focused rapid response groups that can help with this). But, in these cases the users account is completely locked, and can be difficult to unlock once the traveler is back to safety. The other option is to lock the travler out of any accounts they have access to. A security team can lock travlers out of accounts they have access to without fully disabling them if the travlers has provided them with access to their primary "account creation" email address and given them one or more two-factor authentication recovery codes. The traveler can do this by using a password manager to share all account passwords with an "traveler incident" password account kept by the security team. They then can print out recovery codes for their unmanaged professional and personal accounts that use two-factor and provide the Security team with a small set of these codes for each account in a sealed envelope. In the case that the traveler's credentials may have been exposed all of these accounts can be locked down by the security team. Once the traveler has returned they can revoke the "traveler incident" access to those passwords and the security team can return the travelers envelope. (The workflow for this still needs to be worked out and it requires a LOT of trust since these may include personal accounts.) * How will team members will know if a device may be compromised (in the non obvious circumstances). Team member's will be taught to consider a device compromised if it is confiscated for any significant length of time. With a proper needs assessment and ongoing communication with users these devices should be less likely to be compromised because a team member has decided to install an unapproved (and also malicious) extensions/app on the device. But, in cases where a user determines that they do need an application and/or extension that the security team has not evaluated while they are traveling they should inform the security team so that the team can evaluate that software remotely and monitor their accounts more closely until the evaluation is complete.
15	Needs Assessment (Apps)	The security team needs to create a map of their staffs travel workflow and digital footprint. This should provide them with an understanding of what software, services, and data staff need to have access to do their jobs when traveling, meet their personal computing needs when traveling ( see: Requirements - Support Personal Computing Needs), and which of these store sensitive information that will need to be isoluated and/or otherwise protected when traveling. This is a very large project that requires time and trust from staff and security team alike. One possible strategy is to start your program allowing everything (see: app management: "allow all except blocked") when you start your transition to this program. The security team can use this initial period of active use of travel devices to survey your travelers for what services, software, and data they used, and what they wish they had access to. This will allow you to develop a list of services, software, and data that are used / desired by your team member's. Once you have a list of all of these you can add a range of supported apps as forced and/or recommended on your travel devices. You can use the next period to identify any software and/or services that were missing. Finally you can implement a whitelist only model ("block all except whitelisted"). The start of the whitelist phase will have to be accompanied by an overly responsive security team to catch the few services, software, and accounts that were not brought to the teams attention ahead of time.
16	Remote Access Management	We will be using the G Suites built in tools and account management to deal with remote mangement of devices. If you want to be able to provide remote support using remote desktop with your travlers you will want to add Chrome Remote Desktop [1] to the apps available on the chromebook. This can be done in the recommended apps or through forces install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp
21	Multi-Factor Authentication	I'm not even going to go into the importance of multi-raptor authentication except to say two things. It has additional perks for this setup [1] and that it's not just U2F and Google Auth [2]. [1] Travel G Suite sub organizations should required its users to use multi-factor auth. By doing this their Chromebook will also require multi-factor auth for logging in. [2] Client certs: Client certs will only allow a device with a valid certificate installed on it to connect to a service. I'm not going to go in depth about it here. But, it means that if a travel team member's username and password are compromised for any account the attacker will also need to have access to a device with that team member's certs installed.
22	Inventory of Authorized and Unauthorized Software	"An organization without the ability to inventory and control its computers' installed programs makes its systems more vulnerable to attack. Furthermore, poorly controlled machines are more likely to be running software that is unneeded for business purposes, introducing potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this potential threat, an organization should scan a network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications, pulling information about the patch level of each installed program. This ensures that it is the latest version and that it leverages standardized application names, like those found in the Common Platform Enumeration (CPE) specification. In addition to inventory checks, tools that implement whitelists (allow) and blacklists (deny) of programs are included in many modern endpoint security suites. To evaluate the implementation of Control 2 on a periodic basis, the team must move a benign software test program that is not included in the authorized software list on 10 systems on the network. The team must then verify that the software is blocked and unable to run."	SANS Critical Security Controls
23	Account Monitoring and Control	"Attackers frequently impersonate legitimate team member's through inactive team member accounts. This method makes it difficult for network watchers to identify attackers' behavior. Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Security personnel can configure systems to record more detailed information about account access and utilize homegrown scripts or third-party log analysis tools to analyze this information. The system must be capable of identifying unauthorized team member accounts when they exist on the system. To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must verify that the list of locked out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire has successfully been completed daily."	SANS Critical Security Controls
24	Controlled Access Based On Need to Know	"Some organization's do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network. In many environments, internal team member's have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by team member's to access files without the appropriate privileges and must generate an alert or email for administrative personnel. This includes information on local systems or network accessible file shares. To evaluate the implementation of Control 14 on a periodic basis, the evaluation team must create test accounts with limited access and verify that the account is unable to access controlled information."	SANS Critical Security Controls
25	Security Awareness and Training	Administrators and/or security professionals will be conducting security awareness building and risk assessment activities with travelers.
26	Chrome Remote Desktop	Set up specific desktops that will allow team member's to remotely use services that they cannot otherwise use on chrome while traveling. This can also be done for team member's that are doing investigative research and want to use a chromebook to proceed to malicious sites. They should likely not be using their primary device to do this work. If they wish to use chromebooks for these use cases instead of their primary browser then an admin can set up desposable VM's that they can remote into from their travel chromebook. If you want your travelers to be able to do this you will want to add Chrome Remote Desktop [1] to the apps available on the chromebook. This can be done in the recommended apps or through forces install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp	https://support.google.com/chrome/a/answer/2799701?hl=en
27	Desktop Virtualization	If you still need to use legacy applications from Windows, Max, and/or Linux, Chrome devices support a variety of desktop virtualization solutions such as VMware and Citrix. Why would we do this when we have the option of remote desktop? If travlers need to use non-chromebook supported applications when traveling in areas with limited/intermittant/etc. internet connectivity. This, as with remote desktop, will requre that admins make virtualization app(s) [1] available. This can be done in the recommended app or through forced install. [1] https://chrome.google.com/webstore/detail/horizon-client-for-chrome/pckbpdplfajmgaipljfamclkinbjdnma?hl=en	https://cloud.googleblog.com/2014/02/vmware-to-bring-traditional-windows.html
28	External Enterprise Mobility Management Tool	External Enterprise mobility management tool (remote-management/wiping/control applications) were included in the mitigation list for the benefit of those who already use a service. This document almost entirely focuses on a threat model that only includes the G Suites built in EMM tools and permission management to deal with travel device management. I made this choice to limit the scope and cost of this project. But, there are configurations that impact these products so it stays in the mitigations.
29	Appropriate Organizational Identifiers	A travelers device and accounts should impact the travelers identity upon casual inspection. This mitigation is about the admin/security-team not providing a traveler with a device that innappropriately forces identificaticication. If the Traveler's organization is regulated and/or known to do activities that are regulated in the country the traveler may not want to broadcast it to every official they meet. That aspect of their identity will increase the risk of an interaction escilating negatively. As such, if the device and/or accounts that have been put in place identify the organization the device belongs to upon casual inspection it will uncessecarily force the traveler into a more volitile environment. If a device is plastered with identifiers that cry out for border officials to instigate more intensive screening of the traveler you are putting your traveler at greater risk. For example, If your organizations name is "The Commission for Free Government Information by All Means Necessary" then it might not be a great idea to have your device ID tags have that displayed in large lettering. (This is also why I don't rock dozens of hacker stickers on my laptop.) At the same time, there are many contexts when properly used identifiers can de-escilate a situation. In environments where the organizational affiliation is positive (for example humanitarian and/or aid organizations with good reputations) then a well placed logo on your devices ID tags can help thwart the initial sparks that would escilate an interaction. The use of informal organizational identifiers (like device ID tags, and stickers) is the equivilant of an American student wearing a canadian flag on their backpack. It can only help reduce initial stresses from escilating. Any situation that does escilate will require more official proof of identity and tact on the part of the traveler. But, that does not mean that it cannot be used strategically. I had/have concerns about including this as a mitigation. There is a likelihood that the reader misinterpretes what I said as "you should conceil your affiliations from border officers" or "you should put your aid organziations stickers on your things." This is not what I just said. On the former: As someone who taught me a lot about civil society security once said: "I don't recommend lying in any situation where you're likely to go against people trained in detecting lies." On the latter: Humanitarian and aid workers get targeted for sanction and violence far too frequently. [1] One of the above mitigations that supports this process is the G Suite sub-organization through its inclusion or isolated from organizationally identifying domains. A sub-organization can have a completely different domain than the organziations primary domain. A separate sub-organization and/or GSuite Account that is non-identifying can be useful for environments where you want the Traveler to have near complete control over how they present their identity and affiliations. In environments where organizational identity is desired ensuring that your sub-organization uses the same domain will help provide the desired association depending upon the settings you choose. [1] http://www.insecurityinsight.org/aidindanger/digests/
30	In-country alternative working software identification	When software or services are censored or otherwise unavailable to a traveler in-country you should have mechanisms in place to support them in identifying alternative apps that serve the same need. This can be as simple as having 1st,2nd, and 3rd choices in your organizations recommended apps section. It can also be as complex as having incident response process in place specifically for identifying alternative applications and testing their availability. This mitigation often requires existing networks with technically adapt people who are from, or frequently travel to, the country in question.
31	Device Wiping	This is a general term for all the smaller mitigations that aim to clear all user data from a device. This can range from having a user sign-out of the device on lock, to not saving local data on the device, to the user completing a full device reset. Implementing mitigations in this category should be considered carefully because they can be very inconvienent. This is especially true in areas with limited/intermittant connectivity where local data and applications are the only ones available to a user. It is also important to ensure that users understand the implications of these mitigations. Having all the applications and windows one had open wiped every time the have to walk away from their computer can become frustrating very quickly.
32	Secure Traffic Tunneling	Provide your team member's with a secure way to tunnel their online traffic out of the in-country network. This can be done using built-in proxies and/or through applications that are provided to the traveler. Built in (secure) proxies offer greater user ease but come with a lack of control. This can be useful for travelers who are traveling to primarily well connected regions. Traveler control over when a proxy is used becomes more critical in low connectivity areas where their ability to prioritize access over security can allow them to accomplish non-sensitive tasks without the delays caused by a forced proxy. If there are concerns about passive surveillance than the use of a proxy that is only configured to proxy non-TLS (HTTP) connections can provide a greater level of security against surveillance of for non-secured connections without impacting connections that already have TLS. If you are using a PAC file make sure that you are using a secure connection to your proxy. https://www.chromium.org/developers/design-documents/secure-web-proxy
33	Whitelist(s)	Whitelists come with a range of problems. By codifying their inventories of authroized software and services into strict access rules an admin team will gain complete control over what is added to their environments. But, if they are too slow to respond to user needs, or are overly restrictive in what they allow they will push their users outside of the managed information ecosystem. This will lead to a "secure" IT infrastructure that has no bearing on the actual information security of the team. This can be accomplished by conducting an extensive needs assessment before whitelisting, being responsive to users needs, and generally by having your teams respect and trust.
34	Blacklist(s)	Blacklists also come with a range of problems. By codifying their inventories of unauthorized software and services into strict access rules an admin team will be able to limit known-malicious sotware and services. But, anything that is blacklist based will only catch known signatures/behaviors/etc., will require constant updating with the latest content, and will miss much. But, this is not to say you should not do it. There are many ways to optimize your blacklist creation and update process to allow an admin to reduce the ease-of-compromise of their users. This process is out of scope for this document.
35	Maintenance, Monitoring, and Analysis of Audit Logs	"At times, audit logs provide the only evidence of a successful attack. Many organization's keep audit records for compliance purposes but rarely review them. When audit logs are not reviewed, organization's do not know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems. To evaluate the implementation of Control 6 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts."	SANS Critical Security Controls
36	Boundary Defense	"By attacking Internet-facing systems, attackers can create a relay point to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. organization's should regularly test these sensors by launching vulnerability-scanning tools. These tools verify that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection Systems (IDS) sensors should be reviewed using an automated script each day, which ensures log volumes are within expected parameters, are formatted properly, and have not been corrupted. To evaluate the implementation of Control 12 on a periodic basis, an evaluation team must test boundary devices. This is done by sending packets from outside a trusted network, which ensures that only authorized packets are allowed through the boundary. All other packets must be dropped."	SANS Critical Security Controls
37	Encrypted External Storage devices	Storing sensitive information and credentials in encrypted volumes on external storage devices in case the primary device is stolen, confiscated, or targeted. This mitigation also provides greater storage capacity for local data in cases where the traveler has limited access to the Internet. This is a mitigation that I have seen used in a variety of ways. These devices can be mailed to a location before travel, they can be carried on the person to avoid casual inspection or in case a device get's confiscated/stolen, and they can be filled and transported out of the country seperately from the traveler.
38	Webcam Cover	Reading through the very cool options available for disabling internal audio on ChromeBooks forced me to include a conversation about hardware on/off switches for sensors. So, it was only appropriate to talk about the "hardware switch" for disabling video. Compared to the expertiese and effort required to disable the internal camera [1] a webcam cover it is far more logical. It only costs about $3 and is almost [2] immediately intuitive to use for most users. [1] https://twitter.com/n8fr8/status/584552388117143554 [2] On more than one occation I have sat on a video conference where someone could not get the camera to work, only to realize that they had their webcam cover on.
39	Emergency Communication Practices	Set up practices for how your traveler's will contact you during any emergency. (Not just info-sec emergencies. This is around every emergency) The information security mitigations that are put in place need to balance the risks of insecure communications with the risks of a traveler not being able to get ahold of support during an emergency. Travelers should be taught how to "ratchet down" security as needed until they are able to connect with someone who can help them.
40	Project Specific GSuite Accounts	There are times when a traveler may need to access an entirely seperate G Suite account while they are in country. For instance, if the traveler has created a secondary G Suite account to communicate to local contacts in order to limit the risk that they will be associated with the travelers organziation if they are forced to reveal the contents of their e-mail. In cases such as this, a traveler may need to be able to manage multiple accounts while in country, or may need to have multiple accounts forwarded to the same travel account while in country.
41	Crisis Identification	The monitoring that an admin/security team does on it's travelers devices can also be incorporated into their crisis identification processes. While traditional check-in's, etc. cannot be replaced with monitoring user behavior on their accounts abnormal behavior can be used as an indicator that a crisis may have occured (i.e. if they have not been logged in for an unusual period of time). These indicators can be used to initiate check-in procedures that might otherwise not be initiated until later. Any oppourtunity to get a started with crisis management earlier is a useful one. Setting this up to limit false positives will be a difficult task, and should be prioritized appropriately. There are also tools that are built for this purpose. The cost of setting up monitoring and tweaking the settings to make the alerts useful might be more than the cost of purchasing a preexisting tool that does this and more.
42	Cohesive Security Tool Adoption	In distributed and/or largely independent team's there is a tendency for splits in tool usage that are often caused by ad-hoc adoption of security tools by staff. A cohesive "baseline" set of tools used across your organization/team for specific purposes is important for a sustainable security program. The more varied the application landscape within your team, the more complex your risk assessments will have to be and the less likely that there will be a shared secure channel between different individuals.
43	Personal Device Preparation	Preparing personal devices for travel by removing apps, updating them, etc. If a traveler brings along a personal device they also handle sensitive information with than that device would negate the security of the chromebook setup described in this project. As such, training, guidance, and support should be provided to users who are bringing their personal devices to sanatize them on sensitive information and access to privlaged services and systems before they travel.
44	Password Manger	Using a password manager that allows sharing allows the security team to be able to share and revoke access to the secured archive and other services thrroughout the travlers trip. This can be done in response to specific conditions or user requests/actions. This will allow the user to travl through borders without access to the secure archive or even any indication that they have a secure archive at all. So, under some of the most compromising situations (the user is asked to open their password manager) the secure archive is not compromised.


1	< Index
2	Category	Name	Description	Source(s)	Related huri_code's

3	Confiscation	Targeted Workplace Raids	Raids and illegal searches of the travlers workplace during the trip. This could be a rented workplace for the travler, that of a partner organization, or even a raid that simply occurs during the travlers work-day (i.e. the location of meetings and/or interviews). The important difference between this threat and in-transit and hotel-robbery confiscation threats is that the travler is likely to have their device logged in to sensitive content when the raid occurs.		40101000000, 120102000000
4	Confiscation	In-Transit Robbery & Theft	Theft of a device when the travler is in-transit. This could be theft of the travlers device during travel to/from the coutnry but also includes theft during daily in-country travel (i.e. when walking down the street, on public transit, etc.)		130101000000
5	Confiscation	Hotel Robbery & Theft	Theft of a device from a travlers hotel and/or temporary place of residence when travling. This includes both theft of a device when it is left in the room/safe unattended as well as theft of the device from the room when the travler is sleeping, showering, or otherwise unaware of the break-in. The latter is often also used as a form of harrasment.	https://capec.mitre.org/data/definitions/507.html	40101000000
6	Detained	Traveler Detained	The travler is temporarily detained and/or arrested. This threat is not directly connected to any specific settings beign evaluated, but it is a requirement for a variety of other threats that do have security implications (i.e. forced logins, forced decryption, etc.) We only look at temporary detainment in this project and not prolonged detention/imprisonment because the information security risks related to those threats are the same and they have far more complex physical and psycological risks that we will not be covering as a part of this project. (See: Assumptions - "All content in this project will be considered with respect to seperate phycological and physical security risk assessments")		30101000000,30102000000, 30102010000, 30104000000
7	Confiscation	Device Confiscation	"An adversary gains physical access to a system or device through theft of the item. Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time."	https://capec.mitre.org/data/definitions/507.html	130107000000
8	Forced Exposure	Decryption Forced (Device)	The travler is forced to decrypt files, encrypted volumes, and/or their device and hand it over to an adversary for inspection. This is different than forced device login in that the travler may not be forced to log in to the user account. The least dangerous version of this is seen when border officials are attempting to acertain if a laptop contains explosives (instead of a battery) and want the user to proove that it is a fully functional laptop. This includes decryption of the primary hard-drive, encrypted volumes on external media brought with the user, and/or encrypted files on the users device. The distinction between this and service decryption is that this type of decryption directly exposes sensitive information to the adversary, whereas the forced service decryption indirectly exposes sensitive information by the adversary gaining access to key/login material.		40100000000
9	Forced Exposure	Decryption Forced (Service)	The traveler is forced to decrypt content provided tp/by a service on their device. This includes password managers, PGP keys, the secure archive described in the mitigations section, the key material for any encrypted messagining applications, the key material for online encrypted backups, etc. This does not include forced decryption of the primary hard-drive, and encrypted volumes on external media brought with the user, or encrypted files that are not used in protecting a service. The distinction between this and device decryption is that tdevice decryption directly exposes sensitive information, whereas this type of forced decryption indirectly exposes sensitive information by the adversary gaining access to key/login material.		40100000000
10	Forced Exposure	Usernames Exposed	The travler is forced to expose the user-names they use to communicate online. This includes, but is not limited to, social media account names and email addresses.	https://www.federalregister.gov/documents/2016/06/23/2016-14848/agency-information-collection-activities-arrival-and-departure-record-forms-i-94-and-i-94w-and#h-11
11	Forced Exposure	Forced Disclosure of Travel Information	Any direct actions which violate the travlers right to privacy including interrogation about the travlers activities in country and/or association in country, forced proof of travel plans, etc.
12	Legal	Encryption Regulated	Laws exist that prohit the use of encryption software, require that the government be given access to encryption keys, and/or require the use of insecure encryption algorithms?		42100000000, 40000000000, 42101000000
13	Legal	Circumvention Tech Regulated	Laws exist that prohibit the use of censorship circumvention and/or online (pseudo)anonymity providing software. (i.e. VPN's, Tor, etc.)
14	Legal	Encrypted Comms Regulated	Laws exist that require that communications intermediaries (messaging apps, etc.) are able to reveal the content of a communication upon request.	- http://www.telegraph.co.uk/technology/2017/07/14/malcolm-turnbull-says-laws-australia-trump-laws-mathematics/	42100000000, 40000000000, 42101000000
15	Legal	In-Country Activities Regulated	Threats related to the project working on themes and/or conducting activities that are unwelcome by the host-nations government (i.e. democracy and governance, gender equality, women’s rights, free press, ethnic minority or religious rights, etc).	- http://fatfplatform.org/wp-content/uploads/2015/02/DCS_Report_Second_Edition_English.pdf
16	Legal	In-Country Partners Targeted	Threats related to the project's involvement with populations that are targeted by the host-nations government? (i.e. advocacy groups and activists, LGBTI populations, women’s groups, journalists, human rights observers, ethnic minority or religious groups, etc)
17	Legal	Traveler/Partner Association Regulated	Laws are in place to prevent or stifle the free exchange of contact, communication, partnership, or the development of financial relationships between local partners and the travlers organization.	- http://fatfplatform.org/wp-content/uploads/2015/02/DCS_Report_Second_Edition_English.pdf - Illustrative List Of Overregulation Of Non Profit Organizations (IV. Limitation To The Right To Communication And Cooperation) : http://fatfplatform.org/wp-content/uploads/2015/10/Catalogue-of-government-overregulation-July-2015_final-.pdf#page=6	120000000000
18	Legal	Traveler Mislead/Lie to Border Officials	The threat that a travler will be caught attempting to mislead and/or lie to border officials. (See: Assumptions List - "The risk of being caught in a lie is unacceptably high")
19	Legal	Traveler Perceived to be Misleading/Lying to Border Officials	The threat of a border official perveiving the travler as attempting to mislead and/or lie to them. (See: Assumptions List - "The risk of being caught in a lie is unacceptably high")
20	Legal	Topical/Information Censorship	Laws are in place to restrict individuals from engaging in the full range of free expression and public policy advocacy around specific topics. This is especially relevant if the travler's work is focused on those topics. For our purposes this threat includes threats related to anti-defamation laws, restirctions against "unofficial sources" reporting on specific topics, or "unofficial" restrictions, and possible retaliation, for speaking about contentious issues (i.e. official corruption, the role of the armed forces or the political opposition, human rights, or religion)	https://freedomhouse.org/report/freedom-press-2017-methodology	100101000000
21	Login Forced	Login Forced (Service)	The travler is forced to login to a user account on their device and hand it over to an adversary for inspection. This is different than forced device decryptionin that the travler is forced to log in to the user account, not just decrypt the harddrive. (This distinction blurs a bit when we start talking about chromebooks)		40100000000
22	Login Forced	Login Forced (Device)	"there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your computer, and nothing Chrome can do would provide a serious guarantee of defense." - https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model		40100000000
23	Obstruction	Destruction (Device)	"An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended."	https://capec.mitre.org/data/definitions/547.html	130103000000
24	Obstruction	Application/Protocol Blocking	The adversary blocks or otherwise obstructs a specific application and/or protocol. This is often done to secure protocols/applications to force users onto less secure protocols/applications.	https://capec.mitre.org/data/definitions/595.html https://capec.mitre.org/data/definitions/596.html	100101000000
25	Obstruction	Endpoint/Route Disabling	The adversary denies the availability of specific services or content to users by blocking a specific enpoint or route. This may be as targeted as a single website and/or application or as broad as all major social media websites.	https://capec.mitre.org/data/definitions/582.html https://capec.mitre.org/data/definitions/603.html https://capec.mitre.org/data/definitions/589.html https://capec.mitre.org/data/definitions/590.html http://www.mfwa.org/opposition-demonstration-eclipsed-by-social-media-blackout/	100101000000
26	Obstruction	App Store App Blocking/Restriction	The number of countries who are having Google restrict the applications that are available in their app store is increasing. If there are applications that your team member's will require that may not be available from Google Play when the team member is setting up their device in their origin country, or when setting up a new device in-country because their other device was lost/compromised/stolen they will need to be able to install from unknown sources. This can also increase the attack surface considerably.		100101000000
27	Obstruction	Full Internet Shutdown	Intentional disruption of the internet in response to political or social events, whether temporary or long term.	https://www.accessnow.org/keepiton-shutdown-tracker/ https://freedomhouse.org/report/freedom-net-methodology
28	Obstruction	Satellite Comms Jamming	In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a target and a satellite. This includes both orbital and terrestrial techniques for satellite jamming.	https://capec.mitre.org/data/definitions/599.html https://capec.mitre.org/data/definitions/559.html
29	Obstruction	Mobile Data Shutdown	Intentional disruption of cellphone data networks in response to political or social events, whether temporary or long term.	https://freedomhouse.org/report/freedom-net-methodology
30	Obstruction	Full Mobile Shutdown	Intentional disruption of cellphone networks in response to political or social events, whether temporary or long term.	https://freedomhouse.org/report/freedom-net-methodology
31	Obstruction	Power Outage	Threats related to intentional and/or unintentional power outages. This includes both short term, but frequent "brown outs" or long-term "black-outs".
32	Obstruction	Intermittent Connectivity	Intermittent connectivity inlcudes non-malicious "spotty" connectivity that causes short interruppted sessions as well time delimited access. Time delimited access is when an adversary drops a targets traffic streams after a specified period of time. The attacker is therefore able to frustrate the target and reduce their ability to use the targeted protocol or service in order to discourage its use. For example, in May of 2013 all unknown, and encrypted, traffic streams in Iran were dropped after a period of 60 seconds.	https://mailman.stanford.edu/pipermail/liberationtech/2013-May/008334.html
33	Obstruction	Lacking/Intermittent Access to Broadband	Threats related to lacking and/or intermittent access to broadband connectivity. This threat is especially focused on the low bandwith, and high costs associated with uploading/downloading content in these environments. This is especially important to this project because of the high-reliance on online services and storage.
34	Obstruction	Limited/Throttled Connectivity	This threat includes non-malicious limited connectivity as well as when an adversary intentionally slows the internet service of the target by limiting the total transfer capacity of the target. In the latter case the attacker is able to limit communication, frustrate the target, or reduce the quality of a specific protocol or service in order to discourage its use.	https://github.com/seamustuohy/CAPEC_censorship/blob/master/manipulate_resources.md#throttling
35	Surveillance	In-Country Partners / Contacts Accounts and/or devices	Threat of malicious activities and/or social engineering type attacks that make use of trusted email, social media, or other online accounts belonging to in-country partners and/or contacts.		120104000000
36	Surveillance	Physical Stalking	An adversary physically surveills the travler in an attempt to gain access to sensitive information. This can be done by overhearing conversations, observing behavior and/or meetings, and "shoulder surfing" to observe digital activities that occur on a users devices, or those devices usernames and/or passwords		20103040000
37	Surveillance	Passive Mobile Location Surveillance	The disclosure of a travlers location to the cell provider they use when travling. This is somewhat dependant on the existance of "real-id laws" in the country for sim cards, and how stringently those laws are enforced. (The technology being evaluated in this project does not really have much/any impact on this threat. I'll likely remove it at some point as I have done with others.		120104000000
38	Surveillance	Passive Internet Surveillance	"An adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information. The adversary doesn't prevent reception or change content but simply observes and reads the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information."	https://capec.mitre.org/data/definitions/158.html	120104000000
39	Surveillance	Passive Mobile Data Surveillance	"Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted."	https://capec.mitre.org/data/definitions/609.html	120104000000
40	Surveillance	Passive Mobile Comms Surveillance	"Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted."	https://capec.mitre.org/data/definitions/609.html	120104000000
41	Surveillance	Data requests from online services	Laws or regulations might require online companies to share information about a travler and/or might prohibit or discourage the company from disclosing what user information they shared. In some instances extra-judicial information sharing has been also seen between a company and government and/or non-governmental actors.	- https://blog.fox-it.com/2017/09/13/fox-it-debunks-report-on-bylock-app-that-landed-75000-people-in-jail-in-turkey/amp/ - https://www.theguardian.com/technology/2016/aug/03/turkey-coup-gulen-movement-bylock-messaging-app - https://www.theguardian.com/world/2017/sep/11/turks-detained-encrypted-bylock-messaging-app-human-rights-breached	120104000000
42	Surveillance	Passive Social Media Surveillance	The covert monitoring, collection, and analysis of the travler's and/or their in-country partner's social media accounts with "social media monitoring software" in order to gather information on their activities and relationships with others.		120104000000
43	Surveillance	Compromised Account	The client has lost access to, suspects or has confirmed malicious activity might be taking place through their account.
44	Surveillance	Compromised Device	"This is essentially the same situation as with physically-local attacks. The attacker's code, when it runs as your user account on your machine, can do anything you can do." - https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-compromised_infected-machines-in-Chromes-threat-model
45	Deception	Phishing	"Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information."	https://capec.mitre.org/data/definitions/98.html
46	Deception	Pharming	"A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to his site rather than the originally intended one."	https://capec.mitre.org/data/definitions/89.html
47	Deception	Principal Spoof	"A Principle Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished by crafting a message (either written, verbal, or visual) that appears to come from a person other than the adversary. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. A Principle Spoof does not use stolen or spoofed authentication credentials, instead relying on the appearance and content of the message to reflect identity."	https://capec.mitre.org/data/definitions/195.html
48	Deception	Spoofed Access Point	"An adversary provides a malicious [Access Point] at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource."	https://capec.mitre.org/data/definitions/616.html
49	Deception	Certificate Spoofing	Threat of use of rogue certificates for man in the middle/session hijacking and/or signed malware in social engineering.
50	Insider Threat	Traveler Circumvent Mitigations	Security threats that come to pass because of unauthorised use of approved devices and systems by the travler or the use of unauthorized devices and systems. While this threat can be enacted by a travler who has malicious intent, it is most often seen because one or more of the "Requirements" of a security program are not met. (See: Requirements)


1	< Index	Level of [X] required to implement correctly.												Extra [X] required if implemented incorrectly.
2		Traveler			Admin			In-Country Partners			Out-Of-Country Partners			Traveler			Admin			In-Country Partners			Out-Of-Country Partners
3		Effort	Cost	Expertise	Effort	Cost	Expertise	Effort	Cost	Expertise	Effort	Cost	Expertise	Effort	Cost	Expertise	Effort	Cost	Expertise	Effort	Cost	Expertise	Effort	Cost	Expertise

4	Proof Of Inaccess	0	0	0	3	0	3	0	0	0	0	0	0				3
5	In-Country Device Swapping	1	0	3	1	0	2	0	0	0	0	0	0
6	Traveler Sub-Organization(s)
7	Encrypted online archive
8	Temporary PGP Keys
9	Temporary G Suite Accounts
10	Social Media Account Sanitization
11	Traveler Away Message
12	Inventory of Authorized and Unauthorized devices
13	Enrollment Contact Policies
14	Possible Credential Disclosure Practices
15	Needs Assessment (Apps)
16	Remote Access Management
17	App Pinning
18	Custom Chrome Web Store Homepage
19	org-specific services (App store)
20	Private Apps
21	Multi-Factor Authentication
22	Inventory of Authorized and Unauthorized Software
23	Account Monitoring and Control
24	Controlled Access Based On Need to Know
25	Security Awareness and Training
26	Chrome Remote Desktop
27	Desktop Virtualization
28	External Enterprise Mobility Management Tool
29	Appropriate Organizational Identifiers
30	In-country alternative working software identification
31	Device Wiping
32	Secure Traffic Tunneling
33	Whitelist(s)
34	Blacklist(s)
35	Maintenance, Monitoring, and Analysis of Audit Logs
36	Boundary Defense
37	Encrypted External Storage devices
38	Webcam Cover
39	Emergency Communication Practices
40	Project Specific GSuite Accounts
41	Crisis Identification
42	Cohesive Security Tool Adoption
43	Personal Device Preparation
44	Password Manger
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002


1	< Index	Relevant Threat Context
2	Threat	Threat Context	Comment

3	App Store App Blocking/Restriction	Incoming
4	App Store App Blocking/Restriction	In-Country
5	App Store App Blocking/Restriction	Outgoing
6	Application/Protocol Blocking	Pre	Can hamper ability to securely/anonymously communicate with project contacts (partners, fixers, etc)
7	Application/Protocol Blocking	Incoming
8	Application/Protocol Blocking	In-Country
9	Application/Protocol Blocking	Outgoing
10	Certificate Spoofing	Incoming
11	Certificate Spoofing	In-Country
12	Certificate Spoofing	Outgoing
13	Circumvention Tech Regulated	Pre	Can hamper ability to securely/anonymously communicate with project contacts (partners, fixers, etc)
14	Circumvention Tech Regulated	Incoming
15	Circumvention Tech Regulated	In-Country
16	Compromised Account	Pre	Exposes all communication with the compromised project contacts (partners, fixers, etc) that used this account
17	Compromised Account	Pre	If the primary communications account it exposes all communication with the compromised project contacts (partners, fixers, etc), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
18	Compromised Account	Incoming
19	Compromised Account	In-Country
20	Compromised Account	Outgoing
21	Compromised Account	Post
22	Compromised Device	Pre	Exposes all communication with the compromised project contacts (partners, fixers, etc), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
23	Compromised Device	Incoming	Exposes all communication with the compromised project contacts (partners, fixers, etc), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
24	Compromised Device	In-Country	Exposes all communication with the compromised project contacts (partners, fixers, etc), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
25	Compromised Device	Outgoing	Exposes all communication with the compromised project contacts (partners, fixers, etc), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
26	Compromised Device	Post	Exposes all communication with the compromised project contacts (partners, fixers, etc), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
27	Data requests from online services	Incoming	Both targeting of travler and ability to leverage legal data requests are likely limited until the traveler is headed into the country.
28	Data requests from online services	In-Country
29	Data requests from online services	Outgoing
30	Data requests from online services	Post
31	Decryption Forced (Device)	Incoming
32	Decryption Forced (Device)	In-Country
33	Decryption Forced (Device)	Outgoing
34	Decryption Forced (Service)	Incoming
35	Decryption Forced (Service)	In-Country
36	Decryption Forced (Service)	Outgoing
37	Device Confiscation	Incoming
38	Device Confiscation	In-Country
39	Device Confiscation	Outgoing
40	Encrypted Comms Regulated	Pre	Can hamper ability to securely communicate with project contacts (partners, fixers, etc)
41	Encrypted Comms Regulated	Incoming
42	Encrypted Comms Regulated	In-Country
43	Encryption Regulated	In-Country
44	Encryption Regulated	Post
45	Endpoint/Route Disabling	Pre	Can hamper ability to securely/anonymously communicate with project contacts (partners, fixers, etc)
46	Endpoint/Route Disabling	Incoming
47	Endpoint/Route Disabling	In-Country
48	Endpoint/Route Disabling	Outgoing
49	Forced Disclosure of Travel Information	Incoming
50	Forced Disclosure of Travel Information	In-Country
51	Forced Disclosure of Travel Information	Outgoing
52	Full Internet Shutdown	Pre	Can hamper ability to securely/anonymously communicate with project contacts (partners, fixers, etc) and make/confirm travel arrangements.
53	Full Internet Shutdown	In-Country
54	Full Mobile Shutdown	In-Country
55	Hotel Robbery & Theft	In-Country
56	In-Country Activities Regulated	Pre	Communications with project partners that contains planning info can get travler flagged if exposed
57	In-Country Activities Regulated	In-Country
58	In-Country Partners Targeted	Pre	Any communications with project partners can get travler flagged if exposed
59	In-Country Partners Targeted	In-Country
60	In-Country Partners / Contacts Accounts and/or devices	Pre	Exposes all communication with the compromised project contacts (partners, fixers, etc)
61	In-Country Partners / Contacts Accounts and/or devices	Incoming
62	In-Country Partners / Contacts Accounts and/or devices	In-Country
63	In-Country Partners / Contacts Accounts and/or devices	Outgoing
64	In-Transit Robbery & Theft	Incoming
65	In-Transit Robbery & Theft	In-Country
66	In-Transit Robbery & Theft	Outgoing
67	Intermittent Connectivity	In-Country
68	Lacking/Intermittent Access to Broadband	In-Country
69	Limited/Throttled Connectivity	In-Country
70	Login Forced (Device)	Incoming
71	Login Forced (Device)	In-Country
72	Login Forced (Device)	Outgoing
73	Login Forced (Service)	Incoming
74	Login Forced (Service)	In-Country
75	Login Forced (Service)	Outgoing
76	Mobile Data Shutdown	In-Country
77	Passive Internet Surveillance	Pre	Exposes all unsecured communication with in-country project contacts (partners, fixers, etc) which can flag travler.
78	Passive Internet Surveillance	In-Country
79	Passive Mobile Comms Surveillance	Pre	Exposes all unsecured communication with in-country project contacts (partners, fixers, etc) which can flag travler.
80	Passive Mobile Comms Surveillance	In-Country
81	Passive Mobile Data Surveillance	Pre	Exposes all unsecured communication with in-country project contacts (partners, fixers, etc) which can flag travler.
82	Passive Mobile Data Surveillance	In-Country
83	Passive Mobile Location Surveillance	In-Country
84	Passive Social Media Surveillance	Pre	Exposes realationships and any public communication with in-country project contacts (partners, fixers, etc). If the target is being monitored this can get the traveler flagged. Also can expose any publicly posted travel plans and/or in-country activities which, if not disclosed when detained, could be used against the travler.
85	Passive Social Media Surveillance	Incoming
86	Passive Social Media Surveillance	In-Country
87	Passive Social Media Surveillance	Outgoing
88	Passive Social Media Surveillance	Post
89	Pharming	Incoming
90	Pharming	In-Country
91	Pharming	Outgoing
92	Phishing	Pre
93	Phishing	Incoming
94	Phishing	In-Country
95	Phishing	Outgoing
96	Phishing	Post
97	Physical Stalking	In-Country
98	Power Outage	In-Country
99	Principal Spoof	Pre	Can be used to elicit information from the traveler
100	Principal Spoof	Pre	Can be used to try to make traveler "confess" to sanctionable activities
101	Principal Spoof	Incoming
102	Principal Spoof	In-Country
103	Principal Spoof	Outgoing
104	Principal Spoof	Post
105	RF Jamming	In-Country
106	RF Triangulation	In-Country
107	Satellite Comms Jamming	In-Country
108	Spoofed Access Point	Incoming
109	Spoofed Access Point	In-Country
110	Spoofed Access Point	Outgoing
111	Targeted Workplace Raids	In-Country
112	Topical/Information Censorship	Incoming
113	Topical/Information Censorship	In-Country
114	Topical/Information Censorship	Outgoing
115	Traveler Circumvent Mitigations	Pre
116	Traveler Circumvent Mitigations	Incoming
117	Traveler Circumvent Mitigations	In-Country
118	Traveler Circumvent Mitigations	Outgoing
119	Traveler Circumvent Mitigations	Post
120	Traveler Detained	Incoming
121	Traveler Detained	In-Country
122	Traveler Detained	Outgoing
123	Traveler Mislead/Lie to Border Officials	Incoming
124	Traveler Mislead/Lie to Border Officials	Outgoing
125	Traveler Perceived to be Misleading/Lying to Border Officials	Incoming
126	Traveler Perceived to be Misleading/Lying to Border Officials	Outgoing
127	Traveler/Partner Association Regulated	Incoming
128	Traveler/Partner Association Regulated	In-Country
129	Traveler/Partner Association Regulated	Outgoing
130	Usernames Exposed	Incoming
131	Usernames Exposed	In-Country
132	Usernames Exposed	Outgoing
133	Destruction (Device)	Incoming
134	Destruction (Device)	In-Country
135	Destruction (Device)	Outgoing
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997


1	< Index
2	Threat	Can Lead To	Requires Additional Threat	Mitigation	Notes

3	Targeted Workplace Raids	Confiscation
4	In-Transit Robbery & Theft	Confiscation
5	Hotel Robbery & Theft	Confiscation
6	Device Confiscation	Decryption Forced (Device)	Traveler Detained
7	Device Confiscation	Decryption Forced (Service)	Traveler Detained
8	Device Confiscation	Login Forced	Traveler Detained
9	Phishing	Compromised Account
10	Phishing	Compromised Device
11	Phishing	Compromised Account
12	Phishing	Compromised Account
13	Phishing	Compromised Device
14	Phishing	Compromised Device
15	Phishing	Compromised Account
16	Phishing	Compromised Account
17	Pharming	Compromised Account
18	Pharming	Compromised Device
19	Pharming	Compromised Account
20	Pharming	Compromised Account
21	Pharming	Compromised Device
22	Pharming	Compromised Device
23	Pharming	Compromised Account
24	Pharming	Compromised Account
25	Spoofed Access Point	Compromised Account
26	Spoofed Access Point	Compromised Account
27	Spoofed Access Point	Compromised Account
28	Spoofed Access Point	Compromised Account
29	Spoofed Access Point	Compromised Account
30	Physical Stalking	Compromised Account			Shoulder Surfing
31	Physical Stalking	Compromised Device			Shoulder Surfing
32	Physical Stalking	Usernames Exposed			Shoulder Surfing


1	< Index
2	Store	Physical	Electronic Device	Network Enabled	WiFi Connectivity	Cellular Connectivity	Encrypted	Login Required	Online Service	Communication Channel	Notes

3	Local volume (USB/SD/Device)	Yes	Yes	N/A	N/A	No	Yes	No	No	No
4	Travel Laptop (Chromebook)	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
5	Travel/Local Mobile Phone	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
6	Primary Personal Mobile Device	Yes	No	No	Yes	Yes	Yes	Yes	No	No	If brought see: device preparation
7	Physical Notes / Documents	Yes	No	N/A	N/A	No	No	No	No	No
8	Identity Cards (Passports)	Yes	No	N/A	N/A	No	No	No	No	No
9	Non-Phone Mobile Device(s)	Yes	Yes	Yes	Yes	No	Yes	Yes	No	No	Encryption is possible for most, but my experience has shown me that people treat tablets with far less care. (If brought see: device preparation.)
10	Personal Laptop	Yes	Yes	Yes	Yes	No	Yes	Yes	No	No	If brought see: device preparation & Seamus beating them about the head for circumventing all the security that the rest of this process provided.
11	Online Travel Archive	No	No	N/A	N/A	N/A	Yes	Yes	Yes	No
12	Email	No	No	N/A	N/A	N/A	Yes	Yes	Yes	Yes
13	Social Media	No	No	N/A	N/A	N/A	No	Yes	Yes	Yes
14	Password Manager	No	No	N/A	N/A	N/A	Yes	Yes	Yes	No
15	Team file store	No	No	N/A	N/A	N/A	No	Yes	Yes	No
16	Team Admin Services (HR, Billing)	No	No	N/A	N/A	N/A	No	Yes	Yes	No
17	Team Tech Admin Services	No	No	N/A	N/A	N/A	No	Yes	Yes	No
18	Travel PGP Key	No	No	N/A	N/A	N/A	Yes	Yes	No	No
19	Primary PGP Key	No	No	N/A	N/A	N/A	Yes	Yes	No	No
20	Camera	Yes	Yes	No	No	No	No	No	No	No
21	Video Recorder	Yes	Yes	No	No	No	No	No	No	No
22	Encrypted Online Backups	No	No	Yes	No	No	Yes	Yes	Yes	No
23	Unencrypted Online Backups	No	No	Yes	No	No	Yes	No	Yes	No


1	< Index
2	Threat	Possible Threat & Requirements	If [TARGET] is [CONDITION].		Info Store Column Letter

3	App Store App Blocking/Restriction	Availability	Online Service	Yes		#VALUE!
4	Application/Protocol Blocking	Availability	Online Service	Yes		#VALUE!
5	Application/Protocol Blocking	Availability	Communication Channel	Yes		#VALUE!
6	Certificate Spoofing	Integrity	Online Service	Yes		#VALUE!
7	Certificate Spoofing	Integrity	Communication Channel	Yes		#VALUE!
8	Circumvention Tech Regulated	Integrity	Physical	No		#VALUE!
9	Circumvention Tech Regulated	Confidentiality	Physical	No		#VALUE!
10	Circumvention Tech Regulated	Availability	Physical	No		#VALUE!
11	Compromised Account	Integrity	Online Service	Yes		#VALUE!
12	Compromised Account	Confidentiality	Online Service	Yes		#VALUE!
13	Compromised Account	Availability	Online Service	Yes		#VALUE!
14	Compromised Device	Confidentiality	Electronic Device	Yes		#VALUE!
15	Compromised Device	Integrity	Electronic Device	Yes		#VALUE!
16	Compromised Device	Availability	Electronic Device	Yes		#VALUE!
17	Data requests from online services	Confidentiality	Online Service	Yes		#VALUE!
18	Decryption Forced (Device)	Requires	Encrypted	Yes		#VALUE!
19	Decryption Forced (Device)	Integrity	Encrypted	Yes		#VALUE!
20	Decryption Forced (Service)	Requires	Physical	No		#VALUE!
21	Decryption Forced (Service)	Integrity	Encrypted	Yes		#VALUE!
22	Device Confiscation	Requires	Physical	Yes	B	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder
23	Device Confiscation	Availability	Physical	Yes	B	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder
24	Device Confiscation	Integrity	Encrypted	No	G	Physical Notes / Documents; Identity Cards (Passports); Social Media; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Camera; Video Recorder
25	Encrypted Comms Regulated	Requires	Communication Channel	Yes	J	Email; Social Media
26	Encrypted Comms Regulated	Availability	Encrypted	Yes	G	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups
27	Encrypted Comms Regulated	Availability	Communication Channel	Yes	J	Email; Social Media
28	Encrypted Comms Regulated	Confidentiality	Communication Channel	Yes	J	Email; Social Media
29	Encryption Regulated	Requires	Encrypted	Yes	G	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups
30	Encryption Regulated	Availability	Encrypted	Yes	G	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups
31	Endpoint/Route Disabling	Availability	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
32	Forced proof of travel plans	Confidentiality			#N/A	#N/A
33	Full Internet Shutdown	Availability	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
34	Full Internet Shutdown	Availability	Communication Channel	Yes	J	Email; Social Media
35	Full Mobile Shutdown	Availability	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
36	Full Mobile Shutdown	Availability	Communication Channel	Yes	J	Email; Social Media
37	In-Country Partners / Contacts Accounts and/or devices	Confidentiality	Communication Channel	Yes	J	Email; Social Media
38	Intermittent Connectivity	Availability	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
39	Intermittent Connectivity	Availability	Communication Channel	Yes	J	Email; Social Media
40	Lacking/Intermittent Access to Broadband	Availability	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
41	Lacking/Intermittent Access to Broadband	Availability	Communication Channel	Yes	J	Email; Social Media
42	Limited/Throttled Connectivity	Availability	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
43	Limited/Throttled Connectivity	Availability	Communication Channel	Yes	J	Email; Social Media
44	Login Forced (Device)	Requires	Login Required	Yes	H	Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups
45	Login Forced (Device)	Requires	Physical	Yes	B	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder
46	Login Forced (Device)	Confidentiality	Login Required	Yes	H	Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups
47	Login Forced (Device)	Integrity	Login Required	Yes	H	Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups
48	Login Forced (Service)	Requires	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
49	Login Forced (Service)	Requires	Login Required	Yes	H	Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups
50	Login Forced (Service)	Confidentiality	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
51	Login Forced (Service)	Integrity	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
52	Mobile Data Shutdown	Availability	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
53	Mobile Data Shutdown	Availability	Communication Channel	Yes	J	Email; Social Media
54	Passive Internet Surveillance	Confidentiality			#N/A	#N/A
55	Passive Mobile Comms Surveillance	Confidentiality			#N/A	#N/A
56	Passive Mobile Data Surveillance	Confidentiality			#N/A	#N/A
57	Passive Mobile Location Surveillance	Confidentiality			#N/A	#N/A
58	Passive Social Media Surveillance	Confidentiality			#N/A	#N/A
59	Physical Stalking	Confidentiality	Login Required	Yes	H	Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups
60	Physical Stalking	Confidentiality	Physical	Yes	B	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder
61	Power Outage	Availability	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
62	Power Outage	Availability	Communication Channel	Yes	J	Email; Social Media
63	Power Outage	Availability	Electronic Device	Yes	C	Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder
64	Principal Spoof	Integrity	Communication Channel	Yes	J	Email; Social Media
65	Spoofed Access Point	Confidentiality	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
66	Spoofed Access Point	Confidentiality	Communication Channel	Yes	J	Email; Social Media
67	Spoofed Access Point	Integrity	Online Service	Yes	I	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups
68	Spoofed Access Point	Integrity	Communication Channel	Yes	J	Email; Social Media
69	Usernames Exposed	Requires	Physical	No	B	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups
70	Usernames Exposed	Confidentiality	Physical	No	B	Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups
71					#N/A	#N/A
72					#N/A	#N/A
73					#N/A	#N/A
74					#N/A	#N/A
75					#N/A	#N/A
76					#N/A	#N/A
77					#N/A	#N/A
78					#N/A	#N/A
79					#N/A	#N/A
80					#N/A	#N/A
81					#N/A	#N/A
82					#N/A	#N/A
83					#N/A	#N/A
84					#N/A	#N/A
85					#N/A	#N/A
86					#N/A	#N/A
87					#N/A	#N/A
88					#N/A	#N/A
89					#N/A	#N/A
90					#N/A	#N/A
91					#N/A	#N/A
92					#N/A	#N/A
93					#N/A	#N/A
94					#N/A	#N/A
95					#N/A	#N/A
96					#N/A	#N/A
97					#N/A	#N/A
98					#N/A	#N/A
99					#N/A	#N/A
100					#N/A	#N/A
101					#N/A	#N/A
102					#N/A	#N/A
103					#N/A	#N/A
104					#N/A	#N/A
105					#N/A	#N/A
106					#N/A	#N/A
107					#N/A	#N/A
108					#N/A	#N/A
109					#N/A	#N/A
110					#N/A	#N/A
111					#N/A	#N/A
112					#N/A	#N/A
113					#N/A	#N/A
114					#N/A	#N/A
115					#N/A	#N/A
116					#N/A	#N/A
117					#N/A	#N/A
118					#N/A	#N/A
119					#N/A	#N/A
120					#N/A	#N/A
121					#N/A	#N/A
122					#N/A	#N/A
123					#N/A	#N/A
124					#N/A	#N/A
125					#N/A	#N/A
126					#N/A	#N/A
127					#N/A	#N/A
128					#N/A	#N/A
129					#N/A	#N/A
130					#N/A	#N/A
131					#N/A	#N/A
132					#N/A	#N/A
133					#N/A	#N/A
134					#N/A	#N/A
135					#N/A	#N/A
136					#N/A	#N/A
137					#N/A	#N/A
138					#N/A	#N/A
139					#N/A	#N/A
140					#N/A	#N/A
141					#N/A	#N/A
142					#N/A	#N/A
143					#N/A	#N/A
144					#N/A	#N/A
145					#N/A	#N/A
146					#N/A	#N/A
147					#N/A	#N/A
148					#N/A	#N/A
149					#N/A	#N/A
150					#N/A	#N/A
151					#N/A	#N/A
152					#N/A	#N/A
153					#N/A	#N/A
154					#N/A	#N/A
155					#N/A	#N/A
156					#N/A	#N/A
157					#N/A	#N/A
158					#N/A	#N/A
159					#N/A	#N/A
160					#N/A	#N/A
161					#N/A	#N/A
162					#N/A	#N/A
163					#N/A	#N/A
164					#N/A	#N/A
165					#N/A	#N/A
166					#N/A	#N/A
167					#N/A	#N/A
168					#N/A	#N/A
169					#N/A	#N/A
170					#N/A	#N/A
171					#N/A	#N/A
172					#N/A	#N/A
173					#N/A	#N/A
174					#N/A	#N/A
175					#N/A	#N/A
176					#N/A	#N/A
177					#N/A	#N/A
178					#N/A	#N/A
179					#N/A	#N/A
180					#N/A	#N/A
181					#N/A	#N/A


1	< Index	The GSuite User Settings menu can be found here.			Settings Reccomendations		Mitigation			Modification to Threats				Requirements
2	Category	Title	SubItem	Option(s)	Basic	High Risk	Supports	Inhibits	Requires	Likelihood ↧	Impact ↧	Likelihood ↥	Impact ↥	Supports	Inhibits

3	Mobile	Chrome Mobile		Apply supported user settings to Chrome on Android	N/A	N/A
4	General	Avatar		Upload Avatar File	Yes	Yes	Proof Of Inaccess			Traveler Perceived to be Misleading/Lying to Border Officials
5	General	Wallpaper		Upload Wallpaper File	Yes	Yes	Proof Of Inaccess			Traveler Perceived to be Misleading/Lying to Border Officials
6	General	Smart Lock for Chrome		Allow Smart Lock for Chrome	No	No		Multi-Factor Authentication	Security Awareness and Training			Login Forced (Device)
7	General	Smart Lock for Chrome		Do not allow Smart Lock for Chrome	Yes	Yes	Multi-Factor Authentication
8	Enrollment Controls	Device Enrollment		Keep Chrome device in current location	No	No		Account Monitoring and Control,Controlled Access Based On Need to Know
9	Enrollment Controls	Device Enrollment		Place Chrome device in team member organization	Yes	Yes	Controlled Access Based On Need to Know		Account Monitoring and Control					Self-Managed Considerations	Low Resourced Administrator
10	Enrollment Controls	Asset Identifier During Enrollment		Do not allow for team member's in this organization	Yes	Yes		Inventory of Authorized and Unauthorized devices
11	Enrollment Controls	Asset Identifier During Enrollment		team member's in this organization can provide asset ID and location during enrollment	Yes	Yes	Inventory of Authorized and Unauthorized devices								Self-Managed Considerations
12	Enrollment Controls	Enrollment Permissions		Allow user's in this organization to enroll new or deprovisioned devices	Varies	Varies	In-Country Device Swapping	Inventory of Authorized and Unauthorized devices	Enrollment Contact Policies			Compromised Account		Self-Managed Considerations,Self-Managed Considerations
13	Enrollment Controls	Enrollment Permissions		Do not allow team member's in this organization to enroll new or deprovisioned devices	Varies	Varies	Inventory of Authorized and Unauthorized devices								Low Resourced Administrator,Self-Managed Considerations
14	Apps and Extensions	Allowed Types of Apps and Extensions		Extension	Yes	Yes			Inventory of Authorized and Unauthorized Software,Whitelist(s)	Compromised Device
15	Apps and Extensions	Allowed Types of Apps and Extensions		Theme	Yes	Yes			Inventory of Authorized and Unauthorized Software,Whitelist(s)	Compromised Device
16	Apps and Extensions	Allowed Types of Apps and Extensions		Google Apps Script	Yes	Yes			Inventory of Authorized and Unauthorized Software,Whitelist(s)	Compromised Device
17	Apps and Extensions	Allowed Types of Apps and Extensions		Hosted App	Yes	Yes			Inventory of Authorized and Unauthorized Software,Whitelist(s)	Compromised Device
18	Apps and Extensions	Allowed Types of Apps and Extensions		Legacy Packaged App	Yes	Yes			Inventory of Authorized and Unauthorized Software,Whitelist(s)	Compromised Device
19	Apps and Extensions	Allowed Types of Apps and Extensions		Chrome Packaged App	Yes	Yes			Inventory of Authorized and Unauthorized Software,Whitelist(s)	Compromised Device
20	Apps and Extensions	App and Extension Install Sources		List of URL Patterns	LongTerm	LongTerm			Inventory of Authorized and Unauthorized Software,Whitelist(s),Whitelist(s)	Compromised Device
21	Apps and Extensions	Force-installed Apps and Extensions		Manage force-installed apps	Yes	Yes	Cohesive Security Tool Adoption					Circumvention Tech Regulated,Encrypted Comms Regulated,Encryption Regulated		Low Resourced Administrator
22	Apps and Extensions	Allow or Block All Apps and Extensions		Allow all apps and extensions except the ones I block	Varies	Varies		Inventory of Authorized and Unauthorized Software	Blacklist(s)			Compromised Device
23	Apps and Extensions	Allow or Block All Apps and Extensions		Block all apps and extensions except the ones I allow	LongTerm	LongTerm			Inventory of Authorized and Unauthorized Software,Needs Assessment (Apps)	Compromised Device
24	Apps and Extensions	Pinned Apps and Extensions		Manage pinned apps	Yes	Yes	Security Awareness and Training					In-Country Activities Regulated,Traveler Detained,Traveler/Partner Association Regulated	Login Forced (Device)	Security must not make the traveler ineffective
25	Apps and Extensions	Task Manager		Allow user's to end processes with the Chrome task manager	Yes	Yes		External Enterprise Mobility Management Tool					Login Forced (Device)
26	Apps and Extensions	Task Manager		Block team member's from ending processes with the Chrome task manager	No	No	External Enterprise Mobility Management Tool
27	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use the default homepage	Yes	Yes			Custom Chrome Web Store Homepage
28	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use the 'For [YOUR_DOMAIN>TLD]' collection:	Varies	Varies			Custom Chrome Web Store Homepage			In-Country Activities Regulated,Traveler/Partner Association Regulated	Login Forced (Device)
29	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	Varies	Varies	Cohesive Security Tool Adoption,Whitelist(s)		Custom Chrome Web Store Homepage,Security Awareness and Training	In-Country Activities Regulated,Traveler/Partner Association Regulated	Login Forced (Device)			Widely Dispersed Team
30	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	Include all private apps and extensions from my domain.	Varies	Varies		Private Apps	Inventory of Authorized and Unauthorized Software				Compromised Account	Low Resourced Administrator
31	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	I will choose which private apps and extensions to include.	Varies	Varies	Inventory of Authorized and Unauthorized Software,Proof Of Inaccess			Traveler Perceived to be Misleading/Lying to Border Officials
32	Chrome Web Store	Chrome Web Store Homepage		What should the collection name be?	Yes	Yes	Cohesive Security Tool Adoption		Security Awareness and Training	In-Country Activities Regulated,Traveler/Partner Association Regulated	Login Forced (Device)
33	Chrome Web Store	Recommended Apps and Extensions		Manage	Yes	Yes
34	Chrome Web Store	Chrome Web Store Permissions		Allow user's to publish private apps that are restricted to your domain on Chrome Web Store.	Varies	Varies		Inventory of Authorized and Unauthorized Software	Private Apps				Compromised Account
35	Chrome Web Store	Chrome Web Store Permissions		Allow user's to skip verification for websites not owned	No	No		Inventory of Authorized and Unauthorized Software					Compromised Account
36	Android applications	Android applications on Chrome devices		Do not allow	No	No		Cohesive Security Tool Adoption
37	Android applications	Android applications on Chrome devices		Allow	Yes	Yes	Cohesive Security Tool Adoption,Inventory of Authorized and Unauthorized Software		Inventory of Authorized and Unauthorized Software,Security Awareness and Training					Security must not make the traveler ineffective
38	Android applications	Access to Android applications		Do not allow	LongTerm	LongTerm	Blacklist(s),Inventory of Authorized and Unauthorized Software	In-country alternative working software identification
39	Android applications	Access to Android applications		Allow	ShortTerm	ShortTerm	In-country alternative working software identification,Whitelist(s)	Cohesive Security Tool Adoption	Needs Assessment (Apps),Security Awareness and Training		Application/Protocol Blocking,Endpoint/Route Disabling	Compromised Device		Receptive and Trusted Admin/Security Team
40	Android applications	Account Management		Google account	Yes	Yes		Cohesive Security Tool Adoption,Inventory of Authorized and Unauthorized Software				Compromised Device
41	Android applications	Unknown Sources		Allow install from unknown sources	Yes	Yes	In-country alternative working software identification		Security Awareness and Training		App Store App Blocking/Restriction,Circumvention Tech Regulated,Encrypted Comms Regulated,Endpoint/Route Disabling	Compromised Device,Compromised Device		Localizable & Internationalizable Practices
42	Android applications	Unknown Sources		Do not allow install from unknown sources	No	No		In-country alternative working software identification		Compromised Device			App Store App Blocking/Restriction,Circumvention Tech Regulated,Encrypted Comms Regulated,Endpoint/Route Disabling		Localizable & Internationalizable Practices
43	Android applications	Certificate Synchronization		Disable usage of Chrome OS CA Certificates in Android apps
44	Android applications	Certificate Synchronization		Enable usage of Chrome OS CA Certificates in Android apps
45	Security	Password Manager		Always allow use of password manager	No	No			Security Awareness and Training				Login Forced (Service)		Allow for Greater Security
46	Security	Password Manager		Never allow use of password manager	No	Varies					Login Forced (Service)
47	Security	Password Manager		Allow user to configure	Yes	Varies			Security Awareness and Training				Login Forced (Service)
48	Security	Lock Screen		Do not allow locking screen	Varies	Varies	Device Wiping				Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids	Traveler Circumvent Mitigations
49	Security	Lock Screen		Allow locking screen	Varies	Varies
50	Security	Idle Settings		Idle time in minutes (leave empty for system default)	Default	Default			Security Awareness and Training			Traveler Circumvent Mitigations
51	Security	Idle Settings	Action on idle	Sleep	Yes	Varies		Security Awareness and Training
52	Security	Idle Settings	Action on idle	Logout	No	Varies	Device Wiping	Security Awareness and Training			Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids
53	Security	Idle Settings	Action on lid close	Sleep	Yes	Varies		Security Awareness and Training
54	Security	Idle Settings	Action on lid close	Logout	No	Varies	Device Wiping	Security Awareness and Training			Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids
55	Security	Idle Settings	Lock screen on sleep	Allow user to configure	Varies	No
56	Security	Idle Settings	Lock screen on sleep	Lock Screen	Varies	Varies		Security Awareness and Training
57	Security	Idle Settings	Lock screen on sleep	Don't Lock Screen	No	No		Security Awareness and Training
58	Security	Incognito Mode		Allow incognito mode	Yes	Yes	Security Awareness and Training				Login Forced (Device)			Allow for Greater Security
59	Security	Incognito Mode		Disallow incognito mode	No	No							Login Forced (Device)		Allow for Greater Security
60	Security	Browser History		Always save browser history	Yes	Varies			Security Awareness and Training				Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids
61	Security	Browser History		Never save browser history	No	Varies			Proof Of Inaccess		Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids
62	Security	Clear Browser History		Do not allow clearing history in settings menu	Varies	Varies							Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids
63	Security	Clear Browser History		Allow clearing history in settings menu	Varies	Varies			Security Awareness and Training				Traveler Detained
64	Security	Force Ephemeral Mode		Do not erase local team member data
65	Security	Force Ephemeral Mode		Erase all local team member data
66	Security	Online Revocation Checks		Perform online OCSP/CRL checks	No	No							Passive Internet Surveillance,Passive Mobile Data Surveillance
67	Security	Online Revocation Checks		Do not perform online OCSP/CRL checks	Yes	Yes
68	Security	Safe Browsing		Always enable Safe Browsing	Yes	Yes			Security Awareness and Training	Compromised Device	Pharming
69	Security	Safe Browsing		Always disable Safe Browsing	No	No			Security Awareness and Training	Compromised Device	Pharming
70	Security	Safe Browsing		Allow user to decide whether to use Safe Browsing	No	No			Security Awareness and Training	Compromised Device	Pharming
71	Security	Malicious Sites		Allow user to proceed anyway to malicious sites	Varies	Varies			Security Awareness and Training				Pharming
72	Security	Malicious Sites		Prevent team member from proceeding anyway to malicious sites	Varies	Varies			Desktop Virtualization,Traveler Sub-Organization(s)		Pharming	Traveler Circumvent Mitigations
73	Security	Geolocation		Allow sites to detect team member's' geolocation	No	No				Traveler Circumvent Mitigations,Traveler Circumvent Mitigations	Data requests from online services		Data requests from online services		Allow for Greater Security
74	Security	Geolocation		Do not allow sites to detect team member's' geolocation	No	No					Data requests from online services	Traveler Circumvent Mitigations
75	Security	Geolocation		Always ask the team member if a site wants to detect their geolocation	Varies	Varies				Traveler Circumvent Mitigations,Traveler Circumvent Mitigations	Data requests from online services		Data requests from online services		Allow for Greater Security
76	Security	Geolocation		Allow user to configure	Varies	Varies			Security Awareness and Training			Traveler Circumvent Mitigations
77	Security	Remote access clients		Remote Access Host Client Domain - Configure the required domain name for remote access clients.	Yes	Yes	External Enterprise Mobility Management Tool,Remote Access Management			Compromised Device
78	Security	Local Trust Anchors Certificates	Local Anchors Sha1	Follow the publicly announced SHA-1 deprecation schedule	Yes	Yes
79	Security	Local Trust Anchors Certificates	Local Anchors Sha1	Allow SHA-1 for local trust anchors	No	No						Certificate Spoofing
80	Security	Local Trust Anchors Certificates	Local Anchors Common Name Fallback	Block	Yes	Yes				Certificate Spoofing
81	Security	Local Trust Anchors Certificates	Local Anchors Common Name Fallback	Allow	No	No						Certificate Spoofing
82	Session Settings	Show Logout Button in Tray		Does not show logout button in tray	No	No		Security Awareness and Training				Traveler Circumvent Mitigations
83	Session Settings	Show Logout Button in Tray		Show logout button in tray	Yes	Yes	Security Awareness and Training			Traveler Circumvent Mitigations
84	Network	Proxy Settings		Never use a proxy	Varies	Varies			Security Awareness and Training		Limited/Throttled Connectivity
85	Network	Proxy Settings		Always auto detect the proxy	No	No							Passive Internet Surveillance,Spoofed Access Point		Allow for Greater Security
86	Network	Proxy Settings		Always use the proxy specified below	Varies	Varies	Secure Traffic Tunneling	In-country alternative working software identification,In-country alternative working software identification			Passive Internet Surveillance,Passive Internet Surveillance	Traveler Circumvent Mitigations,Traveler Circumvent Mitigations	Limited/Throttled Connectivity,Limited/Throttled Connectivity
87	Network	Proxy Settings		Always use the proxy auto-config specified below	Varies	Varies	Secure Traffic Tunneling	In-country alternative working software identification,In-country alternative working software identification			Passive Internet Surveillance,Passive Internet Surveillance	Traveler Circumvent Mitigations,Traveler Circumvent Mitigations	Limited/Throttled Connectivity,Limited/Throttled Connectivity
88	Network	SSL Record Splitting		Enable SSL record splitting
89	Network	SSL Record Splitting		Disable SSL record splitting
90	Network	Data Compression Proxy		Allow user to decide whether to use data compression proxy
91	Network	Data Compression Proxy		Always enable data compression proxy
92	Network	Data Compression Proxy		Always disable data compression proxy
93	Network	WebRTC UDP Ports		Minimum port (1024-65535)	Varies	Varies		Traveler Sub-Organization(s)			Application/Protocol Blocking	Traveler/Partner Association Regulated	Passive Internet Surveillance
94	Network	WebRTC UDP Ports		Maximum port (1024-65535)	Varies	Varies		Traveler Sub-Organization(s)			Application/Protocol Blocking	Traveler/Partner Association Regulated	Passive Internet Surveillance
95	Network	QUIC Protocol		Enabled	Yes	Yes					Application/Protocol Blocking,Limited/Throttled Connectivity
96	Network	QUIC Protocol		Disabled	No	No							Limited/Throttled Connectivity
97	Startup	Home Button		Always show 'Home' button	Varies	Yes	Proof Of Inaccess		Security Awareness and Training	Traveler Perceived to be Misleading/Lying to Border Officials
98	Startup	Home Button		Never show 'Home' button	No	No
99	Startup	Home Button		Allow user to configure	Varies	No			Security Awareness and Training
100	Startup	Homepage		Allow user to configure	Varies	No			Security Awareness and Training
101	Startup	Homepage		Homepage is always the new tab page	Varies	No		Proof Of Inaccess				Traveler Perceived to be Misleading/Lying to Border Officials	Login Forced (Device)		Allow for Greater Security
102	Startup	Homepage		Homepage is always the Homepage URL, set below	Varies	Yes	Proof Of Inaccess			Traveler Perceived to be Misleading/Lying to Border Officials
103	Startup	Pages to Load on Startup		Pages to Load on Startup	Yes	Yes	Proof Of Inaccess			Traveler Perceived to be Misleading/Lying to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials
104	Content	Safe Search and Restricted Mode	Google Safe Search for Google Web Search queries	Do not enforce Safe Search for Google Web Search queries	Yes	Yes
105	Content	Safe Search and Restricted Mode	Google Safe Search for Google Web Search queries	Always use Safe Search for Google Web Search queries	No	No						Traveler Circumvent Mitigations
106	Content	Safe Search and Restricted Mode	Restricted Mode for YouTube	Do not enforce Restricted Mode on YouTube	Yes	Yes
107	Content	Safe Search and Restricted Mode	Restricted Mode for YouTube	Enforce at least Moderate Restricted Mode on YouTube	No	No						Traveler Circumvent Mitigations,Traveler Circumvent Mitigations
108	Content	Safe Search and Restricted Mode	Restricted Mode for YouTube	Enforce Strict Restricted Mode for YouTube	No	No						Traveler Circumvent Mitigations,Traveler Circumvent Mitigations
109	Content	Screenshot		Enable screenshot	Yes	Yes
110	Content	Screenshot		Disable screenshot	No	No						Traveler Circumvent Mitigations
111	Content	Client Certificates		Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	Yes	Yes	Account Monitoring and Control,Proof Of Inaccess	In-Country Device Swapping	Multi-Factor Authentication	Traveler Perceived to be Misleading/Lying to Border Officials	Compromised Account,Compromised Account
112	Content	3D Content		Always allow display of 3D content	Yes	Yes
113	Content	3D Content		Never allow display of 3D content	No	No
114	Content	Cookies	Default Cookie Setting	Allow sites to set cookies	Varies	No							Passive Internet Surveillance		Allow for Greater Security
115	Content	Cookies	Default Cookie Setting	Never allow sites to set cookies	No	No					Passive Internet Surveillance	Traveler Circumvent Mitigations
116	Content	Cookies	Default Cookie Setting	Allow user to configure	Varies	Varies			Security Awareness and Training					Allow for Greater Security
117	Content	Cookies	Default Cookie Setting	Keep cookies for the duration of the session	Varies	Varies	Device Wiping				Passive Internet Surveillance	Traveler Circumvent Mitigations
118	Content	Cookies		Allow Cookies for URL Patterns	No	No	Whitelist(s)		Whitelist(s)		Passive Internet Surveillance,Passive Internet Surveillance	Traveler Circumvent Mitigations,Traveler Circumvent Mitigations			Low Resourced Administrator
119	Content	Cookies		Block Cookies for URL Patterns	Varies	Varies			Security Awareness and Training
120	Content	Cookies		Allow Session-Only Cookies for URL Patterns	Varies	Varies	Whitelist(s)		Whitelist(s)		Passive Internet Surveillance,Passive Internet Surveillance	Traveler Circumvent Mitigations,Traveler Circumvent Mitigations			Low Resourced Administrator
121	Content	Third-Party Cookie Blocking		Allow third-party cookies	No	No			Security Awareness and Training				Passive Internet Surveillance		Allow for Greater Security
122	Content	Third-Party Cookie Blocking		Disallow third-party cookies	Varies	Varies					Passive Internet Surveillance
123	Content	Third-Party Cookie Blocking		Allow user to decide whether to allow third-party cookies	Yes	Varies			Security Awareness and Training				Passive Internet Surveillance		Allow for Greater Security
124	Content	Images	Images	Show images	Varies	Varies
125	Content	Images	Images	Do not show images	No	No						Traveler Circumvent Mitigations
126	Content	Images	Images	Allow user to configure	Yes	Yes			Security Awareness and Training		Limited/Throttled Connectivity
127	Content	Images		Show Images on These Sites	No	No			Whitelist(s)
128	Content	Images		Block Images on These Sites	No	No			Blacklist(s)
129	Content	JavaScript	JavaScript	Allow sites to run JavaScript	No	No			Security Awareness and Training			Pharming,Phishing			Allow for Greater Security
130	Content	JavaScript	JavaScript	Do not allow sites to run JavaScript	No	No				Pharming,Phishing		Traveler Circumvent Mitigations
131	Content	JavaScript	JavaScript	Allow user to configure	Yes	Yes			Security Awareness and Training
132	Content	JavaScript		Allow These Sites to Run JavaScript	No	No			Whitelist(s)			Pharming,Phishing,Traveler Circumvent Mitigations
133	Content	JavaScript		Block JavaScript on These Sites	No	No			Blacklist(s)
134	Content	Notifications	Notifications	Allow sites to show desktop notifications	No	No			Security Awareness and Training,Security Awareness and Training			Traveler Circumvent Mitigations	Phishing
135	Content	Notifications	Notifications	Do not allow sites to show desktop notifications	Varies	Varies			Needs Assessment (Apps)		Phishing	Traveler Circumvent Mitigations
136	Content	Notifications	Notifications	Always ask the team member if a site can show desktop notifications	Varies	Varies			Security Awareness and Training,Security Awareness and Training			Traveler Circumvent Mitigations	Phishing
137	Content	Notifications	Notifications	Allow user to configure	Varies	Varies			Security Awareness and Training
138	Content	Notifications		Allow These Sites to Show Desktop Notifications	Varies	Varies			Needs Assessment (Apps)
139	Content	Notifications		Block Desktop Notifications on These Sites	No	No
140	Content	Plug-ins	Plug-ins	Run plug-ins automatically	No	No							Pharming,Phishing		Allow for Greater Security
141	Content	Plug-ins	Plug-ins	Block all plug-ins	Varies	Varies			Needs Assessment (Apps)		Pharming,Phishing	Traveler Circumvent Mitigations
142	Content	Plug-ins	Plug-ins	Allow user to configure	Varies	Varies			Security Awareness and Training
143	Content	Plug-ins		Allow Plug-ins on These Sites	Varies	Varies			Needs Assessment (Apps),Whitelist(s)					Receptive and Trusted Admin/Security Team
144	Content	Plug-ins		Block Plug-ins on These Sites	No	No			Blacklist(s)
145	Content	Enabled and Disabled Plug-ins		Enabled Plug-ins	No	No
146	Content	Enabled and Disabled Plug-ins		Disabled Plug-ins	No	No
147	Content	Enabled and Disabled Plug-ins		Exceptions to Disabled Plug-ins	No	No
148	Content	Plugin Finder		Enable automatic search and installation of missing plugins	No	No
149	Content	Plugin Finder		Disable automatic search and installation of missing plugins	Yes	Yes			Needs Assessment (Apps)
150	Content	Plugin Authorization		Always run plugins that require authorization	No	No							Pharming,Phishing		Allow for Greater Security
151	Content	Plugin Authorization		Ask for user permission before running plugins that require authorization	Yes	Yes			Security Awareness and Training		Pharming,Phishing			Allow for Greater Security
152	Content	Outdated Plugins		Allow outdated plugins to be used as normal plugins	No	No							Pharming,Phishing		Allow for Greater Security
153	Content	Outdated Plugins		Disallow outdated plugins	Varies	Varies					Pharming,Phishing	Traveler Circumvent Mitigations
154	Content	Outdated Plugins		Ask user for permission to run outdated plugins	Varies	Varies			Security Awareness and Training
155	Content	Pop-ups	Pop-ups	Allow all pop-ups	No	No									Allow for Greater Security
156	Content	Pop-ups	Pop-ups	Block all pop-ups	No	No			Needs Assessment (Apps)			Traveler Circumvent Mitigations
157	Content	Pop-ups	Pop-ups	Allow user to configure	Yes	Yes			Security Awareness and Training
158	Content	Pop-ups		Allow Pop-ups on These Sites	Varies	Varies			Needs Assessment (Apps),Whitelist(s)
159	Content	Pop-ups		Block Pop-ups on These Sites	No	No			Blacklist(s)
160	Content	URL Blocking		URL Blacklist	Varies	Varies			Blacklist(s),Blacklist(s)		Pharming
161	Content	URL Blacklist Exception		URL Blacklist Exception	No	No
162	Content	Google Drive Syncing		Enable Google Drive syncing	Varies	Varies			Security Awareness and Training	Traveler Circumvent Mitigations			Compromised Device,Hotel Robbery & Theft,In-Transit Robbery & Theft,Login Forced (Device),Targeted Workplace Raids	Receptive and Trusted Admin/Security Team	Allow for Greater Security
163	Content	Google Drive Syncing		Disable Google Drive syncing	Varies	Varies					Compromised Device,Hotel Robbery & Theft,In-Transit Robbery & Theft,Login Forced (Device),Targeted Workplace Raids	Traveler Circumvent Mitigations
164	Content	Google Drive Syncing		Allow user to decide whether to use Google Drive syncing	Varies	Varies			Security Awareness and Training					Allow for Greater Security
165	Content	Google Drive Syncing over Cellular		Enable Google Drive syncing over cellular connections	Varies	Varies					Lacking/Intermittent Access to Broadband
166	Content	Google Drive Syncing over Cellular		Disable Google Drive syncing over cellular connections	Varies	Varies							Lacking/Intermittent Access to Broadband
167	Content	Cast		Allow user's to Cast	Yes	Yes
168	Content	Cast		Do not allow team member's to Cast	No	No						Traveler Circumvent Mitigations
169	Printing	Printing		Enable printing	Yes	Yes
170	Printing	Printing		Disable printing	No	No						Traveler Circumvent Mitigations
171	Printing	Print Preview		Allow using print preview	Yes	Yes
172	Printing	Print Preview		Always use the system print dialog instead of print preview	No	No
173	Printing	Google Cloud Print Submission		Allow submission of documents to Google Cloud Print	Varies	Varies			Needs Assessment (Apps),Security Awareness and Training
174	Printing	Google Cloud Print Submission		Disallow submission of documents to Google Cloud Print	Varies	Varies			Needs Assessment (Apps)
175	Printing	Google Cloud Print Proxy		Allow using Chrome as a proxy for Google Cloud Print	N/A	N/A			Needs Assessment (Apps)
176	Printing	Google Cloud Print Proxy		Disallow using Chrome as a proxy for Google Cloud Print	N/A	N/A
177	Printing	Print Preview Default		Use default print behavior
178	Printing	Print Preview Default		Define the default printer
179	Printing	Print Preview Default		Cloud & Local printers
180	Printing	Print Preview Default		Cloud only
181	Printing	Print Preview Default		Local only
182	Printing	Print Preview Default		Match by Name
183	Printing	Print Preview Default		Match by ID
184	Printing	Print Preview Default
185	Printing	Native Chrome OS Printing	[X] Chrome OS printers configured.	Manage
186	User Experience	Managed Bookmarks		Managed Bookmarks Folder Name	Varies	Varies	Proof Of Inaccess			Traveler Perceived to be Misleading/Lying to Border Officials
187	User Experience	Managed Bookmarks		Managed Bookmarks	Varies	Varies	Proof Of Inaccess		Appropriate Organizational Identifiers,Needs Assessment (Apps),Security Awareness and Training	Traveler Perceived to be Misleading/Lying to Border Officials	Pharming,Phishing		Login Forced (Device)
188	User Experience	Bookmark Bar		Enable bookmark bar	No	Varies						Traveler Circumvent Mitigations		Security must not make the traveler ineffective
189	User Experience	Bookmark Bar		Disable bookmark bar	No	Varies						Traveler Circumvent Mitigations
190	User Experience	Bookmark Bar		Allow user to decide whether to enable bookmark bar	Yes	Varies								Security must not make the traveler ineffective
191	User Experience	Bookmark Editing		Enable bookmark editing	Yes	Varies			Security Awareness and Training				Login Forced (Device)
192	User Experience	Bookmark Editing		Disable bookmark editing	No	Varies						Traveler Circumvent Mitigations
193	User Experience	Download Location		Set Google Drive as default, but allow team member to change	Varies	Varies			Security Awareness and Training			Traveler Circumvent Mitigations	Compromised Account
194	User Experience	Download Location		Local Downloads folder, but allow team member to change	Varies	Varies			Security Awareness and Training			Traveler Circumvent Mitigations
195	User Experience	Download Location		Force Google Drive	No	No						Traveler Circumvent Mitigations	Compromised Account,Intermittent Connectivity,Lacking/Intermittent Access to Broadband,Limited/Throttled Connectivity		Allow for Greater Security
196	User Experience	Spell Check Service		Enable the spell checking web service	Varies	Varies									Allow for Greater Security
197	User Experience	Spell Check Service		Disable the spell checking web service	No	No
198	User Experience	Spell Check Service		Allow user to decide whether to use the spell checking web service	Varies	Varies			Security Awareness and Training					Allow for Greater Security
199	User Experience	Google Translate		Always offer translation	No	No									Allow for Greater Security
200	User Experience	Google Translate		Never offer translation	No	Varies						Traveler Circumvent Mitigations
201	User Experience	Google Translate		Allow user to configure	Yes	Varies			Security Awareness and Training					Allow for Greater Security
202	User Experience	Alternate Error Pages		Always use alternate error pages	No	No
203	User Experience	Alternate Error Pages		Never use alternate error pages	No	No
204	User Experience	Alternate Error Pages		Allow user to configure	Yes	Yes
205	User Experience	Developer Tools		Always allow use of built-in developer tools	Yes	Yes
206	User Experience	Developer Tools		Never allow use of built-in developer tools	No	No						Traveler Circumvent Mitigations
207	User Experience	Form Auto-fill		Never auto-fill forms	No	Varies					Pharming,Phishing	Traveler Circumvent Mitigations
208	User Experience	Form Auto-fill		Allow user to configure	Yes	Varies			Security Awareness and Training					Allow for Greater Security
209	User Experience	DNS Pre-fetching		Always pre-fetch DNS	No	No		Maintenance, Monitoring, and Analysis of Audit Logs				Topical/Information Censorship	Passive Internet Surveillance	Allow for Greater Security
210	User Experience	DNS Pre-fetching		Never pre-fetch DNS	Yes	Yes				Topical/Information Censorship	Passive Internet Surveillance
211	User Experience	DNS Pre-fetching		Allow user to configure	Varies	No			Security Awareness and Training					Allow for Greater Security
212	User Experience	Multiple Sign-in Access		Managed team member must be the primary team member (secondary team member's are allowed)	No	No		Boundary Defense,Proof Of Inaccess,Secure Traffic Tunneling	Needs Assessment (Apps)			Compromised Device,Traveler Circumvent Mitigations	Login Forced (Device)
213	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	No	No		Boundary Defense,Proof Of Inaccess,Secure Traffic Tunneling	Needs Assessment (Apps),Security Awareness and Training			Compromised Device,Traveler Circumvent Mitigations	Login Forced (Device)
214	User Experience	Multiple Sign-in Access		Block multiple sign-in access for team member's in this organization	Yes	Yes		Proof Of Inaccess	Needs Assessment (Apps)	Compromised Device,Traveler Circumvent Mitigations,Traveler Perceived to be Misleading/Lying to Border Officials
215	User Experience	Unified Desktop		Do not make Unified Desktop mode available to user	N/A	N/A
216	User Experience	Unified Desktop		Make Unified Desktop mode available to user	N/A	N/A
217	Omnibox Search Provider	Search Suggest		Always allow team member's to use Search Suggest	Varies	Varies								Allow for Greater Security
218	Omnibox Search Provider	Search Suggest		Never allow team member's to use Search Suggest	No	No						Traveler Circumvent Mitigations
219	Omnibox Search Provider	Search Suggest		Allow user to configure	Varies	Varies			Security Awareness and Training
220	Omnibox Search Provider	Omnibox Search Provider		Allow user to select the Omnibox Search Provider	Varies	Varies			Security Awareness and Training			Compromised Device
221	Omnibox Search Provider	Omnibox Search Provider		Lock the Omnibox Search Provider settings to the values below	Varies	Varies				Compromised Device		Traveler Circumvent Mitigations			Allow for Greater Security
222	Hardware	External Storage devices		Allow external storage devices	Varies	Varies	In-Country Device Swapping					Compromised Device
223	Hardware	External Storage devices		Allow external storage devices (read only)	Varies	Varies	Encrypted External Storage devices ,In-Country Device Swapping					Compromised Device,Traveler Circumvent Mitigations
224	Hardware	External Storage devices		Disallow external storage devices	No	No		Encrypted External Storage devices ,In-Country Device Swapping				Traveler Circumvent Mitigations	Decryption Forced (Device),Device Confiscation,In-Transit Robbery & Theft,Login Forced (Device)
225	Hardware	Audio Input		Prompt team member to allow each time	Varies	Varies
226	Hardware	Audio Input		Disable audio input	LongTerm	LongTerm					Compromised Device	Traveler Circumvent Mitigations		Support Personal Computing Needs
227	Hardware	Audio Output		Enable audio output	Yes	Yes
228	Hardware	Audio Output		Disable audio output	No	No						Traveler Circumvent Mitigations
229	Hardware	Video Input		Enable video input	Yes	Yes			Webcam cover
230	Hardware	Video Input		Disable video input	No	No					Compromised Device	Traveler Circumvent Mitigations			Security must not make the traveler ineffective,Support Personal Computing Needs
231	Hardware	Keyboard		Treat top-row keys as media keys, but allow team member to change	N/A	N/A
232	Hardware	Keyboard		Treat top-row keys as function keys, but allow team member to change	N/A	N/A
233	Verified Access	Verified Access		Disable for Enterprise Extensions	Varies	Varies
234	Verified Access	Verified Access		Enable for Enterprise Extensions	Varies	Varies	Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling	Emergency Communication Practices,In-Country Device Swapping			Compromised Account	Traveler Circumvent Mitigations
235	User Verification	Verified Mode	Verified Mode Boot Check	Skip boot mode check for Verified Access	No	No		Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling					Compromised Device
236	User Verification	Verified Mode	Verified Mode Boot Check	Require verified mode boot for Verified Access	Yes	Yes	Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling				Compromised Device
237	User Verification	Verified Mode		Service accounts which are allowed to receive team member data	Varies	Varies					Data requests from online services
238	User Verification	Verified Mode		Service accounts which can verify team member's but do not receive team member data	Varies	Varies					Data requests from online services


1	< Index	The GSuite Device Settings menu can be found here.			Setting Reccomendation		Mitigation			Modification to Threats				Requirements
2	Category	Title	SubItem	Option(s)	Basic	High Risk	Supports	Inhibits	Requires	Likelihood ↧	Impact ↧	Likelihood ↥	Impact ↥	Supports	Inhibits

3	Enrollment & Access	Forced Re-enrollment		Force device to re-enroll into this domain after wiping	Varies	Varies	Inventory of Authorized and Unauthorized devices	Traveler Sub-Organization(s)		Traveler Circumvent Mitigations			In-Country Activities Regulated,Traveler/Partner Association Regulated
4	Enrollment & Access	Forced Re-enrollment		Device is not forced to re-enroll after wiping	Varies	Varies	Traveler Sub-Organization(s)
5	Enrollment & Access	Verified Access		Disable for Enterprise Extensions
6	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	Varies	Varies	Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling	Emergency Communication Practices,In-Country Device Swapping			Compromised Account	Traveler Circumvent Mitigations
7	Enrollment & Access	Verified Access		Disable for Content Protection	N/A	N/A
8	Enrollment & Access	Verified Access		Enable for Content Protection	N/A	N/A						Traveler Circumvent Mitigations
9	Enrollment & Access	Verified Mode		Skip boot mode check for Verified Access	No	No		Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling					Compromised Device
10	Enrollment & Access	Verified Mode		Require verified mode boot for Verified Access	Yes	Yes	Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling				Compromised Device
11	Enrollment & Access	Verified Mode		Service accounts which are allowed to receive device ID	Varies	Varies					Data requests from online services
12	Enrollment & Access	Verified Mode		Service accounts which can verify devices but do not receive device ID	Varies	Varies					Data requests from online services
13	Enrollment & Access	Disabled device return instructions		Custom text to display	Yes	Yes	Proof Of Inaccess		Security Awareness and Training	Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials	In-Transit Robbery & Theft		Compromised Device,Device Confiscation,In-Country Activities Regulated,Traveler/Partner Association Regulated		Security must not make the traveler ineffective
14	Sign-in Settings	Guest Mode		Allow guest mode	Varies	Varies	Device Wiping,In-country alternative working software identification	Cohesive Security Tool Adoption,Secure Traffic Tunneling,Traveler Sub-Organization(s)	Security Awareness and Training		Compromised Account,Compromised Device,Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Login Forced (Device),Targeted Workplace Raids			Allow for Greater Security
15	Sign-in Settings	Guest Mode		Do not allow guest mode	Varies	Varies			Security Awareness and Training	Traveler Circumvent Mitigations		Traveler Circumvent Mitigations			Allow for Greater Security
16	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	Yes	Yes			Traveler Sub-Organization(s)		Device Confiscation,In-Country Activities Regulated,Login Forced (Service),Traveler Detained,Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials,Traveler/Partner Association Regulated
17	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	No	No	Proof Of Inaccess	Account Monitoring and Control,App Pinning,Chrome Remote Desktop,Cohesive Security Tool Adoption,Custom Chrome Web Store Homepage,Desktop Virtualization,Private Apps,Project Specific GSuite Accounts,Secure Traffic Tunneling,Temporary G Suite Accounts,Traveler Sub-Organization(s),Whitelist(s)				Traveler Circumvent Mitigations			Allow for Greater Security,Security must not make the traveler ineffective
18	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	Varies	Varies			Traveler Sub-Organization(s)	Traveler Circumvent Mitigations	Device Confiscation,In-Country Activities Regulated,Login Forced (Service),Traveler Detained,Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials,Traveler/Partner Association Regulated	Traveler Circumvent Mitigations
19	Sign-in Settings	Autocomplete Domain		Do not display an autocomplete domain on the sign in page	Varies	Varies
20	Sign-in Settings	Autocomplete Domain		Use the domain name, set below, for autocomplete at sign in	Varies	Varies						Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials	Traveler Detained,Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials
21	Sign-in Settings	Sign-in Screen		Always show team member names and photos	No	No
22	Sign-in Settings	Sign-in Screen		Never show team member names and photos	Yes	Yes
23	Sign-in Settings	team member Data		Erase all local team member data	Varies	Varies	Device Wiping	Cohesive Security Tool Adoption			Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids	Traveler Circumvent Mitigations
24	Sign-in Settings	team member Data		Do not erase all local team member data	Varies	Varies				Traveler Circumvent Mitigations
25	Sign-in Settings	Single Sign-On IdP Redirection		Default. Take team member's to the default Google login page	Varies	Varies	Account Monitoring and Control
26	Sign-in Settings	Single Sign-On IdP Redirection		Allow user's to go directly to SAML SSO IdP page	Varies	Varies	Account Monitoring and Control					Traveler Perceived to be Misleading/Lying to Border Officials	Traveler Detained,Traveler Perceived to be Misleading/Lying to Border Officials
27	Sign-in Settings	Single Sign-On Cookie Behavior		Disable transfer of SAML SSO Cookies into team member session during login	Varies	Varies	Account Monitoring and Control					Traveler Circumvent Mitigations
28	Sign-in Settings	Single Sign-On Cookie Behavior		Enable transfer of SAML SSO Cookies into team member session during login	Varies	Varies	Account Monitoring and Control			Traveler Circumvent Mitigations		Compromised Account
29	Sign-in Settings	Single Sign-On Camera Permissions		Whitelist of single sign-on camera permissions	Varies	Varies	Account Monitoring and Control,Multi-Factor Authentication				Device Confiscation,Login Forced (Device)
30	Sign-in Settings	Accessibility Control		Turn off accessibility settings on sign-in screen upon logout	N/A	N/A						Traveler Circumvent Mitigations
31	Sign-in Settings	Sign-in Language		Allow user to configure	Varies	Varies
32	Sign-in Settings	Sign-in Language		[All the Languages]	Varies	Varies						Traveler Circumvent Mitigations,Traveler/Partner Association Regulated
33	Sign-in Settings	Sign-in Keyboard		[All the Keyboards]	Varies	Varies						Traveler Circumvent Mitigations,Traveler/Partner Association Regulated
34	Device Update Settings	Auto Update Settings	Auto Update	Allow auto-updates	Varies	Varies			In-country alternative working software identification			Application/Protocol Blocking
35	Device Update Settings	Auto Update Settings	Auto Update	Stop auto-updates	Varies	Varies				Application/Protocol Blocking					Allow for Greater Security
36	Device Update Settings	Auto Update Settings	Randomly scatter auto-updates over	None	Varies	Varies							Limited/Throttled Connectivity		Security must not make the traveler ineffective
37	Device Update Settings	Auto Update Settings	Randomly scatter auto-updates over	[1-14] Day(s)	Varies	Varies					Limited/Throttled Connectivity			Security must not make the traveler ineffective
38	Device Update Settings	Auto Update Settings	Auto reboot after updates	Allow auto-reboots	Varies	Varies	Inventory of Authorized and Unauthorized devices					Traveler Circumvent Mitigations
39	Device Update Settings	Auto Update Settings	Auto reboot after updates	Disallow auto-reboots	Varies	Varies		Inventory of Authorized and Unauthorized devices
40	Device Update Settings	Release Channel		Allow user to configure	Varies	Varies				Traveler Circumvent Mitigations				Allow for Greater Security
41	Device Update Settings	Release Channel		Move to Stable Channel	Varies	Varies				Traveler Circumvent Mitigations,Traveler Circumvent Mitigations				Receptive and Trusted Admin/Security Team,Receptive and Trusted Admin/Security Team
42	Device Update Settings	Release Channel		Move to Beta Channel	No	No				Traveler Circumvent Mitigations,Traveler Circumvent Mitigations				Receptive and Trusted Admin/Security Team,Receptive and Trusted Admin/Security Team
43	Device Update Settings	Release Channel		Move to Development Channel	No	No				Traveler Circumvent Mitigations,Traveler Circumvent Mitigations				Receptive and Trusted Admin/Security Team,Receptive and Trusted Admin/Security Team
44	Kiosk Settings	Kiosk Settings	Public Session Kiosk	Allow Public Session Kiosk
45	Kiosk Settings	Kiosk Settings	Public Session Kiosk	Do not allow Public Session Kiosk
46	Kiosk Settings	Kiosk Settings	Public Session Kiosk	Manage Public Session settings
47	Kiosk Settings	Kiosk Settings	Auto-Launch Public Session	No
48	Kiosk Settings	Kiosk Settings	Auto-Launch Public Session	Yes
49	Kiosk Settings	Kiosk Settings	Auto-Launch Public Session	Number of seconds before delaying auto-login; 0 means immediate auto-login
50	Kiosk Settings	Kiosk Settings	Single App Kiosk	Allow Single App Kiosk	N/A	N/A
51	Kiosk Settings	Kiosk Settings	Single App Kiosk	Do not allow Single App Kiosk	N/A	N/A
52	Kiosk Settings	Kiosk Settings	Single App Kiosk	Manage Kiosk Applications	N/A	N/A
53	Kiosk Settings	Kiosk Settings	Single App Kiosk	Auto-Launch Kiosk App	N/A	N/A
54	Kiosk Settings	Kiosk Settings	Enable device health monitoring	Disable device health monitoring	N/A	N/A
55	Kiosk Settings	Kiosk Settings	Enable device health monitoring	Enable device health monitoring	N/A	N/A
56	Kiosk Settings	Kiosk Settings	Enable device system log upload	Disable device system log upload	N/A	N/A
57	Kiosk Settings	Kiosk Settings	Enable device system log upload	Enable device system log upload	N/A	N/A
58	Kiosk Settings	Kiosk Settings	Screen Rotation (Clockwise)	0 Degree	N/A	N/A
59	Kiosk Settings	Kiosk Settings	Screen Rotation (Clockwise)	90 Degrees	N/A	N/A
60	Kiosk Settings	Kiosk Settings	Screen Rotation (Clockwise)	180 Degrees	N/A	N/A
61	Kiosk Settings	Kiosk Settings	Screen Rotation (Clockwise)	270 Degrees	N/A	N/A
62	Kiosk Settings	Kiosk Settings	Allow Kiosk App to Control OS Version	Do not allow kiosk app to control OS version	N/A	N/A
63	Kiosk Settings	Kiosk Settings	Allow Kiosk App to Control OS Version	Allow kiosk app to control OS version	N/A	N/A
64	Kiosk Settings	Kiosk Apps		Manage Kiosk Applications	N/A	N/A
65	Kiosk Settings	Kiosk Device Status Alerting Delivery		Receive alert via email	N/A	N/A
66	Kiosk Settings	Kiosk Device Status Alerting Delivery		Receive alert via SMS	N/A	N/A
67	Kiosk Settings	Kiosk Device Status Alerting Contact Info		Kiosk Device Status Alerting Emails	N/A	N/A
68	Kiosk Settings	Kiosk Device Status Alerting Contact Info		Kiosk Device Status Alerting Mobile Phones	N/A	N/A
69	User & Device Reporting	Device Reporting	Device State Reporting	Enable device state reporting	Yes	Yes	Account Monitoring and Control,Inventory of Authorized and Unauthorized devices				Compromised Device,Traveler Circumvent Mitigations			Receptive and Trusted Admin/Security Team
70	User & Device Reporting	Device Reporting	Device State Reporting	Disable device state reporting	No	No		Inventory of Authorized and Unauthorized devices
71	User & Device Reporting	Device Reporting	Device team member Tracking	Enable tracking recent device user's	Yes	Yes	Needs Assessment (Apps)			Traveler Circumvent Mitigations				Receptive and Trusted Admin/Security Team,Support Personal Computing Needs
72	User & Device Reporting	Device Reporting	Device team member Tracking	Disable tracking recent device user's	No	No
73	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Disable inactive device notifications	No	No
74	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Yes	Yes	Crisis Identification,Inventory of Authorized and Unauthorized devices				Full Internet Shutdown,Hotel Robbery & Theft,In-Transit Robbery & Theft,Traveler Circumvent Mitigations,Traveler Detained			Receptive and Trusted Admin/Security Team
75	User & Device Reporting	Inactive Device Notifications	Inactive Range (days)	Inactive Range (days)	Varies	Varies	Crisis Identification
76	User & Device Reporting	Inactive Device Notifications	Notification Cadence (days)	Notification Cadence (days)	Varies	Varies	Crisis Identification
77	User & Device Reporting	Inactive Device Notifications	Email addresses to receive notification reports	Email addresses to receive notification reports	Varies	Varies	Crisis Identification		Security Awareness and Training
78	User & Device Reporting	Anonymous Metric Reporting		Always send metrics to Google	N/A	N/A
79	User & Device Reporting	Anonymous Metric Reporting		Never send metrics to Google	N/A	N/A
80	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	Varies	Varies	Device Wiping				Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids	Traveler Circumvent Mitigations			Security must not make the traveler ineffective
81	Power & Shutdown	Power Management		Do not allow device to sleep/shut down when idle on the sign-in screen	Varies	Varies			Security Awareness and Training				Power Outage
82	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	N/A	N/A	Device Wiping		Security Awareness and Training		Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids	Traveler Circumvent Mitigations
83	Power & Shutdown	Shut down		Allow user's to turn off the device via the Shut down icon on the screen, or the physical power button	Yes	Yes
84	Power & Shutdown	Shut down		Only allow team member's to turn off the device using the physical power button	No	No
85	Other	Cloud Print		Manage
86	Other	Time Zone		Keep timezone as it is on device currently	Varies	Varies	Device Wiping
87	Other	Time Zone		[All the timezones]	Varies	Varies
88	Other	System timezone automatic detection		Let team member's decide	Varies	Varies			Security Awareness and Training
89	Other	System timezone automatic detection		Never auto-detect timezone	Varies	Varies			Security Awareness and Training
90	Other	System timezone automatic detection		Always use coarse timezone detection	Varies	Varies		Secure Traffic Tunneling
91	Other	System timezone automatic detection		Always send WiFi access-points to server while resolving timezone	Varies	Varies	Secure Traffic Tunneling						Data requests from online services
92	Other	Mobile Data Roaming		Allow mobile data roaming	Varies	Varies					Lacking/Intermittent Access to Broadband
93	Other	Mobile Data Roaming		Do not allow mobile data roaming	Varies	Varies							Lacking/Intermittent Access to Broadband
94	Other	USB Detachable Whitelist		List of VID:PID pairs	Varies	Varies	Chrome Remote Desktop,Desktop Virtualization			Compromised Device
95	Other	Bluetooth		Do not disable bluetooth
96	Other	Bluetooth		Disable bluetooth
97	Other	Throttle Device Bandwidth		Enable network throttling	No	No
98	Other	Throttle Device Bandwidth		Disable network throttling	Yes	Yes
99	Other	Throttle Device Bandwidth		Download speed in kbps	N/A	N/A
100	Other	Throttle Device Bandwidth		Upload speed in kbps	N/A	N/A
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238


1	< Index			Aggregated Comments on Configuration Options
2	Category	Title	Option	Mitigations	Threats	Requirements

3	Mobile	Chrome Mobile	Apply supported user settings to Chrome on Android
4	General	Avatar	Upload Avatar File	* Custom Avatar is one of the ways to provide a "managed" indicator to help your staff prove that they are not able to access personal & sensitive content	* Custom Avatar is one of the ways to provide a "managed" indicator to help your staff prove that they are not able to access personal & sensitive content
5	General	Wallpaper	Upload Wallpaper File	* Can be set to the travel policy // rules. Make this look like the overbearing IT / security team to make it clear to border officials that the team member is not in control of their account. Especially useful if the "restrictions" are very clearly laid out so the border control can understand in seconds that this is a waste of their time and beyond the control of the individual.	* Can be set to the travel policy // rules. Make this look like the overbearing IT / security team to make it clear to border officials that the team member is not in control of their account. Especially useful if the "restrictions" are very clearly laid out so the border control can understand in seconds that this is a waste of their time and beyond the control of the individual.
6	General	Smart Lock for Chrome	Allow Smart Lock for Chrome	* Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature. We want multi-factor authentication for login to our travel devices. This removes a factor. * Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature. We want multi-factor authentication for login to our travel devices. This removes a factor. If you are going to do this you will need a significant amount of user training.	* Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesireable feature. We want multi-factor authentication for login to our travel devices. This removes a factor.
7	General	Smart Lock for Chrome	Do not allow Smart Lock for Chrome
8	Enrollment Controls	Device Enrollment	Keep Chrome device in current location
9	Enrollment Controls	Device Enrollment	Place Chrome device in team member organization			* A user's organizational unit determines which services and features are available to that user. By putting all our temporary travel accounts into a specific team member organization designated for travel we can set our travel team member permissions in that organizational unit once, instead of every time we create a new user. This also applies to Solo team member's who want to increase the ease of device setup and refreshing. * This will make it far easier for self-managed groups to grow without providing everyone with an administrator account. By using this option the member's can simply add their own devices and the administrators only have to worry about the apps to use, etc.
10	Enrollment Controls	Asset Identifier During Enrollment	Do not allow for team member's in this organization	* Only on non-solo use cases. If you are an individual you don't need to track who has what hardware.
11	Enrollment Controls	Asset Identifier During Enrollment	team member's in this organization can provide asset ID and location during enrollment	* Only on non-solo use cases. If you are an individual you don't need to track who has what hardware.		* If you are an individual you don't need to track who has what hardware.
12	Enrollment Controls	Enrollment Permissions	Allow user's in this organization to enroll new or deprovisioned devices	* This allows team member's who are traveling to purchase and add new devices on the fly. If a team member needs a replacement phone or chromebook they can purchase it in country and enroll it without intervention by a organizational admin. * Allowing team member's to register devices will make it harder for admins to control which devices are authorized on the network.	* This allows anyone with a team member's credentials to register a new device as that user. An adversary who forces a team member to provide their credentials could then register a different device, provide the team member the original device, and keep this new device on, and registered, to surveil the team member's actions.	* It should be noted that a team member who purchase a chromebook independently will often have to also purchase the "management license" for that chromebook separately. If you are going to support team member enrollment make sure you have clear, easy to follow guidance that your will guide your team member's through the steps required to prepare the device for enrollment. * Self managed groups: This might makes it easier for self-managed groups to increase the number of chromebooks being used without providing everyone with an administrator account. By using this option the member's can simply add their own devices and the administrators only have to worry about the apps to use, etc.
13	Enrollment Controls	Enrollment Permissions	Do not allow team member's in this organization to enroll new or deprovisioned devices	* This option provides a greater level of control over the devices that will be added to your domain. But, it also requires a greater amount of administrator availability to ensure that device enrolment does not impede the team's ability to add, and fully reset devices during travel.		* This option requires a greater amount of administrator availability to ensure that device enrolment does not impede the team's ability to add, and fully reset devices during travel.
14	Apps and Extensions	Allowed Types of Apps and Extensions	Extension
15	Apps and Extensions	Allowed Types of Apps and Extensions	Theme
16	Apps and Extensions	Allowed Types of Apps and Extensions	Google Apps Script
17	Apps and Extensions	Allowed Types of Apps and Extensions	Hosted App
18	Apps and Extensions	Allowed Types of Apps and Extensions	Legacy Packaged App
19	Apps and Extensions	Allowed Types of Apps and Extensions	Chrome Packaged App
20	Apps and Extensions	App and Extension Install Sources	List of URL Patterns	* A whitelist of apps can be valuable for preventing team member's from installing malicious apps and extensions that are masquerading as a team member's desired application. [We are already combatting this slightly by seeding the web-store with links to commonly used apps and extensions.] As stated elsewhere, Whitelisting requires a greater amount of administrator availability to ensure that the wait for new additions to the whitelist does not impede the team's ability to accomplish their work. * If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used, but are not included in Google Play..	* A whitelist of app sources can be valuable for preventing team member's from installing malicious apps and extensions, or apps that are masquerading as a team member's desired application. There are a variety of app stores/sources that are far less managed than Google Play and are more likely to have malicious apps found in them.	* If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used, but are not included in Google Play..
21	Apps and Extensions	Force-installed Apps and Extensions	Manage force-installed apps	* If you want to be able to provide remote support using remote desktop with your travlers you will want to add Chrome Remote Desktop [1] to the apps available on the chromebook. This can be done in the recommended apps or through forces install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp * Force installing apps is a way to ensure that team member's have access to a consistent baseline set of applications that they have been trained to use. These "baseline apps" should be the same apps that team member's are trained on and should be the ones that are supporting security policies and practices that are put in place.	* If you have a team that travels internationally be mindful of "cyber laws" around the import and/or use of specific types of encryption and/or circumvention technologies. A team member *cannot uninstall forced apps. You may want to move some of these force-installed apps to the "recommended apps section of the web store" if your team member's are commonly traveling to a country where the technology those apps use is illegal.	* The auto-installation of these apps will also decrease the number of steps an administrator needs to worry about during the device setup process.
22	Apps and Extensions	Allow or Block All Apps and Extensions	Allow all apps and extensions except the ones I block	* Blacklist Problems
23	Apps and Extensions	Allow or Block All Apps and Extensions	Block all apps and extensions except the ones I allow	* One strategy is to start with "allow all except blocked" and use an initial period of active use by your team member's to develop a list of apps and extensions that are used / desired by your team member's. Once you have a list of all of these apps you can add them to a custom web-store homepage and implement "block all except whitelisted" restrictions. This way team member's will have access to a trusted source immediately upon enabling a travel device and administrators will only have to be available to approve the use of new apps and extensions within your team member community.
24	Apps and Extensions	Pinned Apps and Extensions	Manage pinned apps	* Pinning baseline security apps will make them more visible and encourage use.	* See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying Private apps. (i.e. Apps that link to organizational login portals, etc.) * Pinning apps makes them more easily used but also makes them more visible during a casual search by a border patrol. It is worth considering this trade off when pinning apps that might raise an officials suspicions if the device is casually examined.	* Pinning apps that are common in team member's workflows will make it easier and quicker for a team member to adopt to the chromebook workflow.
25	Apps and Extensions	Task Manager	Allow user's to end processes with the Chrome task manager	* This option is used to restrict a team member's ability to kill processes. It is commonly used by schools where the student is in an adversarial relationship with the system administrator. In our use-case we do not consider non-security focused restrictions. There is currently only one security focused reason I can think of to restrict team member access to the task manager. If we were using an external Enterprise mobility management tool (remote-wipe/control application) and we did not want malicious actors with physical access to be able to shut down those apps using the task manager. This document uses the G Suites built in EMM tools and permission management to deal with this. As such, we do not need to restrict task manager access.	* There is currently only one possible security related reason I can think of to restrict team member access to the task manager. If we were using an external Enterprise mobility management tool (remote-wipe/control application) and we did not want malicious actors with physical access to be able to shut down those apps using the task manager. This document uses the G Suites built in EMM tools and permission management to deal with this. As such, we do not need to restrict task manager access.
26	Apps and Extensions	Task Manager	Block team member's from ending processes with the Chrome task manager
27	Chrome Web Store	Chrome Web Store Homepage	Use the default homepage
28	Chrome Web Store	Chrome Web Store Homepage	Use the 'For [YOUR_DOMAIN>TLD]' collection:		* See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.
29	Chrome Web Store	Chrome Web Store Homepage	Use a custom page, set below	* If you want to be able to provide remote support using remote desktop with your travlers you will want to add Chrome Remote Desktop [1] to the apps available on the chromebook. This can be done in the recommended apps or through forces install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp * Use the url and title of the custom Chrome Web Store to help ensure team member's knows that this is the official recommendation of the administrators and/or security team. - By providing recommendations you can combat the tendency for splits in tool usage that are often caused by ad-hoc adoption of security tools by staff. This is important for a sustainable security program because the more varied the application usage within your team, the more complex your admin/security team's risk assessments will have to be. * You will, of course, have to make sure you inform the team member about the web store or they won't know to look for it, and will likely not know to trust it when they do see it. * This initial setup and ongoing maintenance of the Chrome Web Store Recommendations will take effort, but it will help centralize secure app recommendations in one place.	* See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	* The Chrome Web Store Recommendations can be a valuable tool. In distributed and/or largely independent team's it provides a simple portal for app recommendations for commonly requested mitigations. As a team member perceives their threat landscape changing around them they may decide to incorporate additional technical mitigations (such as VPN's, password managers, encrypted communications tools, etc.). The security team and/or administrators can seed the recommendations section with the apps that have been previously used and evaluated.
30	Chrome Web Store	Chrome Web Store Homepage	Include all private apps and extensions from my domain.		* If this option is selected AND team member's are given permission to publish private apps [See "Chrome Web Store Permissions"] this can increase our attack surface.	* Because we are restricting team member's to a "travel" sub-organization we can segment any "internal" private apps used in daily business from the apps that are available during travel. This allows administrators to manage what apps are available simply by adding and/or removing them from the organization. This would allow them to avoid the extra step of adding those apps in this menu. When team member's are given permission to publish private apps this can increase our attack surface. [See "Chrome Web Store Permissions"].
31	Chrome Web Store	Chrome Web Store Homepage	I will choose which private apps and extensions to include.	* This more restrictive option forces an additional administrative step when distributing web-apps to your travel devices. But, it does not increate the attack surface. If you do not have a team that is activly creating and sharing private web apps this is the easier and more secure option to choose. * A private apps could include a simple web app that links to the travel policy. This would be another way of ensuring that a team member who is forced to unlock and provide their device to easily show "proof of inaccess."	* Private apps can be used to create organization specific web applications for a variety of purposes. You could, for instance, use it to add a pinned web app that links to the travel policy. This would be another way of ensuring that a team member who is forced to unlock and provide their device to easily show "proof of inaccess."
32	Chrome Web Store	Chrome Web Store Homepage	What should the collection name be?	* Proper branding for your section will help guide team member's to look at these apps. * The Admin will need to also make sure that team member's are well informed about the existence of this recommended apps section. They will likely not find it on their own because they will not be looking for it.	* See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.
33	Chrome Web Store	Recommended Apps and Extensions	Manage
34	Chrome Web Store	Chrome Web Store Permissions	Allow user's to publish private apps that are restricted to your domain on Chrome Web Store.		* If you allow team member's to publish private apps then a malicious actor who gets a hold of one of the devices can privately publish a malicious app and deliver it to your other team member's. By leveraging a compromised account to publish a private app to others within the google apps domain a malicious team member can increase the team member trust in the app they are receiving. If the team member account of admin is compromised and used in this way it can gain even more weight because it can be masqueraded as a directive from the admin/security team.The adversary can even hide their private app from administrators and other team member's through Google's built in app targeting system. They can publish an app targeting a specific country or even specific device models.
35	Chrome Web Store	Chrome Web Store Permissions	Allow user's to skip verification for websites not owned		* This turns off the app verification feature that warns team member's when they are installing potentially harmful apps. This just amplifies the likelihood of a team member installing one of these apps if an adversary gains access to a team member account and begins spear phishing other team member's to install the private apps.
36	Android applications	Android applications on Chrome devices	Do not allow
37	Android applications	Android applications on Chrome devices	Allow	* This allows you to pick appropriate security tools for your team member's from a much larger, more secure, more function, and often more usable array of possible security tools. * If you are restricting access to the google app store the same considerations found under apps and extensions apply here. While the documentation in this menu is not very clear about this fact, Android apps on chromebooks use a whitelist only model by default. (https://support.google.com/chrome/a/answer/7131624) * Adding android applications opens up a range of possibilities for making the chromebook more useful, usable, and more secure for your team member's. It can also considerably increase the attack surface you have to contend with. As such, it will take security awareness building and hands on guidance to get the benefits from adding this.		* Adding android applications opens up a range of possibilities for making the chromebook more useful, usable, and more secure for your team member's. It can also considerably increase the attack surface you have to contend with. When I considered this I decided that by increasing the utility of the device was more likely to build adoption and adherence to the security procedures.
38	Android applications	Access to Android applications	Do not allow	* By allowing search initially you can implement a process where you collect the apps that are commonly used from your team member's to build out a whitelist. Then, you have a solid understanding of the full suite of apps that team member's want you can remove the ability to search and use a similar forced install & allowed installation candidate model as the one described in apps and extensions. [1] https://support.google.com/chrome/a/answer/7131624
39	Android applications	Access to Android applications	Allow	* With greater access to the world of Android applications in the Google play store you are likely to see tool divergence when you have distributed and/or largely independent team's. You want to make sure you have solid adoption of your core security tool set when opening up the app store for travel devices. * Being able to search for alternatives in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution. * By allowing search initially you can implement a process where you collect the apps that are commonly used from your team member's to build out a whitelist. Then, you have a solid understanding of the full suite of apps that team member's want you can remove the ability to search and use a similar forced install & allowed installation candidate model as the one described in apps and extensions. [1] https://support.google.com/chrome/a/answer/7131624 * You want to make sure that your team member's understand what security requirements they have and what the correct tools are for those use cases when opening up the app store for travel devices. A team member who decides to seek out a new app from the full app-store because the supported app stopped working (censorship, etc) or because someone told them of a new app with "military grade encryption" you want to make sure they are making smart choices.	* When communication apps are censored being able to search for alternative working secure communication apps in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution. * Adding android applications opens up a range of possibilities for making the chromebook more useful & usable for your team member's and more secure. It can also considerably increase the attack surface you have to contend with. * When endpoints (websites, servers, services) are blocked being able to search for working circumvention tools in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution.	* This may be useful for gaining initial adoption when you do not have the capacity to do an assessment of the app needs of all of your team member's.
40	Android applications	Account Management	Google account	* By default, team member's can add a secondary account (for example, their personal gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This would circumvent any google app whitelisting that was put in place on the device.	* By default, team member's can add a secondary account (for example, their personal gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This would circumvent any google app whitelisting that was put in place on the device.
41	Android applications	Unknown Sources	Allow install from unknown sources	* If team member's are traveling to countries that have requested that the security applications your team needs to use are removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ * Since Google apps does not yet provide the ability add your own signing key or other way of approving specific unknown sources the administrator does not have the ability to remotely protect against an adversary installing malicious/monitoring apps when this feature is enabled. Enabling this feature forces the team member to take more responsibility for the security of their devices. - They will need to be more careful about protecting access to their device. - They will have to be mindful about the possible security concerns with applications they install. To support this an administrator should make sure that they have a application submission pipeline built where team member's can submit links to applications they want to install for review by the administration/security team.	* If team member's are traveling to countries that have requested that the security applications your team needs to use are removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ * This can considerably increase the attack surface you have to contend with. There are currently less controls in place for android applications than there are for apps and extensions. * Adding the ability to install untrusted apps does significantly increase the possible attack surface. Since Google apps does not yet provide the ability add your own signing key or other way of approving specific unknown sources the administrator does not have the ability to remotely protect against an adversary installing malicious/monitoring apps when this feature is enabled.	* If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team member's need are not included in the play store they will likely still bring along their own devices. (See the many places I discuss the problems with team member's having to bring additional devices along.)
42	Android applications	Unknown Sources	Do not allow install from unknown sources			* If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team member's need are not included in the play store they will likely still bring along their own devices. (See the many places I discuss the problems with team member's having to bring additional devices along.)
43	Android applications	Certificate Synchronization	Disable usage of Chrome OS CA Certificates in Android apps
44	Android applications	Certificate Synchronization	Enable usage of Chrome OS CA Certificates in Android apps
45	Security	Password Manager	Always allow use of password manager	* In environments where team member's are allowed to use the password manager it is important to have properly built their security awareness to understand the security implications of saving passwords for different types of accounts.		* Since the third option allows a team member to configure this option I see no reason to prevent some team member's from enabling greater security by turning password manager usage off. If you are thinking about this option just use the "team member configuration" option instead.
46	Security	Password Manager	Never allow use of password manager		* Choosing "never allow use" is an absolutist technical control that is appropriate for some high threat environments, but unnecessary and inconvenient in many others. It raises the question, "How does your team weigh the psycho-social value of being able to save a netflix password against their willingness to follow your instructions?"
47	Security	Password Manager	Allow user to configure	* In environments where team member's are allowed to use the password manager it is important to have properly built their security awareness to understand the security implications of saving passwords for different types of accounts.	* In environments where team member's are allowed to use the password manager it is important to have properly built their security awareness to understand the security implications of saving passwords for different types of accounts.
48	Security	Lock Screen	Do not allow locking screen	* This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	* This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do. (Confiscation of the travel device) * This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do. * Having all the applications and windows one had open wiped every time the have to walk away from their computer can become frustrating very quickly. As such, this option should be saved for specific higher risk environments.
49	Security	Lock Screen	Allow locking screen
50	Security	Idle Settings	Idle time in minutes (leave empty for system default)	* When searching for common complaints about chromebooks the short time until the system idles is a very common complaint. Adding a base idle time will ensure your team member's have a consistent experience across devices (idle time varies by device). But, making this too short will be counterproductive. Building security awareness to the level that you are confident that team member's are locking the screen when they walk away from their computer will be a more valuable intervention and less likely to push a team member to find ways to circumvent the security (e.g. using personal devices).	* When searching for common complaints about chromebooks the short time until the system idles is a very common complaint. Adding a base idle time will ensure your team member's have a consistent experience across devices (idle time varies by device). But, making this too short will be counterproductive. Building security awareness to the level that you are confident that team member's are locking the screen when they walk away from their computer will be a more valuable intervention and less likely to push a team member to find ways to circumvent the security (e.g. using personal devices).
51	Security	Idle Settings	Sleep	* You should not use the sleep action on idle unless it also locks the screen. It gives the appearance of a countermeasure without providing a countermeasure. With an appropriately long idle time and good logout security practices being used by your team member's there is no reason to have devices sleep on idle without locking.
52	Security	Idle Settings	Logout		* This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do. (Confiscation of the travel device) * This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.
53	Security	Idle Settings	Sleep	* You should not use the sleep action on idle unless it also locks the screen. It gives the appearance of a countermeasure without providing a countermeasure. With an appropriately long idle time and good logout security practices being used by your team member's there is no reason to have devices sleep on idle without locking.
54	Security	Idle Settings	Logout		* This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do. (Confiscation of the travel device) * This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.
55	Security	Idle Settings	Allow user to configure
56	Security	Idle Settings	Lock Screen
57	Security	Idle Settings	Don't Lock Screen
58	Security	Incognito Mode	Allow incognito mode	* Teaching traveler's how not create histories with sensitive links and information using incognito mode means that they don't have to go about trying to erase it later.	* Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode.	* Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode.
59	Security	Incognito Mode	Disallow incognito mode		* Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode.
60	Security	Browser History	Always save browser history		* Confiscation of the travel device
61	Security	Browser History	Never save browser history	* This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be upon ever logout. But, an empty search history can raise suspicion.	* This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be upon ever logout. But, an empty search history can raise suspicion. (Confiscation of the travel device) * This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be upon ever logout. But, an empty search history can raise suspicion.
62	Security	Clear Browser History	Do not allow clearing history in settings menu		* Confiscation of the travel device
63	Security	Clear Browser History	Allow clearing history in settings menu		* The laws around the destruction of evidence differ by country. An rough assessment of the legal risks associated with team member's clearing their history, using incognito mode, and/or ephemeral mode should be done in the early phases of exploring how to deal with data retention/destruction during travel.
64	Security	Force Ephemeral Mode	Do not erase local team member data
65	Security	Force Ephemeral Mode	Erase all local team member data
66	Security	Online Revocation Checks	Perform online OCSP/CRL checks		* Online OCSP/CRL checks should not be enabled. It is bad in just about every sort of way. To quote the chromium policy list "In light of the fact that soft-fail, online revocation checks provide no effective security benefit..." This means that on a failure a revoked certificate will still be used. * https://bugs.chromium.org/p/chromium/issues/detail?id=361820
67	Security	Online Revocation Checks	Do not perform online OCSP/CRL checks
68	Security	Safe Browsing	Always enable Safe Browsing		* "Safe Browsing also protects you from abusive extensions and malicious software. At start up of Chrome, Safe Browsing scans extensions installed in your browser against the Safe Browsing list. If an extension on the list is found, Chrome will temporarily disable the extension, offer you relevant information and provide an option for you to remove the extension or re-enable it." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#malware * Safe browsing helps protect team member's from websites that may contain malware and/or pharmed content. When a team member attempts to connect to a url safe browsing checks web pages against local copies of Google's "Safe Browsing lists." If the hash of a url the team member is attempting to visit matches one of the hashes of the items in the Safe Browsing Lists it will warn the user. [1] The privacy preserving implementation of safe browsing make enabling it the obvious choice. [1] https://github.com/scheib/chromium/blob/9ae6b4f4a8679c8598316544dccf378b86f99845/chrome/browser/safe_browsing/client_side_model_loader.cc
69	Security	Safe Browsing	Always disable Safe Browsing
70	Security	Safe Browsing	Allow user to decide whether to use Safe Browsing	* Providing privacy concerned team member's information about the actual implementation of this feature should ease any of their privacy worries about this feature. If it does not then a team member may be convinced once you explain to them the personal effort they will have to exert to gain the same level of security without safe browsing enabled.
71	Security	Malicious Sites	Allow user to proceed anyway to malicious sites	* "This should not be enabled until you have tested how often malicious site warnings appear for your team member base during a testing period. This is because there are reports of critical travel sites, like hotel portals, being flagged as malicious. [1] [1] https://twitter.com/brettmorrison/status/891804686579359745"	* If your team member's are doing investigative research it might also make sense to allow them to proceed to malicious sites. But, even then they should likely not be using their primary device to do it. If they wish to use chromebooks for these use cases instead of their primary browser then a more locked down setup can be created, either on easily wipeable chromebooks or by setting up disposable VM's that they can remote into from their travel chromebook.
72	Security	Malicious Sites	Prevent team member from proceeding anyway to malicious sites	* If your team member's are doing investigative research it might also make sense to allow them to proceed to malicious sites. But, even then they should likely not be using their primary device to do it. If they wish to use chromebooks for these use cases instead of their primary browser then a more locked down setup can be created, either on easily wipeable chromebooks or by setting up disposable VM's that they can remote into from their travel chromebook.
73	Security	Geolocation	Allow sites to detect team member's' geolocation		* Things that are seemingly inconsequential to a user, like devices providing websites geolocation in environments where your Traveler has high-power adversaries that actively make successful requests from online intermediaries for team member information, can have significant security implications because of the information they leak.
74	Security	Geolocation	Do not allow sites to detect team member's' geolocation		* Things that are seemingly inconsequential to a user, like devices providing websites geolocation in environments where your Traveler has high-power adversaries that actively make successful requests from online intermediaries for team member information, can have significant security implications because of the information they leak. * Geolocation is included in many websites because it is incredibly convenient. Disabling it entirely will likely encourage team member's to circumvent this inconvenience by using other geolocation enabled devices for apps and sites that benefit from geolocation (i.e. direction and map apps)	* Geolocation is included in many websites because it is incredibly convenient. Disabling it entirely will likely encourage team member's to circumvent this inconvenience by using other geolocation enabled devices for apps and sites that benefit from geolocation (i.e. direction and map apps)
75	Security	Geolocation	Always ask the team member if a site wants to detect their geolocation		* Things that are seemingly inconsequential to a user, like devices providing websites geolocation in environments where your Traveler has high-power adversaries that actively make successful requests from online intermediaries for team member information, can have significant security implications because of the information they leak. * This might be annoying to some traveler's. But, the tradeoff is important. Proper security awareness training around why should be available for those who find it difficult. Having your team member's trust that you will be receptive to their difficulties enough to reach out to tell you that this is difficult is critical for seemingly small things, like geolocation, that actually can have significant security implications because of the information they leak.
76	Security	Geolocation	Allow user to configure	* Giving a team member a one click ability to enable geolocation saps them of the ability to make choices about which future apps and sites should have geolocation access. But, these types of one-click decisions are often the choice that is made by a frustrated, jet-lagged, and stressed team member that is attempting to get their applications working more easily. As such, I have chosen "always asking" over the team member configuration option.	* This is unintentional circumvention in many cases. Giving a team member a one click ability to enable geolocation saps them of the ability to make choices about which future apps and sites should have geolocation access. But, these types of one-click decisions are often the choice that is made by a frustrated, jet-lagged, and stressed team member that is attempting to get their applications working more easily.
77	Security	Remote access clients	Remote Access Host Client Domain - Configure the required domain name for remote access clients.	* In short, this will only allow registered team member's from your Google Apps domain to remotely access your traveler's chromebooks. If you have a remote access client that you use you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team member's from any domain.	* In short, this will only allow registered team member's from your Google Apps domain to remotely access your traveler's chromebooks. If you have a remote access client that you use you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team member's from any domain.
78	Security	Local Trust Anchors Certificates	Follow the publicly announced SHA-1 deprecation schedule
79	Security	Local Trust Anchors Certificates	Allow SHA-1 for local trust anchors		* Sometimes you just have to follow best practice - https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html
80	Security	Local Trust Anchors Certificates	Block		* Sometimes you just have to follow best practice
81	Security	Local Trust Anchors Certificates	Allow		* Setting this to allow can allow the name constraints certificate extension to be bypassed. Just follow best practice and block it. You will have to follow proper cert provisioning within your organization for private services. But, is that really too much to ask? - https://blogs.technet.microsoft.com/pki/2014/03/05/constraints-what-they-are-and-how-theyre-used/ - https://www.sysadmins.lv/blog-en/x509-name-constraints-certificate-extension-all-you-should-know.aspx
82	Session Settings	Show Logout Button in Tray	Does not show logout button in tray
83	Session Settings	Show Logout Button in Tray	Show logout button in tray	* Make it easy for team member's to follow the appropriate logout practices.	* Make it easy for team member's to follow the appropriate logout practices.
84	Network	Proxy Settings	Never use a proxy	* If you don't have a secure proxy set up then use this option and use forced apps to install a VPN. * They will have to know when, and how, to use a VPN.	* Proxies be inconvenient in low connectivity areas.
85	Network	Proxy Settings	Always auto detect the proxy			* Are you kidding me.
86	Network	Proxy Settings	Always use the proxy specified below		* Proxies be inconvenient in low connectivity areas. * Proxies be maddening for team member's in already low connectivity areas. They are likely to turn to other devices they have to get their work done if their chromebook is too slow because of a proxy. There are other ways of protecting traffic than an always on proxy.
87	Network	Proxy Settings	Always use the proxy auto-config specified below	* If you are using a PAC file make sure that you are using a secure connection to your proxy. https://www.chromium.org/developers/design-documents/secure-web-proxy"	* Proxies be inconvenient in low connectivity areas. If there are concerns about passive surveillance than the use of a proxy that is only configured to proxy non-TLS (HTTP) connections can provide a greater level of security against surveillance without impacting connections that already have TLS. * Proxies be maddening for team member's in already low connectivity areas. They are likely to turn to other devices they have to get their work done if their chromebook is too slow because of a proxy. There are other ways of protecting traffic than an always on proxy.
88	Network	SSL Record Splitting	Enable SSL record splitting
89	Network	SSL Record Splitting	Disable SSL record splitting
90	Network	Data Compression Proxy	Allow user to decide whether to use data compression proxy
91	Network	Data Compression Proxy	Always enable data compression proxy
92	Network	Data Compression Proxy	Always disable data compression proxy
93	Network	WebRTC UDP Ports	Minimum port (1024-65535)	* Could be useful if webrtc is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device specific configuration for the team member's going there.	* Could be useful if webrtc is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device specific configuration for the team member's going there. * One consideration here is that by setting this value to a very small set of unique ports it will act as a fingerprint your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team member's obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected, group of targeted actors within a country this could be used to uniquely identify associated chromebooks through passive monitoring. ) In most countries this is a HIGHLY unlikely scenerio. But, we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network level fingerprinting in an increasing number of threat environments.
94	Network	WebRTC UDP Ports	Maximum port (1024-65535)	* Could be useful if webrtc is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device specific configuration for the team member's going there.	* Could be useful if webrtc is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device specific configuration for the team member's going there. * One consideration here is that by setting this value to a very small set of unique ports it will act as a fingerprint your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team member's obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected, group of targeted actors within a country this could be used to uniquely identify associated chromebooks through passive monitoring. ) In most countries this is a HIGHLY unlikely scenerio. But, we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network level fingerprinting in an increasing number of threat environments.
95	Network	QUIC Protocol	Enabled		* QUIC has the same security properties as HTTP/S. It also has the added perk of getting around basic HTTP/S protocol blocking. A device with QUIC enabled, connecting to a service that supports QUIC, will fallback to QUIC when HTTP/S is blocked. It is not a "real" circumvention protocol, but it does make connections just a small bit more resilient to HTTP/S blocking - https://twitter.com/seamustuohy/status/805474243509186561 * QUIC has the same security properties as HTTP/S. It also reduces latency. It's useful when networking conditions are bad.
96	Network	QUIC Protocol	Disabled		* QUIC has the same security properties as HTTP/S. It also reduces latency. It's useful when networking conditions are bad.
97	Startup	Home Button	Always show 'Home' button	* This, when combined with a default homepage with the "device usage rules" and proper team member training can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give their password they can simply inform the border guard to click on the homepage button to see IT's policy and prove that you don't have access.	* This, when combined with a default homepage with the "device usage rules" and proper team member training can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give their password they can simply inform the border guard to click on the homepage button to see IT's policy and prove that you don't have access.
98	Startup	Home Button	Never show 'Home' button
99	Startup	Home Button	Allow user to configure
100	Startup	Homepage	Allow user to configure
101	Startup	Homepage	Homepage is always the new tab page	* This can't to be set for the "always show home button" option in [Startup > Home Button] to work.	* New tab page exposes commonly used websites. This is an information exposure vector that some travlers may not want. "If you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#NTP * This can't be set for the "always show home button" option in [Startup > Home Button] to work.	* New tab page exposes commonly used websites. This is an information exposure vector that some travlers may not want. "If you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#NTP
102	Startup	Homepage	Homepage is always the Homepage URL, set below	* This has to be set for the "always show home button" option in [Startup > Home Button] to work.	* This has to be set for the "always show home button" option in [Startup > Home Button] to work.
103	Startup	Pages to Load on Startup	Pages to Load on Startup	* For even more forceful proof of inaccess the IT policies could be put in a page to load on startup. This would mean that a border guard who was just provided the login credentials would still immediately encounter the IT Policies.	* For even more forceful proof of inaccess the IT policies could be put in a page to load on startup. This would mean that a border guard who was just provided the login credentials would still immediately encounter the IT Policies.
104	Content	Safe Search and Restricted Mode	Do not enforce Safe Search for Google Web Search queries
105	Content	Safe Search and Restricted Mode	Always use Safe Search for Google Web Search queries		* All "Safe Search" does is filter explicit or pornographic images. Not relevant to our security model. And, if it gets in the way of researcher and/or personal device usage when traveling the team member is going to find a way to circumvent it.
106	Content	Safe Search and Restricted Mode	Do not enforce Restricted Mode on YouTube
107	Content	Safe Search and Restricted Mode	Enforce at least Moderate Restricted Mode on YouTube		* Same as Safe Search, but for youtube videos. Not relevant and possibly leads to circumvention.
108	Content	Safe Search and Restricted Mode	Enforce Strict Restricted Mode for YouTube		* Same as Safe Search, but for youtube videos. Not relevant and possibly leads to circumvention.
109	Content	Screenshot	Enable screenshot
110	Content	Screenshot	Disable screenshot		* I see no reason to disable screenshot. Especially if team member's are conducting research, etc. where they may need screenshots of websites or temporary communications they have on the chromebook.
111	Content	Client Certificates	Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	* This option only makes the process easier. You still need to implement client side certificate checking on your services, and certificate management in your device provisioning process. * You will have to put a side-channel process in place for installing the certificate on the team member's device if you are using in-country device swapping. * Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device.	* Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device. * Client certs will only allow a device with a valid certificate installed on it to connect to a service. I'm not going to go in depth about it here. But, it means that if a travel team member's username and password are compromised for any account the attacker will also need to have access to a device with that team member's certs installed. * Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device. Of course, this requires clear and absolutist language to be included in the border-guard facing documentation to make this clear.
112	Content	3D Content	Always allow display of 3D content
113	Content	3D Content	Never allow display of 3D content
114	Content	Cookies	Allow sites to set cookies		* Actors who have targeted ISP level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threat's that I think about here! Not saying that it is a threat that your team member's need to worry about. :D )	* I would consider this the default. You don't want the internet to seem broken on these devices. team member's will quickly abandon them if it feels that way.
115	Content	Cookies	Never allow sites to set cookies		* Actors who have targeted ISP level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threat's that I think about here! Not saying that it is a threat that your team member's need to worry about. :D )	* You don't want the internet to seem broken on these devices. team member's will quickly abandon them if it feels that way.
116	Content	Cookies	Allow user to configure	* With team member's with greater security awareness and/or aptitude who are going to multiple different threat environments this can be a useful option.		* With team member's with greater security awareness and/or aptitude who are going to multiple different threat environments this can be a useful option.
117	Content	Cookies	Keep cookies for the duration of the session	* Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	* Actors who have targeted ISP level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threat's that I think about here! Not saying that it is a threat that your team member's need to worry about. :D )
118	Content	Cookies	Allow Cookies for URL Patterns	* If you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.		* If you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.
119	Content	Cookies	Block Cookies for URL Patterns	* This is a way to enforce that the chromebook browser does not save persistent cookies for sites with sensitive data when using travel devices without having to remove cookies for all team member's server side. You can allow cookies globally so that the team member can save cookies and logins for convenience sites, but have the session cookies for pre-determined sensitive sites blocked (i.e. the secure data repository, organizaiton data logins, etc.)
120	Content	Cookies	Allow Session-Only Cookies for URL Patterns	* Whitelisting problems: You might create a VERY broad URL pattern for this to allow session cookies for large swaths of the internet when persistent cookies are otherwise blocked. Of course, like with the other cookie whitelists if you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.		* You might create a VERY broad URL pattern for this to allow session cookies for large swaths of the internet when persistent cookies are otherwise blocked. Of course, like with the other cookie whitelists if you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.
121	Content	Third-Party Cookie Blocking	Allow third-party cookies		* This is another fingerprinting threat, and therefore not very relevant for most contexts.	* This is another fingerprinting threat, and therefore not relevant for this context.
122	Content	Third-Party Cookie Blocking	Disallow third-party cookies		* This is another fingerprinting threat, and therefore not very relevant for most contexts.
123	Content	Third-Party Cookie Blocking	Allow user to decide whether to allow third-party cookies	* This is another fingerprinting threat, and therefore not relevant for this context.
124	Content	Images	Show images
125	Content	Images	Do not show images		* This is not relevant for security purposes and would cause any normal team member to be furious.
126	Content	Images	Allow user to configure	* You will want to inform team member's of the benefits of this option in low connectivity regions where the team member might want to configure it themself to save on bandwidth when using the internet. If you don't they are not going to find it themselves.	* There is the one case for low connectivity regions where the team member might want to configure it themself to save on bandwidth when using the internet.
127	Content	Images	Show Images on These Sites	* Whitelisting problems
128	Content	Images	Block Images on These Sites	* See blacklisting problems under the blacklisting mitigation.
129	Content	JavaScript	Allow sites to run JavaScript	* They will have to be trained how to use the JS blocking extension.	* Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis.
130	Content	JavaScript	Do not allow sites to run JavaScript		* Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis.
131	Content	JavaScript	Allow user to configure
132	Content	JavaScript	Allow These Sites to Run JavaScript	* Whitelisting problems
133	Content	JavaScript	Block JavaScript on These Sites	* See blacklisting problems under the blacklisting mitigation.
134	Content	Notifications	Allow sites to show desktop notifications		* "This is a complex one for me. It does fall under the basic guidelines for not destroying your team's workflow using security. But, I think desktop notifications are ripe for future phishing attacks (see below). As such, if after surveying my team member base I discover that notifications are not being used I would choose the option ""Do not allow notifications."" But, if there are team member's who do already use notifications I would just do some user-awareness training around the possible threats of notifications and allow them to show/block notifications as they see fit. I choose this over (allowing a team member to configure) because of how convinceing I beleive these attacks will be. I see desktop notifications as a likely future avenue for phishing and wateringhole attacks. I have not seen examples of this being abused. But, their feature set combined with their platform native look makes them especially likely to be used in this way. These alerts don't require the website to be open, can play sounds or cause the team member's device to vibrate, stay shown until a team member to interacts with them, and run javascript or take a team member to a URL when they click on events. This makes them a convinceing interface for fakeing legitimate platform security/anti-virus/etc. alerts. https://developers.google.com/web/fundamentals/engage-and-retain/push-notifications/notification-behaviour"
135	Content	Notifications	Do not allow sites to show desktop notifications		* It does fall under the basic guidelines for not destroying your team's workflow using security.
136	Content	Notifications	Always ask the team member if a site can show desktop notifications		* Because of the "exhausted Traveler 'just work!' problem" I think that initial acceptance of the initial phishing website to provide notifications will be hard to stop. After this the attacker can then send the notification based phishing attack at a later point.
137	Content	Notifications	Allow user to configure
138	Content	Notifications	Allow These Sites to Show Desktop Notifications	* Since I am, for once, willing to agree to the wholesale disabling of a feature it is only appropriate to note that once a needs assessment is done you can use a whitelist to add sites back in. If you survey your user base and they use notifications on a small number of specific websites this is an option that will allow you to support your team member's workflows without opening up this attack vector too widely. As with all the whitelist options this can get out of control and lead to team member frustration, so it should be done when there is low notification usage and/or a small team
139	Content	Notifications	Block Desktop Notifications on These Sites
140	Content	Plug-ins	Run plug-ins automatically		* Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)	* Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)
141	Content	Plug-ins	Block all plug-ins	* Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)	* Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)
142	Content	Plug-ins	Allow user to configure
143	Content	Plug-ins	Allow Plug-ins on These Sites	* if there is a small group of folks that need flash apps when they travel (I'm thinking of accountants and the hellish systems they are forced to use or people who have to interact with government websites) I would use the "allow plug-ins on these sites" option to limit where flash is allowed to run. Because it is soon to be deprecated it makes sense to maintain this whitelist even if it is a bit onerous for your administrator. * Whitelisting problems		* if there is a small group of folks that need flash apps when they travel (I'm thinking of accountants and the hellish systems they are forced to use or people who have to interact with government websites) I would use the "allow plug-ins on these sites" option to limit where flash is allowed to run. Because it is soon to be deprecated it makes sense to maintain this whitelist even if it is a bit onerous for your administrator.
144	Content	Plug-ins	Block Plug-ins on These Sites	* See blacklisting problems under the blacklisting mitigation.
145	Content	Enabled and Disabled Plug-ins	Enabled Plug-ins
146	Content	Enabled and Disabled Plug-ins	Disabled Plug-ins
147	Content	Enabled and Disabled Plug-ins	Exceptions to Disabled Plug-ins
148	Content	Plugin Finder	Enable automatic search and installation of missing plugins
149	Content	Plugin Finder	Disable automatic search and installation of missing plugins	* Chrome only allows one plugin, flash. So, if they need flash make sure it is installed.
150	Content	Plugin Authorization	Always run plugins that require authorization		* Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.
151	Content	Plugin Authorization	Ask for user permission before running plugins that require authorization	* Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.	* Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.	* Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.
152	Content	Outdated Plugins	Allow outdated plugins to be used as normal plugins		* Again, they only allow flash, and it better be up to date with its crazy vulnerabilities in older versions
153	Content	Outdated Plugins	Disallow outdated plugins		* Again, they only allow flash, and it better be up to date with its crazy vulnerabilities in older versions
154	Content	Outdated Plugins	Ask user for permission to run outdated plugins
155	Content	Pop-ups	Allow all pop-ups			* Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)
156	Content	Pop-ups	Block all pop-ups	* Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)	* Another whitelist with all the whitelist problems. But, popups are SO prevalent that this is even worse than most. Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)	* Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)
157	Content	Pop-ups	Allow user to configure	* Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)
158	Content	Pop-ups	Allow Pop-ups on These Sites	* If you have a small team and the admin team is very responsive when things are not working, and they are happy to take a midnight page about how someone's [bank, taxes, student loan] site is not working then you can do whitelisting. * Another whitelist with all the whitelist problems. But, popups are SO prevalent that this is even worse than most. If you have a small team and the admin team is very responsive when things are not working, and they are happy to take a midnight page about how someone's [bank, taxes, student loan] site is not working then you can do whitelisting.
159	Content	Pop-ups	Block Pop-ups on These Sites	* See blacklisting problems under the blacklisting mitigation.
160	Content	URL Blocking	URL Blacklist	* A blacklist, with blacklist problems. But, while this is not directly relevant to the travel use case this is an easy enough field to fill up with 1000 common typosquatting for your domains [1]. With some research and lots of testing using your network logs this could also be used to block common practices in phishing attacks. Honestly, the only reason I am allowing this blacklist is because I think it would be fun to implement. [1] https://github.com/elceef/dnstwist * See blacklisting problems under the blacklisting mitigation.	* A blacklist, with blacklist problems. But, while this is not directly relevant to the travel use case this is an easy enough field to fill up with 1000 common typosquatting for your domains [1]. With some research and lots of testing using your network logs this could also be used to block common practices in phishing attacks. Honestly, the only reason I am allowing this blacklist is because I think it would be fun to implement. [1] https://github.com/elceef/dnstwist
161	Content	URL Blacklist Exception	URL Blacklist Exception
162	Content	Google Drive Syncing	Enable Google Drive syncing	* As with other team member controlled interventions this requires building the team member's security awareness to the point where they don't store sensitive documents within this folder.	* "Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	* This, when used in the following travel document support use-case, can make the travel device far more useful for the Traveler than it would be otherwise. Offline access to required documents is a very useful thing. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.
163	Content	Google Drive Syncing	Disable Google Drive syncing		* "Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.
164	Content	Google Drive Syncing	Allow user to decide whether to use Google Drive syncing	* As with other team member controlled interventions this requires building the team member's security awareness to the point where they don't store sensitive documents within this folder.
165	Content	Google Drive Syncing over Cellular	Enable Google Drive syncing over cellular connections		* If mobile data is available, but broadband access is not then enabling this (as long as the team member has cellular capabilities) can be valuable
166	Content	Google Drive Syncing over Cellular	Disable Google Drive syncing over cellular connections
167	Content	Cast	Allow user's to Cast
168	Content	Cast	Do not allow team member's to Cast
169	Printing	Printing	Enable printing
170	Printing	Printing	Disable printing		* Don't destroy a team member's ability to use the device to get the work done!
171	Printing	Print Preview	Allow using print preview
172	Printing	Print Preview	Always use the system print dialog instead of print preview
173	Printing	Google Cloud Print Submission	Allow submission of documents to Google Cloud Print	* "I was surprised to have something to consider in this section. Google cloud print offers a way to send a single hard-copy of a document to a remote location. Is there a use case for this as opposed to sending the digital file to a secure remote location that you don't have access to? This should be considered an equivalent level of security & privacy as other google services. "
174	Printing	Google Cloud Print Submission	Disallow submission of documents to Google Cloud Print	* "I was surprised to have something to consider in this section. Google cloud print offers a way to send a single hard-copy of a document to a remote location. Is there a use case for this as opposed to sending the digital file to a secure remote location that you don't have access to? This should be considered an equivalent level of security & privacy as other google services. "
175	Printing	Google Cloud Print Proxy	Allow using Chrome as a proxy for Google Cloud Print	* This is only relevant for mac,windows,and linux. On chrome google cloud print should just work.
176	Printing	Google Cloud Print Proxy	Disallow using Chrome as a proxy for Google Cloud Print
177	Printing	Print Preview Default	Use default print behavior
178	Printing	Print Preview Default	Define the default printer
179	Printing	Print Preview Default	Cloud & Local printers
180	Printing	Print Preview Default	Cloud only
181	Printing	Print Preview Default	Local only
182	Printing	Print Preview Default	Match by Name
183	Printing	Print Preview Default	Match by ID
184	Printing	Print Preview Default
185	Printing	Native Chrome OS Printing	Manage
186	User Experience	Managed Bookmarks	Managed Bookmarks Folder Name	* For proof of inaccess it could be valuable to name this something official.	* For proof of inaccess it could be valuable to name this something official.
187	User Experience	Managed Bookmarks	Managed Bookmarks	* These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account. * It also is a way to ensure that team member's have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team member's to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phsihing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account. * Managed bookmarks is another way for a Traveler to provide "proof of inaccess" without having every interface on their device covered in warnings. They can simply tell the border guard to look at the travel device policy in their bookmarks.	* These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account. * It also is a way to ensure that team member's have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team member's to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phishing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account. * It also is a way to ensure that team member's have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team member's to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phishing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obfuscated account. * Managed bookmarks is another way for a Traveler to provide "proof of inaccess" without having every interface on their device covered in warnings. They can simply tell the border guard to look at the travel device policy in their bookmarks.
188	User Experience	Bookmark Bar	Enable bookmark bar		* Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one.	* Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one.
189	User Experience	Bookmark Bar	Disable bookmark bar		* There is no security reason to disable this
190	User Experience	Bookmark Bar	Allow user to decide whether to enable bookmark bar	* Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one.		* Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one.
191	User Experience	Bookmark Editing	Enable bookmark editing	* Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks.	* Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks.
192	User Experience	Bookmark Editing	Disable bookmark editing		* Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks.
193	User Experience	Download Location	Set Google Drive as default, but allow team member to change	* By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.	* By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.
194	User Experience	Download Location	Local Downloads folder, but allow team member to change	* By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.	* By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.
195	User Experience	Download Location	Force Google Drive		* In some instances a team member will want to have offline data. Esp. in cases where online access will be Intermittent. * In some instances a team member will want to have offline data. Esp. in cases where data is throttled/slow. * We don't want forced online storage. Likely lead to unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.	* We don't want forced online storage. If a team member needs to keep their profile free of downloads for their own increased security forcing this will get in their way.
196	User Experience	Spell Check Service	Enable the spell checking web service			* Chrome does come with a client-side spell checker. This option will enable the web-based spell checker that sends all a team member's typing to Google's servers. Note, that if the team member is using google docs it is already using this feature, just natively within google docs.
197	User Experience	Spell Check Service	Disable the spell checking web service
198	User Experience	Spell Check Service	Allow user to decide whether to use the spell checking web service	* Like many other information leaks in chrome this is very threat-model specific. But, as with those, it is important to allow for team member's with greater security needs to add those controls without destroying the workflow of others.		* Like many other information leaks in chrome this is very threat-model specific. But, as with those, it is important to allow for team member's with greater security needs to add those controls without destroying the workflow of others.
199	User Experience	Google Translate	Always offer translation			* See all the previous comments about giving team member's the power to increase their security without breaking their workflow.
200	User Experience	Google Translate	Never offer translation		* Don't break all the useful things on the internet.
201	User Experience	Google Translate	Allow user to configure
202	User Experience	Alternate Error Pages	Always use alternate error pages
203	User Experience	Alternate Error Pages	Never use alternate error pages
204	User Experience	Alternate Error Pages	Allow user to configure
205	User Experience	Developer Tools	Always allow use of built-in developer tools
206	User Experience	Developer Tools	Never allow use of built-in developer tools		* Don't dis empower team member's for no reason.
207	User Experience	Form Auto-fill	Never auto-fill forms		* Browser autofill phishing/pharming was just trending on the info-sec news circuit. * See all the previous comments about giving team member's the power to increase their security without breaking their workflow.
208	User Experience	Form Auto-fill	Allow user to configure	* See all the previous comments about giving team member's the power to increase their security without breaking their workflow.		* See all the previous comments about giving team member's the power to increase their security without breaking their workflow.
209	User Experience	DNS Pre-fetching	Always pre-fetch DNS	* If the team member is using a VPN into a network that I control and am logging DNS requests it will increase the noise on the network significantly. Even if they don't click on the URL I may spend my time tracking down DNS requests for possibly malicious sites.	* I have security concerns with pre-fetching that make me lean towards not allowing or even allowing team member's to configure. I don't want my team member's devices requesting the location of sites that they have not actually requested. In places with passive monitoring where sites they have accessed might be used against my team member's I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the costs of storing widescale passive traffic captures, etc. It will be hard to disprove a case built just on DNS.
210	User Experience	DNS Pre-fetching	Never pre-fetch DNS		* I have security concerns with pre-fetching that make me lean towards not allowing or even allowing team member's to configure. I don't want my team member's devices requesting the location of sites that they have not actually requested. In places with passive monitoring where sites they have accessed might be used against my team member's I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the costs of storing widescale passive traffic captures, etc. It will be hard to disprove a case built just on DNS.	* I don't think that not pre-fetching will impact the team member in any meaningful way. And, I feel like this is the kind of option that will be clicked on by a team member who is trying to get the internet running quicker without understanding how it impacts their risk model.
211	User Experience	DNS Pre-fetching	Allow user to configure			* I don't think that not pre-fetching will impact the team member significantly. And, I feel like this is the kind of option that will be clicked on by a team member who is trying to get the internet running quicker without understanding how it impacts their risk model.
212	User Experience	Multiple Sign-in Access	Managed team member must be the primary team member (secondary team member's are allowed)	* Secondary accounts have access to policy-defined networks. This means you have accounts that are not entirely controlled with access to any internal networks that are defined. That's not cool. * See "block multiple". With managed team member is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. * Multiple accounts logged in on a device also raises questions about the legitimacy of proof of inaccess provided by a user." * With managed team member is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases.	* With managed team member is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. * With managed user is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should not allow multiple sign-in in these cases. * I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling.
213	User Experience	Multiple Sign-in Access	Unrestricted team member access (allow any team member to be added to any other user's session)	* Secondary accounts have access to policy-defined networks. This means you have accounts that are not entirely controlled with access to any internal networks that are defined. That's not cool. * "Without multiple-sign in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team member's logged in ""without having to sign out of their account and sign back in to another"". This one really depends on the workflow of your team member's. * Multiple accounts logged in on a device also raises questions about the legitimacy of proof of inaccess provided by a user." * I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling.	* With managed team member is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. * With managed user is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should not allow multiple sign-in in these cases. * I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling.
214	User Experience	Multiple Sign-in Access	Block multiple sign-in access for team member's in this organization	* Without multiple-sign in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team member's logged in ""without having to sign out of their account and sign back in to another"". This one really depends on the workflow of your team member's. * Multiple accounts logged in on a device raises questions about the legitimacy of proof of inaccess provided by a user.	* Multiple accounts logged in on a device raises questions about the legitimacy of proof of inaccess provided by a user.	* Without multiple-sign in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team member's logged in ""without having to sign out of their account and sign back in to another"". This one really depends on the workflow of your team member's. * I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling.
215	User Experience	Unified Desktop	Do not make Unified Desktop mode available to user
216	User Experience	Unified Desktop	Make Unified Desktop mode available to user
217	Omnibox Search Provider	Search Suggest	Always allow team member's to use Search Suggest			* See all the previous comments about giving team member's the power to increase their security without breaking their workflow.
218	Omnibox Search Provider	Search Suggest	Never allow team member's to use Search Suggest
219	Omnibox Search Provider	Search Suggest	Allow user to configure
220	Omnibox Search Provider	Omnibox Search Provider	Allow user to select the Omnibox Search Provider		* "The threat here is Omnibox (search) Hijacking. This type of malware can redirect a team member to further malicious and/or phishing pages and surveil a team member's searches. By locking the omnibox search provider to a specific subset you can make this type of malware useless. - If you encounter one of these check out this short guidance to get rid of the: https://productforums.google.com/forum/#!msg/websearch/6W1JbCZMjMU/qCm7oM8cIMQJ
221	Omnibox Search Provider	Omnibox Search Provider	Lock the Omnibox Search Provider settings to the values below		* By choosing a search provider that is not liked by your team member's (for functionality or privacy reasons) you will have just crippled the omnibox forcing them into an alternative workflow to use a search they like. Remember, the omnibox is a convenience feature. A team member can go to whatever search engine they would like, just not from the omnibox.	* By locking to a search provider that is less secure than others you can disrupt the threat model of your travelers if they accidentally type an address wrong and it get's interpreted as a search. * By choosing a search provider that is not liked by your team member's (for functionality or privacy reasons) you will have just crippled the omnibox forcing them into an alternative workflow to use a search they like. Remember, the omnibox is a convenience feature. A team member can go to whatever search engine they would like, just not from the omnibox.
222	Hardware	External Storage devices	Allow external storage devices	* External storage devices can be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (i.e. team member certs, etc.)	* External storage devices add another attack surface for local attempts at compromise.
223	Hardware	External Storage devices	Allow external storage devices (read only)	* This will make it impossible for the Traveler to load sensitive information while they are in country. But, with access to, and proper use of, a secured archive they should be able to protect data when in transit without the use of external devices. * External storage devices can be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (i.e. team member certs, etc.)	* External storage devices add another attack surface for local attempts at compromise. * Don't break core functionality for security reasons.
224	Hardware	External Storage devices	Disallow external storage devices	* External storage devices can be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (i.e. team member certs, etc.)	* USB's and SD's are a critical part of many people's travel security plans. They are used to separate senstive information from the device. * Don't break core functionality for security reasons.
225	Hardware	Audio Input	Prompt team member to allow each time
226	Hardware	Audio Input	Disable audio input		* "I gotta give Google's chrome team some serious props for this one. When disabled, this won't allow any websites or applications use the internal microphone. While surveillance focused folks like myself would really like a hardware based switch for audio and video on our personal devices, this is a powerful tool for providing widescale assurances that none of your staff have installed apps that are secretly listening in. In the long-term I would move towards this with high-risk team's. But, you will have to get them all small headset/microphones and ensure that they remember to take them with them when they travel. This could be a huge impediment to their work if they can't use their ""secured travel device"" to conduct sensitive calls and/or video-chats. AV is always the worst. So, for team's I would start with it enabled, and then once you have made sure you can build adoption of the practices (and bought everyone nice travel headsets) you can move to disabling it."	* By disabling internal microphones you have greater assurances that the apps that your team member's are installing are not listening in on them at all times. This helps to lock down the device even if the team member installed a non-work-related app that attempts to listen to the environment. I gotta give Google's chrome team some serious props for this one. When disabled, this won't allow any websites or applications use the internal microphone. While surveillance focused folks like myself would really like a hardware based switch for audio and video on our personal devices, this is a powerful tool for providing widescale assurances that none of your staff have installed apps that are secretly listening in.
227	Hardware	Audio Output	Enable audio output
228	Hardware	Audio Output	Disable audio output
229	Hardware	Video Input	Enable video input
230	Hardware	Video Input	Disable video input		* This makes me happy from a privacy perspective (except that you have to disable hangouts separately). But, the inability to whitelist anything except google hangouts could lead to it getting in the way of staff conducting their work. If you are only using google hangouts for video communications within your org, and among the possible partners your team will have to communicate with while traveling this could be a way to ensure that video based surveillance by apps cannot occur. The same considerations mentioned about the use of ephemeral devices still apply.	* Make sure that your traveler's do not need to use non-google video apps to communicate with their partners, etc when they are traveling. * This removed the traveler's ability to use a webcam to chat with their loved ones unless they are using google hangouts. Depending upon how you support this, this would get in the way of many traveler's personal needs.
231	Hardware	Keyboard	Treat top-row keys as media keys, but allow team member to change
232	Hardware	Keyboard	Treat top-row keys as function keys, but allow team member to change
233	Verified Access	Verified Access	Disable for Enterprise Extensions
234	Verified Access	Verified Access	Enable for Enterprise Extensions	* If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data. * If you are doing this make sure that you don't over-secure to the point where a team member cannot contact you in an emergency i.e. do greater contingency planning around stronger security like this if your team member's will have time-sensitive tasks that require access to data and services in complex environments. * If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data. * If you are doing this make sure that you don't over-secure to the point where a team member cannot get them set-up on another device if needed. i.e. do greater contingency planning around stronger security like this if your team member's will have time-sensitive tasks that require access to data and services in complex environments.	* If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team members, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data. * With this, team member's lose the ability to connect to these services from their other devices. If a team member has a workflow that Requires that they access services from other devices you need to find a way to make it work or they will circumvent the systems that are in-place.	* With this, team member's lose the ability to connect to these services from their other devices. If a team member has a workflow that Requires that they access services from other devices you need to find a way to make it work or they will circumvent the security.
235	User Verification	Verified Mode	Skip boot mode check for Verified Access	* Only if this is using verified access"	* If a team member can skip verified boot checks then a compromised (or developer) device can access enterprise extensions. This should not be used.
236	User Verification	Verified Mode	Require verified mode boot for Verified Access	* Only if this is using verified access"	* See the in-depth design docs for verified boot mode, including its responses to different attack cases here. https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
237	User Verification	Verified Mode	Service accounts which are allowed to receive team member data
238	User Verification	Verified Mode	Service accounts which can verify team member's but do not receive team member data		* If you are using third party services that offer verified access mode and offer this option you it will allow you to minimize the amount of information that they know about which specific team member conducted activities using their service. This option means that they can only know that the team member is a managed user, not which team member it is.
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002


1	< Index			Aggregated Comments on Configuration Options
2	Category	Title	Option	Mitigations	Threats	Requirements
3	Enrollment & Access	Forced Re-enrollment	Force device to re-enroll into this domain after wiping	* This will allow you to enforce specific devices for specific types of domains * If a team member needs to switch over to another sub-organization mid-trip while using the same device this would prohibit that switch. An example would be switching from a low threat to a high threat environment mid trip. The team member may want greater functionality early on, and then want to lock down their device before going into the next country.	* If a team member needs to switch over a personal account mid-trip because conditions have changed and their association with your organization has become more dangerous this would prohibit them from doing so. * This will allow you to enforce specific devices for specific types of domains. If a team member tries to reset their device to use it with a regular account this will not work.
4	Enrollment & Access	Forced Re-enrollment	Device is not forced to re-enroll after wiping	* This will allow a team member to switch over to another sub-organization mid-trip while using the same device. An example would be switching from a low threat to a high threat environment mid trip. The team member may want greater functionality early on, and then want to lock down their device before going into the next country.
5	Enrollment & Access	Verified Access	Disable for Enterprise Extensions
6	Enrollment & Access	Verified Access	Enable for Enterprise Extensions	* If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data. * If you are doing this make sure that you don't over-secure to the point where a team member cannot contact you in an emergency i.e. do greater contingency planning around stronger security like this if your team member's will have time-sensitive tasks that require access to data and services in complex environments. * If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data. * If you are doing this make sure that you don't over-secure to the point where a team member cannot get them set-up on another device if needed. i.e. do greater contingency planning around stronger security like this if your team member's will have time-sensitive tasks that require access to data and services in complex environments.	* If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data. * With this, team member's lose the ability to connect to these services from their other devices. If a team member has a workflow that Requires that they access services from other devices you need to find a way to make it work or they will circumvent the systems that are in-place.	* With this, team member's lose the ability to connect to these services from their other devices. If a team member has a workflow that Requires that they access services from other devices you need to find a way to make it work or they will circumvent the security.
7	Enrollment & Access	Verified Access	Disable for Content Protection
8	Enrollment & Access	Verified Access	Enable for Content Protection		* Ahhh, built in copyright protections. I don't care about you at all for this context. But, possibly in the future your team member's will want to buy protected media from YouTube or others that use this. Who knows.
9	Enrollment & Access	Verified Mode	Skip boot mode check for Verified Access	* Only if this is using verified access"	* If a team member can skip verified boot checks then a compromised (or developer) device can access enterprise extensions. This should not be used.
10	Enrollment & Access	Verified Mode	Require verified mode boot for Verified Access	* Only if this is using verified access"	* See the in-depth design docs for verified boot mode, including its responses to different attack cases here. https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
11	Enrollment & Access	Verified Mode	Service accounts which are allowed to receive device ID
12	Enrollment & Access	Verified Mode	Service accounts which can verify devices but do not receive device ID		* If you are using third party services that offer verified access mode and offer this option you it will allow you to minimize the amount of information that they know about which specific team member conducted activities using their service. This option means that they can only know that the team member is a managed user, not which team member it is.
13	Enrollment & Access	Disabled device return instructions	Custom text to display	* The disabled device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration. * This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.	* Lock-screen messages, whether using an external EMM tool or the GSuite configuration here, have different ramifications when thinking about theft vs. when thinking about remotely locking down a device when the admin/security team believes that a team member has been detained or their device confiscated. This can be used to show strict proof of inaccess. The disabled device notification also exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration. * The disabled device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration. * This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.	* This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.
14	Sign-in Settings	Guest Mode	Allow guest mode	* With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds. * Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	* Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	* With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.
15	Sign-in Settings	Guest Mode	Do not allow guest mode	* Not providing a way for the team member to browser in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions it takes much greater knowledge about where that history is saved to clear it out without modes like this.	* Not providing a way for the team member to browser in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions it takes much greater knowledge about where that history is saved to clear it out without modes like this. * With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.	* Not providing a way for the team member to browser in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions it takes much greater knowledge about where that history is saved to clear it out without modes like this.
16	Sign-in Settings	Sign-in Restriction	Restrict Sign-in to list of users:	* If a team member can only login to a travel account on this device it might help reenforce the level of lockdown that is done for traveler's. Requires that a google sub-organization uses a separate sub-domain. * If accounts other than the sub-org accounts can access it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device.	* If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices) * If travel sub-organization's use a different domain then this feature would not force them to login using their organization's primary (tained) domain in front of border officials.	* This will allow you to limit the ability for personal accounts to be used with these chromebooks. As with all other restrictions on team member capabilities this should be done after working with your team member's to identify an appropriate solution for meeting their personal computing needs during travel.
17	Sign-in Settings	Sign-in Restriction	Do not allow any users to Sign-in	* This would limit a significant amount of the controls we have put in place. So, no. Don't use this.	* If a team member cannot login to their (Sanitized) personal accounts when needed it can lead to issues.	* This would limit a significant amount of the controls we have put in place. So, no. Don't use this. * If a team member cannot login to their (Sanitized) personal accounts when needed it can lead to issues.
18	Sign-in Settings	Sign-in Restriction	comma-delimited list of usernames	* If a team member can only login to a travel account on this device it might help reenforce the level of lockdown that is done for traveler's. Requires that a google sub-organization uses a separate sub-domain. * If accounts other than the sub-org accounts can access it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device.	* If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices) * If travel sub-organization's use a different domain then this feature would not force them to login using their organization's primary (tained) domain in front of border officials. * If accounts other than the sub-org accounts can access device team member's might log in with their personal accounts * If accounts other than the sub-org accounts can access it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device.	* You can use *.YOURDOMAIN domain to limit across the board. Also important to take into consideration possible secondary google apps domains that your team member's might need to access, and keep separate from their current device, on their account.
19	Sign-in Settings	Autocomplete Domain	Do not display an autocomplete domain on the sign in page
20	Sign-in Settings	Autocomplete Domain	Use the domain name, set below, for autocomplete at sign in	* If the domain that is used for travel accounts matches the domain of the organization and the organizational affiliation can be of issue for the traveler this will not force identification upon casual inspection of the device. ("domain shown" + "not welcome" + "unknown" + "domains =") = forced identification upon casual inspection which is bad ("domain shown" + "not welcome" + "known" + "domains =") = no impact. * If the domain that is used for travel accounts does not match the domain of the organization and the organizational affiliation can be of issue for the traveler this will show alternate affiliation upon casual inspection of the device. If the border official knows the affiliation already, or the Traveler needs to show affiliation this can cause issues. (""domain shown"" + ""not welcome"" + ""known"" + ""domains !="") = ""they are 'hiding their identity' which proves they are up to no good"" [bad] (""domain shown"" + ""not welcome"" + ""unknown"" + ""domains !="") = does not expose team member affiliation upon casual inspection"	* If the domain that is used for travel accounts matches the domain of the organization and the organizational affiliation can be of issue for the traveler this will not force identification upon casual inspection of the device. ("domain shown" + "not welcome" + "unknown" + "domains =") = forced identification upon casual inspection which is bad ("domain shown" + "not welcome" + "known" + "domains =") = no impact. * If the domain that is used for travel accounts does not have any website or online presence and is attempting to hide the affiliation of the team member (this is a whole other can of worms that I'm not getting into) then this can open up the same "hiding identity risks." (""domain shown"" + ""not welcome"" + ""no online presence for domain"" + ""domains !="") = ""they are 'hiding their identity' which proves they are up to no good"" [bad] * If the domain that is used for travel accounts does not match the domain of the organization and the organizational affiliation can be of issue for the traveler this will show alternate affiliation upon casual inspection of the device. If the border official knows the affiliation already, or the Traveler needs to show affiliation this can cause issues. (""domain shown"" + ""not welcome"" + ""known"" + ""domains !="") = ""they are 'hiding their identity' which proves they are up to no good"" [bad] (""domain shown"" + ""not welcome"" + ""unknown"" + ""domains !="") = does not expose team member affiliation upon casual inspection"
21	Sign-in Settings	Sign-in Screen	Always show team member names and photos	* There is no reason to go advertising a person's name and identity on a publicly facing surface of their device.
22	Sign-in Settings	Sign-in Screen	Never show team member names and photos
23	Sign-in Settings	team member Data	Erase all local team member data	* This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.	* This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.	* This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.
24	Sign-in Settings	team member Data	Do not erase all local team member data		* This is the opposite of the ephemeral mode we have been talking about. And for good reason. It does not delete all team member state between logins. This way any settings and/or configurations do not have to be re-entered every login. This is a lot less of a pain than the other option.
25	Sign-in Settings	Single Sign-On IdP Redirection	Default. Take team member's to the default Google login page	* This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).
26	Sign-in Settings	Single Sign-On IdP Redirection	Allow user's to go directly to SAML SSO IdP page	* This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).	* This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).
27	Sign-in Settings	Single Sign-On Cookie Behavior	Disable transfer of SAML SSO Cookies into team member session during login		* It can be annoying to have to log into multiple services each time you login
28	Sign-in Settings	Single Sign-On Cookie Behavior	Enable transfer of SAML SSO Cookies into team member session during login		* This allows your single sign on credentials to be saved across different logins. It ties the security of your internal services to the security of the chrome login. Which, if you are this far into this document is likely to be fine. But, it does mean that if the chrome travel account credentials are identified, but the SSO credentials are not, an adversary can't get past the chrome login to access your internal systems. * It can be annoying to have to log into multiple services each time you login
29	Sign-in Settings	Single Sign-On Camera Permissions	Whitelist of single sign-on camera permissions	* I know what you are thinking. Why would I want to give my login service camera access? If you do some research your next question will be What is all that is holy is a "clever badge?" [1] Well, this function allows your team member's to use the devices camera to support single sign on. Heck, if you really wanted to you could have it ping a 24 hour desk who knew what your team member's looked like and have them authenticate based upon a conversation that ensures that they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but, you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges	* You could remotely get a picture of everyone who tries to login! Wouldn't that be a fun way to see if folks are trying to access your devices behind your team member's back. * I know what you are thinking. Why would I want to give my login service camera access? If you do some research your next question will be What is all that is holy is a "clever badge?" [1] Well, this function allows your team member's to use the device's camera to support single sign on. Heck, if you really wanted to you could have it ping a 24 hour desk who knew what your team member's looked like and have them authenticate based upon a conversation that ensures that they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but, you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges (QR codes for kids to login to stuff)
30	Sign-in Settings	Accessibility Control	Turn off accessibility settings on sign-in screen upon logout		* Don't be evil. If a team member needs accessibility settings have them be saved between logins. You can always hard reset the device when you get it back to remove this. But, don't force the team member to keep reconfiguring their accessibility controls.
31	Sign-in Settings	Sign-in Language	Allow user to configure
32	Sign-in Settings	Sign-in Language	[All the Languages]		* Useful if all your team member's are of a non-english (the default) language. * Not so useful if your default language might create some level of suspicion about your team member when a device is confiscated. i.e. entering a country that has serious issues with xenophobia against certain regions of the world.
33	Sign-in Settings	Sign-in Keyboard	[All the Keyboards]		* Useful if all your team member's are of a non-english (the default) keyboard setup. * Not so useful if your default language might create some level of suspicion about your team member when a device is confiscated. i.e. entering a country that has serious issues with xenophobia against certain regions of the world.
34	Device Update Settings	Auto Update Settings	Allow auto-updates	* Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.)	* Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.)
35	Device Update Settings	Auto Update Settings	Stop auto-updates		* Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.)	* If you don't have an admin with this capability and capacity to quickly check and release updates then this will require allowing updates and building staff capacity at finding alternate solutions when things break. Because updates are critical for security. Don't let an admin's fear of things breaking combined with a lack of time get in the way of real security.
36	Device Update Settings	Auto Update Settings	None		* If you have multiple team member's traveling together who are all using their own chrome devices in a country with limited connectivity scattering updates will limit the traffic spike of them all attempting to update at the same time.	* If you have multiple team member's traveling together who are all using their own chrome devices in a country with limited connectivity scattering updates will limit the traffic spike of them all attempting to update at the same time.
37	Device Update Settings	Auto Update Settings	[1-14] Day(s)		* If you have multiple team members traveling together who are all using their own chrome devices in a country with limited connectivity scattering updates will limit the traffic spike of them all attempting to update at the same time.	* If you have multiple team member's traveling together who are all using their own chrome devices in a country with limited connectivity scattering updates will limit the traffic spike of them all attempting to update at the same time.
38	Device Update Settings	Auto Update Settings	Allow auto-reboots		* This can be really annoying if you have devices set to be ephemeral and a team member is in a long-stretch of having their device on to work on something and all of a sudden it is reset and all their local data and credentials are wiped. In this case it might make sense to have those team member's on non-ephemeral devices, or to work with them on better workflows that support both ephemeral devices and longterm editing. But, either way it can be annoying.	* Auto-Reboots can be really annoying if you have devices set to be ephemeral and a team member is in a long-stretch of having their device on to work on something and all of a sudden it is reset and all their local data and credentials are wiped. In this case it might make sense to have those team member's on non-ephemeral devices, or to work with them on better workflows that support both ephemeral devices and longterm editing. But, either way it can be annoying.
39	Device Update Settings	Auto Update Settings	Disallow auto-reboots	* If team member's are missing device updates that contain security updates because they avoid turning their devices off at all costs it can open up new attack vectors for fast moving advanced persistent adversaries.
40	Device Update Settings	Release Channel	Allow user to configure		* The travel accounts should be on stable or configure by default. Don't put team member's on unstable platforms. They will end up having to use other devices that work.	* The travel accounts should be on stable or configure by default. Don't put team member's on unstable platforms. It's just not cool.
41	Device Update Settings	Release Channel	Move to Stable Channel
42	Device Update Settings	Release Channel	Move to Beta Channel		* Admins should have some devices here to test apps. team member's with unique app/workflow needs should also be able to test apps here if they want to. But, the travel accounts should be on stable or configure by default.	* Admins should have some devices here to test apps. team member's with unique app/workflow needs should also be able to test apps here if they want to. But, the travel accounts should be on stable or configure by default.
43	Device Update Settings	Release Channel	Move to Development Channel		* Admins should have some devices here to test apps. team member's with unique app/workflow needs should also be able to test apps here if they want to. But, the travel accounts should be on stable or configure by default.	* Admins should have some devices here to test apps. team member's with unique app/workflow needs should also be able to test apps here if they want to. But, the travel accounts should be on stable or configure by default.
44	Kiosk Settings	Kiosk Settings	Allow Public Session Kiosk
45	Kiosk Settings	Kiosk Settings	Do not allow Public Session Kiosk
46	Kiosk Settings	Kiosk Settings	Manage Public Session settings
47	Kiosk Settings	Kiosk Settings	No
48	Kiosk Settings	Kiosk Settings	Yes
49	Kiosk Settings	Kiosk Settings	Number of seconds before delaying auto-login; 0 means immediate auto-login
50	Kiosk Settings	Kiosk Settings	Allow Single App Kiosk
51	Kiosk Settings	Kiosk Settings	Do not allow Single App Kiosk
52	Kiosk Settings	Kiosk Settings	Manage Kiosk Applications
53	Kiosk Settings	Kiosk Settings	Auto-Launch Kiosk App
54	Kiosk Settings	Kiosk Settings	Disable device health monitoring
55	Kiosk Settings	Kiosk Settings	Enable device health monitoring
56	Kiosk Settings	Kiosk Settings	Disable device system log upload
57	Kiosk Settings	Kiosk Settings	Enable device system log upload
58	Kiosk Settings	Kiosk Settings	0 Degree
59	Kiosk Settings	Kiosk Settings	90 Degrees
60	Kiosk Settings	Kiosk Settings	180 Degrees
61	Kiosk Settings	Kiosk Settings	270 Degrees
62	Kiosk Settings	Kiosk Settings	Do not allow kiosk app to control OS version
63	Kiosk Settings	Kiosk Settings	Allow kiosk app to control OS version
64	Kiosk Settings	Kiosk Apps	Manage Kiosk Applications
65	Kiosk Settings	Kiosk Device Status Alerting Delivery	Receive alert via email
66	Kiosk Settings	Kiosk Device Status Alerting Delivery	Receive alert via SMS
67	Kiosk Settings	Kiosk Device Status Alerting Contact Info	Kiosk Device Status Alerting Emails
68	Kiosk Settings	Kiosk Device Status Alerting Contact Info	Kiosk Device Status Alerting Mobile Phones
69	User & Device Reporting	Device Reporting	Enable device state reporting	* Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.	* Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.	* Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.
70	User & Device Reporting	Device Reporting	Disable device state reporting
71	User & Device Reporting	Device Reporting	Enable tracking recent device user's	* Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data.	* Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data.	* Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data.
72	User & Device Reporting	Device Reporting	Disable tracking recent device user's
73	User & Device Reporting	Inactive Device Notifications	Disable inactive device notifications
74	User & Device Reporting	Inactive Device Notifications	Enable inactive device notifications	* Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen.	* Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if their has been an internet shutdown. (impact used as a way to indicate that by identifying one of these states earlier than you would otherwise you can react to it.)	* Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen.
75	User & Device Reporting	Inactive Device Notifications	Inactive Range (days)	* A shorter number of days gives you a quicker response, but it also creates a lot of noise. You should start low and build up a baseline you can use to set this to an appropriate value you can take action on.
76	User & Device Reporting	Inactive Device Notifications	Notification Cadence (days)	* A shorter re-alert time shows chronic behavior, but it also creates a lot of noise. You should start low and build up a baseline you can use to set this to an appropriate value that you can take action on.
77	User & Device Reporting	Inactive Device Notifications	Email addresses to receive notification reports	* Make sure that the people who see these know what they mean and that there are redundancies who has access so incidents don't get missed.		* Make sure that the people who see these know what they mean and that there are redundancies who has access so incidents don't get missed.
78	User & Device Reporting	Anonymous Metric Reporting	Always send metrics to Google
79	User & Device Reporting	Anonymous Metric Reporting	Never send metrics to Google
80	Power & Shutdown	Power Management	Allow device to sleep/shut down when idle on the sign-in screen	* This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.	* This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.	* This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.
81	Power & Shutdown	Power Management	Do not allow device to sleep/shut down when idle on the sign-in screen	* Power down on idle is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.	* The device will still draw power with idle. It's not a huge amount. But, if they are dealing with limited power it might be nice to know that their device will conserve power as much as possible.
82	Power & Shutdown	Scheduled Reboot	Number of days before reboot; leave empty for unset	* In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)	* In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)	* In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)
83	Power & Shutdown	Shut down	Allow user's to turn off the device via the Shut down icon on the screen, or the physical power button
84	Power & Shutdown	Shut down	Only allow team member's to turn off the device using the physical power button
85	Other	Cloud Print	Manage
86	Other	Time Zone	Keep timezone as it is on device currently	* This should default to the timezone that the device was reset at so this is the correct answer. traveler's should not be using devices that have not been fully reset to wipe all team member data and sessions from them in-between team member's.
87	Other	Time Zone	[All the timezones]			* If you have a specific timezone that your team member's want as a default and the devices are being reset from some other location this might make sense. I don't really see it though.
88	Other	System timezone automatic detection	Let team member's decide	* The IP-only method of figuring out your local time zone can get messed up by VPN's and Tor. So if you are having your team member's use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.
89	Other	System timezone automatic detection	Never auto-detect timezone	* The IP-only method of figuring out your local time zone can get messed up by VPN's and Tor. So if you are having your team member's use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.		* The IP-only method of figuring out your local time zone can get messed up by VPN's and Tor. So if you are having your team member's use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.
90	Other	System timezone automatic detection	Always use coarse timezone detection	* This uses the IP-only method of figuring out your local time zone. VPN's and Tor can cause problems here so if you are having your team member's use secure tunnels you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.		* This uses the IP-only method of figuring out your local time zone. VPN's and Tor can cause problems here so if you are having your team member's use secure tunnels you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.
91	Other	System timezone automatic detection	Always send WiFi access-points to server while resolving timezone	* This is information that google collects and stores with your data according to its privacy policy. I don't go into much other information google collects because of our assumptions. But, this one has some really serious meta-data attached to it that is constantly being collected. https://www.google.com/policies/privacy/#infocollect	* This is information that google collects and stores with your data according to its privacy policy. I don't go into much other information google collects because of our assumptions. But, this one has some really serious meta-data attached to it that is constantly being collected. https://www.google.com/policies/privacy/#infocollect
92	Other	Mobile Data Roaming	Allow mobile data roaming		* If mobile data is available, but broadband access is not then enabling this (as long as the team member has cellular capabilities) can be valuable
93	Other	Mobile Data Roaming	Do not allow mobile data roaming
94	Other	USB Detachable Whitelist	List of VID:PID pairs	* This let's you whitelist USB devices that can be accessed directly by applications. By default USB flash drives, webcam and headset are not redirected to applications. So, in order to allow a remote desktop or desktop virtualization software able to run off of a specific piece of hardware you have to approve that hardware in the interface. If you are going to be buying usb headsets for your staff to use when traveling, make sure you only get a few different kinds and then whitelist them here.	* This limits the ability of devices from accessing your applications. Therefore limiting the possibility of malicious apps and/or malicious devices compromising the other.	* This let's you whitelist USB devices that can be accessed directly by applications. By default USB flash drives, webcam and headset are not redirected to applications. So, in order to allow a remote desktop or desktop virtualization software able to run off of a specific piece of hardware you have to approve that hardware in the interface. If you are going to be buying usb headsets for your staff to use when traveling, make sure you only get a few different kinds and then whitelist them here.
95	Other	Bluetooth	Do not disable bluetooth
96	Other	Bluetooth	Disable bluetooth
97	Other	Throttle Device Bandwidth	Enable network throttling
98	Other	Throttle Device Bandwidth	Disable network throttling
99	Other	Throttle Device Bandwidth	Download speed in kbps
100	Other	Throttle Device Bandwidth	Upload speed in kbps
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002


1	< Index	The GSuite Public Session Settings menu can be found here.						Mitigation			Modification to Threats (Only direct modifications. Not cascading.)				Requirements
2	Category	Title	Description	SubItem	Option(s)	Basic	High Risk	Supports	Inhibits	Requires	Likelihood ↧	Impact ↧	Likelihood ↥	Impact ↥	Supports	Inhibits

3	General	Session Display Name
4	General	Maximum User Session Length	1 - 1440 minutes; leave empty for unlimited sessions
5	General	Terms of Service	Custom Terms of Service Agreement.		Upload terms of service file
6	General	Avatar	Custom Avatar.		Upload avatar file
7	General	Wallpaper	Custom Wallpaper		Upload wallpaper file
8	General	Policy Refresh Rate	The number of minutes between client policy refreshes.		minutes
9	Apps and Extensions	Force-installed Apps and Extensions	Bulk install the Apps pack for Business for your organization. (Note: To ensure force-installed apps and extensions can't be tampered with, we recommend you disallow developer tools access.)		Manage force-installed apps
10	Apps and Extensions	Allow or Block All Apps and Extensions	Choose which Chrome apps and extensions to allow.		Allow all apps and extensions except the ones I block
11	Apps and Extensions				Block all apps and extensions except the ones I allow
12	Apps and Extensions	Allowed Apps and Extensions	apps or extensions are blocked.		Manage
13	Apps and Extensions	Pinned Apps and Extensions	apps or extensions will be pinned to the Chrome launcher if they are installed.		Manage pinned apps
14	Security	Logout on Idle after			1 - 1440 minutes; leave empty to never logout
15	Security	Incognito Mode			Allow incognito mode
16	Security	Incognito Mode			Disallow incognito mode
17	Security	Browser History			Always save browser history
18	Security	Browser History			Never save browser history
19	Security	Safe Browsing			Always enable Safe Browsing
20	Security	Safe Browsing			Always disable Safe Browsing
21	Security	Safe Browsing			Allow user to decide whether to use Safe Browsing
22	Security	Remote access clients	Configure the required domain name for remote access clients.		Remote Access Host Client Domain
23	Network	Proxy Settings	Proxy Mode		Allow user to configure
24	Network	Proxy Settings	Proxy Mode		Never use a proxy
25	Network	Proxy Settings	Proxy Mode		Always auto detect the proxy
26	Network	Proxy Settings	Proxy Mode		Always use the proxy specified below
27	Network	Proxy Settings	Proxy Mode		Always use the proxy auto-config specified below
28	Network	Proxy Settings	Proxy Mode	Always use the proxy specified below	Proxy Server URL
29	Network	Proxy Settings	Enter a list of URLs that should bypass specified proxy. Put each URL on its own line.	Always use the proxy specified below	Proxy Bypass List
30	Network	Proxy Settings	URL of the .pac file that should be used for network connections.	Always use the proxy auto-config specified below	Proxy Server Auto Configuration File URL
31	Network	QUIC Protocol	QUIC Protocol		Enabled
32	Network	QUIC Protocol	QUIC Protocol		Disabled
33	Startup	Home Button			Always show "Home" button
34	Startup	Home Button			Never show "Home" button
35	Startup	Home Button			Allow user to configure
36	Startup	Homepage	Homepage is New Tab Page		Allow user to configure
37	Startup	Homepage	Homepage is New Tab Page		Homepage is always the new tab page
38	Startup	Homepage	Homepage is New Tab Page		Homepage is always the Homepage URL, set below
39	Startup	Homepage	Homepage is New Tab Page	Homepage is always the Homepage URL, set below	Homepage URL
40	Startup	Pages to Load on Startup			Put each URL on its own line.
41	Content	Safe Search and Restricted Mode	Google Safe Search for Google Web Search queries		Do not enforce Safe Search for Google Web Search queries
42	Content	Safe Search and Restricted Mode	Google Safe Search for Google Web Search queries		Always use Safe Search for Google Web Search queries
43	Content	Restricted Mode for YouTube			Do not enforce Restricted Mode on YouTube
44	Content	Restricted Mode for YouTube			Enforce at least Moderate Restricted Mode on YouTube
45	Content	Restricted Mode for YouTube			Enforce Strict Restricted Mode for YouTube
46	Content	Screenshot			Enable screenshot
47	Content	Screenshot			Disable screenshot
48	Content	Plug-ins			Run plug-ins automatically
49	Content	Plug-ins			Block all plug-ins
50	Content	Plug-ins			Allow user to configure
51	Content	Plug-ins	Put one pattern on each line.		Allow Plug-ins on These Sites
52	Content	Plug-ins	Put one pattern on each line.		Block Plug-ins on These Sites
53	Content	Pop-ups			Allow all pop-ups
54	Content	Pop-ups			Block all pop-ups
55	Content	Pop-ups			Allow user to configure
56	Content	Pop-ups	Put one pattern on each line.		Allow Pop-ups on These Sites
57	Content	Pop-ups	Put one pattern on each line.		Block Pop-ups on These Sites
58	Content	URL Blocking	Any URL in the URL blacklist will be blocked, unless it also appears in the URL blacklist exception list.		URL Blacklist
59	Content	URL Blocking	Any URL in the blacklist exception list will be allowed, even if it appears in the URL blacklist.		URL Blacklist Exception
60	Content	Cast	Allow users to Cast from Chrome		Allow users to Cast
61	Content	Cast	Allow users to Cast from Chrome		Do not allow users to Cast
62	Printing	Printing			Enable printing
63	Printing	Printing			Disable printing
64	Printing	Print Preview Default	Default printer selection		Use default print behavior
65	Printing	Print Preview Default	Default printer selection		Define the default printer
66	Printing	Print Preview Default		Printer Types	Cloud & Local printers
67	Printing	Print Preview Default		Printer Types	Cloud only
68	Printing	Print Preview Default		Printer Types	Local only
69	Printing	Print Preview Default		Printer Matching	Match by Name
70	Printing	Print Preview Default		Printer Matching	Match by ID
71	Printing	Print Preview Default	Enter a regular expression that matches the desired default printer selection. The print preview will default to the first printer to match the regular expression.	Default Printer	regular expression
72	Printing	Native Chrome OS Printing	Native Chrome OS Printers		Manage
73	User Experience	Managed Bookmarks			Managed Bookmarks Folder Name
74	User Experience	Managed Bookmarks			URL/Name
75	User Experience	Bookmark Bar			Enable bookmark bar
76	User Experience	Bookmark Bar			Disable bookmark bar
77	User Experience	Bookmark Bar			Allow user to decide whether to enable bookmark bar
78	User Experience	Spell Check Service			Enable the spell checking web service
79	User Experience	Spell Check Service			Disable the spell checking web service
80	User Experience	Spell Check Service			Allow user to decide whether to use the spell checking web service
81	User Experience	Google Translate			Always offer translation
82	User Experience	Google Translate			Never offer translation
83	User Experience	Google Translate			Allow user to configure
84	User Experience	Developer Tools	Developer Tools		Always allow use of built-in developer tools
85	User Experience	Developer Tools	Developer Tools		Never allow use of built-in developer tools
86	User Experience	Form Auto-fill			Never auto-fill forms
87	User Experience	Form Auto-fill			Allow user to configure
88	User Experience	Session Locale	Create an ordered shortlist of locales recommended for a Public Session	Language and Keyboard	Recommended languages
89	User Experience	Unified Desktop (BETA)	Unified Desktop mode allows applications to span multiple displays.		Do not make Unified Desktop mode available to user
90	User Experience	Unified Desktop (BETA)	Unified Desktop mode allows applications to span multiple displays.		Make Unified Desktop mode available to user
91	Omnibox Search Provider	Search Suggest			Always allow users to use Search Suggest
92	Omnibox Search Provider	Search Suggest			Never allow users to use Search Suggest
93	Omnibox Search Provider	Search Suggest			Allow user to configure
94	Omnibox Search Provider	Omnibox Search Provider			Allow user to select the Omnibox Search Provider
95	Omnibox Search Provider	Omnibox Search Provider			Lock the Omnibox Search Provider settings to the values below
96	Hardware	External Storage Devices	Secure Digital (SD) Cards, USB Flash Drive Devices, and MTP devices		Allow external storage devices
97	Hardware	External Storage Devices	Secure Digital (SD) Cards, USB Flash Drive Devices, and MTP devices		Allow external storage devices (read only)
98	Hardware	External Storage Devices	Secure Digital (SD) Cards, USB Flash Drive Devices, and MTP devices		Disallow external storage devices
99	Hardware	Audio Input			Microphone and Audio Input
100	Hardware	Audio Input			Prompt user to allow each time
101	Hardware	Audio Input			Disable audio input
102	Hardware	Audio Output			Speakers and Audio Output
103	Hardware	Audio Output			Enable audio output
104	Hardware	Audio Output			Disable audio output
105	Hardware	Video Input			Video Input
106	Hardware	Video Input			Enable video input
107	Hardware	Video Input			Disable video input
108	Hardware	Keyboard	Set default top-row key behavior		Treat top-row keys as media keys, but allow user to change
109	Hardware	Keyboard	Set default top-row key behavior		Treat top-row keys as function keys, but allow user to change
110
111
112
113
114


1	< Index
2	Setting	Impact	Mitigation	Category	Title	Sub Item	Option	Comments

3	Device	Inhibits	Account Monitoring and Control	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
4	Device	Supports	Account Monitoring and Control	Sign-in Settings	Single Sign-On Camera Permissions		Whitelist of single sign-on camera permissions	I know what you are thinking. Why would I want to give my login service camera access? If you do some research your next question will be What is all that is holy is a "clever badge?" [1] Well, this function allows your team member's to use the devices camera to support single sign on. Heck, if you really wanted to you could have it ping a 24 hour desk who knew what your team member's looked like and have them authenticate based upon a conversation that ensures that they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but, you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges
5	Device	Supports	Account Monitoring and Control	Sign-in Settings	Single Sign-On Cookie Behavior		Disable transfer of SAML SSO Cookies into team member session during login
6	Device	Supports	Account Monitoring and Control	Sign-in Settings	Single Sign-On Cookie Behavior		Enable transfer of SAML SSO Cookies into team member session during login
7	Device	Supports	Account Monitoring and Control	Sign-in Settings	Single Sign-On IdP Redirection		Allow user's to go directly to SAML SSO IdP page	This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).
8	Device	Supports	Account Monitoring and Control	Sign-in Settings	Single Sign-On IdP Redirection		Default. Take team member's to the default Google login page	This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).
9	Device	Supports	Account Monitoring and Control	User & Device Reporting	Device Reporting	Device State Reporting	Enable device state reporting	Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.
10	User	Supports	Account Monitoring and Control	Content	Client Certificates		Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	This option only makes the process easier. You still need to implement client side certificate checking on your services, and certificate management in your device provisioning process.
11	User	Inhibits	Account Monitoring and Control	Enrollment Controls	Device Enrollment		Keep Chrome device in current location
12	User	Requires	Account Monitoring and Control	Enrollment Controls	Device Enrollment		Place Chrome device in team member organization
13	Device	Inhibits	App Pinning	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
14	User	Requires	Blacklist(s)	Apps and Extensions	Allow or Block All Apps and Extensions		Allow all apps and extensions except the ones I block	Blacklist Problems
15	User	Requires	Blacklist(s)	Content	Images		Block Images on These Sites	See blacklisting problems under the blacklisting mitigation.
16	User	Requires	Blacklist(s)	Content	JavaScript		Block JavaScript on These Sites	See blacklisting problems under the blacklisting mitigation.
17	User	Requires	Blacklist(s)	Content	Plug-ins		Block Plug-ins on These Sites	See blacklisting problems under the blacklisting mitigation.
18	User	Requires	Blacklist(s)	Content	Pop-ups		Block Pop-ups on These Sites	See blacklisting problems under the blacklisting mitigation.
19	User	Requires	Blacklist(s)	Content	URL Blocking		URL Blacklist	A blacklist, with blacklist problems. But, while this is not directly relevant to the travel use case this is an easy enough field to fill up with 1000 common typosquatting for your domains [1]. With some research and lots of testing using your network logs this could also be used to block common practices in phishing attacks. Honestly, the only reason I am allowing this blacklist is because I think it would be fun to implement. [1] https://github.com/elceef/dnstwist
20	User	Requires	Blacklist(s)	Content	URL Blocking		URL Blacklist	See blacklisting problems under the blacklisting mitigation.
21	User	Supports	Blacklist(s)	Android applications	Access to Android applications		Do not allow	By allowing search initially you can implement a process where you collect the apps that are commonly used from your team member's to build out a whitelist. Then, you have a solid understanding of the full suite of apps that team member's want you can remove the ability to search and use a similar forced install & allowed installation candidate model as the one described in apps and extensions. [1] https://support.google.com/chrome/a/answer/7131624
22	User	Inhibits	Boundary Defense	User Experience	Multiple Sign-in Access		Managed team member must be the primary team member (secondary team member's are allowed)	Secondary accounts have access to policy-defined networks. This means you have accounts that are not entirely controlled with access to any internal networks that are defined. That's not cool.
23	User	Inhibits	Boundary Defense	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	Secondary accounts have access to policy-defined networks. This means you have accounts that are not entirely controlled with access to any internal networks that are defined. That's not cool.
24	Device	Supports	Chrome Remote Desktop	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.
25	Device	Supports	Chrome Remote Desktop	Enrollment & Access	Verified Mode		Require verified mode boot for Verified Access	Only if this is using verified access"
26	Device	Inhibits	Chrome Remote Desktop	Enrollment & Access	Verified Mode		Skip boot mode check for Verified Access	Only if this is using verified access"
27	Device	Supports	Chrome Remote Desktop	Other	USB Detachable Whitelist		List of VID:PID pairs	This let's you whitelist USB devices that can be accessed directly by applications. By default USB flash drives, webcam and headset are not redirected to applications. So, in order to allow a remote desktop or desktop virtualization software able to run off of a specific piece of hardware you have to approve that hardware in the interface. If you are going to be buying usb headsets for your staff to use when traveling, make sure you only get a few different kinds and then whitelist them here.
28	Device	Inhibits	Chrome Remote Desktop	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
29	User	Supports	Chrome Remote Desktop	User Verification	Verified Mode	Verified Mode Boot Check	Require verified mode boot for Verified Access	Only if this is using verified access"
30	User	Inhibits	Chrome Remote Desktop	User Verification	Verified Mode	Verified Mode Boot Check	Skip boot mode check for Verified Access	Only if this is using verified access"
31	User	Supports	Chrome Remote Desktop	Verified Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.
32	User	Supports	Chrome Remote Desktop	Apps and Extensions	Force-installed Apps and Extensions		Manage force-installed apps	If you want to be able to provide remote support using remote desktop with your travlers you will want to add Chrome Remote Desktop [1] to the apps available on the chromebook. This can be done in the recommended apps or through forces install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp
33	User	Supports	Chrome Remote Desktop	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	If you want to be able to provide remote support using remote desktop with your travlers you will want to add Chrome Remote Desktop [1] to the apps available on the chromebook. This can be done in the recommended apps or through forces install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp
34	User	Inhibits	Cohesive Security Tool Adoption	Android applications	Access to Android applications		Allow	With greater access to the world of Android applications in the Google play store you are likely to see tool divergence when you have distributed and/or largely independent team's. You want to make sure you have solid adoption of your core security tool set when opening up the app store for travel devices.
35	User	Inhibits	Cohesive Security Tool Adoption	Android applications	Account Management		Google account	By default, team member's can add a secondary account (for example, their personal gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This would circumvent any google app whitelisting that was put in place on the device.
36	User	Supports	Cohesive Security Tool Adoption	Android applications	Android applications on Chrome devices		Allow	This allows you to pick appropriate security tools for your team member's from a much larger, more secure, more function, and often more usable array of possible security tools.
37	User	Inhibits	Cohesive Security Tool Adoption	Android applications	Android applications on Chrome devices		Do not allow
38	User	Supports	Cohesive Security Tool Adoption	Apps and Extensions	Force-installed Apps and Extensions		Manage force-installed apps	Force installing apps is a way to ensure that team member's have access to a consistent baseline set of applications that they have been trained to use. These "baseline apps" should be the same apps that team member's are trained on and should be the ones that are supporting security policies and practices that are put in place.
39	User	Supports	Cohesive Security Tool Adoption	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	Use the url and title of the custom Chrome Web Store to help ensure team member's knows that this is the official recommendation of the administrators and/or security team. - By providing recommendations you can combat the tendency for splits in tool usage that are often caused by ad-hoc adoption of security tools by staff. This is important for a sustainable security program because the more varied the application usage within your team, the more complex your admin/security team's risk assessments will have to be.
40	User	Supports	Cohesive Security Tool Adoption	Chrome Web Store	Chrome Web Store Homepage		What should the collection name be?	Proper branding for your section will help guide team member's to look at these apps.
41	Device	Inhibits	Cohesive Security Tool Adoption	Sign-in Settings	Guest Mode		Allow guest mode	With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.
42	Device	Inhibits	Cohesive Security Tool Adoption	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
43	Device	Inhibits	Cohesive Security Tool Adoption	Sign-in Settings	team member Data		Erase all local team member data	This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.
44	User	Inhibits	Controlled Access Based On Need to Know	Enrollment Controls	Device Enrollment		Keep Chrome device in current location
45	User	Supports	Controlled Access Based On Need to Know	Enrollment Controls	Device Enrollment		Place Chrome device in team member organization
46	Device	Supports	Crisis Identification	User & Device Reporting	Inactive Device Notifications	Email addresses to receive notification reports	Email addresses to receive notification reports	Make sure that the people who see these know what they mean and that there are redundancies who has access so incidents don't get missed.
47	Device	Supports	Crisis Identification	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen.
48	Device	Supports	Crisis Identification	User & Device Reporting	Inactive Device Notifications	Inactive Range (days)	Inactive Range (days)	A shorter number of days gives you a quicker response, but it also creates a lot of noise. You should start low and build up a baseline you can use to set this to an appropriate value you can take action on.
49	Device	Supports	Crisis Identification	User & Device Reporting	Inactive Device Notifications	Notification Cadence (days)	Notification Cadence (days)	A shorter re-alert time shows chronic behavior, but it also creates a lot of noise. You should start low and build up a baseline you can use to set this to an appropriate value that you can take action on.
50	Device	Inhibits	Custom Chrome Web Store Homepage	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
51	User	Requires	Custom Chrome Web Store Homepage	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below
52	User	Requires	Custom Chrome Web Store Homepage	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use the 'For [YOUR_DOMAIN>TLD]' collection:
53	User	Requires	Custom Chrome Web Store Homepage	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use the default homepage
54	Device	Supports	Desktop Virtualization	Other	USB Detachable Whitelist		List of VID:PID pairs	This let's you whitelist USB devices that can be accessed directly by applications. By default USB flash drives, webcam and headset are not redirected to applications. So, in order to allow a remote desktop or desktop virtualization software able to run off of a specific piece of hardware you have to approve that hardware in the interface. If you are going to be buying usb headsets for your staff to use when traveling, make sure you only get a few different kinds and then whitelist them here.
55	Device	Inhibits	Desktop Virtualization	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
56	User	Requires	Desktop Virtualization	Security	Malicious Sites		Prevent team member from proceeding anyway to malicious sites	If your team member's are doing investigative research it might also make sense to allow them to proceed to malicious sites. But, even then they should likely not be using their primary device to do it. If they wish to use chromebooks for these use cases instead of their primary browser then a more locked down setup can be created, either on easily wipeable chromebooks or by setting up disposable VM's that they can remote into from their travel chromebook.
57	Device	Supports	Device Wiping	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.
58	Device	Supports	Device Wiping	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)
59	Device	Supports	Device Wiping	Sign-in Settings	Guest Mode		Allow guest mode	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.
60	Device	Supports	Device Wiping	Sign-in Settings	team member Data		Erase all local team member data	This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.
61	User	Supports	Device Wiping	Content	Cookies	Default Cookie Setting	Keep cookies for the duration of the session	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.
62	User	Supports	Device Wiping	Security	Idle Settings	Action on idle	Logout
63	User	Supports	Device Wiping	Security	Idle Settings	Action on lid close	Logout
64	User	Supports	Device Wiping	Security	Lock Screen		Do not allow locking screen	This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.
65	Device	Supports	Device Wiping	Other	Time Zone		Keep timezone as it is on device currently	This should default to the timezone that the device was reset at so this is the correct answer. traveler's should not be using devices that have not been fully reset to wipe all team member data and sessions from them in-between team member's.
66	Device	Inhibits	Emergency Communication Practices	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	If you are doing this make sure that you don't over-secure to the point where a team member cannot contact you in an emergency i.e. do greater contingency planning around stronger security like this if your team member's will have time-sensitive tasks that require access to data and services in complex environments.
67	User	Inhibits	Emergency Communication Practices	Verified Access	Verified Access		Enable for Enterprise Extensions	If you are doing this make sure that you don't over-secure to the point where a team member cannot contact you in an emergency i.e. do greater contingency planning around stronger security like this if your team member's will have time-sensitive tasks that require access to data and services in complex environments.
68	User	Supports	Encrypted External Storage devices	Hardware	External Storage devices		Allow external storage devices (read only)
69	User	Both	Encrypted External Storage devices	Hardware	External Storage devices		Allow external storage devices (read only)	This will make it impossible for the Traveler to load sensitive information while they are in country. But, with access to, and proper use of, a secured archive they should be able to protect data when in transit without the use of external devices.
70	User	Inhibits	Encrypted External Storage devices	Hardware	External Storage devices		Disallow external storage devices
71	Device	Supports	Encrypted online archive	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.
72	Device	Supports	Encrypted online archive	Enrollment & Access	Verified Mode		Require verified mode boot for Verified Access	Only if this is using verified access"
73	Device	Inhibits	Encrypted online archive	Enrollment & Access	Verified Mode		Skip boot mode check for Verified Access	Only if this is using verified access"
74	User	Supports	Encrypted online archive	User Verification	Verified Mode	Verified Mode Boot Check	Require verified mode boot for Verified Access	Only if this is using verified access"
75	User	Inhibits	Encrypted online archive	User Verification	Verified Mode	Verified Mode Boot Check	Skip boot mode check for Verified Access	Only if this is using verified access"
76	User	Supports	Encrypted online archive	Verified Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.
77	User	Requires	Enrollment Contact Policies	Enrollment Controls	Enrollment Permissions		Allow user's in this organization to enroll new or deprovisioned devices
78	User	Inhibits	External Enterprise Mobility Management Tool	Apps and Extensions	Task Manager		Allow user's to end processes with the Chrome task manager	This option is used to restrict a team member's ability to kill processes. It is commonly used by schools where the student is in an adversarial relationship with the system administrator. In our use-case we do not consider non-security focused restrictions. There is currently only one security focused reason I can think of to restrict team member access to the task manager. If we were using an external Enterprise mobility management tool (remote-wipe/control application) and we did not want malicious actors with physical access to be able to shut down those apps using the task manager. This document uses the G Suites built in EMM tools and permission management to deal with this. As such, we do not need to restrict task manager access.
79	User	Supports	External Enterprise Mobility Management Tool	Apps and Extensions	Task Manager		Block team member's from ending processes with the Chrome task manager
80	User	Supports	External Enterprise Mobility Management Tool	Security	Remote access clients		Remote Access Host Client Domain - Configure the required domain name for remote access clients.	In short, this will only allow registered team member's from your Google Apps domain to remotely access your traveler's chromebooks. If you have a remote access client that you use you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team member's from any domain.
81	Device	Requires	In-country alternative working software identification	Device Update Settings	Auto Update Settings	Auto Update	Allow auto-updates	Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.)
82	Device	Supports	In-country alternative working software identification	Sign-in Settings	Guest Mode		Allow guest mode	With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.
83	User	Supports	In-country alternative working software identification	Android applications	Access to Android applications		Allow	Being able to search for alternatives in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution.
84	User	Inhibits	In-country alternative working software identification	Android applications	Access to Android applications		Do not allow
85	User	Supports	In-country alternative working software identification	Android applications	Unknown Sources		Allow install from unknown sources	If team member's are traveling to countries that have requested that the security applications your team needs to use are removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/
86	User	Inhibits	In-country alternative working software identification	Android applications	Unknown Sources		Do not allow install from unknown sources
87	User	Inhibits	In-country alternative working software identification	Network	Proxy Settings		Always use the proxy auto-config specified below
88	User	Inhibits	In-country alternative working software identification	Network	Proxy Settings		Always use the proxy specified below
89	Device	Inhibits	In-Country Device Swapping	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	If you are doing this make sure that you don't over-secure to the point where a team member cannot get them set-up on another device if needed. i.e. do greater contingency planning around stronger security like this if your team member's will have time-sensitive tasks that require access to data and services in complex environments.
90	User	Inhibits	In-Country Device Swapping	Content	Client Certificates		Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	You will have to put a side-channel process in place for installing the certificate on the team member's device if you are using in-country device swapping.
91	User	Supports	In-Country Device Swapping	Enrollment Controls	Enrollment Permissions		Allow user's in this organization to enroll new or deprovisioned devices	This allows team member's who are traveling to purchase and add new devices on the fly. If a team member needs a replacement phone or chromebook they can purchase it in country and enroll it without intervention by a organizational admin.
92	User	Supports	In-Country Device Swapping	Hardware	External Storage devices		Allow external storage devices	External storage devices can be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (i.e. team member certs, etc.)
93	User	Supports	In-Country Device Swapping	Hardware	External Storage devices		Allow external storage devices (read only)	External storage devices can be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (i.e. team member certs, etc.)
94	User	Inhibits	In-Country Device Swapping	Hardware	External Storage devices		Disallow external storage devices	External storage devices can be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (i.e. team member certs, etc.)
95	User	Inhibits	In-Country Device Swapping	Verified Access	Verified Access		Enable for Enterprise Extensions	If you are doing this make sure that you don't over-secure to the point where a team member cannot get them set-up on another device if needed. i.e. do greater contingency planning around stronger security like this if your team member's will have time-sensitive tasks that require access to data and services in complex environments.
96	Device	Supports	Inventory of Authorized and Unauthorized devices	Device Update Settings	Auto Update Settings	Auto reboot after updates	Allow auto-reboots
97	Device	Inhibits	Inventory of Authorized and Unauthorized devices	Device Update Settings	Auto Update Settings	Auto reboot after updates	Disallow auto-reboots	If team member's are missing device updates that contain security updates because they avoid turning their devices off at all costs it can open up new attack vectors for fast moving advanced persistent adversaries.
98	Device	Supports	Inventory of Authorized and Unauthorized devices	Enrollment & Access	Forced Re-enrollment		Force device to re-enroll into this domain after wiping	This will allow you to enforce specific devices for specific types of domains
99	Device	Supports	Inventory of Authorized and Unauthorized devices	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.
100	Device	Supports	Inventory of Authorized and Unauthorized devices	Enrollment & Access	Verified Mode		Require verified mode boot for Verified Access	Only if this is using verified access"
101	Device	Inhibits	Inventory of Authorized and Unauthorized devices	Enrollment & Access	Verified Mode		Skip boot mode check for Verified Access	Only if this is using verified access"
102	Device	Inhibits	Inventory of Authorized and Unauthorized devices	User & Device Reporting	Device Reporting	Device State Reporting	Disable device state reporting
103	Device	Supports	Inventory of Authorized and Unauthorized devices	User & Device Reporting	Device Reporting	Device State Reporting	Enable device state reporting	Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.
104	Device	Supports	Inventory of Authorized and Unauthorized devices	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen.
105	User	Inhibits	Inventory of Authorized and Unauthorized devices	Enrollment Controls	Asset Identifier During Enrollment		Do not allow for team member's in this organization	Only on non-solo use cases. If you are an individual you don't need to track who has what hardware.
106	User	Supports	Inventory of Authorized and Unauthorized devices	Enrollment Controls	Asset Identifier During Enrollment		team member's in this organization can provide asset ID and location during enrollment	Only on non-solo use cases. If you are an individual you don't need to track who has what hardware.
107	User	Inhibits	Inventory of Authorized and Unauthorized devices	Enrollment Controls	Enrollment Permissions		Allow user's in this organization to enroll new or deprovisioned devices	Allowing team member's to register devices will make it harder for admins to control which devices are authorized on the network.
108	User	Supports	Inventory of Authorized and Unauthorized devices	Enrollment Controls	Enrollment Permissions		Do not allow team member's in this organization to enroll new or deprovisioned devices	This option provides a greater level of control over the devices that will be added to your domain. But, it also requires a greater amount of administrator availability to ensure that device enrolment does not impede the team's ability to add, and fully reset devices during travel.
109	User	Supports	Inventory of Authorized and Unauthorized devices	User Verification	Verified Mode	Verified Mode Boot Check	Require verified mode boot for Verified Access	Only if this is using verified access"
110	User	Inhibits	Inventory of Authorized and Unauthorized devices	User Verification	Verified Mode	Verified Mode Boot Check	Skip boot mode check for Verified Access	Only if this is using verified access"
111	User	Supports	Inventory of Authorized and Unauthorized devices	Verified Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.
112	User	Supports	Inventory of Authorized and Unauthorized Software	Android applications	Access to Android applications		Do not allow
113	User	Inhibits	Inventory of Authorized and Unauthorized Software	Android applications	Account Management		Google account	By default, team member's can add a secondary account (for example, their personal gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This would circumvent any google app whitelisting that was put in place on the device.
114	User	Supports	Inventory of Authorized and Unauthorized Software	Android applications	Android applications on Chrome devices		Allow	If you are restricting access to the google app store the same considerations found under apps and extensions apply here. While the documentation in this menu is not very clear about this fact, Android apps on chromebooks use a whitelist only model by default. (https://support.google.com/chrome/a/answer/7131624)
115	User	Requires	Inventory of Authorized and Unauthorized Software	Android applications	Android applications on Chrome devices		Allow	If you are restricting access to the google app store the same considerations found under apps and extensions apply here. While the documentation in this menu is not very clear about this fact, Android apps on chromebooks use a whitelist only model by default. (https://support.google.com/chrome/a/answer/7131624)
116	User	Inhibits	Inventory of Authorized and Unauthorized Software	Apps and Extensions	Allow or Block All Apps and Extensions		Allow all apps and extensions except the ones I block
117	User	Requires	Inventory of Authorized and Unauthorized Software	Apps and Extensions	Allow or Block All Apps and Extensions		Block all apps and extensions except the ones I allow
118	User	Requires	Inventory of Authorized and Unauthorized Software	Apps and Extensions	Allowed Types of Apps and Extensions		Chrome Packaged App
119	User	Requires	Inventory of Authorized and Unauthorized Software	Apps and Extensions	Allowed Types of Apps and Extensions		Extension
120	User	Requires	Inventory of Authorized and Unauthorized Software	Apps and Extensions	Allowed Types of Apps and Extensions		Google Apps Script
121	User	Requires	Inventory of Authorized and Unauthorized Software	Apps and Extensions	Allowed Types of Apps and Extensions		Hosted App
122	User	Requires	Inventory of Authorized and Unauthorized Software	Apps and Extensions	Allowed Types of Apps and Extensions		Legacy Packaged App
123	User	Requires	Inventory of Authorized and Unauthorized Software	Apps and Extensions	Allowed Types of Apps and Extensions		Theme
124	User	Requires	Inventory of Authorized and Unauthorized Software	Apps and Extensions	App and Extension Install Sources		List of URL Patterns
125	User	Supports	Inventory of Authorized and Unauthorized Software	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	I will choose which private apps and extensions to include.	This more restrictive option forces an additional administrative step when distributing web-apps to your travel devices. But, it does not increate the attack surface. If you do not have a team that is activly creating and sharing private web apps this is the easier and more secure option to choose.
126	User	Requires	Inventory of Authorized and Unauthorized Software	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	Include all private apps and extensions from my domain.
127	User	Inhibits	Inventory of Authorized and Unauthorized Software	Chrome Web Store	Chrome Web Store Permissions		Allow user's to publish private apps that are restricted to your domain on Chrome Web Store.
128	User	Inhibits	Inventory of Authorized and Unauthorized Software	Chrome Web Store	Chrome Web Store Permissions		Allow user's to skip verification for websites not owned
129	User	Inhibits	Maintenance, Monitoring, and Analysis of Audit Logs	User Experience	DNS Pre-fetching		Always pre-fetch DNS	If the team member is using a VPN into a network that I control and am logging DNS requests it will increase the noise on the network significantly. Even if they don't click on the URL I may spend my time tracking down DNS requests for possibly malicious sites.
130	Device	Both	Appropriate Organizational Identifiers	Enrollment & Access	Disabled device return instructions		Custom text to display	The disabled device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration.
131	Device	Both	Appropriate Organizational Identifiers	Sign-in Settings	Autocomplete Domain		Do not display an autocomplete domain on the sign in page
132	Device	Both	Appropriate Organizational Identifiers	Sign-in Settings	Autocomplete Domain		Use the domain name, set below, for autocomplete at sign in	If the domain that is used for travel accounts matches the domain of the organization and the organizational affiliation can be of issue for the traveler this will not force identification upon casual inspection of the device. ("domain shown" + "not welcome" + "unknown" + "domains =") = forced identification upon casual inspection which is bad ("domain shown" + "not welcome" + "known" + "domains =") = no impact.
133	Device	Both	Appropriate Organizational Identifiers	Sign-in Settings	Autocomplete Domain		Use the domain name, set below, for autocomplete at sign in	If the domain that is used for travel accounts does not match the domain of the organization and the organizational affiliation can be of issue for the traveler this will show alternate affiliation upon casual inspection of the device. If the border official knows the affiliation already, or the Traveler needs to show affiliation this can cause issues. (""domain shown"" + ""not welcome"" + ""known"" + ""domains !="") = ""they are 'hiding their identity' which proves they are up to no good"" [bad] (""domain shown"" + ""not welcome"" + ""unknown"" + ""domains !="") = does not expose team member affiliation upon casual inspection"
134	Device	Both	Appropriate Organizational Identifiers	Sign-in Settings	Sign-in Screen		Always show team member names and photos	There is no reason to go advertising a person's name and identity on a publicly facing surface of their device.
135	Device	Both	Appropriate Organizational Identifiers	Sign-in Settings	Sign-in Screen		Never show team member names and photos
136	Device	Both	Appropriate Organizational Identifiers	Sign-in Settings	Single Sign-On IdP Redirection		Allow user's to go directly to SAML SSO IdP page	This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).
137	User	Both	Appropriate Organizational Identifiers	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use the 'For [YOUR_DOMAIN>TLD]' collection:
138	User	Both	Appropriate Organizational Identifiers	Chrome Web Store	Chrome Web Store Homepage		What should the collection name be?
139	User	Requires	Appropriate Organizational Identifiers	User Experience	Managed Bookmarks		Managed Bookmarks	These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account.
140	Device	Supports	Multi-Factor Authentication	Sign-in Settings	Single Sign-On Camera Permissions		Whitelist of single sign-on camera permissions	I know what you are thinking. Why would I want to give my login service camera access? If you do some research your next question will be What is all that is holy is a "clever badge?" [1] Well, this function allows your team member's to use the devices camera to support single sign on. Heck, if you really wanted to you could have it ping a 24 hour desk who knew what your team member's looked like and have them authenticate based upon a conversation that ensures that they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but, you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges
141	User	Requires	Multi-Factor Authentication	Content	Client Certificates		Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	This option only makes the process easier. You still need to implement client side certificate checking on your services, and certificate management in your device provisioning process.
142	User	Inhibits	Multi-Factor Authentication	General	Smart Lock for Chrome		Allow Smart Lock for Chrome	Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature. We want multi-factor authentication for login to our travel devices. This removes a factor.
143	User	Supports	Multi-Factor Authentication	General	Smart Lock for Chrome		Do not allow Smart Lock for Chrome
144	Device	Supports	Needs Assessment (Apps)	User & Device Reporting	Device Reporting	Device team member Tracking	Enable tracking recent device user's	Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data.
145	User	Requires	Needs Assessment (Apps)	Content	Notifications		Allow These Sites to Show Desktop Notifications	Since I am, for once, willing to agree to the wholesale disabling of a feature it is only appropriate to note that once a needs assessment is done you can use a whitelist to add sites back in. If you survey your user base and they use notifications on a small number of specific websites this is an option that will allow you to support your team member's workflows without opening up this attack vector too widely. As with all the whitelist options this can get out of control and lead to team member frustration, so it should be done when there is low notification usage and/or a small team
146	User	Requires	Needs Assessment (Apps)	Content	Notifications	Notifications	Do not allow sites to show desktop notifications
147	User	Requires	Needs Assessment (Apps)	Content	Plug-ins		Allow Plug-ins on These Sites	if there is a small group of folks that need flash apps when they travel (I'm thinking of accountants and the hellish systems they are forced to use or people who have to interact with government websites) I would use the "allow plug-ins on these sites" option to limit where flash is allowed to run. Because it is soon to be deprecated it makes sense to maintain this whitelist even if it is a bit onerous for your administrator.
148	User	Requires	Needs Assessment (Apps)	Content	Plug-ins	Plug-ins	Block all plug-ins	Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)
149	User	Requires	Needs Assessment (Apps)	Content	Plugin Finder		Disable automatic search and installation of missing plugins	Chrome only allows one plugin, flash. So, if they need flash make sure it is installed.
150	User	Requires	Needs Assessment (Apps)	Content	Pop-ups		Allow Pop-ups on These Sites	If you have a small team and the admin team is very responsive when things are not working, and they are happy to take a midnight page about how someone's [bank, taxes, student loan] site is not working then you can do whitelisting.
151	User	Requires	Needs Assessment (Apps)	Content	Pop-ups	Pop-ups	Block all pop-ups	Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)
152	User	Requires	Needs Assessment (Apps)	Printing	Google Cloud Print Proxy		Allow using Chrome as a proxy for Google Cloud Print	This is only relevant for mac,windows,and linux. On chrome google cloud print should just work.
153	User	Requires	Needs Assessment (Apps)	Printing	Google Cloud Print Submission		Allow submission of documents to Google Cloud Print
154	User	Requires	Needs Assessment (Apps)	Printing	Google Cloud Print Submission		Disallow submission of documents to Google Cloud Print	"I was surprised to have something to consider in this section. Google cloud print offers a way to send a single hard-copy of a document to a remote location. Is there a use case for this as opposed to sending the digital file to a secure remote location that you don't have access to? This should be considered an equivalent level of security & privacy as other google services. "
155	User	Requires	Needs Assessment (Apps)	User Experience	Managed Bookmarks		Managed Bookmarks	It also is a way to ensure that team member's have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team member's to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phsihing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account.
156	User	Requires	Needs Assessment (Apps)	User Experience	Multiple Sign-in Access		Block multiple sign-in access for team member's in this organization	Without multiple-sign in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team member's logged in ""without having to sign out of their account and sign back in to another"". This one really depends on the workflow of your team member's.
157	User	Requires	Needs Assessment (Apps)	User Experience	Multiple Sign-in Access		Managed team member must be the primary team member (secondary team member's are allowed)	See "block multiple". With managed team member is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases.
158	User	Requires	Needs Assessment (Apps)	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	"Without multiple-sign in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team member's logged in ""without having to sign out of their account and sign back in to another"". This one really depends on the workflow of your team member's.
159	User	Requires	Needs Assessment (Apps)	Android applications	Access to Android applications		Allow	By allowing search initially you can implement a process where you collect the apps that are commonly used from your team member's to build out a whitelist. Then, you have a solid understanding of the full suite of apps that team member's want you can remove the ability to search and use a similar forced install & allowed installation candidate model as the one described in apps and extensions. [1] https://support.google.com/chrome/a/answer/7131624
160	User	Requires	Needs Assessment (Apps)	Apps and Extensions	Allow or Block All Apps and Extensions		Block all apps and extensions except the ones I allow	One strategy is to start with "allow all except blocked" and use an initial period of active use by your team member's to develop a list of apps and extensions that are used / desired by your team member's. Once you have a list of all of these apps you can add them to a custom web-store homepage and implement "block all except whitelisted" restrictions. This way team member's will have access to a trusted source immediately upon enabling a travel device and administrators will only have to be available to approve the use of new apps and extensions within your team member community.
161	Device	Inhibits	Private Apps	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
162	User	Inhibits	Private Apps	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	Include all private apps and extensions from my domain.
163	User	Requires	Private Apps	Chrome Web Store	Chrome Web Store Permissions		Allow user's to publish private apps that are restricted to your domain on Chrome Web Store.
164	Device	Inhibits	Project Specific GSuite Accounts	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
165	Device	Supports	Proof Of Inaccess	Enrollment & Access	Disabled device return instructions		Custom text to display	This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.
166	Device	Both	Proof Of Inaccess	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If a team member can only login to a travel account on this device it might help reenforce the level of lockdown that is done for traveler's. Requires that a google sub-organization uses a separate sub-domain.
167	Device	Both	Proof Of Inaccess	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If accounts other than the sub-org accounts can access it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device.
168	Device	Supports	Proof Of Inaccess	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
169	Device	Both	Proof Of Inaccess	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If a team member can only login to a travel account on this device it might help reenforce the level of lockdown that is done for traveler's. Requires that a google sub-organization uses a separate sub-domain.
170	Device	Both	Proof Of Inaccess	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If accounts other than the sub-org accounts can access it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device.
171	User	Supports	Proof Of Inaccess	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	I will choose which private apps and extensions to include.	A private apps could include a simple web app that links to the travel policy. This would be another way of ensuring that a team member who is forced to unlock and provide their device to easily show "proof of inaccess."
172	User	Supports	Proof Of Inaccess	Content	Client Certificates		Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device.
173	User	Supports	Proof Of Inaccess	General	Avatar		Upload Avatar File	Custom Avatar is one of the ways to provide a "managed" indicator to help your staff prove that they are not able to access personal & sensitive content
174	User	Supports	Proof Of Inaccess	General	Wallpaper		Upload Wallpaper File	Can be set to the travel policy // rules. Make this look like the overbearing IT / security team to make it clear to border officials that the team member is not in control of their account. Especially useful if the "restrictions" are very clearly laid out so the border control can understand in seconds that this is a waste of their time and beyond the control of the individual.
175	User	Requires	Proof Of Inaccess	Security	Browser History		Never save browser history	This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be upon ever logout. But, an empty search history can raise suspicion.
176	User	Supports	Proof Of Inaccess	Startup	Home Button		Always show 'Home' button	This, when combined with a default homepage with the "device usage rules" and proper team member training can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give their password they can simply inform the border guard to click on the homepage button to see IT's policy and prove that you don't have access.
177	User	Supports	Proof Of Inaccess	Startup	Homepage		Homepage is always the Homepage URL, set below	This has to be set for the "always show home button" option in [Startup > Home Button] to work.
178	User	Inhibits	Proof Of Inaccess	Startup	Homepage		Homepage is always the new tab page	This can't to be set for the "always show home button" option in [Startup > Home Button] to work.
179	User	Supports	Proof Of Inaccess	Startup	Pages to Load on Startup		Pages to Load on Startup	For even more forceful proof of inaccess the IT policies could be put in a page to load on startup. This would mean that a border guard who was just provided the login credentials would still immediately encounter the IT Policies.
180	User	Both	Proof Of Inaccess	User Experience	Bookmark Bar		Allow user to decide whether to enable bookmark bar	Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one.
181	User	Supports	Proof Of Inaccess	User Experience	Managed Bookmarks		Managed Bookmarks	Managed bookmarks is another way for a Traveler to provide "proof of inaccess" without having every interface on their device covered in warnings. They can simply tell the border guard to look at the travel device policy in their bookmarks.
182	User	Supports	Proof Of Inaccess	User Experience	Managed Bookmarks		Managed Bookmarks Folder Name	For proof of inaccess it could be valuable to name this something official.
183	User	Inhibits	Proof Of Inaccess	User Experience	Multiple Sign-in Access		Block multiple sign-in access for team member's in this organization	Multiple accounts logged in on a device raises questions about the legitimacy of proof of inaccess provided by a user.
184	User	Inhibits	Proof Of Inaccess	User Experience	Multiple Sign-in Access		Managed team member must be the primary team member (secondary team member's are allowed)	Multiple accounts logged in on a device also raises questions about the legitimacy of proof of inaccess provided by a user."
185	User	Inhibits	Proof Of Inaccess	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	Multiple accounts logged in on a device also raises questions about the legitimacy of proof of inaccess provided by a user."
186	User	Supports	Remote Access Management	Security	Remote access clients		Remote Access Host Client Domain - Configure the required domain name for remote access clients.	In short, this will only allow registered team member's from your Google Apps domain to remotely access your traveler's chromebooks. If you have a remote access client that you use you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team member's from any domain.
187	User	Supports	Remote Access Management	Apps and Extensions	Force-installed Apps and Extensions		Manage force-installed apps	If you want to be able to provide remote support using remote desktop with your travlers you will want to add Chrome Remote Desktop [1] to the apps available on the chromebook. This can be done in the recommended apps or through forces install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp
188	User	Supports	Remote Access Management	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	If you want to be able to provide remote support using remote desktop with your travlers you will want to add Chrome Remote Desktop [1] to the apps available on the chromebook. This can be done in the recommended apps or through forces install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp
189	Device	Supports	Secure Traffic Tunneling	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.
190	Device	Supports	Secure Traffic Tunneling	Enrollment & Access	Verified Mode		Require verified mode boot for Verified Access	Only if this is using verified access"
191	Device	Inhibits	Secure Traffic Tunneling	Enrollment & Access	Verified Mode		Skip boot mode check for Verified Access	Only if this is using verified access"
192	Device	Supports	Secure Traffic Tunneling	Other	System timezone automatic detection		Always send WiFi access-points to server while resolving timezone	This is information that google collects and stores with your data according to its privacy policy. I don't go into much other information google collects because of our assumptions. But, this one has some really serious meta-data attached to it that is constantly being collected. https://www.google.com/policies/privacy/#infocollect
193	Device	Inhibits	Secure Traffic Tunneling	Other	System timezone automatic detection		Always use coarse timezone detection	This uses the IP-only method of figuring out your local time zone. VPN's and Tor can cause problems here so if you are having your team member's use secure tunnels you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.
194	Device	Inhibits	Secure Traffic Tunneling	Sign-in Settings	Guest Mode		Allow guest mode	With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.
195	Device	Inhibits	Secure Traffic Tunneling	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
196	User	Supports	Secure Traffic Tunneling	Network	Proxy Settings		Always use the proxy auto-config specified below	If you are using a PAC file make sure that you are using a secure connection to your proxy. https://www.chromium.org/developers/design-documents/secure-web-proxy"
197	User	Both	Secure Traffic Tunneling	Network	Proxy Settings		Never use a proxy	If you don't have a secure proxy set up then use this option and use forced apps to install a VPN.
198	User	Inhibits	Secure Traffic Tunneling	User Experience	Multiple Sign-in Access		Managed team member must be the primary team member (secondary team member's are allowed)	With managed team member is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases.
199	User	Inhibits	Secure Traffic Tunneling	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	Secondary accounts have access to policy-defined networks. This means you have accounts that are not entirely controlled with access to any internal networks that are defined. That's not cool.
200	User	Supports	Secure Traffic Tunneling	User Verification	Verified Mode	Verified Mode Boot Check	Require verified mode boot for Verified Access	Only if this is using verified access"
201	User	Inhibits	Secure Traffic Tunneling	User Verification	Verified Mode	Verified Mode Boot Check	Skip boot mode check for Verified Access	Only if this is using verified access"
202	User	Supports	Secure Traffic Tunneling	Verified Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.
203	Device	Requires	Security Awareness and Training	Enrollment & Access	Disabled device return instructions		Custom text to display	This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.
204	Device	Requires	Security Awareness and Training	Other	System timezone automatic detection		Let team member's decide	The IP-only method of figuring out your local time zone can get messed up by VPN's and Tor. So if you are having your team member's use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.
205	Device	Requires	Security Awareness and Training	Other	System timezone automatic detection		Never auto-detect timezone	The IP-only method of figuring out your local time zone can get messed up by VPN's and Tor. So if you are having your team member's use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.
206	Device	Requires	Security Awareness and Training	Power & Shutdown	Power Management		Do not allow device to sleep/shut down when idle on the sign-in screen	Power down on idle is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.
207	Device	Requires	Security Awareness and Training	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)
208	Device	Requires	Security Awareness and Training	Sign-in Settings	Guest Mode		Allow guest mode	With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.
209	Device	Requires	Security Awareness and Training	Sign-in Settings	Guest Mode		Do not allow guest mode	Not providing a way for the team member to browser in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions it takes much greater knowledge about where that history is saved to clear it out without modes like this.
210	Device	Requires	Security Awareness and Training	User & Device Reporting	Inactive Device Notifications	Email addresses to receive notification reports	Email addresses to receive notification reports	Make sure that the people who see these know what they mean and that there are redundancies who has access so incidents don't get missed.
211	User	Requires	Security Awareness and Training	Android applications	Access to Android applications		Allow	You want to make sure that your team member's understand what security requirements they have and what the correct tools are for those use cases when opening up the app store for travel devices. A team member who decides to seek out a new app from the full app-store because the supported app stopped working (censorship, etc) or because someone told them of a new app with "military grade encryption" you want to make sure they are making smart choices.
212	User	Requires	Security Awareness and Training	Android applications	Android applications on Chrome devices		Allow	Adding android applications opens up a range of possibilities for making the chromebook more useful, usable, and more secure for your team member's. It can also considerably increase the attack surface you have to contend with. As such, it will take security awareness building and hands on guidance to get the benefits from adding this.
213	User	Requires	Security Awareness and Training	Android applications	Unknown Sources		Allow install from unknown sources	Since Google apps does not yet provide the ability add your own signing key or other way of approving specific unknown sources the administrator does not have the ability to remotely protect against an adversary installing malicious/monitoring apps when this feature is enabled. Enabling this feature forces the team member to take more responsibility for the security of their devices. - They will need to be more careful about protecting access to their device. - They will have to be mindful about the possible security concerns with applications they install. To support this an administrator should make sure that they have a application submission pipeline built where team member's can submit links to applications they want to install for review by the administration/security team.
214	User	Supports	Security Awareness and Training	Apps and Extensions	Pinned Apps and Extensions		Manage pinned apps	Pinning baseline security apps will make them more visible and encourage use.
215	User	Requires	Security Awareness and Training	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	You will, of course, have to make sure you inform the team member about the web store or they won't know to look for it, and will likely not know to trust it when they do see it.
216	User	Requires	Security Awareness and Training	Chrome Web Store	Chrome Web Store Homepage		What should the collection name be?	The Admin will need to also make sure that team member's are well informed about the existence of this recommended apps section. They will likely not find it on their own because they will not be looking for it.
217	User	Requires	Security Awareness and Training	Content	Cookies	Default Cookie Setting	Allow user to configure	With team member's with greater security awareness and/or aptitude who are going to multiple different threat environments this can be a useful option.
218	User	Requires	Security Awareness and Training	Content	Cookies		Block Cookies for URL Patterns	This is a way to enforce that the chromebook browser does not save persistent cookies for sites with sensitive data when using travel devices without having to remove cookies for all team member's server side. You can allow cookies globally so that the team member can save cookies and logins for convenience sites, but have the session cookies for pre-determined sensitive sites blocked (i.e. the secure data repository, organizaiton data logins, etc.)
219	User	Requires	Security Awareness and Training	Content	Google Drive Syncing		Allow user to decide whether to use Google Drive syncing	As with other team member controlled interventions this requires building the team member's security awareness to the point where they don't store sensitive documents within this folder.
220	User	Requires	Security Awareness and Training	Content	Google Drive Syncing		Enable Google Drive syncing	As with other team member controlled interventions this requires building the team member's security awareness to the point where they don't store sensitive documents within this folder.
221	User	Requires	Security Awareness and Training	Content	Images	Images	Allow user to configure	You will want to inform team member's of the benefits of this option in low connectivity regions where the team member might want to configure it themself to save on bandwidth when using the internet. If you don't they are not going to find it themselves.
222	User	Requires	Security Awareness and Training	Content	JavaScript	JavaScript	Allow sites to run JavaScript	They will have to be trained how to use the JS blocking extension.
223	User	Requires	Security Awareness and Training	Content	JavaScript	JavaScript	Allow user to configure
224	User	Requires	Security Awareness and Training	Content	Notifications	Notifications	Allow sites to show desktop notifications
225	User	Requires	Security Awareness and Training	Content	Notifications	Notifications	Allow user to configure
226	User	Requires	Security Awareness and Training	Content	Notifications	Notifications	Always ask the team member if a site can show desktop notifications
227	User	Requires	Security Awareness and Training	Content	Outdated Plugins		Ask user for permission to run outdated plugins
228	User	Requires	Security Awareness and Training	Content	Plug-ins	Plug-ins	Allow user to configure
229	User	Requires	Security Awareness and Training	Content	Plugin Authorization		Ask for user permission before running plugins that require authorization	Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.
230	User	Requires	Security Awareness and Training	Content	Pop-ups	Pop-ups	Allow user to configure	Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)
231	User	Requires	Security Awareness and Training	Content	Third-Party Cookie Blocking		Allow user to decide whether to allow third-party cookies	This is another fingerprinting threat, and therefore not relevant for this context.
232	User	Requires	Security Awareness and Training	General	Smart Lock for Chrome		Allow Smart Lock for Chrome	Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature. We want multi-factor authentication for login to our travel devices. This removes a factor. If you are going to do this you will need a significant amount of user training.
233	User	Requires	Security Awareness and Training	Network	Proxy Settings		Never use a proxy	They will have to know when, and how, to use a VPN.
234	User	Requires	Security Awareness and Training	Omnibox Search Provider	Omnibox Search Provider		Allow user to select the Omnibox Search Provider
235	User	Requires	Security Awareness and Training	Omnibox Search Provider	Search Suggest		Allow user to configure
236	User	Requires	Security Awareness and Training	Printing	Google Cloud Print Submission		Allow submission of documents to Google Cloud Print	"I was surprised to have something to consider in this section. Google cloud print offers a way to send a single hard-copy of a document to a remote location. Is there a use case for this as opposed to sending the digital file to a secure remote location that you don't have access to? This should be considered an equivalent level of security & privacy as other google services. "
237	User	Requires	Security Awareness and Training	Security	Browser History		Always save browser history
238	User	Requires	Security Awareness and Training	Security	Clear Browser History		Allow clearing history in settings menu
239	User	Requires	Security Awareness and Training	Security	Geolocation		Allow user to configure	Giving a team member a one click ability to enable geolocation saps them of the ability to make choices about which future apps and sites should have geolocation access. But, these types of one-click decisions are often the choice that is made by a frustrated, jet-lagged, and stressed team member that is attempting to get their applications working more easily. As such, I have chosen "always asking" over the team member configuration option.
240	User	Inhibits	Security Awareness and Training	Security	Idle Settings	Lock screen on sleep	Don't Lock Screen
241	User	Requires	Security Awareness and Training	Security	Idle Settings		Idle time in minutes (leave empty for system default)	When searching for common complaints about chromebooks the short time until the system idles is a very common complaint. Adding a base idle time will ensure your team member's have a consistent experience across devices (idle time varies by device). But, making this too short will be counterproductive. Building security awareness to the level that you are confident that team member's are locking the screen when they walk away from their computer will be a more valuable intervention and less likely to push a team member to find ways to circumvent the security (e.g. using personal devices).
242	User	Inhibits	Security Awareness and Training	Security	Idle Settings	Lock screen on sleep	Lock Screen
243	User	Inhibits	Security Awareness and Training	Security	Idle Settings	Action on idle	Logout
244	User	Inhibits	Security Awareness and Training	Security	Idle Settings	Action on lid close	Logout
245	User	Inhibits	Security Awareness and Training	Security	Idle Settings	Action on idle	Sleep	You should not use the sleep action on idle unless it also locks the screen. It gives the appearance of a countermeasure without providing a countermeasure. With an appropriately long idle time and good logout security practices being used by your team member's there is no reason to have devices sleep on idle without locking.
246	User	Inhibits	Security Awareness and Training	Security	Idle Settings	Action on lid close	Sleep	You should not use the sleep action on idle unless it also locks the screen. It gives the appearance of a countermeasure without providing a countermeasure. With an appropriately long idle time and good logout security practices being used by your team member's there is no reason to have devices sleep on idle without locking.
247	User	Supports	Security Awareness and Training	Security	Incognito Mode		Allow incognito mode	Teaching traveler's how not create histories with sensitive links and information using incognito mode means that they don't have to go about trying to erase it later.
248	User	Requires	Security Awareness and Training	Security	Malicious Sites		Allow user to proceed anyway to malicious sites	"This should not be enabled until you have tested how often malicious site warnings appear for your team member base during a testing period. This is because there are reports of critical travel sites, like hotel portals, being flagged as malicious. [1] [1] https://twitter.com/brettmorrison/status/891804686579359745"
249	User	Requires	Security Awareness and Training	Security	Password Manager		Allow user to configure	In environments where team member's are allowed to use the password manager it is important to have properly built their security awareness to understand the security implications of saving passwords for different types of accounts.
250	User	Requires	Security Awareness and Training	Security	Password Manager		Always allow use of password manager	In environments where team member's are allowed to use the password manager it is important to have properly built their security awareness to understand the security implications of saving passwords for different types of accounts.
251	User	Requires	Security Awareness and Training	Security	Safe Browsing		Allow user to decide whether to use Safe Browsing	Providing privacy concerned team member's information about the actual implementation of this feature should ease any of their privacy worries about this feature. If it does not then a team member may be convinced once you explain to them the personal effort they will have to exert to gain the same level of security without safe browsing enabled.
252	User	Inhibits	Security Awareness and Training	Session Settings	Show Logout Button in Tray		Does not show logout button in tray
253	User	Supports	Security Awareness and Training	Session Settings	Show Logout Button in Tray		Show logout button in tray	Make it easy for team member's to follow the appropriate logout practices.
254	User	Requires	Security Awareness and Training	Startup	Home Button		Allow user to configure
255	User	Requires	Security Awareness and Training	Startup	Home Button		Always show 'Home' button	This, when combined with a default homepage with the "device usage rules" and proper team member training can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give their password they can simply inform the border guard to click on the homepage button to see IT's policy and prove that you don't have access.
256	User	Requires	Security Awareness and Training	Startup	Homepage		Allow user to configure
257	User	Requires	Security Awareness and Training	User Experience	Bookmark Editing		Enable bookmark editing	Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks.
258	User	Requires	Security Awareness and Training	User Experience	DNS Pre-fetching		Allow user to configure
259	User	Requires	Security Awareness and Training	User Experience	Download Location		Local Downloads folder, but allow team member to change	By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.
260	User	Requires	Security Awareness and Training	User Experience	Download Location		Set Google Drive as default, but allow team member to change	By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.
261	User	Requires	Security Awareness and Training	User Experience	Form Auto-fill		Allow user to configure	See all the previous comments about giving team member's the power to increase their security without breaking their workflow.
262	User	Requires	Security Awareness and Training	User Experience	Google Translate		Allow user to configure
263	User	Requires	Security Awareness and Training	User Experience	Managed Bookmarks		Managed Bookmarks	It also is a way to ensure that team member's have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team member's to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phsihing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account.
264	User	Requires	Security Awareness and Training	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling.
265	User	Requires	Security Awareness and Training	User Experience	Spell Check Service		Allow user to decide whether to use the spell checking web service	Like many other information leaks in chrome this is very threat-model specific. But, as with those, it is important to allow for team member's with greater security needs to add those controls without destroying the workflow of others.
266	Device	Inhibits	Temporary G Suite Accounts	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
267	Device	Supports	Traveler Sub-Organization(s)	Enrollment & Access	Forced Re-enrollment		Device is not forced to re-enroll after wiping	This will allow a team member to switch over to another sub-organization mid-trip while using the same device. An example would be switching from a low threat to a high threat environment mid trip. The team member may want greater functionality early on, and then want to lock down their device before going into the next country.
268	Device	Inhibits	Traveler Sub-Organization(s)	Enrollment & Access	Forced Re-enrollment		Force device to re-enroll into this domain after wiping	If a team member needs to switch over to another sub-organization mid-trip while using the same device this would prohibit that switch. An example would be switching from a low threat to a high threat environment mid trip. The team member may want greater functionality early on, and then want to lock down their device before going into the next country.
269	Device	Inhibits	Traveler Sub-Organization(s)	Sign-in Settings	Guest Mode		Allow guest mode	With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.
270	Device	Requires	Traveler Sub-Organization(s)	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If a team member can only login to a travel account on this device it might help reenforce the level of lockdown that is done for traveler's. Requires that a google sub-organization uses a separate sub-domain.
271	Device	Inhibits	Traveler Sub-Organization(s)	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
272	Device	Requires	Traveler Sub-Organization(s)	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If a team member can only login to a travel account on this device it might help reenforce the level of lockdown that is done for traveler's. Requires that a google sub-organization uses a separate sub-domain.
273	User	Inhibits	Traveler Sub-Organization(s)	Network	WebRTC UDP Ports		Maximum port (1024-65535)	Could be useful if webrtc is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device specific configuration for the team member's going there.
274	User	Inhibits	Traveler Sub-Organization(s)	Network	WebRTC UDP Ports		Minimum port (1024-65535)	Could be useful if webrtc is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device specific configuration for the team member's going there.
275	User	Requires	Traveler Sub-Organization(s)	Security	Malicious Sites		Prevent team member from proceeding anyway to malicious sites	If your team member's are doing investigative research it might also make sense to allow them to proceed to malicious sites. But, even then they should likely not be using their primary device to do it. If they wish to use chromebooks for these use cases instead of their primary browser then a more locked down setup can be created, either on easily wipeable chromebooks or by setting up disposable VM's that they can remote into from their travel chromebook.
276	User	Requires	Webcam cover	Hardware	Video Input		Enable video input
277	Device	Inhibits	Whitelist(s)	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
278	User	Requires	Whitelist(s)	Apps and Extensions	App and Extension Install Sources		List of URL Patterns	A whitelist of apps can be valuable for preventing team member's from installing malicious apps and extensions that are masquerading as a team member's desired application. [We are already combatting this slightly by seeding the web-store with links to commonly used apps and extensions.] As stated elsewhere, Whitelisting requires a greater amount of administrator availability to ensure that the wait for new additions to the whitelist does not impede the team's ability to accomplish their work.
279	User	Requires	Whitelist(s)	Content	Cookies		Allow Session-Only Cookies for URL Patterns	Whitelisting problems: You might create a VERY broad URL pattern for this to allow session cookies for large swaths of the internet when persistent cookies are otherwise blocked. Of course, like with the other cookie whitelists if you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.
280	User	Requires	Whitelist(s)	Content	Images		Show Images on These Sites	Whitelisting problems
281	User	Requires	Whitelist(s)	Content	JavaScript		Allow These Sites to Run JavaScript	Whitelisting problems
282	User	Requires	Whitelist(s)	Content	Plug-ins		Allow Plug-ins on These Sites	Whitelisting problems
283	User	Requires	Whitelist(s)	Content	Pop-ups		Allow Pop-ups on These Sites	Another whitelist with all the whitelist problems. But, popups are SO prevalent that this is even worse than most. If you have a small team and the admin team is very responsive when things are not working, and they are happy to take a midnight page about how someone's [bank, taxes, student loan] site is not working then you can do whitelisting.
284	User	Requires	Whitelist(s)	Apps and Extensions	Allowed Types of Apps and Extensions		Chrome Packaged App
285	User	Requires	Whitelist(s)	Apps and Extensions	Allowed Types of Apps and Extensions		Extension
286	User	Requires	Whitelist(s)	Apps and Extensions	Allowed Types of Apps and Extensions		Google Apps Script
287	User	Requires	Whitelist(s)	Apps and Extensions	Allowed Types of Apps and Extensions		Hosted App
288	User	Requires	Whitelist(s)	Apps and Extensions	Allowed Types of Apps and Extensions		Legacy Packaged App
289	User	Requires	Whitelist(s)	Apps and Extensions	Allowed Types of Apps and Extensions		Theme
290	User	Supports	Whitelist(s)	Android applications	Access to Android applications		Allow	By allowing search initially you can implement a process where you collect the apps that are commonly used from your team member's to build out a whitelist. Then, you have a solid understanding of the full suite of apps that team member's want you can remove the ability to search and use a similar forced install & allowed installation candidate model as the one described in apps and extensions. [1] https://support.google.com/chrome/a/answer/7131624
291	User	Supports	Whitelist(s)	Content	Cookies		Allow Cookies for URL Patterns	If you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.
292	User	Requires	Whitelist(s)	Apps and Extensions	App and Extension Install Sources		List of URL Patterns	If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used, but are not included in Google Play..
293	Device	Supports	Whitelist(s)	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	This initial setup and ongoing maintenance of the Chrome Web Store Recommendations will take effort, but it will help centralize secure app recommendations in one place.
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141


1	User	Impact ↧	App Store App Blocking/Restriction	Android applications	Unknown Sources		Allow install from unknown sources	If team member's are traveling to countries that have requested that the security applications your team needs to use are removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/	Obstruction
2	User	Impact ↥	App Store App Blocking/Restriction	Android applications	Unknown Sources		Do not allow install from unknown sources		Obstruction
3	User	Impact ↧	Application/Protocol Blocking	Android applications	Access to Android applications		Allow	When communication apps are censored being able to search for alternative working secure communication apps in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution.	Obstruction
4	Device	Likelihood ↥	Application/Protocol Blocking	Device Update Settings	Auto Update Settings	Auto Update	Allow auto-updates	Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.)	Obstruction
5	Device	Likelihood ↧	Application/Protocol Blocking	Device Update Settings	Auto Update Settings	Auto Update	Stop auto-updates	Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.)	Obstruction
6	User	Impact ↧	Application/Protocol Blocking	Network	QUIC Protocol		Enabled	QUIC has the same security properties as HTTP/S. It also has the added perk of getting around basic HTTP/S protocol blocking. A device with QUIC enabled, connecting to a service that supports QUIC, will fallback to QUIC when HTTP/S is blocked. It is not a "real" circumvention protocol, but it does make connections just a small bit more resilient to HTTP/S blocking - https://twitter.com/seamustuohy/status/805474243509186561	Obstruction
7	User	Impact ↧	Application/Protocol Blocking	Network	WebRTC UDP Ports		Maximum port (1024-65535)	Could be useful if webrtc is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device specific configuration for the team member's going there.	Obstruction
8	User	Impact ↧	Application/Protocol Blocking	Network	WebRTC UDP Ports		Minimum port (1024-65535)	Could be useful if webrtc is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device specific configuration for the team member's going there.	Obstruction
9	User	Likelihood ↥	Certificate Spoofing	Security	Local Trust Anchors Certificates	Local Anchors Common Name Fallback	Allow	Setting this to allow can allow the name constraints certificate extension to be bypassed. Just follow best practice and block it. You will have to follow proper cert provisioning within your organization for private services. But, is that really too much to ask? - https://blogs.technet.microsoft.com/pki/2014/03/05/constraints-what-they-are-and-how-theyre-used/ - https://www.sysadmins.lv/blog-en/x509-name-constraints-certificate-extension-all-you-should-know.aspx	Deception
10	User	Likelihood ↥	Certificate Spoofing	Security	Local Trust Anchors Certificates	Local Anchors Sha1	Allow SHA-1 for local trust anchors	Sometimes you just have to follow best practice - https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html	Deception
11	User	Likelihood ↧	Certificate Spoofing	Security	Local Trust Anchors Certificates	Local Anchors Common Name Fallback	Block	Sometimes you just have to follow best practice	Deception
12	User	Impact ↧	Circumvention Tech Regulated	Android applications	Unknown Sources		Allow install from unknown sources	If team member's are traveling to countries that have requested that the security applications your team needs to use are removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/	Legal
13	User	Impact ↥	Circumvention Tech Regulated	Android applications	Unknown Sources		Do not allow install from unknown sources		Legal
14	User	Likelihood ↥	Circumvention Tech Regulated	Apps and Extensions	Force-installed Apps and Extensions		Manage force-installed apps	If you have a team that travels internationally be mindful of "cyber laws" around the import and/or use of specific types of encryption and/or circumvention technologies. A team member *cannot uninstall forced apps. You may want to move some of these force-installed apps to the "recommended apps section of the web store" if your team member's are commonly traveling to a country where the technology those apps use is illegal.	Legal
15	User	Impact ↥	Compromised Account	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	Include all private apps and extensions from my domain.	If this option is selected AND team member's are given permission to publish private apps [See "Chrome Web Store Permissions"] this can increase our attack surface.	Surveillance
16	User	Impact ↥	Compromised Account	Chrome Web Store	Chrome Web Store Permissions		Allow user's to publish private apps that are restricted to your domain on Chrome Web Store.	If you allow team member's to publish private apps then a malicious actor who gets a hold of one of the devices can privately publish a malicious app and deliver it to your other team member's. By leveraging a compromised account to publish a private app to others within the google apps domain a malicious team member can increase the team member trust in the app they are receiving. If the team member account of admin is compromised and used in this way it can gain even more weight because it can be masqueraded as a directive from the admin/security team.The adversary can even hide their private app from administrators and other team member's through Google's built in app targeting system. They can publish an app targeting a specific country or even specific device models.	Surveillance
17	User	Impact ↥	Compromised Account	Chrome Web Store	Chrome Web Store Permissions		Allow user's to skip verification for websites not owned	This turns off the app verification feature that warns team member's when they are installing potentially harmful apps. This just amplifies the likelihood of a team member installing one of these apps if an adversary gains access to a team member account and begins spear phishing other team member's to install the private apps.	Surveillance
18	User	Impact ↧	Compromised Account	Content	Client Certificates		Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device.	Surveillance
19	User	Impact ↧	Compromised Account	Content	Client Certificates		Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	Client certs will only allow a device with a valid certificate installed on it to connect to a service. I'm not going to go in depth about it here. But, it means that if a travel team member's username and password are compromised for any account the attacker will also need to have access to a device with that team member's certs installed.	Surveillance
20	Device	Impact ↧	Compromised Account	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team member's, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.	Surveillance
21	User	Likelihood ↥	Compromised Account	Enrollment Controls	Enrollment Permissions		Allow user's in this organization to enroll new or deprovisioned devices	This allows anyone with a team member's credentials to register a new device as that user. An adversary who forces a team member to provide their credentials could then register a different device, provide the team member the original device, and keep this new device on, and registered, to surveil the team member's actions.	Surveillance
22	Device	Impact ↧	Compromised Account	Sign-in Settings	Guest Mode		Allow guest mode	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	Surveillance
23	Device	Likelihood ↥	Compromised Account	Sign-in Settings	Single Sign-On Cookie Behavior		Enable transfer of SAML SSO Cookies into team member session during login	This allows your single sign on credentials to be saved across different logins. It ties the security of your internal services to the security of the chrome login. Which, if you are this far into this document is likely to be fine. But, it does mean that if the chrome travel account credentials are identified, but the SSO credentials are not, an adversary can't get past the chrome login to access your internal systems.	Surveillance
24	User	Impact ↥	Compromised Account	User Experience	Download Location		Force Google Drive		Surveillance
25	User	Impact ↥	Compromised Account	User Experience	Download Location		Set Google Drive as default, but allow team member to change		Surveillance
26	User	Impact ↧	Compromised Account	Verified Access	Verified Access		Enable for Enterprise Extensions	If you have the resources to implement verified access on your enterprise systems (VPN's, file-servers, etc.) this will only allow specific team members, on specific enrolled devices which are running in their normal state to access those services. This is the type of security that I would like to run around the travelers sensitive information archives and any other services that contain sensitive data.	Surveillance
27	User	Likelihood ↥	Compromised Device	Android applications	Access to Android applications		Allow	Adding android applications opens up a range of possibilities for making the chromebook more useful & usable for your team member's and more secure. It can also considerably increase the attack surface you have to contend with.	Surveillance
28	User	Likelihood ↥	Compromised Device	Android applications	Account Management		Google account	By default, team member's can add a secondary account (for example, their personal gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This would circumvent any google app whitelisting that was put in place on the device.	Surveillance
29	User	Likelihood ↥	Compromised Device	Android applications	Unknown Sources		Allow install from unknown sources	This can considerably increase the attack surface you have to contend with. There are currently less controls in place for android applications than there are for apps and extensions.	Surveillance
30	User	Likelihood ↥	Compromised Device	Android applications	Unknown Sources		Allow install from unknown sources	Adding the ability to install untrusted apps does significantly increase the possible attack surface. Since Google apps does not yet provide the ability add your own signing key or other way of approving specific unknown sources the administrator does not have the ability to remotely protect against an adversary installing malicious/monitoring apps when this feature is enabled.	Surveillance
31	User	Likelihood ↧	Compromised Device	Android applications	Unknown Sources		Do not allow install from unknown sources		Surveillance
32	User	Likelihood ↥	Compromised Device	Apps and Extensions	Allow or Block All Apps and Extensions		Allow all apps and extensions except the ones I block		Surveillance
33	User	Likelihood ↧	Compromised Device	Apps and Extensions	Allow or Block All Apps and Extensions		Block all apps and extensions except the ones I allow		Surveillance
34	User	Likelihood ↧	Compromised Device	Apps and Extensions	Allowed Types of Apps and Extensions		Chrome Packaged App		Surveillance
35	User	Likelihood ↧	Compromised Device	Apps and Extensions	Allowed Types of Apps and Extensions		Extension		Surveillance
36	User	Likelihood ↧	Compromised Device	Apps and Extensions	Allowed Types of Apps and Extensions		Google Apps Script		Surveillance
37	User	Likelihood ↧	Compromised Device	Apps and Extensions	Allowed Types of Apps and Extensions		Hosted App		Surveillance
38	User	Likelihood ↧	Compromised Device	Apps and Extensions	Allowed Types of Apps and Extensions		Legacy Packaged App		Surveillance
39	User	Likelihood ↧	Compromised Device	Apps and Extensions	Allowed Types of Apps and Extensions		Theme		Surveillance
40	User	Likelihood ↧	Compromised Device	Apps and Extensions	App and Extension Install Sources		List of URL Patterns	A whitelist of app sources can be valuable for preventing team member's from installing malicious apps and extensions, or apps that are masquerading as a team member's desired application. There are a variety of app stores/sources that are far less managed than Google Play and are more likely to have malicious apps found in them.	Surveillance
41	User	Impact ↧	Compromised Device	Content	Google Drive Syncing		Disable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Surveillance
42	User	Impact ↥	Compromised Device	Content	Google Drive Syncing		Enable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Surveillance
43	Device	Impact ↥	Compromised Device	Enrollment & Access	Disabled device return instructions		Custom text to display	Lock-screen messages, whether using an external EMM tool or the GSuite configuration here, have different ramifications when thinking about theft vs. when thinking about remotely locking down a device when the admin/security team believes that a team member has been detained or their device confiscated. This can be used to show strict proof of inaccess. The disabled device notification also exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration.	Surveillance
44	Device	Impact ↧	Compromised Device	Enrollment & Access	Verified Mode		Require verified mode boot for Verified Access	See the in-depth design docs for verified boot mode, including its responses to different attack cases here. https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot	Surveillance
45	Device	Impact ↥	Compromised Device	Enrollment & Access	Verified Mode		Skip boot mode check for Verified Access	If a team member can skip verified boot checks then a compromised (or developer) device can access enterprise extensions. This should not be used.	Surveillance
46	User	Impact ↧	Compromised Device	Hardware	Audio Input		Disable audio input	"I gotta give Google's chrome team some serious props for this one. When disabled, this won't allow any websites or applications use the internal microphone. While surveillance focused folks like myself would really like a hardware based switch for audio and video on our personal devices, this is a powerful tool for providing widescale assurances that none of your staff have installed apps that are secretly listening in. In the long-term I would move towards this with high-risk team's. But, you will have to get them all small headset/microphones and ensure that they remember to take them with them when they travel. This could be a huge impediment to their work if they can't use their ""secured travel device"" to conduct sensitive calls and/or video-chats. AV is always the worst. So, for team's I would start with it enabled, and then once you have made sure you can build adoption of the practices (and bought everyone nice travel headsets) you can move to disabling it."	Surveillance
47	User	Likelihood ↥	Compromised Device	Hardware	External Storage devices		Allow external storage devices	External storage devices add another attack surface for local attempts at compromise.	Surveillance
48	User	Likelihood ↥	Compromised Device	Hardware	External Storage devices		Allow external storage devices (read only)	External storage devices add another attack surface for local attempts at compromise.	Surveillance
49	User	Impact ↧	Compromised Device	Hardware	Video Input		Disable video input		Surveillance
50	User	Likelihood ↥	Compromised Device	Omnibox Search Provider	Omnibox Search Provider		Allow user to select the Omnibox Search Provider	"The threat here is Omnibox (search) Hijacking. This type of malware can redirect a team member to further malicious and/or phishing pages and surveil a team member's searches. By locking the omnibox search provider to a specific subset you can make this type of malware useless. - If you encounter one of these check out this short guidance to get rid of the: https://productforums.google.com/forum/#!msg/websearch/6W1JbCZMjMU/qCm7oM8cIMQJ	Surveillance
51	User	Likelihood ↧	Compromised Device	Omnibox Search Provider	Omnibox Search Provider		Lock the Omnibox Search Provider settings to the values below		Surveillance
52	Device	Likelihood ↧	Compromised Device	Other	USB Detachable Whitelist		List of VID:PID pairs	This limits the ability of devices from accessing your applications. Therefore limiting the possibility of malicious apps and/or malicious devices compromising the other.	Surveillance
53	User	Likelihood ↧	Compromised Device	Security	Remote access clients		Remote Access Host Client Domain - Configure the required domain name for remote access clients.	In short, this will only allow registered team member's from your Google Apps domain to remotely access your traveler's chromebooks. If you have a remote access client that you use you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team member's from any domain.	Surveillance
54	User	Likelihood ↧	Compromised Device	Security	Safe Browsing		Always enable Safe Browsing	"Safe Browsing also protects you from abusive extensions and malicious software. At start up of Chrome, Safe Browsing scans extensions installed in your browser against the Safe Browsing list. If an extension on the list is found, Chrome will temporarily disable the extension, offer you relevant information and provide an option for you to remove the extension or re-enable it." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#malware
55	Device	Impact ↧	Compromised Device	Sign-in Settings	Guest Mode		Allow guest mode	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	Surveillance
56	Device	Impact ↧	Compromised Device	User & Device Reporting	Device Reporting	Device State Reporting	Enable device state reporting	Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.	Surveillance
57	User	Likelihood ↧	Compromised Device	User Experience	Multiple Sign-in Access		Block multiple sign-in access for team member's in this organization		Surveillance
58	User	Likelihood ↥	Compromised Device	User Experience	Multiple Sign-in Access		Managed team member must be the primary team member (secondary team member's are allowed)	With managed team member is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases.	Surveillance
59	User	Likelihood ↥	Compromised Device	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	With managed team member is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases.	Surveillance
60	User	Impact ↧	Compromised Device	User Verification	Verified Mode	Verified Mode Boot Check	Require verified mode boot for Verified Access	See the in-depth design docs for verified boot mode, including its responses to different attack cases here. https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot	Surveillance
61	User	Impact ↥	Compromised Device	User Verification	Verified Mode	Verified Mode Boot Check	Skip boot mode check for Verified Access	If a team member can skip verified boot checks then a compromised (or developer) device can access enterprise extensions. This should not be used.	Surveillance
62	Device	Impact ↧	Data requests from online services	Enrollment & Access	Verified Mode		Service accounts which can verify devices but do not receive device ID	If you are using third party services that offer verified access mode and offer this option you it will allow you to minimize the amount of information that they know about which specific team member conducted activities using their service. This option means that they can only know that the team member is a managed user, not which team member it is.	Surveillance
63	Device	Impact ↥	Data requests from online services	Other	System timezone automatic detection		Always send WiFi access-points to server while resolving timezone	This is information that google collects and stores with your data according to its privacy policy. I don't go into much other information google collects because of our assumptions. But, this one has some really serious meta-data attached to it that is constantly being collected. https://www.google.com/policies/privacy/#infocollect	Surveillance
64	User	Impact ↥	Data requests from online services	Security	Geolocation		Allow sites to detect team member's' geolocation	Things that are seemingly inconsequential to a user, like devices providing websites geolocation in environments where your Traveler has high-power adversaries that actively make successful requests from online intermediaries for team member information, can have significant security implications because of the information they leak.	Surveillance
65	User	Impact ↧	Data requests from online services	Security	Geolocation		Always ask the team member if a site wants to detect their geolocation	Things that are seemingly inconsequential to a user, like devices providing websites geolocation in environments where your Traveler has high-power adversaries that actively make successful requests from online intermediaries for team member information, can have significant security implications because of the information they leak.	Surveillance
66	User	Impact ↧	Data requests from online services	Security	Geolocation		Do not allow sites to detect team member's' geolocation	Things that are seemingly inconsequential to a user, like devices providing websites geolocation in environments where your Traveler has high-power adversaries that actively make successful requests from online intermediaries for team member information, can have significant security implications because of the information they leak.	Surveillance
67	User	Impact ↧	Data requests from online services	User Verification	Verified Mode		Service accounts which can verify team member's but do not receive team member data	If you are using third party services that offer verified access mode and offer this option you it will allow you to minimize the amount of information that they know about which specific team member conducted activities using their service. This option means that they can only know that the team member is a managed user, not which team member it is.	Surveillance
68	User	Impact ↥	Decryption Forced (Device)	Hardware	External Storage devices		Disallow external storage devices	USB's and SD's are a critical part of many people's travel security plans. They are used to separate senstive information from the device.	Forced Exposure
69	Device	Impact ↥	Device Confiscation	Enrollment & Access	Disabled device return instructions		Custom text to display	Lock-screen messages, whether using an external EMM tool or the GSuite configuration here, have different ramifications when thinking about theft vs. when thinking about remotely locking down a device when the admin/security team believes that a team member has been detained or their device confiscated. This can be used to show strict proof of inaccess. The disabled device notification also exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration.	Confiscation
70	User	Impact ↥	Device Confiscation	Hardware	External Storage devices		Disallow external storage devices	USB's and SD's are a critical part of many people's travel security plans. They are used to separate senstive information from the device.	Confiscation
71	Device	Impact ↧	Device Confiscation	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.	Confiscation
72	Device	Impact ↧	Device Confiscation	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)	Confiscation
73	User	Impact ↥	Device Confiscation	Security	Browser History		Always save browser history	Confiscation of the travel device	Confiscation
74	User	Impact ↧	Device Confiscation	Security	Browser History		Never save browser history	This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be upon ever logout. But, an empty search history can raise suspicion. (Confiscation of the travel device)	Confiscation
75	User	Impact ↥	Device Confiscation	Security	Clear Browser History		Do not allow clearing history in settings menu	Confiscation of the travel device	Confiscation
76	User	Impact ↧	Device Confiscation	Security	Idle Settings	Action on idle	Logout	This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do. (Confiscation of the travel device)	Confiscation
77	User	Impact ↧	Device Confiscation	Security	Idle Settings	Action on lid close	Logout	This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do. (Confiscation of the travel device)	Confiscation
78	User	Impact ↧	Device Confiscation	Security	Lock Screen		Do not allow locking screen	This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do. (Confiscation of the travel device)	Confiscation
79	Device	Impact ↧	Device Confiscation	Sign-in Settings	Guest Mode		Allow guest mode	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	Confiscation
80	Device	Impact ↧	Device Confiscation	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Confiscation
81	Device	Impact ↧	Device Confiscation	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Confiscation
82	Device	Impact ↧	Device Confiscation	Sign-in Settings	Single Sign-On Camera Permissions		Whitelist of single sign-on camera permissions	You could remotely get a picture of everyone who tries to login! Wouldn't that be a fun way to see if folks are trying to access your devices behind your team member's back.	Confiscation
83	Device	Impact ↧	Device Confiscation	Sign-in Settings	team member Data		Erase all local team member data	This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.	Confiscation
84	User	Impact ↧	Encrypted Comms Regulated	Android applications	Unknown Sources		Allow install from unknown sources	If team member's are traveling to countries that have requested that the security applications your team needs to use are removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/	Legal
85	User	Impact ↥	Encrypted Comms Regulated	Android applications	Unknown Sources		Do not allow install from unknown sources		Legal
86	User	Likelihood ↥	Encrypted Comms Regulated	Apps and Extensions	Force-installed Apps and Extensions		Manage force-installed apps	If you have a team that travels internationally be mindful of "cyber laws" around the import and/or use of specific types of encryption and/or circumvention technologies. A team member *cannot uninstall forced apps. You may want to move some of these force-installed apps to the "recommended apps section of the web store" if your team member's are commonly traveling to a country where the technology those apps use is illegal.	Legal
87	User	Likelihood ↥	Encryption Regulated	Apps and Extensions	Force-installed Apps and Extensions		Manage force-installed apps	If you have a team that travels internationally be mindful of "cyber laws" around the import and/or use of specific types of encryption and/or circumvention technologies. A team member *cannot uninstall forced apps. You may want to move some of these force-installed apps to the "recommended apps section of the web store" if your team member's are commonly traveling to a country where the technology those apps use is illegal.	Legal
88	User	Impact ↧	Endpoint/Route Disabling	Android applications	Access to Android applications		Allow	When endpoints (websites, servers, services) are blocked being able to search for working circumvention tools in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution.	Obstruction
89	User	Impact ↧	Endpoint/Route Disabling	Android applications	Unknown Sources		Allow install from unknown sources	If team member's are traveling to countries that have requested that the security applications your team needs to use are removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/	Obstruction
90	User	Impact ↥	Endpoint/Route Disabling	Android applications	Unknown Sources		Do not allow install from unknown sources		Obstruction
91	Device	Impact ↧	Full Internet Shutdown	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if their has been an internet shutdown. (impact used as a way to indicate that by identifying one of these states earlier than you would otherwise you can react to it.)	Obstruction
92	User	Impact ↧	Hotel Robbery & Theft	Content	Google Drive Syncing		Disable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Confiscation
93	User	Impact ↥	Hotel Robbery & Theft	Content	Google Drive Syncing		Enable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Confiscation
94	Device	Impact ↧	Hotel Robbery & Theft	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.	Confiscation
95	Device	Impact ↧	Hotel Robbery & Theft	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)	Confiscation
96	User	Impact ↥	Hotel Robbery & Theft	Security	Browser History		Always save browser history		Confiscation
97	User	Impact ↧	Hotel Robbery & Theft	Security	Browser History		Never save browser history	This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be upon ever logout. But, an empty search history can raise suspicion.	Confiscation
98	User	Impact ↥	Hotel Robbery & Theft	Security	Clear Browser History		Do not allow clearing history in settings menu		Confiscation
99	User	Impact ↧	Hotel Robbery & Theft	Security	Idle Settings	Action on idle	Logout	This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
100	User	Impact ↧	Hotel Robbery & Theft	Security	Idle Settings	Action on lid close	Logout	This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
101	User	Impact ↧	Hotel Robbery & Theft	Security	Lock Screen		Do not allow locking screen	This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
102	Device	Impact ↧	Hotel Robbery & Theft	Sign-in Settings	Guest Mode		Allow guest mode	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	Confiscation
103	Device	Impact ↧	Hotel Robbery & Theft	Sign-in Settings	team member Data		Erase all local team member data	This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.	Confiscation
104	Device	Impact ↧	Hotel Robbery & Theft	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if their has been an internet shutdown. (impact used as a way to indicate that by identifying one of these states earlier than you would otherwise you can react to it.)	Confiscation
105	User	Likelihood ↥	In-Country Activities Regulated	Apps and Extensions	Pinned Apps and Extensions		Manage pinned apps	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying Private apps. (i.e. Apps that link to organizational login portals, etc.)	Legal
106	User	Likelihood ↧	In-Country Activities Regulated	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Legal
107	User	Likelihood ↥	In-Country Activities Regulated	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use the 'For [YOUR_DOMAIN>TLD]' collection:	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Legal
108	User	Likelihood ↧	In-Country Activities Regulated	Chrome Web Store	Chrome Web Store Homepage		What should the collection name be?	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Legal
109	Device	Impact ↥	In-Country Activities Regulated	Enrollment & Access	Disabled device return instructions		Custom text to display	The disabled device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration.	Legal
110	Device	Impact ↥	In-Country Activities Regulated	Enrollment & Access	Forced Re-enrollment		Force device to re-enroll into this domain after wiping	If a team member needs to switch over a personal account mid-trip because conditions have changed and their association with your organization has become more dangerous this would prohibit them from doing so.	Legal
111	Device	Impact ↧	In-Country Activities Regulated	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If travel sub-organization's use a different domain then this feature would not force them to login using their organization's primary (tained) domain in front of border officials.	Legal
112	Device	Impact ↧	In-Country Activities Regulated	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If travel sub-organization's use a different domain then this feature would not force them to login using their organization's primary (tained) domain in front of border officials.	Legal
113	User	Impact ↧	In-Transit Robbery & Theft	Content	Google Drive Syncing		Disable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Confiscation
114	User	Impact ↥	In-Transit Robbery & Theft	Content	Google Drive Syncing		Enable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Confiscation
115	Device	Impact ↧	In-Transit Robbery & Theft	Enrollment & Access	Disabled device return instructions		Custom text to display	Lock-screen messages, whether using an external EMM tool or the GSuite configuration here, have different ramifications when thinking about theft vs. when thinking about remotely locking down a device when the admin/security team believes that a team member has been detained or their device confiscated. This can be used to show strict proof of inaccess. The disabled device notification also exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration.	Confiscation
116	User	Impact ↥	In-Transit Robbery & Theft	Hardware	External Storage devices		Disallow external storage devices	USB's and SD's are a critical part of many people's travel security plans. They are used to separate senstive information from the device.	Confiscation
117	Device	Impact ↧	In-Transit Robbery & Theft	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.	Confiscation
118	Device	Impact ↧	In-Transit Robbery & Theft	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)	Confiscation
119	User	Impact ↥	In-Transit Robbery & Theft	Security	Browser History		Always save browser history		Confiscation
120	User	Impact ↧	In-Transit Robbery & Theft	Security	Browser History		Never save browser history	This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be upon ever logout. But, an empty search history can raise suspicion.	Confiscation
121	User	Impact ↥	In-Transit Robbery & Theft	Security	Clear Browser History		Do not allow clearing history in settings menu		Confiscation
122	User	Impact ↧	In-Transit Robbery & Theft	Security	Idle Settings	Action on idle	Logout	This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
123	User	Impact ↧	In-Transit Robbery & Theft	Security	Idle Settings	Action on lid close	Logout	This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
124	User	Impact ↧	In-Transit Robbery & Theft	Security	Lock Screen		Do not allow locking screen	This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
125	Device	Impact ↧	In-Transit Robbery & Theft	Sign-in Settings	Guest Mode		Allow guest mode	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	Confiscation
126	Device	Impact ↧	In-Transit Robbery & Theft	Sign-in Settings	team member Data		Erase all local team member data	This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.	Confiscation
127	Device	Impact ↧	In-Transit Robbery & Theft	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if their has been an internet shutdown. (impact used as a way to indicate that by identifying one of these states earlier than you would otherwise you can react to it.)	Confiscation
128	User	Impact ↥	Intermittent Connectivity	User Experience	Download Location		Force Google Drive	In some instances a team member will want to have offline data. Esp. in cases where online access will be Intermittent.	Obstruction
129	User	Impact ↥	Lacking/Intermittent Access to Broadband	Content	Google Drive Syncing over Cellular		Disable Google Drive syncing over cellular connections		Obstruction
130	User	Impact ↧	Lacking/Intermittent Access to Broadband	Content	Google Drive Syncing over Cellular		Enable Google Drive syncing over cellular connections	If mobile data is available, but broadband access is not then enabling this (as long as the team member has cellular capabilities) can be valuable	Obstruction
131	Device	Impact ↧	Lacking/Intermittent Access to Broadband	Other	Mobile Data Roaming		Allow mobile data roaming	If mobile data is available, but broadband access is not then enabling this (as long as the team member has cellular capabilities) can be valuable	Obstruction
132	Device	Impact ↥	Lacking/Intermittent Access to Broadband	Other	Mobile Data Roaming		Do not allow mobile data roaming		Obstruction
133	User	Impact ↥	Lacking/Intermittent Access to Broadband	User Experience	Download Location		Force Google Drive	In some instances a team member will want to have offline data. Esp. in cases where online access will be Intermittent.	Obstruction
134	User	Impact ↧	Limited/Throttled Connectivity	Content	Images	Images	Allow user to configure	There is the one case for low connectivity regions where the team member might want to configure it themself to save on bandwidth when using the internet.	Obstruction
135	Device	Impact ↧	Limited/Throttled Connectivity	Device Update Settings	Auto Update Settings	Randomly scatter auto-updates over	[1-14] Day(s)	If you have multiple team members traveling together who are all using their own chrome devices in a country with limited connectivity scattering updates will limit the traffic spike of them all attempting to update at the same time.	Obstruction
136	Device	Impact ↥	Limited/Throttled Connectivity	Device Update Settings	Auto Update Settings	Randomly scatter auto-updates over	None	If you have multiple team member's traveling together who are all using their own chrome devices in a country with limited connectivity scattering updates will limit the traffic spike of them all attempting to update at the same time.	Obstruction
137	User	Impact ↥	Limited/Throttled Connectivity	Network	Proxy Settings		Always use the proxy auto-config specified below	Proxies be inconvenient in low connectivity areas. If there are concerns about passive surveillance than the use of a proxy that is only configured to proxy non-TLS (HTTP) connections can provide a greater level of security against surveillance without impacting connections that already have TLS.	Obstruction
138	User	Impact ↥	Limited/Throttled Connectivity	Network	Proxy Settings		Always use the proxy specified below	Proxies be inconvenient in low connectivity areas.	Obstruction
139	User	Impact ↧	Limited/Throttled Connectivity	Network	Proxy Settings		Never use a proxy	Proxies be inconvenient in low connectivity areas.	Obstruction
140	User	Impact ↥	Limited/Throttled Connectivity	Network	QUIC Protocol		Disabled	QUIC has the same security properties as HTTP/S. It also reduces latency. It's useful when networking conditions are bad.	Obstruction
141	User	Impact ↧	Limited/Throttled Connectivity	Network	QUIC Protocol		Enabled	QUIC has the same security properties as HTTP/S. It also reduces latency. It's useful when networking conditions are bad.	Obstruction
142	User	Impact ↥	Limited/Throttled Connectivity	User Experience	Download Location		Force Google Drive	In some instances a team member will want to have offline data. Esp. in cases where data is throttled/slow.	Obstruction
143	User	Impact ↥	Login Forced (Device)	Apps and Extensions	Pinned Apps and Extensions		Manage pinned apps	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying Private apps. (i.e. Apps that link to organizational login portals, etc.)	Login Forced
144	User	Impact ↥	Login Forced (Device)	Apps and Extensions	Task Manager		Allow user's to end processes with the Chrome task manager	There is currently only one possible security related reason I can think of to restrict team member access to the task manager. If we were using an external Enterprise mobility management tool (remote-wipe/control application) and we did not want malicious actors with physical access to be able to shut down those apps using the task manager. This document uses the G Suites built in EMM tools and permission management to deal with this. As such, we do not need to restrict task manager access.	Login Forced
145	User	Impact ↧	Login Forced (Device)	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Login Forced
146	User	Impact ↥	Login Forced (Device)	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use the 'For [YOUR_DOMAIN>TLD]' collection:	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Login Forced
147	User	Impact ↧	Login Forced (Device)	Chrome Web Store	Chrome Web Store Homepage		What should the collection name be?	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Login Forced
148	User	Impact ↧	Login Forced (Device)	Content	Google Drive Syncing		Disable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Login Forced
149	User	Impact ↥	Login Forced (Device)	Content	Google Drive Syncing		Enable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Login Forced
150	User	Likelihood ↥	Login Forced (Device)	General	Smart Lock for Chrome		Allow Smart Lock for Chrome	Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesireable feature. We want multi-factor authentication for login to our travel devices. This removes a factor.	Login Forced
151	User	Impact ↥	Login Forced (Device)	Hardware	External Storage devices		Disallow external storage devices	USB's and SD's are a critical part of many people's travel security plans. They are used to separate senstive information from the device.	Login Forced
152	User	Impact ↧	Login Forced (Device)	Security	Incognito Mode		Allow incognito mode	Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode.	Login Forced
153	User	Impact ↥	Login Forced (Device)	Security	Incognito Mode		Disallow incognito mode	Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode.	Login Forced
154	Device	Impact ↧	Login Forced (Device)	Sign-in Settings	Guest Mode		Allow guest mode	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	Login Forced
155	Device	Impact ↧	Login Forced (Device)	Sign-in Settings	Single Sign-On Camera Permissions		Whitelist of single sign-on camera permissions	I know what you are thinking. Why would I want to give my login service camera access? If you do some research your next question will be What is all that is holy is a "clever badge?" [1] Well, this function allows your team member's to use the device's camera to support single sign on. Heck, if you really wanted to you could have it ping a 24 hour desk who knew what your team member's looked like and have them authenticate based upon a conversation that ensures that they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but, you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges (QR codes for kids to login to stuff)	Login Forced
156	User	Impact ↥	Login Forced (Device)	Startup	Homepage		Homepage is always the new tab page	New tab page exposes commonly used websites. This is an information exposure vector that some travlers may not want. "If you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#NTP
157	User	Impact ↥	Login Forced (Device)	User Experience	Bookmark Editing		Enable bookmark editing	Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks.	Login Forced
158	User	Impact ↥	Login Forced (Device)	User Experience	Managed Bookmarks		Managed Bookmarks	These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account.	Login Forced
159	User	Impact ↥	Login Forced (Device)	User Experience	Multiple Sign-in Access		Managed team member must be the primary team member (secondary team member's are allowed)	With managed user is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should not allow multiple sign-in in these cases.	Login Forced
160	User	Impact ↥	Login Forced (Device)	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	With managed user is primary the per-profile user-policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy defined network than the secondary account will have access to the network with any apps installed on their account. As such, you should not allow multiple sign-in in these cases.	Login Forced
161	User	Impact ↥	Login Forced (Service)	Security	Password Manager		Allow user to configure	In environments where team member's are allowed to use the password manager it is important to have properly built their security awareness to understand the security implications of saving passwords for different types of accounts.	Login Forced
162	User	Impact ↥	Login Forced (Service)	Security	Password Manager		Always allow use of password manager		Login Forced
163	User	Impact ↧	Login Forced (Service)	Security	Password Manager		Never allow use of password manager	Choosing "never allow use" is an absolutist technical control that is appropriate for some high threat environments, but unnecessary and inconvenient in many others. It raises the question, "How does your team weigh the psycho-social value of being able to save a netflix password against their willingness to follow your instructions?"	Login Forced
164	Device	Impact ↧	Login Forced (Service)	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Login Forced
165	Device	Impact ↧	Login Forced (Service)	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If travel sub-organization's use a different domain then this feature would not force them to login using their organization's primary (tained) domain in front of border officials.	Login Forced
166	User	Impact ↧	Passive Internet Surveillance	Content	Cookies		Allow Cookies for URL Patterns		Surveillance
167	User	Impact ↧	Passive Internet Surveillance	Content	Cookies		Allow Session-Only Cookies for URL Patterns		Surveillance
168	User	Impact ↥	Passive Internet Surveillance	Content	Cookies	Default Cookie Setting	Allow sites to set cookies	Actors who have targeted ISP level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threat's that I think about here! Not saying that it is a threat that your team member's need to worry about. :D )	Surveillance
169	User	Impact ↧	Passive Internet Surveillance	Content	Cookies	Default Cookie Setting	Keep cookies for the duration of the session	Actors who have targeted ISP level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threat's that I think about here! Not saying that it is a threat that your team member's need to worry about. :D )	Surveillance
170	User	Impact ↧	Passive Internet Surveillance	Content	Cookies	Default Cookie Setting	Never allow sites to set cookies	Actors who have targeted ISP level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threat's that I think about here! Not saying that it is a threat that your team member's need to worry about. :D )	Surveillance
171	User	Impact ↥	Passive Internet Surveillance	Content	Third-Party Cookie Blocking		Allow third-party cookies	This is another fingerprinting threat, and therefore not very relevant for most contexts.	Surveillance
172	User	Impact ↧	Passive Internet Surveillance	Content	Third-Party Cookie Blocking		Disallow third-party cookies	This is another fingerprinting threat, and therefore not very relevant for most contexts.	Surveillance
173	User	Impact ↥	Passive Internet Surveillance	Network	Proxy Settings		Always auto detect the proxy		Surveillance
174	User	Impact ↧	Passive Internet Surveillance	Network	Proxy Settings		Always use the proxy auto-config specified below		Surveillance
175	User	Impact ↧	Passive Internet Surveillance	Network	Proxy Settings		Always use the proxy specified below		Surveillance
176	User	Impact ↥	Passive Internet Surveillance	Network	WebRTC UDP Ports		Maximum port (1024-65535)	One consideration here is that by setting this value to a very small set of unique ports it will act as a fingerprint your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team member's obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected, group of targeted actors within a country this could be used to uniquely identify associated chromebooks through passive monitoring. ) In most countries this is a HIGHLY unlikely scenerio. But, we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network level fingerprinting in an increasing number of threat environments.	Surveillance
177	User	Impact ↥	Passive Internet Surveillance	Network	WebRTC UDP Ports		Minimum port (1024-65535)	One consideration here is that by setting this value to a very small set of unique ports it will act as a fingerprint your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team member's obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected, group of targeted actors within a country this could be used to uniquely identify associated chromebooks through passive monitoring. ) In most countries this is a HIGHLY unlikely scenerio. But, we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network level fingerprinting in an increasing number of threat environments.	Surveillance
178	User	Impact ↥	Passive Internet Surveillance	Security	Online Revocation Checks		Perform online OCSP/CRL checks	Online OCSP/CRL checks should not be enabled. It is bad in just about every sort of way. To quote the chromium policy list "In light of the fact that soft-fail, online revocation checks provide no effective security benefit..." This means that on a failure a revoked certificate will still be used.	Surveillance
179	User	Impact ↥	Passive Internet Surveillance	User Experience	DNS Pre-fetching		Always pre-fetch DNS	I have security concerns with pre-fetching that make me lean towards not allowing or even allowing team member's to configure. I don't want my team member's devices requesting the location of sites that they have not actually requested. In places with passive monitoring where sites they have accessed might be used against my team member's I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the costs of storing widescale passive traffic captures, etc. It will be hard to disprove a case built just on DNS.	Surveillance
180	User	Impact ↧	Passive Internet Surveillance	User Experience	DNS Pre-fetching		Never pre-fetch DNS	I have security concerns with pre-fetching that make me lean towards not allowing or even allowing team member's to configure. I don't want my team member's devices requesting the location of sites that they have not actually requested. In places with passive monitoring where sites they have accessed might be used against my team member's I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the costs of storing widescale passive traffic captures, etc. It will be hard to disprove a case built just on DNS.	Surveillance
181	User	Impact ↥	Passive Mobile Data Surveillance	Security	Online Revocation Checks		Perform online OCSP/CRL checks	https://bugs.chromium.org/p/chromium/issues/detail?id=361820	Surveillance
182	User	Likelihood ↥	Pharming	Content	JavaScript	JavaScript	Allow sites to run JavaScript	Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis.	Deception
183	User	Likelihood ↥	Pharming	Content	JavaScript		Allow These Sites to Run JavaScript		Deception
184	User	Likelihood ↧	Pharming	Content	JavaScript	JavaScript	Do not allow sites to run JavaScript	Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis.	Deception
185	User	Impact ↥	Pharming	Content	Outdated Plugins		Allow outdated plugins to be used as normal plugins	Again, they only allow flash, and it better be up to date with its crazy vulnerabilities in older versions	Deception
186	User	Impact ↧	Pharming	Content	Outdated Plugins		Disallow outdated plugins	Again, they only allow flash, and it better be up to date with its crazy vulnerabilities in older versions	Deception
187	User	Impact ↧	Pharming	Content	Plug-ins	Plug-ins	Block all plug-ins	Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)	Deception
188	User	Impact ↥	Pharming	Content	Plug-ins	Plug-ins	Run plug-ins automatically	Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)	Deception
189	User	Impact ↥	Pharming	Content	Plugin Authorization		Always run plugins that require authorization	Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.	Deception
190	User	Impact ↧	Pharming	Content	Plugin Authorization		Ask for user permission before running plugins that require authorization	Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.	Deception
191	User	Impact ↧	Pharming	Content	URL Blocking		URL Blacklist	A blacklist, with blacklist problems. But, while this is not directly relevant to the travel use case this is an easy enough field to fill up with 1000 common typosquatting for your domains [1]. With some research and lots of testing using your network logs this could also be used to block common practices in phishing attacks. Honestly, the only reason I am allowing this blacklist is because I think it would be fun to implement. [1] https://github.com/elceef/dnstwist	Deception
192	User	Impact ↥	Pharming	Security	Malicious Sites		Allow user to proceed anyway to malicious sites	If your team member's are doing investigative research it might also make sense to allow them to proceed to malicious sites. But, even then they should likely not be using their primary device to do it. If they wish to use chromebooks for these use cases instead of their primary browser then a more locked down setup can be created, either on easily wipeable chromebooks or by setting up disposable VM's that they can remote into from their travel chromebook.	Deception
193	User	Impact ↧	Pharming	Security	Malicious Sites		Prevent team member from proceeding anyway to malicious sites		Deception
194	User	Impact ↧	Pharming	Security	Safe Browsing		Always enable Safe Browsing	Safe browsing helps protect team member's from websites that may contain malware and/or pharmed content. When a team member attempts to connect to a url safe browsing checks web pages against local copies of Google's "Safe Browsing lists." If the hash of a url the team member is attempting to visit matches one of the hashes of the items in the Safe Browsing Lists it will warn the user. [1] The privacy preserving implementation of safe browsing make enabling it the obvious choice. [1] https://github.com/scheib/chromium/blob/9ae6b4f4a8679c8598316544dccf378b86f99845/chrome/browser/safe_browsing/client_side_model_loader.cc	Deception
195	User	Impact ↧	Pharming	User Experience	Form Auto-fill		Never auto-fill forms	Browser autofill phishing/pharming was just trending on the info-sec news circuit.	Deception
196	User	Impact ↧	Pharming	User Experience	Managed Bookmarks		Managed Bookmarks	It also is a way to ensure that team member's have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team member's to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phishing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obsfucated account.	Deception
197	User	Likelihood ↥	Phishing	Content	JavaScript	JavaScript	Allow sites to run JavaScript	Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis.	Deception
198	User	Likelihood ↥	Phishing	Content	JavaScript		Allow These Sites to Run JavaScript		Deception
199	User	Likelihood ↧	Phishing	Content	JavaScript	JavaScript	Do not allow sites to run JavaScript	Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis.	Deception
200	User	Impact ↥	Phishing	Content	Notifications	Notifications	Allow sites to show desktop notifications	"This is a complex one for me. It does fall under the basic guidelines for not destroying your team's workflow using security. But, I think desktop notifications are ripe for future phishing attacks (see below). As such, if after surveying my team member base I discover that notifications are not being used I would choose the option ""Do not allow notifications."" But, if there are team member's who do already use notifications I would just do some user-awareness training around the possible threats of notifications and allow them to show/block notifications as they see fit. I choose this over (allowing a team member to configure) because of how convinceing I beleive these attacks will be. I see desktop notifications as a likely future avenue for phishing and wateringhole attacks. I have not seen examples of this being abused. But, their feature set combined with their platform native look makes them especially likely to be used in this way. These alerts don't require the website to be open, can play sounds or cause the team member's device to vibrate, stay shown until a team member to interacts with them, and run javascript or take a team member to a URL when they click on events. This makes them a convinceing interface for fakeing legitimate platform security/anti-virus/etc. alerts. https://developers.google.com/web/fundamentals/engage-and-retain/push-notifications/notification-behaviour"	Deception
201	User	Impact ↧	Phishing	Content	Notifications	Notifications	Do not allow sites to show desktop notifications		Deception
202	User	Impact ↥	Phishing	Content	Outdated Plugins		Allow outdated plugins to be used as normal plugins	Again, they only allow flash, and it better be up to date with its crazy vulnerabilities in older versions	Deception
203	User	Impact ↧	Phishing	Content	Outdated Plugins		Disallow outdated plugins	Again, they only allow flash, and it better be up to date with its crazy vulnerabilities in older versions	Deception
204	User	Impact ↧	Phishing	Content	Plug-ins	Plug-ins	Block all plug-ins	Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)	Deception
205	User	Impact ↥	Phishing	Content	Plug-ins	Plug-ins	Run plug-ins automatically	Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)	Deception
206	User	Impact ↥	Phishing	Content	Plugin Authorization		Always run plugins that require authorization	Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.	Deception
207	User	Impact ↧	Phishing	Content	Plugin Authorization		Ask for user permission before running plugins that require authorization	Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.	Deception
208	User	Impact ↧	Phishing	User Experience	Form Auto-fill		Never auto-fill forms	Browser autofill phishing/pharming was just trending on the info-sec news circuit.	Deception
209	User	Impact ↧	Phishing	User Experience	Managed Bookmarks		Managed Bookmarks	It also is a way to ensure that team member's have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team member's to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phishing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obfuscated account.	Deception
210	Device	Impact ↥	Power Outage	Power & Shutdown	Power Management		Do not allow device to sleep/shut down when idle on the sign-in screen	The device will still draw power with idle. It's not a huge amount. But, if they are dealing with limited power it might be nice to know that their device will conserve power as much as possible.	Obstruction
211	User	Impact ↥	Spoofed Access Point	Network	Proxy Settings		Always auto detect the proxy		Deception
212	User	Impact ↧	Targeted Workplace Raids	Content	Google Drive Syncing		Disable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Confiscation
213	User	Impact ↥	Targeted Workplace Raids	Content	Google Drive Syncing		Enable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Confiscation
214	Device	Impact ↧	Targeted Workplace Raids	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.	Confiscation
215	Device	Impact ↧	Targeted Workplace Raids	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)	Confiscation
216	User	Impact ↥	Targeted Workplace Raids	Security	Browser History		Always save browser history		Confiscation
217	User	Impact ↧	Targeted Workplace Raids	Security	Browser History		Never save browser history	This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be upon ever logout. But, an empty search history can raise suspicion.	Confiscation
218	User	Impact ↥	Targeted Workplace Raids	Security	Clear Browser History		Do not allow clearing history in settings menu		Confiscation
219	User	Impact ↧	Targeted Workplace Raids	Security	Idle Settings	Action on idle	Logout	This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
220	User	Impact ↧	Targeted Workplace Raids	Security	Idle Settings	Action on lid close	Logout	This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
221	User	Impact ↧	Targeted Workplace Raids	Security	Lock Screen		Do not allow locking screen	This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments wiping the current activity off of the device should be quick, automatic, and frequent to be quick and easy to do.	Confiscation
222	Device	Impact ↧	Targeted Workplace Raids	Sign-in Settings	Guest Mode		Allow guest mode	Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions.	Confiscation
223	Device	Impact ↧	Targeted Workplace Raids	Sign-in Settings	team member Data		Erase all local team member data	This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.	Confiscation
224	Setting	Risk Mod	Threat	Category	Title	Sub Item	Option	Comments	Threat Category
225	User	Likelihood ↥	Topical/Information Censorship	User Experience	DNS Pre-fetching		Always pre-fetch DNS	I have security concerns with pre-fetching that make me lean towards not allowing or even allowing team member's to configure. I don't want my team member's devices requesting the location of sites that they have not actually requested. In places with passive monitoring where sites they have accessed might be used against my team member's I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the costs of storing widescale passive traffic captures, etc. It will be hard to disprove a case built just on DNS.	Legal
226	User	Likelihood ↧	Topical/Information Censorship	User Experience	DNS Pre-fetching		Never pre-fetch DNS	I have security concerns with pre-fetching that make me lean towards not allowing or even allowing team member's to configure. I don't want my team member's devices requesting the location of sites that they have not actually requested. In places with passive monitoring where sites they have accessed might be used against my team member's I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the costs of storing widescale passive traffic captures, etc. It will be hard to disprove a case built just on DNS.	Legal
227	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Cast		Do not allow team member's to Cast		Insider Threat
228	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Cookies		Allow Cookies for URL Patterns		Insider Threat
229	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Cookies		Allow Session-Only Cookies for URL Patterns		Insider Threat
230	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Cookies	Default Cookie Setting	Keep cookies for the duration of the session		Insider Threat
231	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Cookies	Default Cookie Setting	Never allow sites to set cookies		Insider Threat
232	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Google Drive Syncing		Disable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Insider Threat
233	User	Likelihood ↧	Traveler Circumvent Mitigations	Content	Google Drive Syncing		Enable Google Drive syncing	"Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.	Insider Threat
234	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Images	Images	Do not show images	This is not relevant for security purposes and would cause any normal team member to be furious.	Insider Threat
235	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	JavaScript		Allow These Sites to Run JavaScript		Insider Threat
236	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	JavaScript	JavaScript	Do not allow sites to run JavaScript		Insider Threat
237	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Notifications	Notifications	Always ask the team member if a site can show desktop notifications	Because of the "exhausted Traveler 'just work!' problem" I think that initial acceptance of the initial phishing website to provide notifications will be hard to stop. After this the attacker can then send the notification based phishing attack at a later point.	Insider Threat
238	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Notifications	Notifications	Do not allow sites to show desktop notifications	It does fall under the basic guidelines for not destroying your team's workflow using security.	Insider Threat
239	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Outdated Plugins		Disallow outdated plugins	Again, they only allow flash, and it better be up to date with its crazy vulnerabilities in older versions	Insider Threat
240	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Plug-ins	Plug-ins	Block all plug-ins	Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)	Insider Threat
241	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Pop-ups	Pop-ups	Block all pop-ups	Another whitelist with all the whitelist problems. But, popups are SO prevalent that this is even worse than most. Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)	Insider Threat
242	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Safe Search and Restricted Mode	Google Safe Search for Google Web Search queries	Always use Safe Search for Google Web Search queries	All "Safe Search" does is filter explicit or pornographic images. Not relevant to our security model. And, if it gets in the way of researcher and/or personal device usage when traveling the team member is going to find a way to circumvent it.	Insider Threat
243	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Safe Search and Restricted Mode	Restricted Mode for YouTube	Enforce at least Moderate Restricted Mode on YouTube	Same as Safe Search, but for youtube videos. Not relevant and possibly leads to circumvention.	Insider Threat
244	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Safe Search and Restricted Mode	Restricted Mode for YouTube	Enforce Strict Restricted Mode for YouTube	Same as Safe Search, but for youtube videos. Not relevant and possibly leads to circumvention.	Insider Threat
245	User	Likelihood ↥	Traveler Circumvent Mitigations	Content	Screenshot		Disable screenshot	I see no reason to disable screenshot. Especially if team member's are conducting research, etc. where they may need screenshots of websites or temporary communications they have on the chromebook.	Insider Threat
246	Device	Likelihood ↥	Traveler Circumvent Mitigations	Device Update Settings	Auto Update Settings	Auto reboot after updates	Allow auto-reboots	This can be really annoying if you have devices set to be ephemeral and a team member is in a long-stretch of having their device on to work on something and all of a sudden it is reset and all their local data and credentials are wiped. In this case it might make sense to have those team member's on non-ephemeral devices, or to work with them on better workflows that support both ephemeral devices and longterm editing. But, either way it can be annoying.	Insider Threat
247	Device	Likelihood ↧	Traveler Circumvent Mitigations	Device Update Settings	Release Channel		Allow user to configure	The travel accounts should be on stable or configure by default. Don't put team member's on unstable platforms. They will end up having to use other devices that work.	Insider Threat
248	Device	Likelihood ↧	Traveler Circumvent Mitigations	Device Update Settings	Release Channel		Move to Beta Channel	Admins should have some devices here to test apps. team member's with unique app/workflow needs should also be able to test apps here if they want to. But, the travel accounts should be on stable or configure by default.	Insider Threat
249	Device	Likelihood ↧	Traveler Circumvent Mitigations	Device Update Settings	Release Channel		Move to Development Channel	Admins should have some devices here to test apps. team member's with unique app/workflow needs should also be able to test apps here if they want to. But, the travel accounts should be on stable or configure by default.	Insider Threat
250	Device	Likelihood ↧	Traveler Circumvent Mitigations	Enrollment & Access	Forced Re-enrollment		Force device to re-enroll into this domain after wiping	This will allow you to enforce specific devices for specific types of domains. If a team member tries to reset their device to use it with a regular account this will not work.	Insider Threat
251	Device	Likelihood ↥	Traveler Circumvent Mitigations	Enrollment & Access	Verified Access		Enable for Content Protection	Ahhh, built in copyright protections. I don't care about you at all for this context. But, possibly in the future your team member's will want to buy protected media from YouTube or others that use this. Who knows.	Insider Threat
252	Device	Likelihood ↥	Traveler Circumvent Mitigations	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	With this, team member's lose the ability to connect to these services from their other devices. If a team member has a workflow that Requires that they access services from other devices you need to find a way to make it work or they will circumvent the systems that are in-place.	Insider Threat
253	User	Likelihood ↥	Traveler Circumvent Mitigations	Hardware	Audio Input		Disable audio input	"I gotta give Google's chrome team some serious props for this one. When disabled, this won't allow any websites or applications use the internal microphone. While surveillance focused folks like myself would really like a hardware based switch for audio and video on our personal devices, this is a powerful tool for providing widescale assurances that none of your staff have installed apps that are secretly listening in. In the long-term I would move towards this with high-risk team's. But, you will have to get them all small headset/microphones and ensure that they remember to take them with them when they travel. This could be a huge impediment to their work if they can't use their ""secured travel device"" to conduct sensitive calls and/or video-chats. AV is always the worst. So, for team's I would start with it enabled, and then once you have made sure you can build adoption of the practices (and bought everyone nice travel headsets) you can move to disabling it."	Insider Threat
254	User	Likelihood ↥	Traveler Circumvent Mitigations	Hardware	Audio Output		Disable audio output		Insider Threat
255	User	Likelihood ↥	Traveler Circumvent Mitigations	Hardware	External Storage devices		Allow external storage devices (read only)	Don't break core functionality for security reasons.	Insider Threat
256	User	Likelihood ↥	Traveler Circumvent Mitigations	Hardware	External Storage devices		Disallow external storage devices	Don't break core functionality for security reasons.	Insider Threat
257	User	Likelihood ↥	Traveler Circumvent Mitigations	Hardware	Video Input		Disable video input	This makes me happy from a privacy perspective (except that you have to disable hangouts separately). But, the inability to whitelist anything except google hangouts could lead to it getting in the way of staff conducting their work. If you are only using google hangouts for video communications within your org, and among the possible partners your team will have to communicate with while traveling this could be a way to ensure that video based surveillance by apps cannot occur. The same considerations mentioned about the use of ephemeral devices still apply.	Insider Threat
258	User	Likelihood ↥	Traveler Circumvent Mitigations	Network	Proxy Settings		Always use the proxy auto-config specified below	Proxies be maddening for team member's in already low connectivity areas. They are likely to turn to other devices they have to get their work done if their chromebook is too slow because of a proxy. There are other ways of protecting traffic than an always on proxy.	Insider Threat
259	User	Likelihood ↥	Traveler Circumvent Mitigations	Network	Proxy Settings		Always use the proxy specified below	Proxies be maddening for team member's in already low connectivity areas. They are likely to turn to other devices they have to get their work done if their chromebook is too slow because of a proxy. There are other ways of protecting traffic than an always on proxy.	Insider Threat
260	User	Likelihood ↥	Traveler Circumvent Mitigations	Omnibox Search Provider	Omnibox Search Provider		Lock the Omnibox Search Provider settings to the values below	By choosing a search provider that is not liked by your team member's (for functionality or privacy reasons) you will have just crippled the omnibox forcing them into an alternative workflow to use a search they like. Remember, the omnibox is a convenience feature. A team member can go to whatever search engine they would like, just not from the omnibox.	Insider Threat
261	User	Likelihood ↥	Traveler Circumvent Mitigations	Omnibox Search Provider	Search Suggest		Never allow team member's to use Search Suggest		Insider Threat
262	Device	Likelihood ↥	Traveler Circumvent Mitigations	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.	Insider Threat
263	Device	Likelihood ↥	Traveler Circumvent Mitigations	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)	Insider Threat
264	User	Likelihood ↥	Traveler Circumvent Mitigations	Printing	Printing		Disable printing	Don't destroy a team member's ability to use the device to get the work done!	Insider Threat
265	User	Likelihood ↧	Traveler Circumvent Mitigations	Security	Geolocation		Allow sites to detect team member's' geolocation		Insider Threat
266	User	Likelihood ↥	Traveler Circumvent Mitigations	Security	Geolocation		Allow user to configure	This is unintentional circumvention in many cases. Giving a team member a one click ability to enable geolocation saps them of the ability to make choices about which future apps and sites should have geolocation access. But, these types of one-click decisions are often the choice that is made by a frustrated, jet-lagged, and stressed team member that is attempting to get their applications working more easily.	Insider Threat
267	User	Likelihood ↧	Traveler Circumvent Mitigations	Security	Geolocation		Always ask the team member if a site wants to detect their geolocation	This might be annoying to some traveler's. But, the tradeoff is important. Proper security awareness training around why should be available for those who find it difficult. Having your team member's trust that you will be receptive to their difficulties enough to reach out to tell you that this is difficult is critical for seemingly small things, like geolocation, that actually can have significant security implications because of the information they leak.	Insider Threat
268	User	Likelihood ↥	Traveler Circumvent Mitigations	Security	Geolocation		Do not allow sites to detect team member's' geolocation	Geolocation is included in many websites because it is incredibly convenient. Disabling it entirely will likely encourage team member's to circumvent this inconvenience by using other geolocation enabled devices for apps and sites that benefit from geolocation (i.e. direction and map apps)	Insider Threat
269	User	Likelihood ↥	Traveler Circumvent Mitigations	Security	Idle Settings		Idle time in minutes (leave empty for system default)	When searching for common complaints about chromebooks the short time until the system idles is a very common complaint. Adding a base idle time will ensure your team member's have a consistent experience across devices (idle time varies by device). But, making this too short will be counterproductive. Building security awareness to the level that you are confident that team member's are locking the screen when they walk away from their computer will be a more valuable intervention and less likely to push a team member to find ways to circumvent the security (e.g. using personal devices).	Insider Threat
270	User	Likelihood ↥	Traveler Circumvent Mitigations	Security	Lock Screen		Do not allow locking screen	Having all the applications and windows one had open wiped every time the have to walk away from their computer can become frustrating very quickly. As such, this option should be saved for specific higher risk environments.
271	User	Likelihood ↥	Traveler Circumvent Mitigations	Security	Malicious Sites		Prevent team member from proceeding anyway to malicious sites		Insider Threat
272	User	Likelihood ↥	Traveler Circumvent Mitigations	Session Settings	Show Logout Button in Tray		Does not show logout button in tray		Insider Threat
273	User	Likelihood ↧	Traveler Circumvent Mitigations	Session Settings	Show Logout Button in Tray		Show logout button in tray	Make it easy for team member's to follow the appropriate logout practices.	Insider Threat
274	Device	Likelihood ↥	Traveler Circumvent Mitigations	Sign-in Settings	Accessibility Control		Turn off accessibility settings on sign-in screen upon logout	Don't be evil. If a team member needs accessibility settings have them be saved between logins. You can always hard reset the device when you get it back to remove this. But, don't force the team member to keep reconfiguring their accessibility controls.	Insider Threat
275	Device	Likelihood ↥	Traveler Circumvent Mitigations	Sign-in Settings	Guest Mode		Do not allow guest mode	Not providing a way for the team member to browser in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions it takes much greater knowledge about where that history is saved to clear it out without modes like this.	Insider Threat
276	Device	Likelihood ↧	Traveler Circumvent Mitigations	Sign-in Settings	Guest Mode		Do not allow guest mode	With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.	Insider Threat
277	Device	Likelihood ↥	Traveler Circumvent Mitigations	Sign-in Settings	Sign-in Keyboard		[All the Keyboards]	Useful if all your team member's are of a non-english (the default) keyboard setup.	Insider Threat
278	Device	Likelihood ↥	Traveler Circumvent Mitigations	Sign-in Settings	Sign-in Language		[All the Languages]	Useful if all your team member's are of a non-english (the default) language.	Insider Threat
279	Device	Likelihood ↥	Traveler Circumvent Mitigations	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If accounts other than the sub-org accounts can access device team member's might log in with their personal accounts	Insider Threat
280	Device	Likelihood ↧	Traveler Circumvent Mitigations	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If accounts other than the sub-org accounts can access it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device.	Insider Threat
281	Device	Likelihood ↥	Traveler Circumvent Mitigations	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	If a team member cannot login to their (Sanitized) personal accounts when needed it can lead to issues.	Insider Threat
282	Device	Likelihood ↥	Traveler Circumvent Mitigations	Sign-in Settings	Single Sign-On Cookie Behavior		Disable transfer of SAML SSO Cookies into team member session during login	It can be annoying to have to log into multiple services each time you login	Insider Threat
283	Device	Likelihood ↧	Traveler Circumvent Mitigations	Sign-in Settings	Single Sign-On Cookie Behavior		Enable transfer of SAML SSO Cookies into team member session during login	It can be annoying to have to log into multiple services each time you login	Insider Threat
284	Device	Likelihood ↧	Traveler Circumvent Mitigations	Sign-in Settings	team member Data		Do not erase all local team member data	This is the opposite of the ephemeral mode we have been talking about. And for good reason. It does not delete all team member state between logins. This way any settings and/or configurations do not have to be re-entered every login. This is a lot less of a pain than the other option.	Insider Threat
285	Device	Likelihood ↥	Traveler Circumvent Mitigations	Sign-in Settings	team member Data		Erase all local team member data	This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.	Insider Threat
286	Device	Impact ↧	Traveler Circumvent Mitigations	User & Device Reporting	Device Reporting	Device State Reporting	Enable device state reporting	Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.	Insider Threat
287	Device	Likelihood ↧	Traveler Circumvent Mitigations	User & Device Reporting	Device Reporting	Device team member Tracking	Enable tracking recent device user's	Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data.	Insider Threat
288	Device	Impact ↧	Traveler Circumvent Mitigations	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if their has been an internet shutdown. (impact used as a way to indicate that by identifying one of these states earlier than you would otherwise you can react to it.)	Insider Threat
289	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Bookmark Bar		Disable bookmark bar	There is no security reason to disable this	Insider Threat
290	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Bookmark Bar		Enable bookmark bar	Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one.	Insider Threat
291	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Bookmark Editing		Disable bookmark editing	Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks.	Insider Threat
292	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Developer Tools		Never allow use of built-in developer tools	Don't dis empower team member's for no reason.	Insider Threat
293	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Download Location		Force Google Drive	We don't want forced online storage. Likely lead to unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.	Insider Threat
294	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Download Location		Local Downloads folder, but allow team member to change	By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.	Insider Threat
295	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Download Location		Set Google Drive as default, but allow team member to change	By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel accounts google drive. This is especially true in the case of more ephemeral focused setups.	Insider Threat
296	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Form Auto-fill		Never auto-fill forms	See all the previous comments about giving team member's the power to increase their security without breaking their workflow.	Insider Threat
297	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Google Translate		Never offer translation	Don't break all the useful things on the internet.	Insider Threat
298	User	Likelihood ↧	Traveler Circumvent Mitigations	User Experience	Multiple Sign-in Access		Block multiple sign-in access for team member's in this organization		Insider Threat
299	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Multiple Sign-in Access		Managed team member must be the primary team member (secondary team member's are allowed)	I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling.	Insider Threat
300	User	Likelihood ↥	Traveler Circumvent Mitigations	User Experience	Multiple Sign-in Access		Unrestricted team member access (allow any team member to be added to any other user's session)	I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling.	Insider Threat
301	User	Likelihood ↥	Traveler Circumvent Mitigations	Verified Access	Verified Access		Enable for Enterprise Extensions	With this, team member's lose the ability to connect to these services from their other devices. If a team member has a workflow that Requires that they access services from other devices you need to find a way to make it work or they will circumvent the systems that are in-place.	Insider Threat
302	User	Likelihood ↥	Traveler Detained	Apps and Extensions	Pinned Apps and Extensions		Manage pinned apps	Pinning apps makes them more easily used but also makes them more visible during a casual search by a border patrol. It is worth considering this trade off when pinning apps that might raise an officials suspicions if the device is casually examined.	Detained
303	User	Impact ↥	Traveler Detained	Security	Clear Browser History		Allow clearing history in settings menu	The laws around the destruction of evidence differ by country. An rough assessment of the legal risks associated with team member's clearing their history, using incognito mode, and/or ephemeral mode should be done in the early phases of exploring how to deal with data retention/destruction during travel.	Detained
304	Device	Impact ↥	Traveler Detained	Sign-in Settings	Autocomplete Domain		Use the domain name, set below, for autocomplete at sign in	If the domain that is used for travel accounts matches the domain of the organization and the organizational affiliation can be of issue for the traveler this will not force identification upon casual inspection of the device. ("domain shown" + "not welcome" + "unknown" + "domains =") = forced identification upon casual inspection which is bad ("domain shown" + "not welcome" + "known" + "domains =") = no impact.	Detained
305	Device	Impact ↧	Traveler Detained	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Detained
306	Device	Impact ↧	Traveler Detained	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Detained
307	Device	Impact ↥	Traveler Detained	Sign-in Settings	Single Sign-On IdP Redirection		Allow user's to go directly to SAML SSO IdP page	This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).	Detained
308	Device	Impact ↧	Traveler Detained	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if their has been an internet shutdown. (impact used as a way to indicate that by identifying one of these states earlier than you would otherwise you can react to it.)	Detained
309	Device	Likelihood ↧	Traveler Mislead/Lie to Border Officials	Enrollment & Access	Disabled device return instructions		Custom text to display	This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.	Legal
310	Device	Likelihood ↥	Traveler Mislead/Lie to Border Officials	Sign-in Settings	Autocomplete Domain		Use the domain name, set below, for autocomplete at sign in	If the domain that is used for travel accounts does not have any website or online presence and is attempting to hide the affiliation of the team member (this is a whole other can of worms that I'm not getting into) then this can open up the same "hiding identity risks." (""domain shown"" + ""not welcome"" + ""no online presence for domain"" + ""domains !="") = ""they are 'hiding their identity' which proves they are up to no good"" [bad]	Legal
311	Device	Impact ↥	Traveler Mislead/Lie to Border Officials	Sign-in Settings	Autocomplete Domain		Use the domain name, set below, for autocomplete at sign in	If the domain that is used for travel accounts does not have any website or online presence and is attempting to hide the affiliation of the team member (this is a whole other can of worms that I'm not getting into) then this can open up the same "hiding identity risks." (""domain shown"" + ""not welcome"" + ""no online presence for domain"" + ""domains !="") = ""they are 'hiding their identity' which proves they are up to no good"" [bad]	Legal
312	Device	Impact ↧	Traveler Mislead/Lie to Border Officials	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Legal
313	Device	Impact ↧	Traveler Mislead/Lie to Border Officials	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Legal
314	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	I will choose which private apps and extensions to include.	Private apps can be used to create organization specific web applications for a variety of purposes. You could, for instance, use it to add a pinned web app that links to the travel policy. This would be another way of ensuring that a team member who is forced to unlock and provide their device to easily show "proof of inaccess."	Legal
315	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Content	Client Certificates		Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it.	Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device. Of course, this requires clear and absolutist language to be included in the border-guard facing documentation to make this clear.	Legal
316	Device	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Enrollment & Access	Disabled device return instructions		Custom text to display	This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.	Legal
317	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	General	Avatar		Upload Avatar File	Custom Avatar is one of the ways to provide a "managed" indicator to help your staff prove that they are not able to access personal & sensitive content	Legal
318	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	General	Wallpaper		Upload Wallpaper File	Can be set to the travel policy // rules. Make this look like the overbearing IT / security team to make it clear to border officials that the team member is not in control of their account. Especially useful if the "restrictions" are very clearly laid out so the border control can understand in seconds that this is a waste of their time and beyond the control of the individual.	Legal
319	Device	Likelihood ↥	Traveler Perceived to be Misleading/Lying to Border Officials	Sign-in Settings	Autocomplete Domain		Use the domain name, set below, for autocomplete at sign in	If the domain that is used for travel accounts does not match the domain of the organization and the organizational affiliation can be of issue for the traveler this will show alternate affiliation upon casual inspection of the device. If the border official knows the affiliation already, or the Traveler needs to show affiliation this can cause issues. (""domain shown"" + ""not welcome"" + ""known"" + ""domains !="") = ""they are 'hiding their identity' which proves they are up to no good"" [bad] (""domain shown"" + ""not welcome"" + ""unknown"" + ""domains !="") = does not expose team member affiliation upon casual inspection"	Legal
320	Device	Impact ↥	Traveler Perceived to be Misleading/Lying to Border Officials	Sign-in Settings	Autocomplete Domain		Use the domain name, set below, for autocomplete at sign in	If the domain that is used for travel accounts does not match the domain of the organization and the organizational affiliation can be of issue for the traveler this will show alternate affiliation upon casual inspection of the device. If the border official knows the affiliation already, or the Traveler needs to show affiliation this can cause issues. (""domain shown"" + ""not welcome"" + ""known"" + ""domains !="") = ""they are 'hiding their identity' which proves they are up to no good"" [bad] (""domain shown"" + ""not welcome"" + ""unknown"" + ""domains !="") = does not expose team member affiliation upon casual inspection"	Legal
321	Device	Impact ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Legal
322	Device	Impact ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Legal
323	Device	Likelihood ↥	Traveler Perceived to be Misleading/Lying to Border Officials	Sign-in Settings	Single Sign-On IdP Redirection		Allow user's to go directly to SAML SSO IdP page	This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).	Legal
324	Device	Impact ↥	Traveler Perceived to be Misleading/Lying to Border Officials	Sign-in Settings	Single Sign-On IdP Redirection		Allow user's to go directly to SAML SSO IdP page	This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).	Legal
325	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Startup	Home Button		Always show 'Home' button	This, when combined with a default homepage with the "device usage rules" and proper team member training can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give their password they can simply inform the border guard to click on the homepage button to see IT's policy and prove that you don't have access.	Legal
326	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Startup	Homepage		Homepage is always the Homepage URL, set below	This has to be set for the "always show home button" option in [Startup > Home Button] to work.	Legal
327	User	Likelihood ↥	Traveler Perceived to be Misleading/Lying to Border Officials	Startup	Homepage		Homepage is always the new tab page	This can't be set for the "always show home button" option in [Startup > Home Button] to work.	Legal
328	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Startup	Pages to Load on Startup		Pages to Load on Startup	For even more forceful proof of inaccess the IT policies could be put in a page to load on startup. This would mean that a border guard who was just provided the login credentials would still immediately encounter the IT Policies.	Legal
329	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	Startup	Pages to Load on Startup		Pages to Load on Startup		Legal
330	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	User Experience	Managed Bookmarks		Managed Bookmarks	Managed bookmarks is another way for a Traveler to provide "proof of inaccess" without having every interface on their device covered in warnings. They can simply tell the border guard to look at the travel device policy in their bookmarks.	Legal
331	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	User Experience	Managed Bookmarks		Managed Bookmarks Folder Name	For proof of inaccess it could be valuable to name this something official.	Legal
332	User	Likelihood ↧	Traveler Perceived to be Misleading/Lying to Border Officials	User Experience	Multiple Sign-in Access		Block multiple sign-in access for team member's in this organization	Multiple accounts logged in on a device raises questions about the legitimacy of proof of inaccess provided by a user.	Legal
333	User	Likelihood ↥	Traveler/Partner Association Regulated	Apps and Extensions	Pinned Apps and Extensions		Manage pinned apps	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying Private apps. (i.e. Apps that link to organizational login portals, etc.)	Legal
334	User	Likelihood ↧	Traveler/Partner Association Regulated	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Legal
335	User	Likelihood ↥	Traveler/Partner Association Regulated	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use the 'For [YOUR_DOMAIN>TLD]' collection:	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Legal
336	User	Likelihood ↧	Traveler/Partner Association Regulated	Chrome Web Store	Chrome Web Store Homepage		What should the collection name be?	See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name.	Legal
337	Device	Impact ↥	Traveler/Partner Association Regulated	Enrollment & Access	Disabled device return instructions		Custom text to display	The disabled device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration.	Legal
338	Device	Impact ↥	Traveler/Partner Association Regulated	Enrollment & Access	Forced Re-enrollment		Force device to re-enroll into this domain after wiping	If a team member needs to switch over a personal account mid-trip because conditions have changed and their association with your organization has become more dangerous this would prohibit them from doing so.	Legal
339	User	Likelihood ↥	Traveler/Partner Association Regulated	Network	WebRTC UDP Ports		Maximum port (1024-65535)	One consideration here is that by setting this value to a very small set of unique ports it will act as a fingerprint your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team member's obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected, group of targeted actors within a country this could be used to uniquely identify associated chromebooks through passive monitoring. ) In most countries this is a HIGHLY unlikely scenerio. But, we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network level fingerprinting in an increasing number of threat environments.	Legal
340	User	Likelihood ↥	Traveler/Partner Association Regulated	Network	WebRTC UDP Ports		Minimum port (1024-65535)	One consideration here is that by setting this value to a very small set of unique ports it will act as a fingerprint your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team member's obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected, group of targeted actors within a country this could be used to uniquely identify associated chromebooks through passive monitoring. ) In most countries this is a HIGHLY unlikely scenerio. But, we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network level fingerprinting in an increasing number of threat environments.	Legal
341	Device	Likelihood ↥	Traveler/Partner Association Regulated	Sign-in Settings	Sign-in Keyboard		[All the Keyboards]	Not so useful if your default language might create some level of suspicion about your team member when a device is confiscated. i.e. entering a country that has serious issues with xenophobia against certain regions of the world.	Legal
342	Device	Likelihood ↥	Traveler/Partner Association Regulated	Sign-in Settings	Sign-in Language		[All the Languages]	Not so useful if your default language might create some level of suspicion about your team member when a device is confiscated. i.e. entering a country that has serious issues with xenophobia against certain regions of the world.	Legal
343	Device	Impact ↧	Traveler/Partner Association Regulated	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	If travel sub-organization's use a different domain then this feature would not force them to login using their organization's primary (tained) domain in front of border officials.	Legal
344	Device	Impact ↧	Traveler/Partner Association Regulated	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	If travel sub-organization's use a different domain then this can be used to limit the ability for the team member to be forced to login to their primary team member account at their organization when traveling. (Requires that only authorized devices can login in your organization and that the Traveler did not bring along any other authorized devices)	Legal
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060


1
2	Is there a way to make managed Chromebooks NOT display the organization's domain name?	A partial solution: add a secondary domain, add one user on that domain and allow it to enroll devices. Will show the secondary domain. Note: that does not limit the initial domain from showing when a device is disabled by an admin. Additionally using "domain autocomplete at sign-in" with another domain will show that domain. But, won't stop sign in on your primary travel account.


1	< Index
2	Setting	Impact	Requirement	Category	Title	Sub Item	Option	Comments

3	User	Inhibits	Allow for Greater Security	Content	Cookies	Default Cookie Setting	Allow sites to set cookies	I would consider this the default. You don't want the internet to seem broken on these devices. team member's will quickly abandon them if it feels that way.
4	User	Supports	Allow for Greater Security	Content	Cookies	Default Cookie Setting	Allow user to configure	With team member's with greater security awareness and/or aptitude who are going to multiple different threat environments this can be a useful option.
5	User	Supports	Allow for Greater Security	Content	Google Drive Syncing		Allow user to decide whether to use Google Drive syncing
6	User	Inhibits	Allow for Greater Security	Content	Google Drive Syncing		Enable Google Drive syncing
7	User	Inhibits	Allow for Greater Security	Content	JavaScript	JavaScript	Allow sites to run JavaScript
8	User	Inhibits	Allow for Greater Security	Content	Outdated Plugins		Allow outdated plugins to be used as normal plugins
9	User	Inhibits	Allow for Greater Security	Content	Plug-ins	Plug-ins	Run plug-ins automatically	Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738)
10	User	Inhibits	Allow for Greater Security	Content	Plugin Authorization		Always run plugins that require authorization
11	User	Supports	Allow for Greater Security	Content	Plugin Authorization		Ask for user permission before running plugins that require authorization	Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way.
12	User	Inhibits	Allow for Greater Security	Content	Pop-ups	Pop-ups	Allow all pop-ups	Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)
13	User	Inhibits	Allow for Greater Security	Content	Third-Party Cookie Blocking		Allow third-party cookies	This is another fingerprinting threat, and therefore not relevant for this context.
14	User	Inhibits	Allow for Greater Security	Network	Proxy Settings		Always auto detect the proxy	Are you kidding me.
15	User	Inhibits	Allow for Greater Security	Omnibox Search Provider	Omnibox Search Provider		Lock the Omnibox Search Provider settings to the values below	By locking to a search provider that is less secure than others you can disrupt the threat model of your travelers if they accidentally type an address wrong and it get's interpreted as a search.
16	User	Supports	Allow for Greater Security	Omnibox Search Provider	Search Suggest		Always allow team member's to use Search Suggest	See all the previous comments about giving team member's the power to increase their security without breaking their workflow.
17	User	Inhibits	Allow for Greater Security	Security	Geolocation		Allow sites to detect team member's' geolocation
18	User	Supports	Allow for Greater Security	Security	Incognito Mode		Allow incognito mode	Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode.
19	User	Inhibits	Allow for Greater Security	Security	Incognito Mode		Disallow incognito mode
20	User	Inhibits	Allow for Greater Security	Security	Password Manager		Always allow use of password manager	Since the third option allows a team member to configure this option I see no reason to prevent some team member's from enabling greater security by turning password manager usage off. If you are thinking about this option just use the "team member configuration" option instead.
21	User	Inhibits	Allow for Greater Security	Startup	Homepage		Homepage is always the new tab page
22	User	Supports	Allow for Greater Security	User Experience	DNS Pre-fetching		Allow user to configure	I don't think that not pre-fetching will impact the team member significantly. And, I feel like this is the kind of option that will be clicked on by a team member who is trying to get the internet running quicker without understanding how it impacts their risk model.
23	User	Supports	Allow for Greater Security	User Experience	DNS Pre-fetching		Always pre-fetch DNS
24	User	Inhibits	Allow for Greater Security	User Experience	Download Location		Force Google Drive	We don't want forced online storage. If a team member needs to keep their profile free of downloads for their own increased security forcing this will get in their way.
25	User	Supports	Allow for Greater Security	User Experience	Form Auto-fill		Allow user to configure	See all the previous comments about giving team member's the power to increase their security without breaking their workflow.
26	User	Supports	Allow for Greater Security	User Experience	Google Translate		Allow user to configure
27	User	Inhibits	Allow for Greater Security	User Experience	Google Translate		Always offer translation	See all the previous comments about giving team member's the power to increase their security without breaking their workflow.
28	User	Supports	Allow for Greater Security	User Experience	Spell Check Service		Allow user to decide whether to use the spell checking web service	Like many other information leaks in chrome this is very threat-model specific. But, as with those, it is important to allow for team member's with greater security needs to add those controls without destroying the workflow of others.
29	User	Inhibits	Allow for Greater Security	User Experience	Spell Check Service		Enable the spell checking web service	Chrome does come with a client-side spell checker. This option will enable the web-based spell checker that sends all a team member's typing to Google's servers. Note, that if the team member is using google docs it is already using this feature, just natively within google docs.
30	Device	Inhibits	Allow for Greater Security	Device Update Settings	Auto Update Settings	Auto Update	Stop auto-updates	If you don't have an admin with this capability and capacity to quickly check and release updates then this will require allowing updates and building staff capacity at finding alternate solutions when things break. Because updates are critical for security. Don't let an admin's fear of things breaking combined with a lack of time get in the way of real security.
31	Device	Supports	Allow for Greater Security	Device Update Settings	Release Channel		Allow user to configure	The travel accounts should be on stable or configure by default. Don't put team member's on unstable platforms. It's just not cool.
32	Device	Supports	Allow for Greater Security	Sign-in Settings	Guest Mode		Allow guest mode
33	Device	Inhibits	Allow for Greater Security	Sign-in Settings	Guest Mode		Do not allow guest mode	Not providing a way for the team member to browser in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions it takes much greater knowledge about where that history is saved to clear it out without modes like this.
34	Device	Inhibits	Allow for Greater Security	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
35	User	Supports	Localizable & Internationalizable Practices	Android applications	Unknown Sources		Allow install from unknown sources	If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team member's need are not included in the play store they will likely still bring along their own devices. (See the many places I discuss the problems with team member's having to bring additional devices along.)
36	User	Inhibits	Localizable & Internationalizable Practices	Android applications	Unknown Sources		Do not allow install from unknown sources	If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team member's need are not included in the play store they will likely still bring along their own devices. (See the many places I discuss the problems with team member's having to bring additional devices along.)
37	User	Both	Localizable & Internationalizable Practices	Apps and Extensions	App and Extension Install Sources		List of URL Patterns	If you have an international team you must take into consideration that there are a multitude of app-sources/stores and many of them have apps and extensions that are widely used, but are not included in Google Play..
38	User	Inhibits	Low Resourced Administrator	Enrollment Controls	Enrollment Permissions		Do not allow team member's in this organization to enroll new or deprovisioned devices	This option requires a greater amount of administrator availability to ensure that device enrolment does not impede the team's ability to add, and fully reset devices during travel.
39	User	Inhibits	Low Resourced Administrator	Enrollment Controls	Device Enrollment		Place Chrome device in team member organization	A user's organizational unit determines which services and features are available to that user. By putting all our temporary travel accounts into a specific team member organization designated for travel we can set our travel team member permissions in that organizational unit once, instead of every time we create a new user. This also applies to Solo team member's who want to increase the ease of device setup and refreshing.
40	User	Supports	Low Resourced Administrator	Chrome Web Store	Chrome Web Store Homepage	Which private apps should be included in the collection?	Include all private apps and extensions from my domain.	Because we are restricting team member's to a "travel" sub-organization we can segment any "internal" private apps used in daily business from the apps that are available during travel. This allows administrators to manage what apps are available simply by adding and/or removing them from the organization. This would allow them to avoid the extra step of adding those apps in this menu. When team member's are given permission to publish private apps this can increase our attack surface. [See "Chrome Web Store Permissions"].
41	User	Supports	Low Resourced Administrator	Apps and Extensions	Force-installed Apps and Extensions		Manage force-installed apps	The auto-installation of these apps will also decrease the number of steps an administrator needs to worry about during the device setup process.
42	User	Inhibits	Low Resourced Administrator	Content	Cookies		Allow Cookies for URL Patterns	If you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.
43	User	Requires	Receptive and Trusted Admin/Security Team	Content	Cookies		Allow Cookies for URL Patterns	If you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.
44	User	Requires	Receptive and Trusted Admin/Security Team	Content	Cookies		Allow Session-Only Cookies for URL Patterns	You might create a VERY broad URL pattern for this to allow session cookies for large swaths of the internet when persistent cookies are otherwise blocked. Of course, like with the other cookie whitelists if you have a lot of team member's doing white/blacklisting in this way is going to be a LOT of work to get all the convenience sites that your team member's want. The workload can lead to overly restrictive policies because of an exhausted administrative staff.
45	User	Requires	Receptive and Trusted Admin/Security Team	Content	Cookies	Default Cookie Setting	Keep cookies for the duration of the session
46	User	Requires	Receptive and Trusted Admin/Security Team	Content	Cookies	Default Cookie Setting	Never allow sites to set cookies	You don't want the internet to seem broken on these devices. team member's will quickly abandon them if it feels that way.
47	User	Supports	Receptive and Trusted Admin/Security Team	Content	Google Drive Syncing		Enable Google Drive syncing	This, when used in the following travel document support use-case, can make the travel device far more useful for the Traveler than it would be otherwise. Offline access to required documents is a very useful thing. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device.
48	User	Requires	Receptive and Trusted Admin/Security Team	Content	JavaScript		Allow These Sites to Run JavaScript
49	User	Requires	Receptive and Trusted Admin/Security Team	Content	JavaScript	JavaScript	Do not allow sites to run JavaScript
50	User	Requires	Receptive and Trusted Admin/Security Team	Content	Notifications		Allow These Sites to Show Desktop Notifications
51	User	Requires	Receptive and Trusted Admin/Security Team	Content	Notifications	Notifications	Do not allow sites to show desktop notifications
52	User	Requires	Receptive and Trusted Admin/Security Team	Content	Outdated Plugins		Disallow outdated plugins
53	User	Supports	Receptive and Trusted Admin/Security Team	Content	Plug-ins		Allow Plug-ins on These Sites	if there is a small group of folks that need flash apps when they travel (I'm thinking of accountants and the hellish systems they are forced to use or people who have to interact with government websites) I would use the "allow plug-ins on these sites" option to limit where flash is allowed to run. Because it is soon to be deprecated it makes sense to maintain this whitelist even if it is a bit onerous for your administrator.
54	User	Requires	Receptive and Trusted Admin/Security Team	Content	Plug-ins	Plug-ins	Block all plug-ins
55	User	Requires	Receptive and Trusted Admin/Security Team	Content	Pop-ups	Pop-ups	Block all pop-ups	Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.)
56	User	Requires	Receptive and Trusted Admin/Security Team	Omnibox Search Provider	Omnibox Search Provider		Lock the Omnibox Search Provider settings to the values below	By choosing a search provider that is not liked by your team member's (for functionality or privacy reasons) you will have just crippled the omnibox forcing them into an alternative workflow to use a search they like. Remember, the omnibox is a convenience feature. A team member can go to whatever search engine they would like, just not from the omnibox.
57	User	Requires	Receptive and Trusted Admin/Security Team	Security	Geolocation		Always ask the team member if a site wants to detect their geolocation
58	User	Requires	Receptive and Trusted Admin/Security Team	Security	Geolocation		Do not allow sites to detect team member's' geolocation	Geolocation is included in many websites because it is incredibly convenient. Disabling it entirely will likely encourage team member's to circumvent this inconvenience by using other geolocation enabled devices for apps and sites that benefit from geolocation (i.e. direction and map apps)
59	User	Requires	Receptive and Trusted Admin/Security Team	User Experience	DNS Pre-fetching		Never pre-fetch DNS	I don't think that not pre-fetching will impact the team member in any meaningful way. And, I feel like this is the kind of option that will be clicked on by a team member who is trying to get the internet running quicker without understanding how it impacts their risk model.
60	User	Requires	Receptive and Trusted Admin/Security Team	User Experience	Multiple Sign-in Access		Block multiple sign-in access for team member's in this organization	Without multiple-sign in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team member's logged in ""without having to sign out of their account and sign back in to another"". This one really depends on the workflow of your team member's.
61	User	Requires	Receptive and Trusted Admin/Security Team	Verified Access	Verified Access		Enable for Enterprise Extensions	With this, team member's lose the ability to connect to these services from their other devices. If a team member has a workflow that Requires that they access services from other devices you need to find a way to make it work or they will circumvent the security.
62	Device	Requires	Receptive and Trusted Admin/Security Team	Device Update Settings	Auto Update Settings	Auto reboot after updates	Allow auto-reboots	Auto-Reboots can be really annoying if you have devices set to be ephemeral and a team member is in a long-stretch of having their device on to work on something and all of a sudden it is reset and all their local data and credentials are wiped. In this case it might make sense to have those team member's on non-ephemeral devices, or to work with them on better workflows that support both ephemeral devices and longterm editing. But, either way it can be annoying.
63	Device	Supports	Receptive and Trusted Admin/Security Team	Device Update Settings	Release Channel		Move to Beta Channel	Admins should have some devices here to test apps. team member's with unique app/workflow needs should also be able to test apps here if they want to. But, the travel accounts should be on stable or configure by default.
64	Device	Supports	Receptive and Trusted Admin/Security Team	Device Update Settings	Release Channel		Move to Development Channel	Admins should have some devices here to test apps. team member's with unique app/workflow needs should also be able to test apps here if they want to. But, the travel accounts should be on stable or configure by default.
65	Device	Requires	Receptive and Trusted Admin/Security Team	Enrollment & Access	Disabled device return instructions		Custom text to display	This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.
66	Device	Requires	Receptive and Trusted Admin/Security Team	Enrollment & Access	Verified Access		Enable for Enterprise Extensions	With this, team member's lose the ability to connect to these services from their other devices. If a team member has a workflow that Requires that they access services from other devices you need to find a way to make it work or they will circumvent the security.
67	Device	Requires	Receptive and Trusted Admin/Security Team	Other	System timezone automatic detection		Always use coarse timezone detection	This uses the IP-only method of figuring out your local time zone. VPN's and Tor can cause problems here so if you are having your team member's use secure tunnels you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.
68	Device	Requires	Receptive and Trusted Admin/Security Team	Other	System timezone automatic detection		Never auto-detect timezone	The IP-only method of figuring out your local time zone can get messed up by VPN's and Tor. So if you are having your team member's use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team member's about why it shows the wrong time or just force never auto-detect timezone.
69	Device	Requires	Receptive and Trusted Admin/Security Team	Other	Time Zone		[All the timezones]	If you have a specific timezone that your team member's want as a default and the devices are being reset from some other location this might make sense. I don't really see it though.
70	Device	Requires	Receptive and Trusted Admin/Security Team	Other	USB Detachable Whitelist		List of VID:PID pairs	This let's you whitelist USB devices that can be accessed directly by applications. By default USB flash drives, webcam and headset are not redirected to applications. So, in order to allow a remote desktop or desktop virtualization software able to run off of a specific piece of hardware you have to approve that hardware in the interface. If you are going to be buying usb headsets for your staff to use when traveling, make sure you only get a few different kinds and then whitelist them here.
71	Device	Requires	Receptive and Trusted Admin/Security Team	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.
72	Device	Requires	Receptive and Trusted Admin/Security Team	Power & Shutdown	Scheduled Reboot		Number of days before reboot; leave empty for unset	In the future this will be another way to thwart data that is left on team member's devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team member's to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?)
73	Device	Requires	Receptive and Trusted Admin/Security Team	Sign-in Settings	Guest Mode		Allow guest mode	With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds.
74	Device	Requires	Receptive and Trusted Admin/Security Team	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
75	Device	Requires	Receptive and Trusted Admin/Security Team	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	If a team member cannot login to their (Sanitized) personal accounts when needed it can lead to issues.
76	Device	Requires	Receptive and Trusted Admin/Security Team	Sign-in Settings	team member Data		Erase all local team member data	This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device.
77	Device	Requires	Receptive and Trusted Admin/Security Team	User & Device Reporting	Device Reporting	Device State Reporting	Enable device state reporting	Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.
78	Device	Supports	Receptive and Trusted Admin/Security Team	User & Device Reporting	Device Reporting	Device State Reporting	Enable device state reporting	Allows you to keep track of the status of your devices. Most importantly this one allows you to see if one of your team member devices has had their boot mode changed (one of the ways to compromise a chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, to make sure that if they need greater access you can support it in the future.
79	Device	Requires	Receptive and Trusted Admin/Security Team	User & Device Reporting	Device Reporting	Device team member Tracking	Enable tracking recent device user's	Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data.
80	Device	Supports	Receptive and Trusted Admin/Security Team	User & Device Reporting	Device Reporting	Device team member Tracking	Enable tracking recent device user's	Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data.
81	Device	Requires	Receptive and Trusted Admin/Security Team	User & Device Reporting	Inactive Device Notifications	Email addresses to receive notification reports	Email addresses to receive notification reports	Make sure that the people who see these know what they mean and that there are redundancies who has access so incidents don't get missed.
82	Device	Requires	Receptive and Trusted Admin/Security Team	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen.
83	Device	Supports	Receptive and Trusted Admin/Security Team	User & Device Reporting	Inactive Device Notifications	Inactive Device Notification Reports	Enable inactive device notifications	Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen.
84	User	Requires	Receptive and Trusted Admin/Security Team	Enrollment Controls	Enrollment Permissions		Allow user's in this organization to enroll new or deprovisioned devices	It should be noted that a team member who purchase a chromebook independently will often have to also purchase the "management license" for that chromebook separately. If you are going to support team member enrollment make sure you have clear, easy to follow guidance that your will guide your team member's through the steps required to prepare the device for enrollment.
85	User	Supports	Receptive and Trusted Admin/Security Team	Android applications	Access to Android applications		Allow	This may be useful for gaining initial adoption when you do not have the capacity to do an assessment of the app needs of all of your team member's.
86	User	Inhibits	Security must not make the traveler ineffective	Hardware	Video Input		Disable video input	Make sure that your traveler's do not need to use non-google video apps to communicate with their partners, etc when they are traveling.
87	User	Supports	Security must not make the traveler ineffective	Android applications	Android applications on Chrome devices		Allow	Adding android applications opens up a range of possibilities for making the chromebook more useful, usable, and more secure for your team member's. It can also considerably increase the attack surface you have to contend with. When I considered this I decided that by increasing the utility of the device was more likely to build adoption and adherence to the security procedures.
88	Device	Supports	Security must not make the traveler ineffective	Device Update Settings	Auto Update Settings	Randomly scatter auto-updates over	[1-14] Day(s)	If you have multiple team member's traveling together who are all using their own chrome devices in a country with limited connectivity scattering updates will limit the traffic spike of them all attempting to update at the same time.
89	Device	Inhibits	Security must not make the traveler ineffective	Device Update Settings	Auto Update Settings	Randomly scatter auto-updates over	None	If you have multiple team member's traveling together who are all using their own chrome devices in a country with limited connectivity scattering updates will limit the traffic spike of them all attempting to update at the same time.
90	Device	Inhibits	Security must not make the traveler ineffective	Enrollment & Access	Disabled device return instructions		Custom text to display	This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination.
91	Device	Inhibits	Security must not make the traveler ineffective	Power & Shutdown	Power Management		Allow device to sleep/shut down when idle on the sign-in screen	This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team member's are relying on offline mode, etc. This can lead to big problems. So, be careful with this one.
92	Device	Inhibits	Security must not make the traveler ineffective	Sign-in Settings	Sign-in Restriction		Do not allow any users to Sign-in	This would limit a significant amount of the controls we have put in place. So, no. Don't use this.
93	User	Supports	Security must not make the traveler ineffective	User Experience	Bookmark Bar		Allow user to decide whether to enable bookmark bar	Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one.
94	User	Supports	Security must not make the traveler ineffective	User Experience	Bookmark Bar		Enable bookmark bar	Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one.
95	User	Supports	Security must not make the traveler ineffective	Apps and Extensions	Pinned Apps and Extensions		Manage pinned apps	Pinning apps that are common in team member's workflows will make it easier and quicker for a team member to adopt to the chromebook workflow.
96	User	Supports	Self-Managed Considerations	Enrollment Controls	Device Enrollment		Place Chrome device in team member organization	This will make it far easier for self-managed groups to grow without providing everyone with an administrator account. By using this option the member's can simply add their own devices and the administrators only have to worry about the apps to use, etc.
97	User	Inhibits	Self-Managed Considerations	Enrollment Controls	Enrollment Permissions		Do not allow team member's in this organization to enroll new or deprovisioned devices	This option requires a greater amount of administrator availability to ensure that device enrolment does not impede the team's ability to add, and fully reset devices during travel.
98	User	Inhibits	Self-Managed Considerations	Enrollment Controls	Asset Identifier During Enrollment		team member's in this organization can provide asset ID and location during enrollment	If you are an individual you don't need to track who has what hardware.
99	User	Supports	Self-Managed Considerations	Enrollment Controls	Enrollment Permissions		Allow user's in this organization to enroll new or deprovisioned devices	It should be noted that a team member who purchase a chromebook independently will often have to also purchase the "management license" for that chromebook separately. If you are going to support team member enrollment make sure you have clear, easy to follow guidance that your will guide your team member's through the steps required to prepare the device for enrollment.
100	User	Supports	Self-Managed Considerations	Enrollment Controls	Enrollment Permissions		Allow user's in this organization to enroll new or deprovisioned devices	Self managed groups: This might makes it easier for self-managed groups to increase the number of chromebooks being used without providing everyone with an administrator account. By using this option the member's can simply add their own devices and the administrators only have to worry about the apps to use, etc.
101	User	Supports	Support Personal Computing Needs	Hardware	Audio Input		Disable audio input	By disabling internal microphones you have greater assurances that the apps that your team member's are installing are not listening in on them at all times. This helps to lock down the device even if the team member installed a non-work-related app that attempts to listen to the environment. I gotta give Google's chrome team some serious props for this one. When disabled, this won't allow any websites or applications use the internal microphone. While surveillance focused folks like myself would really like a hardware based switch for audio and video on our personal devices, this is a powerful tool for providing widescale assurances that none of your staff have installed apps that are secretly listening in.
102	User	Inhibits	Support Personal Computing Needs	Hardware	Video Input		Disable video input	This removed the traveler's ability to use a webcam to chat with their loved ones unless they are using google hangouts. Depending upon how you support this, this would get in the way of many traveler's personal needs.
103	User	Requires	Support Personal Computing Needs	User Experience	Multiple Sign-in Access		Block multiple sign-in access for team member's in this organization	I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling.
104	Device	Requires	Support Personal Computing Needs	Sign-in Settings	Sign-in Restriction		comma-delimited list of usernames	You can use *.YOURDOMAIN domain to limit across the board. Also important to take into consideration possible secondary google apps domains that your team member's might need to access, and keep separate from their current device, on their account.
105	Device	Requires	Support Personal Computing Needs	Sign-in Settings	Sign-in Restriction		Restrict Sign-in to list of users:	This will allow you to limit the ability for personal accounts to be used with these chromebooks. As with all other restrictions on team member capabilities this should be done after working with your team member's to identify an appropriate solution for meeting their personal computing needs during travel.
106	Device	Supports	Support Personal Computing Needs	User & Device Reporting	Device Reporting	Device team member Tracking	Enable tracking recent device user's	Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data.
107	User	Supports	Widely Dispersed Team	Chrome Web Store	Chrome Web Store Homepage	Chrome Web Store Homepage	Use a custom page, set below	The Chrome Web Store Recommendations can be a valuable tool. In distributed and/or largely independent team's it provides a simple portal for app recommendations for commonly requested mitigations. As a team member perceives their threat landscape changing around them they may decide to incorporate additional technical mitigations (such as VPN's, password managers, encrypted communications tools, etc.). The security team and/or administrators can seed the recommendations section with the apps that have been previously used and evaluated.
108	User	Inhibits	Allow for Greater Security	Startup	Homepage		Homepage is always the new tab page	New tab page exposes commonly used websites. This is an information exposure vector that some travlers may not want. "If you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#NTP
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947


1	< Index
2	Term	Definition	Source

3	Bookmark Bar
4	Chrome OS CA Certificates
5	Chrome Password Manager	Not a regular password manager... this is the chrome one.
6	Chrome Plug-Ins
7	Client Certificate
8	Compatibility	How consistent the innovation is with the values, experiences, and needs of the potential adopters.	Diffusion of Innovation Theory
9	Complexity	How difficult the innovation is to understand and/or use.	Diffusion of Innovation Theory
10	Content Protection (Verified Mode)
11	Cookies
12	data compression proxy
13	Desktop Notifications
14	Device Enrollment
15	DNS Pre-fetching
16	Enterprise Extensions
17	Google Cloud Print
18	Google Drive Syncing
19	Guest Mode
20	Impact ↥
21	Impact ↧
22	incognito mode
23	IP-Only Timezone Identification
24	Kiosk Mode
25	Likelihood ↥
26	Likelihood ↧
27	local team member data
28	Lock Screen
29	Logout
30	malicious sites
31	Managed Bookmarks
32	Multiple Sign-in Access
33	Observability	The extent to which the innovation provides tangible results.	Diffusion of Innovation Theory
34	OCSP/CRL
35	Omnibox Search Provider
36	Organizational Identity Provider (IdP)
37	persistent Cookies
38	Pinned apps
39	Private apps and extensions
40	Privilege Group
41	Proof Of Inaccess	The "proof of inaccess" mitigation is a set of smaller controls that are put in place to provide "proof" to a border guard that the Traveler only has access to the accounts they have provided and that they have no ability to regain access to those accounts without an external party intervening. (administrators, security team, etc.).
42	Proxy
43	Public Session Kiosk
44	QUIC Protocol
45	Relative Advantage	The degree to which an innovation is seen as better than the idea, program, or product it replaces.	Diffusion of Innovation Theory
46	Remote Access Client
47	Remote Access Host
48	Restricted Mode on YouTube
49	Safe Browsing
50	Safe Search
51	SAML SSO Cookies
52	Search Suggest
53	Security Assertion Markup Language (SAML)
54	Sensitive Contacts	In-Country people and organization's whom, if officials knew were connected to the Traveler and/or their activities during the trip, could lead to unacceptable impacts to the travel or themselves during the trip.
55	Sensitive Data	Data that could lead to unacceptable impacts for the team/organization, the travelers, their partners, or their beneficiaries.
56	SHA-1 deprecation
57	Single App Kiosk
58	Single Sign-On (SSO)
59	Sleep
60	Smart Lock
61	SSL record splitting
62	Third-Party Cookies
63	TPM
64	Triability	The extent to which the innovation can be tested or experimented with before a commitment to adopt is made.	Diffusion of Innovation Theory
65	Unknown sources
66	USB VID:PID Pairs
67	Verified Access
68	Verified Mode
69	Verified Mode Boot
70	WebGL
71	WebRTC
72	WiFi AP Timezone API


1	< Index
2	Type	Needs Full Incorporation	Name	Link

3	G Suite Settings	N/A	G Suite main settings index	https://admin.google.com/AdminHome?pli=1&fral=1#AppDetails:service=chrome+os
4	G Suite Settings	N/A	G Suite Device Settings menu	https://admin.google.com/AdminHome?pli=1&fral=1#ServiceSettings/notab=1&service=chrome+os&subtab=devicesettings
5	G Suite Settings	N/A	G Suite Public Session Settings menu	https://admin.google.com/AdminHome?pli=1&fral=1#ServiceSettings/notab=1&service=chrome+os&subtab=publicaccountsettings
6	G Suite Settings	N/A	G Suite User Settings menu	https://admin.google.com/AdminHome?pli=1&fral=1#ServiceSettings/notab=1&service=chrome+os&subtab=usersettings
7	General Info	No	Chrome Device Deployment Guide	https://docs.google.com/document/d/1QtgW1rdyqaGVP3cqDSagTacewsND41t22hD3hdS7b-w/edit
8	General Info	No	Manage Chromebooks using Active Directory	https://storage.googleapis.com/support-kms-prod/830E9C5A45A805B87FDDF591DABD883705EE
9	General Info	No	Mobile Device Management Help	https://support.google.com/a/answer/6328699?hl=en
10	General Info	Yes	Chrome Device Settings Help	https://support.google.com/chrome/a/answer/1375678?hl=en#enrollment-access
11	General Info	Yes	Chrome User Settings Help	https://support.google.com/chrome/a/answer/2657289?hl=en&ref_topic=2935995
12	General Info	No	Public Session Settings Help	https://support.google.com/chrome/a/answer/3017014?hl=en
13	General Info	No	Android Application Settings Help	https://support.google.com/chrome/a/answer/7131624?hl=en
14	General Info	No	Chromium OS Design Docs - Protecting Cached team member Data	https://www.chromium.org/chromium-os/chromiumos-design-docs/protecting-cached-user-data
15	General Info	No	Chromium OS Design Docs - Security Overview	https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview
16	General Info	No	Chromium OS Design Docs - System Hardening	https://www.chromium.org/chromium-os/chromiumos-design-docs/system-hardening
17	General Info	No	Chromium OS Design Docs - Verified Boot	https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
18	General Info	No	Chromium OS Design Docs - Secure Web Proxy	https://www.chromium.org/developers/design-documents/secure-web-proxy
19	Citation	No	Group Policy Administrative Templates Catalog (Chrome)	http://getadmx.com/?Category=Chrome
20	Citation	N/A	"Brazilian Court Orders Google To Remove 'Secret' App From The Play Store And Remotely Wipe It From Phones"	http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/
21	Citation	Yes	Constraints: what they are and how they’re used	https://blogs.technet.microsoft.com/pki/2014/03/05/constraints-what-they-are-and-how-theyre-used/
22	Citation	Yes	Chrome Issue: Deprecate chrome://plugins	https://bugs.chromium.org/p/chromium/issues/detail?id=615738
23	Citation	N/A	CAPEC-195: Principal Spoof	https://capec.mitre.org/data/definitions/195.html
24	Citation	N/A	CAPEC-595: Connection Reset	https://capec.mitre.org/data/definitions/595.html
25	Citation	N/A	CAPEC-603: Blockage	https://capec.mitre.org/data/definitions/603.html
26	Citation	N/A	CAPEC-616: Establish Rogue Location	https://capec.mitre.org/data/definitions/616.html
27	Citation	N/A	CAPEC-89: Pharming	https://capec.mitre.org/data/definitions/89.html
28	Citation	N/A	CAPEC-98: Phishing	https://capec.mitre.org/data/definitions/98.html
29	Citation	N/A	Clever Badges	https://clever.com/products/badges
30	Citation	Yes	Web Fundamentals: Chrome Notification Behavior	https://developers.google.com/web/fundamentals/engage-and-retain/push-notifications/notification-behaviour
31	Citation	N/A	dnstwist	https://github.com/elceef/dnstwist
32	Citation	Yes	Client Side Loader Source Code for Safe Browsing on Chromium	https://github.com/scheib/chromium/blob/9ae6b4f4a8679c8598316544dccf378b86f99845/chrome/browser/safe_browsing/client_side_model_loader.cc
33	Citation	No	Choosing Strategy over Tactics	https://medium.com/@seamustuohy/choosing-strategy-over-tactics-77aec0c0a53c
34	Citation	Yes	[FAQ] "PUPs" - Potentially Unwanted Programs	https://productforums.google.com/forum/#!msg/websearch/6W1JbCZMjMU/qCm7oM8cIMQJ
35	Citation	Yes	Additional domains FAQ	https://support.google.com/a/answer/175747
36	Citation	No	Access another computer with Chrome Remote Desktop	https://support.google.com/chrome/answer/1649523
37	Citation	Yes	Twitter comments on why users might need to override malicious ID classification	https://twitter.com/brettmorrison/status/891804686579359745
38	Citation	N/A	My Twitter	https://twitter.com/seamustuohy
39	Citation	No	Google Privacy Policy - Information we collect	https://www.google.com/policies/privacy/#infocollect
40	Citation	No	SANS Critical Security Controls	https://www.sans.org/critical-security-controls
41	Citation	Yes	X.509 Name Constraints certificate extension – all you should know	https://www.sysadmins.lv/blog-en/x509-name-constraints-certificate-extension-all-you-should-know.aspx
42	Citation	Yes	SHA-1 Certificates in Chrome	https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html
43	General Info	No	Google Chrome Privacy Whitepaper	https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html
44	Citation	Yes	Copilot HTTPS and the QUIC protocol	https://twitter.com/seamustuohy/status/805474243509186561
45	Citation	Yes	Chrome Security FAQ	https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md
46	Citation	Yes	How private browsing works	https://support.google.com/chrome/answer/7440301
47	Citation	No	Technical analysis of client identification mechanisms	https://dev.chromium.org/Home/chromium-security/client-identification-mechanisms
48	Citation	Yes	OCSP: Check For Server Certificate Revocation checkbox is confusing	https://bugs.chromium.org/p/chromium/issues/detail?id=361820
49	General Info	No	Google Safe Browsing	https://safebrowsing.google.com/
50	Citation	Yes	Turks detained for using encrypted app 'had human rights breached'	https://www.theguardian.com/world/2017/sep/11/turks-detained-encrypted-bylock-messaging-app-human-rights-breached
51	Citation	Yes	Turkey coup plotters' use of 'amateur' app helped unveil their network	https://www.theguardian.com/technology/2016/aug/03/turkey-coup-gulen-movement-bylock-messaging-app
52	Citation	Yes	DHS proposes to add request for social media identifiers to ESTA and to Form I-94W:	https://www.federalregister.gov/documents/2016/06/23/2016-14848/agency-information-collection-activities-arrival-and-departure-record-forms-i-94-and-i-94w-and#h-11
53	Citation	Yes	Illustrative List Of Overregulation Of Non Profit Organizations (Iv. Limitation To The Right To Communication And Cooperation)	http://fatfplatform.org/wp-content/uploads/2015/10/Catalogue-of-government-overregulation-July-2015_final-.pdf#page=6
54	Citation	Yes	Defending Civil Society Report	http://fatfplatform.org/wp-content/uploads/2015/02/DCS_Report_Second_Edition_English.pdf
55	General Info	Yes	Security Brag Sheet	https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
56	General Info	Yes	Chrome Sandbox	https://chromium.googlesource.com/chromium/src/+/b4730a0c2773d8f6728946013eb812c6d3975bec/docs/design/sandbox.md
57	General Info	Yes	Chrome-specific security education documentation	https://www.chromium.org/Home/chromium-security/education
58	General Info	Yes	Technical analysis of client identification mechanisms	https://dev.chromium.org/Home/chromium-security/client-identification-mechanisms
59	General Info	Yes	Chrome Extensions: Threat Analysis and Countermeasures	http://www.cse.psu.edu/~trj1/cse597-s13/docs/chrome_ext_ndss_12.pdf
60	General Info	Yes	The Security Architecture of the Chromium Browser	http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf
61	General Info	Yes	Protecting Cached User Data	https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/protecting-cached-user-data
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997


1	< Index
2	TODO List

3	Requirements was added as a data-set after I did the initial configuration walk-through. As such, all configuration options need to be explored in relation to the requirements.
4	Go through each mitigation and check it against the entire list of possible controls. I've missed a bunch of connections.
5	Add network shutdown threats related to having chromebook delete all local information.
6	Add phishing threats for items before "Security, Safe Browsing, Always enable Safe Browsing"
7	Add threat "Traveler Circumvents of Mitigations" for items before "Security, Geolocation, Allow sites to detect team member's' geolocation"
8	Add mitigation "Receptive and Trusted Admin/Security Team" for items before "Security, Geolocation, Allow sites to detect team member's' geolocation". This should be added to all controls that will impede the team member's workflow. (Use the "Traveler circumvent mitigation as a guide for later items that were missed)
9	Add threat of "website fingerprinting" for items before "Content 3D Content Always allow display of 3D content"
10	QUESTION: can we change the organization a team member is in, and therefore their devices configuration without access to the device? Is it easy enough to do that a team member could easily re-enroll their device once we have changed their group?
11	Add "Needs Assessment (Apps)" "required" mitigation to ALL whitelisting and blacklisting items
12	Add "Supports" "Receptive and Trusted Admin/Security Team" Mitigation in places where there are identified edge-cases that an administrator should watch out for and communicate to their team member's so that they show the receptiveness and build the trust that they need. (Do this across the board)
13	Add "requires" "threat intel feeds" for any blacklists once you have done whitelists and blacklists
14	Add mitigation element about allowing team member's to obtain greater privacy from Google on items that send additional data to google, (i.e. spell checking web service.) Not the purpose of this exercise, but just nice.
15	Add Google, M-LAT's, and company data collection from both a privacy and security standpoint to the assumptions section so that it is not included in every mitigation and threat item. :D Like many other information leaks in chrome the info from these individual points (printing, spell checking) are each a very specific aspect of a threat-model.
16	Add target specific options in 'settings - threat'
17	Have comments on how each threat impacts the threat context from "threat context comments" populate the items and chart in "threat context"
18	Add "Inhibits Low Resourced Administrator" Requirement to all Whitelist Mitigations
19	Add "Inhibits Self-Managed Considerations" Requirement to all Whitelist Mitigations
20	Use cases columns need to be removed from the "[X] - settings" pages now that the "self-managed considerations" requirement has been added. But, simply removing them will break lot's of QUERY calls all over the place. A full review of all queries needs to be done after the column is removed.
21	Move all "chromebook settings specific" mitigations out of mitigations and into the settings. If there is a larger mitigation that is missing add it to the mitigations.
22	Clean up mitigation language
23	Add new user settings (Single Sign-On Online Login Frequency) and (Single Sign-On) to configuration options [Also, did these appear because I upgraded to device management?]
24	proof of inaccess items (icon, wallpapper, homepage, page to load on startup,
25	Look into the notification "Multiple sign-in will be disabled for users where SSL-inspecting certs are in effect" that occurs when you disable multiple sign-in access. What does that mean?
26	re-work the "user settings" considerations for the option "sign in keyboards" that you can create an ordered list. This means you can support a wide range of languages. This is not default, it's opening up access.
27	Make note that android apps have to be added in the "app mangement interface in a horrible way" https://admin.google.com/AdminHome#ChromeAppList:
28	Add subscriber for when apps we have approved request new permissions
29	Explore if Android apps can be added to the "recommended apps" section
30	Check out how the Android app "Custom configuration" option for admins work. Can I actually load up a custom config file for my team with VPN credentials, Umbrella Guides, etc?
31	Check out SAML IdP // SSO and Secure Tunnels and other services I might want in regards to Cusom Configuration. i.e. can I pre-configure VPN access for my team directly from the admin interface so they don't have to?
32	TODO Add "recovery codes" mitigation for non-google accounts (i.e. social media, email, etc.) for security team to lockdown accounts if detained.
33	Create example "proof of inaccess" backgrounds, icons, etc.
34	Evaluate if Public Keyosks could be useful for completely non-logged in sessions for users in high risk environments?
35	USER SETTING -> "Chrome Web Store, Chrome Web Store Permissions, Allow user's to skip verification for websites not owned" I think this is turning off the harmful app detection warnings in Google Play... I should do some testing to check though. https://support.google.com/googleplay/android-developer/answer/2992033?hl=en
36	USER SETTING -> "Security, Idle Settings" "All of these workflows need to be run through to get correct guidance on how they work and feel."
37	Sit down with the chrome design documents and use them to add/modify threats/mitigations impacts
38	Sit down with google chrom privacy whitepaper and use them to add/modify threats/mitigations impacts https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html
39	Sit down.... Chrome Security FAQ - https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md
40	explore site isolation
41	Chrome Browser Profiles offer no additional security: "Because the data for all users which have been used for an instance of Chrome are associated with a single operating system identity, there is no expectation of special privacy. That is, there is no additional encryption of preferences and settings on the local machine other than that which already exists for user data directories in Chrome. Obviously, a password is needed to log in to a specific Chrome identity on the browser. However, no additional protection for the user data directories is planned. On Mac OS X, in fact, because passwords are stored in the commonly accessible keychain, it will be possible for a user in one account to access the passwords that have been stored on that machine by a user with another account."	https://www.chromium.org/user-experience/multi-profiles
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997

Published by Google Sheets–Report Abuse–Updated automatically every 5 minutes