Chrome BrowserSignIn Bypass
Bypass force sign in for fun and profit! Managing Google Chrome can be a bear sometimes. With dozens of policies to comb through for any given need, it’s a platform unto itself. Instead of managing settings at a machine level through an MDM profile (on Mac), it’s sometimes easier to force sign-in to the browser and then manage policies through Google Admin. A common workflow is for the user to open Google Chrome and then be prompted to sign into their organization’s Google Workspace domain account.
Admins can do this with two policies - BrowserSignIn and RestrictSigninToPattern. The first forces browser sign-in: a user can’t use Chrome at all without first signing in.
The second defines a regular expression used to determine which Google accounts can be used to sign into the browser. A common pattern is .*@mydomain.com, where only accounts ending in @mydomain.com would be able to sign in. If RestrictSigninToPattern is set to .*@mydomain.com and I try to sign in with email@example.com, I get the message below.
Sign in fails and I can’t continue. The policy is working as expected. I can’t continue until I sign into a Google Workspace managed account where all the appropriate policies would be enforced from Google Admin. Not only do I want that, if I’m an admin I usually need that. I don’t want people using Chrome without our enterprise policies set, and enforcing them through sign in means I can have one predictable set of policies across all platforms - Mac, PC, and Chrome OS.
Playing around with Chrome policies recently, I found it trivial to bypass force sign in.
- Open any text editor where you can follow a link. Visual Studio Code for example.
- Click the link to open the URL.
- Chrome will open the URL in a new guest profile.
Without having ever signed in, I can browse around to any site I want with that newly created guest profile. No enterprise policies enforced, free to do whatever I want. The screenshot is a little small, but here Chrome has BrowserSignIn set to 2 for “Force users to sign-in to use the browser” and RestrictSigninToPattern set to my Google Workspace domain. As an added bonus, BrowserGuestModeEnabled is set to false, which should mean “If this policy is set to false, Google Chrome will not allow guest profiles to be started.” Not only is the force sign-in policy being bypassed, another policy specifically meant to stop guest browsing isn’t working either.
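As an added audit helper that is not part of the original post, the shell script below reads the three policies discussed above from the managed Chrome preferences on a Mac with `defaults read` and reports whether force sign-in is configured the way the post describes. The read_policy and check_signin_config helpers and the verdict logic are mine; the policy names and values are Chrome's.

```sh
#!/bin/sh
# Audit the Chrome sign-in policies from the post on macOS.
# Policy names/values are Chrome's; the helper names and verdicts are constructed here.

# Read one managed Chrome preference; print "unset" when the key is absent.
read_policy() {
  defaults read com.google.Chrome "$1" 2>/dev/null || echo "unset"
}

# check_signin_config SIGNIN PATTERN GUEST
# Prints one line per policy and returns 0 only when sign-in is forced
# (BrowserSignIn=2) with a non-empty RestrictSigninToPattern; 1 otherwise.
check_signin_config() {
  signin="$1" pattern="$2" guest="$3"
  rc=0
  case "$signin" in
    2) echo "BrowserSignIn=2: sign-in is forced" ;;
    1) echo "BrowserSignIn=1: sign-in enabled but not forced"; rc=1 ;;
    0) echo "BrowserSignIn=0: sign-in disabled"; rc=1 ;;
    *) echo "BrowserSignIn unset or unknown ($signin)"; rc=1 ;;
  esac
  if [ -z "$pattern" ] || [ "$pattern" = "unset" ]; then
    echo "RestrictSigninToPattern unset: any Google account may sign in"; rc=1
  else
    echo "RestrictSigninToPattern=$pattern"
  fi
  # The post shows a guest profile still opening from an external link even with
  # this policy false, so a clean audit here does not prove the bypass is closed.
  if [ "$guest" = "0" ] || [ "$guest" = "false" ]; then
    echo "BrowserGuestModeEnabled=false (link-opened guest profile still bypasses sign-in)"
  else
    echo "BrowserGuestModeEnabled not false ($guest): guest browsing explicitly allowed"
  fi
  return $rc
}

# Live run only where `defaults` exists (macOS); elsewhere just define the helpers.
if command -v defaults >/dev/null 2>&1; then
  check_signin_config "$(read_policy BrowserSignIn)" \
                      "$(read_policy RestrictSigninToPattern)" \
                      "$(read_policy BrowserGuestModeEnabled)"
fi
```

Run it as the user whose Chrome you are checking, since managed preferences are resolved per user.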
Google support pointed me to Chromium bug 1120255, but that’s not quite what I’m seeing here. I’ve started bug 1158615. Go there and make a comment if this issue impacts you and your organization. As of writing this I don’t believe there’s any mitigation available to stop this. If you depend on policies coming down after sign in, let Google know about it and hopefully we’ll see a solution in a future Chrome release.