<# This script downloads Google Credential Provider for Windows from
https://tools.google.com/dlpage/gcpw/, then installs and configures it.
Windows administrator access is required to use the script.
It also downloads Google Chrome from https://chromeenterprise.google/browser/download/
and enrolls the browser for Cloud Management for ease of administration.
Script modified from https://support.google.com/cloudidentity/answer/9250996?hl=en #>
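<# Set the following key to the domains you want to allow users to sign in from.
For example:
$domainsAllowedToLogin = "acme1.com,acme2.com"
Also get the Chrome Enrollment Token from admin.google.com
Instructions: https://support.google.com/chrome/a/answer/9301891?hl=en
Once filled in, the enrollment token sits in this file in plain text, so keep
the edited copy of the script readable by administrators only. #>
$domainsAllowedToLogin = ""
$enrollmenttoken = ""

<# PresentationFramework provides System.Windows.MessageBox, which the script
uses for every status and error dialog. #>
Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName PresentationFramework

<# Check if one or more domains are set. A value made only of spaces is
rejected as well, because it would otherwise be written to the registry as the
allowed-domain list. #>
if ([string]::IsNullOrWhiteSpace($domainsAllowedToLogin)) {
    $msgResult = [System.Windows.MessageBox]::Show('The list of domains cannot be empty! Please edit this script.', 'GCPW', 'OK', 'Error')
    exit 5
}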
function Is-Admin() {
    <# Returns $true when the group list of the current Windows identity
    contains the built-in Administrators SID (S-1-5-32-544), else $false.
    NOTE(review): -match is an unanchored regex test against each group's
    string form, not an exact SID comparison. #>
    $currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $hasAdminGroup = [bool]($currentIdentity.Groups -match 'S-1-5-32-544')
    return $hasAdminGroup
}
<# Everything below installs software and writes to HKEY_LOCAL_MACHINE, so stop
with exit code 5 unless the caller holds administrator rights. #>
$runningAsAdmin = Is-Admin
if (-not $runningAsAdmin) {
    $result = [System.Windows.MessageBox]::Show('Please run as administrator!', 'GCPW', 'OK', 'Error')
    exit 5
}
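<# Choose the Chrome file to download. 32-bit and 64-bit versions have different names #>
$chromeFileName = 'googlechromestandaloneenterprise.msi'
if ([Environment]::Is64BitOperatingSystem) {
    $chromeFileName = 'googlechromestandaloneenterprise64.msi'
}

<# Download the Chrome installer to the temp directory of the account running
the script. A full path is used so that msiexec installs the file that was just
downloaded, not a same-named file already sitting in the current directory.
A failed download stops the script instead of falling through to msiexec. #>
$chromeUrlPrefix = 'https://dl.google.com/chrome/install/'
$chromeUri = $chromeUrlPrefix + $chromeFileName
$chromeInstaller = Join-Path ([System.IO.Path]::GetTempPath()) $chromeFileName
Write-Host 'Downloading Chrome from' $chromeUri
try {
    Invoke-WebRequest -Uri $chromeUri -OutFile $chromeInstaller -ErrorAction Stop
}
catch {
    $result = [System.Windows.MessageBox]::Show('Download failed!', 'Chrome', 'OK', 'Error')
    exit 1
}

<# Verify the Authenticode signature before running the package with
administrator rights. The publisher name is an assumption to confirm against a
known-good installer before rollout. #>
$expectedPublisher = 'Google LLC'
$signature = Get-AuthenticodeSignature -FilePath $chromeInstaller
$signerSubject = ''
if ($signature.SignerCertificate) {
    $signerSubject = $signature.SignerCertificate.Subject
}
if (($signature.Status -ne 'Valid') -or ($signerSubject -notlike "*$expectedPublisher*")) {
    $result = [System.Windows.MessageBox]::Show('Installer signature could not be verified!', 'Chrome', 'OK', 'Error')
    exit 1
}

<# Run the Chrome installer and wait for the installation to finish #>
$arguments = "/i `"$chromeInstaller`""
$installProcess = (Start-Process msiexec.exe -ArgumentList $arguments -PassThru -Wait)

<# Check if installation was successful. msiexec reports 0 for success, 3010
for success with a reboot still required and 1641 for success with a reboot
already started; any other code is treated as a failure. #>
$successExitCodes = @(0, 3010, 1641)
if ($successExitCodes -notcontains $installProcess.ExitCode) {
    $result = [System.Windows.MessageBox]::Show('Installation failed!', 'Chrome', 'OK', 'Error')
    exit $installProcess.ExitCode
}
else {
    $result = [System.Windows.MessageBox]::Show('Installation completed successfully!', 'Chrome', 'OK', 'Info')
}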
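<# Choose the GCPW file to download. 32-bit and 64-bit versions have different names #>
$gcpwFileName = 'gcpwstandaloneenterprise.msi'
if ([Environment]::Is64BitOperatingSystem) {
    $gcpwFileName = 'gcpwstandaloneenterprise64.msi'
}

<# Download the GCPW installer to the temp directory of the account running
the script. A full path is used so that msiexec installs the file that was just
downloaded, not a same-named file already sitting in the current directory.
A failed download stops the script instead of falling through to msiexec. #>
$gcpwUrlPrefix = 'https://dl.google.com/credentialprovider/'
$gcpwUri = $gcpwUrlPrefix + $gcpwFileName
$gcpwInstaller = Join-Path ([System.IO.Path]::GetTempPath()) $gcpwFileName
Write-Host 'Downloading GCPW from' $gcpwUri
try {
    Invoke-WebRequest -Uri $gcpwUri -OutFile $gcpwInstaller -ErrorAction Stop
}
catch {
    $result = [System.Windows.MessageBox]::Show('Download failed!', 'GCPW', 'OK', 'Error')
    exit 1
}

<# Verify the Authenticode signature before installing. This package registers
a Windows credential provider, so an unverified file must never reach msiexec.
The publisher name is an assumption to confirm against a known-good installer
before rollout. #>
$expectedPublisher = 'Google LLC'
$signature = Get-AuthenticodeSignature -FilePath $gcpwInstaller
$signerSubject = ''
if ($signature.SignerCertificate) {
    $signerSubject = $signature.SignerCertificate.Subject
}
if (($signature.Status -ne 'Valid') -or ($signerSubject -notlike "*$expectedPublisher*")) {
    $result = [System.Windows.MessageBox]::Show('Installer signature could not be verified!', 'GCPW', 'OK', 'Error')
    exit 1
}

<# Run the GCPW installer and wait for the installation to finish #>
$arguments = "/i `"$gcpwInstaller`""
$installProcess = (Start-Process msiexec.exe -ArgumentList $arguments -PassThru -Wait)

<# Check if installation was successful. msiexec reports 0 for success, 3010
for success with a reboot still required and 1641 for success with a reboot
already started; any other code is treated as a failure. #>
$successExitCodes = @(0, 3010, 1641)
if ($successExitCodes -notcontains $installProcess.ExitCode) {
    $result = [System.Windows.MessageBox]::Show('Installation failed!', 'GCPW', 'OK', 'Error')
    exit $installProcess.ExitCode
}
else {
    $result = [System.Windows.MessageBox]::Show('Installation completed successfully!', 'GCPW', 'OK', 'Info')
}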
<# Write the allowed sign-in domains to the GCPW key under HKEY_LOCAL_MACHINE,
then read the value back to confirm the write took effect. #>
$registryPath = 'HKEY_LOCAL_MACHINE\Software\Google\GCPW'
$name = 'domains_allowed_to_login'
[microsoft.win32.registry]::SetValue($registryPath, $name, $domainsAllowedToLogin)

$domains = Get-ItemPropertyValue HKLM:\Software\Google\GCPW -Name $name
if ($domains -ne $domainsAllowedToLogin) {
    <# The stored value differs from the requested one, so report the failure. #>
    $msgResult = [System.Windows.MessageBox]::Show('Could not write to registry. Configuration was not completed.', 'GCPW', 'OK', 'Error')
}
else {
    $msgResult = [System.Windows.MessageBox]::Show('Configuration completed successfully!', 'GCPW', 'OK', 'Info')
}
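<# Set the required registry key to enroll the browser
See https://www.reddit.com/r/gsuite/comments/igwvwz/can_i_deploy_a_managed_browser_through_gcpw/
for an alternative solution using Enhanced Desktop Security for Windows #>
$enrollmentregistryPath = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'
$enrollmentname = 'CloudManagementEnrollmentToken'

<# An empty token would be written and then read back as a match, so the
script would report success without enrolling anything. Refuse to write a
blank token and tell the operator instead. #>
if ([string]::IsNullOrWhiteSpace($enrollmenttoken)) {
    $msgResult = [System.Windows.MessageBox]::Show('The Chrome enrollment token is empty! Please edit this script.', 'Enrollment', 'OK', 'Error')
}
else {
    [microsoft.win32.registry]::SetValue($enrollmentregistryPath, $enrollmentname, $enrollmenttoken)

    <# Read the value back to confirm the policy key now holds the token. #>
    $tokens = Get-ItemPropertyValue HKLM:\Software\Policies\Google\Chrome -Name $enrollmentname
    if ($tokens -eq $enrollmenttoken) {
        $msgResult = [System.Windows.MessageBox]::Show('Configuration completed successfully!', 'Enrollment', 'OK', 'Info')
    }
    else {
        $msgResult = [System.Windows.MessageBox]::Show('Could not write to registry. Configuration was not completed.', 'Enrollment', 'OK', 'Error')
    }
}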