Monthly Archives: January 2016

Disable Apps and Extensions for Institutional Chrome Users

One thing that students are constantly trying to do are find ways around our web filters. While many of our policies are open and fair, there are some sites blocked that tend to be constant distractions for the staff and/or student body.

So instead, they focus their time on finding ways around our filtering system so that they can then spend more time on said blocked applications. (Just imagine if doing Math was as engaging as trying to bypass a web filter to access was!)

Luckily, Google provides you with an easy way to manage and block undesired extensions for your organization. These restrictions will apply to the targeted users logged into Chrome on any desktop platform (Windows,Mac), but where it really shines are on Chromebooks since they are auto-logged in as that user in Chrome after they login.

How to Block apps and Extensions in Google Admin Console

First, login to your Google Admin Console at and select Device Management.

Screenshot 2016-01-14 09.59.41

Under the Device Management section, focus on the left side and select Chrome Management.

Screenshot 2016-01-14 10.00.08

Once in the Chrome Management console, select User Settings

Screenshot 2016-01-14 10.00.31

Now, select the Organizational Unit (OU) you want to apply this policy to effect. Remember that this is a USER setting, so you need to target the OU that your user accounts are in, NOT the OU your Chromebooks are in.

Screenshot 2016-01-14 10.02.59

The right-side of the window will change to show you the available user policies. Scroll down to the Apps and Extensions section.

Screenshot 2016-01-14 10.03.08

Here, you have a drop down menu where you have two options:

  • Allow all apps and extensions except the ones I block
  • Block all apps and extensions except the ones I allow

We currently allow all apps and extensions for our deployments as we don’t want to restrict something that is potentially useful. However, you may be close enough to the teachers and students that it wouldn’t create an undue burden to choose the second option and restrict student devices until a teacher requests an addition.

If you choose to Allow all except for those that you block, your next step will be to click on the Manage link next to Allowed Apps and Extensions. You’ll notice this new window says Blocked Apps and Extensions. If you chose to allow, this window would change to Allowed.

Screenshot 2016-01-14 10.03.28

Click on Chrome Web Store and then you can search by name or ID for the app you want to block. This example uses the popular Browsec plugin: Screenshot 2016-01-14 10.03.43

Remember to click Save once you have added your blocks/allows and the interface will update to show your new additions.Screenshot 2016-01-14 10.04.28

Don’t forget to click Save again in the bottom right corner to apply any changes you have made to your targeted users!Screenshot 2016-01-14 10.04.36


Installing Commvault Simpana 9 Software on Debian 8

After beating my head into my desk for far too long today, we were finally able to get the Commvault 9 file system agent to install on one of our Debian servers.

This can usually be done from the Commvault Console, if you don’t mind enabling root’s ssh access or logging into the client directly as root. Needless to say, we minded.

We chose to install the client using an account with sudo privileges and here are the steps we ran to complete the install:

  1. Our first step will be to create a group for all of our Commvault Simpana services to run under.
  2. Using DVD03 downloaded from your Commvault software portal, mount the disk.
  3. Next, change directories to your newly mounted drive.
  4. Now we want to run the installer, using sudo.
  5. Following any on-screen prompts, we can finish setting up the software, when asked about the group name, use the simpana group we created in the first step above.

Screenshot 2016-01-13 14.22.20

Autonomous Single App Mode with Casper

While planning for an online assessment our district will begin giving in February, I decided to scan through their technical guide again. Within the wonderful pages of setup and requirements was this gem:

“You can use a third-party MDM to initiate Autonomous Single App Mode (ASAM) mode (Lock to App). This allows selected apps to enable single app mode upon launch, and disable single app mode when they terminate.

ASAM is the recommended solution to manage single app mode because it reduces the workload on proctors. Proctors will no longer need to push profiles to devices to enable/disable single app mode, but can grant MIST the ability to invoke Single App mode on-demand when it starts.”

Well that sounds nice. It also sounds like an automagical way I can kill two birds with one stone: Get more devices supervised using the device enrollment program and positively impact student achievement by making technology more accessible to our teachers and students. (Can you tell I recently completed an annual evaluation?)

I already had the app in question in the “Apps” section of my Mobile Devices tab in the JSS so I went straight to create a new configuration profile.


ASAM General Tab

The first step is to fill out the General info screen of the new configuration profile and scope/categorize it for what makes sense in your environment.

Next, we want to add an app that supports ASAM mode, in this case Mist Kiosk. Since the app is already in my Apps catalog, I can type the app’s name and click on the “More choices” button (it looks like a circle with three dots inside) and it will bring up a list of apps that match that search and fill in the appropriate Bundle ID for me.

ASAM Restrictions Blank

ASAM Restrictions Complete

If, for some reason, you want to add an application’s Bundle ID that isn’t in your app catalog (and so I could force myself to work with Python) I built a Python Script that will pull that information from Apple’s App Store API. You can find that script here: GitHub –

Once you have the app bundle IDs that you need configured, don’t forget to click on the “Scope” tab, and scope it to the correct device, or group of devices, then click save.

ASAM Scope

Now, once the profile is delivered to the device, it will allow the requested app to automatically enable/disable single app mode.

Notes & Caveats

There are a few things you want to be aware of when deploying Autonomous Single App Mode apps and relying on them for test day.

  1. iPads must be supervised. If you’re not currently using DEP or Apple Configurator to accomplish this, you won’t be able to take advantage of ASAM.
  2. The iPad App must support it. My example uses Measurement Inc’s MIST Kiosk app, which specifically mentions support.
    1. I’m also deploying the app as managed using our Volume Purchase program. Your mileage may vary if using an unmanaged app.
  3. ASAM Mode is a RESTRICTIONS PROFILE. This means take careful inventory of the profiles you are deploying to devices. Configuration Profiles don’t merge settings from the same category well at times, so you may need to edit an existing profile that you are already deploying to make this work as to not create conflicts or undesired behavior. Also, note any boxes that are (aren’t) checked as this may effect your users experience and you want to know exactly what settings you are sending out to your fleet.