Thursday, August 25, 2016

Taming the Chrome - Implementing Google Chrome in XenDesktop 5.6

If you are like me, you have probably noticed that Google Chrome doesn't want to play nicely inside of your VDI. In the recent years, Chrome has come a long way towards being more enterprise friendly, but it isn't quite there yet.

We are going to start this journey with the low hanging fruit. First off, you are going to want to grab a copy of the following.
  1. Chrome for Work MSI - https://www.google.com/work/chrome/chrome-browser/
  2. Chrome ADMX Templates -  https://www.google.com/work/chrome/chrome-browser/
  3. Google Updater ADMX templates  -https://support.google.com/chrome/a/answer/6350036#Obtaining_the_Administrative_Tem

A Word on Direct Write
I've noticed many complaints on the Citrix subreddit, as well as various comments about Direct Write causing issues under certain conditions. The text will appear blurry, or pixelated. I've seen this happen when using chrome over RDP or ICA.  To mitigate this problem, the --disable-direct-write seems to help.

    Version 52 and above of the Chrome for Work MSI have removed the --disable-direct-write flag.
https://productforums.google.com/forum/#!topic/chrome/Q6QGBRvULbQ Unfortunately, google does not publish old versions of the binary. I have a working copy of an older version, if somebody needs it, email me at devon.dieffenbach@gmail.com


Installing the ADMX Templates on the Golden Image
For the ADMX settings for Google Updater and Google Chrome, I have chosen to make these particular changes to the Local Group policy of the Golden Image. Extract your ADMX templates to %systemroot%\PolicyDefinitions.
Chrome.admx goes into %systemroot%\PolicyDefinitions
chrome.adml (from en-us subfolder) goes into %systemroot%\PolicyDefinitions\en-US
Do the same for GoogleUpdate.admx and GoogleUpdate.adml

 When Dealing with VDI, I have noticed that ADM templates have some issues with loading, whereas ADMX do not.
 

Configuring Local Group policy
launch gpedit.msc from the Golden image.
Chrome settings are located under Administrative Templates -> Google -> Google Chrome
Update settings are located under Administrative Templates -> Google -> Google Update

Prevent Google Update
Because --disable-direct-write is missing in later versions of Chrome, I have found it necessary to disable Google Update. If you choose not to do this, you run the risk of Chrome updating to the latest version and making the text look ugly for users of that image.
The following settings are necessary to disable automatic update:
Administrative Templates -> Google -> Google Update -> Applications
  1. Allow Installation Default: Enabled
  2. Update Policy Override Default: Enabled | Policy (Manual Updates Only)


Install / Configure Chrome Launcher
In order to ensure a consistent user experience, there are various chrome flags that need to be set. For our environment, I have narrowed this down to the following: --disable-print-preview --disable-popup-blocking --disable-smooth-scrolling --allow-no-sandbox-job --disable-gpu --disable-direct-write

Unfortunately, I have not found a reliable way to set these preferences for all users. I started out by removing shortcuts for all users and replacing them with a shortcut to a bat file with the chrome Icon.

    Chrome seems to have some sort of background daemon that dictates the installation of its shortcuts. Chrome shortcuts do not behave in the standard way. In my case, I have tried deleting them, but they will often show back up. This is just another one of those bizarre Chrome specific quirks that seem specifically designed to annoy sysadmins.


In order to address the issue of not being able to control startup switches, and because chrome's shortcut system was difficult to predict, I figured the best way to ensure my flags were passed, was to replace the chrome.exe with a wrapper, and have that wrapper call a renamed original chrome.exe.

I wrote a quick and dirty solution in C# and have posted the solution (and binaries) to github.
Binary Download
Visual Studio Solution

Once you have a copy of ChromeLaunch.exe, you will need to navigate to the program folder where Chrome is installed on your golden image. Rename chrome.exe to gchrome.exe. Place chromelaunch.exe into the directory and name it gchrome.exe

Current caveats:
  • I've not yet implemented argument passing. If something launches the chrome browser and passes other arguments, they will be discarded. You can fix this yourself in the solution, or wait for me to eventually get around to doing it.
  • I'm not sure if having chrome.exe renamed to gchrome.exe will break other applications. I have not seen it so far, but hey… it's not like chrome.exe was working anyways? Right?

    Out of personal preference, I made the binary with the hidden golden icon. I extracted the icon from the original chrome.exe using Nirsoft's IconsExtract  http://www.nirsoft.net/utils/iconsext.html. It looked cool, and I wanted to differentiate it between the rest of the Applications that are auto populated in the menu from Citrix Receiver. 

3 comments:

  1. Good article. I'm dealing with many of these issues as well.. capital one login

    ReplyDelete
  2. Nice post, thank you! There are lots of great tools but I like improver.io the most. It's a lightweight, friendly and free Chrome extension with good match rate.candidate sourcing tools

    ReplyDelete
  3. I definitely enjoying every little bit of it. It is a great website and nice share. I want to thank you. Good job! You guys do a great blog, and have some great contents. Keep up the good work. Chrome Flags

    ReplyDelete