Secure Your Google Chromebook

If you are permitted to access or maintain sensitive institutional data using your mobile device, please meet the minimum expectations below.

See Your Responsibilities for Protecting University Data When Using Your Own Devices for a complete list of your responsibilities when using your own devices to work with sensitive U-M data.

By meeting the minimum expectations below, you also protect your personal data.

Because different versions of Chrome OS are used on a variety of Chromebooks, the steps listed below may differ for the version used on your device. If the following steps do not match your Chromebook, please contact your local IT support for assistance. 

Getting to Settings: Chrome (browser) and Chromebook Settings are interchangeable. You can access Settings through the browser or desktop links.

Important! All changes listed below will be reset if you enter into developer mode.

Minimum Expectations

Expand All Content

Settings

Disable guest browsing.

Disable guest browsing to prevent other users from logging into the machine as a guest.

  1. In Settings, scroll down to the People section, and click the Manage other users… button.
  2. Uncheck the box for Enable Guest browsing.

Note: Only the owner account can make changes on this screen.

Require a password to wake from sleep.

Require a password when your Chromebook wakes from sleep prevents unauthorized users from accessing your account if you have logged in to the machine and left it unattended.

  1. In Settings, scroll down to the People section.
  2. Check the box to Require password to wake from sleep.
  3. Test by closing the screen (if a laptop) or allowing the screen to go black (if a desktop machine). Upon waking the machine, you should see a prompt to enter a password.

Restrict sign-in to specific users.

You can prevent someone from creating a new account on your Chromebook by restricting sign-in to known users.

  1. In Settings, scroll down to the People section and click the Manage other users… button.
  2. Check the Restrict sign-in to the following users: box. 
    Note: Only the owner account can make changes on this screen.
  3. In the text field at the bottom of the window, enter the name or email address of the user(s) that you would like to allow to log in to your machine, and press Enter.
  4. When you have finished entering users, click Done

Install U-M VPN software if you expect to use untrusted networks.

Untrusted networks include guest wireless in a hotel or coffee shop. Use a U-M VPN—Virtual Private Network—for a secure computing experience when accessing a U-M network from a remote location, or when using a wireless connection.

  • Members of the U-M community can download and install the U-M VPN or the one appropriate for their campus (UMHS users should use the UMHS VPN). See Use a Secure Internet Connection.
  • NOTE: U-M VPN works on Windows Tablets, but does not work on Windows phones

Review privacy settings.

These settings are recommended to improve privacy while using the Chromebook:

  1. In Settings​, scroll down to the bottom and click Show advanced settings... 
  2. Scroll down to the Privacy section.
  3. Make sure that the following options are checked:
    • Protect you and your device from dangerous sites
    • Send a “Do Not Track” request with your browsing traffic
  4. Make sure that the following options are not checked:
    • Use a web service to help resolve navigation errors
    • Use a prediction service to help complete searches and URLS typed in the address bar or the app launcher search box
    • Use a prediction service to load pages more quickly
    • Automatically report details of possible security incidents to Google
    • Use a web service to help resolve spelling errors
    • Automatically send usage and crash reports to Google

Configure passwords and forms.

Configure the Passwords and forms settings to protect your personal information and U-M login information. To configure them, go to Settings.

  1. If Advanced settings are hidden, scroll down to the bottom and click Show advanced settings...
  2. Scroll down to the Passwords and forms section.
  3. Make sure that the following options are not checked:
    • Enable Autofill to fill out web forms in a single click
    • Offer to save your web passwords

 

Connections

Use a secure network connection. Your cellular carrier network is the best choice.

Use your cellular carrier network and turn off wireless when you are not using it. If you use a wireless connection, make sure it is a secure wireless network, such as MWireless.

Install a U-M VPN if you will be using untrusted wireless networks.

A Virtual Private Network (VPN) protects your data through an encrypted connection to the university’s network. You should install and use a U-M VPM if you will be using untrusted networks, such as in hotels, coffee shops, or other public wi-fi. See Use a Secure Internet Connection for information about different U-M VPNs available for Ann Arbor, Flint, and Dearborn campuses, and UMHS.

The example below uses the U-M Ann Arbor VPN to describe how to install a U-M VPN. 

After installing the VPN Client on your Chromebook, do the following: 

  1. In the Chrome Web Store, find the Cisco AnyConnect app
  2. Install and open the application.
  3. Select Add New Connection (this option may take a minute or two to show up).
  4. In the Name field, provide a name for the VPN connection, such as U-M VPN.
  5. In the Server Address field, enter the VPN address to connect to based on your U-M affiliation: 
    • Staff, faculty, students, and sponsored affiliates: umvpn.umnet.umich.edu
    • Alumni and retirees: umvpn3.umnet.umich.edu
  6. Click the Save Changes button and close the AnyConnect window.

Connect to the U-M VPN.

Note: You must have a network connection to connect via the VPN.

See Use a Secure Internet Connection for information about different U-M VPNs available for Ann Arbor, Flint, and Dearborn campuses, and UMHS. The example below uses the U-M Ann Arbor VPN to describe the process.

Connect to the U-M VPN by doing the following:

  1. Go to Settings.
  2. Under the Internet connection section, click Private network.
  3. In the drop down menu, click Cisco AnyConnect: U-M VPN (user).
  4. At the bottom of the window, click the Connect button.
  5. Enter your uniqname and password in the respective Username and Password fields, and click the Submit button.

When not using WiFi and Bluetooth, turn them off.

Management

Keep your Chrome operating system updated for the latest security updates and improvements.

To check for and apply updates to your Chromebook:

  1. In Settings, click About Chrome OS, located at the top of the Settings window.
  2. In the About window that appears, click Check for and apply updates.
  3. Your Chromebook will start to install any available updates. Restart your Chromebook if directed to finish updates.

Only install trusted apps and extensions.

Extensions are extra features that can be added to the Google Chrome web browser. Install extensions from the Chrome Web Store. This is the most reliable source for securely adding extensions. For example, you may download the AdBlock extension to block advertisements while using the Chrome browser.

Applications (or apps) can be used to perform stand alone functions within the operating system. Install apps from the Chrome Web Store. This is the most reliable source for securely adding applications. For example, Google Docs is an app that runs through the Google Chrome web browser. Another example is the Google Drive app, which allows you to access your files stored in the cloud. A third example is the Cisco AnyConnect VPN client, which is used to connect to the U-M VPN service.

Do not make unauthorized modifications to your Chrome operating system.

Do not unlock or otherwise bypass device security features that prevent you from changing your operating system or gaining privileged control (or "root access") to it. (This hacking process is often called "jailbreaking" or "rooting.") You may do this only if it is required for your university work.

Be aware of where data is being stored and store sensitive university data only in approved locations.

Store and share sensitive university data using approved services that meet the requirements of regulation and policy.

  • Check the Sensitive Data Guide for services approved for use with specific sensitive data types.
  • Be aware that personal storage services should not be used to store sensitive university data, nor should these services be used to store information relating to university business.

If you travel outside of the U.S., be aware certain types of sensitive data cannot be accessed or maintained outside the country.

There are legal restrictions on certain sensitive data types (such as Export Control, HIPAA, and FISMA). See the Sensitive Data Guide for details.

Before you sell or give away your device, back it up, then erase all content and settings with Powerwash.

Powerwash removes all user accounts and data from the machine and resets it back to factory settings. This option would best used for clearing data from a loaner laptop before returning it. If using a shared machine, make sure to check with users who have an account on the machine before using Powerwash. There are two ways to run Powerwash, using the Settings menu, or using shortcut keys.

  1. In Settings, scroll down to the bottom and click Show advanced settings…
  2. Scroll down to the Powerwash section and click the Powerwash button.
  3. You will see a prompt to restart the machine. Click the Restart button.
  4. After restarting, you will see a window asking if you want to run Powerwash. Click the Powerwash button.
  5. Click the Continue button.
  6. After the device resets, it will have factory default settings, and all user accounts and data will have been deleted.

 

Report security incidents.

If your device is lost or stolen and you've used it to store or access sensitive university data, notify the ITS Service Center.

Additional Best Practices

Consider these additional options for enhanced security for your device and the data maintained on or accessed from it.

  • Turn off GPS/location services for apps where you do not need it.
  • Set your web browser for private browsing. In Chrome, open the Chrome menu and look for the advanced privacy settings.
  • Turn on airplane mode when you do not need to use your phone, GPS, radio, WiFi, or Bluetooth. Look for the airplane, offline, flight, or standalone mode setting.
  • Avoid using public Wi-Fi hotspots.
  • Protect yourself online. Learn about strong passwords, how to protect your identity, how to avoid phishing scams, and more.
  • Put a sticker on your computer with your name and contact information. This low-tech, practical step enables somebody to contact you if they find your lost computer.
  • Register your devices. The U-M Police Department offers a free laptop and personal electronics registration program to members of the U-M community to deter theft and assist in the recovery of stolen property.
  • Travel safely with technology. Take precautions when you are away from home to protect your privacy and the university's sensitive data.
  • Consider using mobile anti-virus products, but understand that these are relatively new on the market and are still maturing.

Related U-M Policies and Standards