I recently caught a student using a fairly clever exploit that allows a user to open a window in incognito mode, thus bypassing the GoGuardian extensions and filtering.
Reproduction steps are as follows (screenshots attached):
1. Power on Chromebook. This exploit is most reproducible when the Chromebook has been recently powered on.
2. Log in with an account that is subject to the GoGuardian extensions
3. Navigate to chrome://inspect in the browser
4. Click "Other" menu button on the left-hand side of the screen
5. You will see chrome://app-list and chrome://oobe/lock in this menu. If chrome://oobe/lock does not appear, wait a couple minutes and it should show up
6. Click "inspect" under chrome://oobe/lock - this will launch an inspect window in incognito mode
7. Click the "Audits" tab in the inspect window
8. Click the "Learn more" link to launch an incognito session in a full browser window
As the GoGuardian extensions are not loaded in incognito mode, this completely circumvents GoGuardian filtering and tracking within the incognito session.
This works even when developer tools and incognito mode are disabled in Google Admin as per GoGuardian setup instructions.
Fortunately, resolution is simple - all you need to do is blacklist chrome://inspect in Google Admin under Device management -> Chrome -> User Settings -> URL Blacklist or via the GoGuardian URL blacklist function.
I'd recommend either including chrome://inspect in the default GoGuardian blacklist, or updating the "Getting Started" documentation to add this to the Google Admin URL Blacklist.
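As an added example (not part of the original post or any GoGuardian or Google tooling), this Python sketch audits a set of Chrome policies for the point the post makes: disabling incognito mode and developer tools does not cover the gap unless chrome://inspect is also on the URL blocklist. It assumes you have flattened your own policy export into a `{policy_name: value}` dict; the function names, the simplified entry matching and the sample data are constructed for illustration.

```python
TARGET = "chrome://inspect"

def covers_inspect(entry):
    """Simplified match (assumption): the entry names chrome://inspect itself,
    in any letter case, with or without a trailing path."""
    e = str(entry).strip().lower().rstrip("/")
    return e == TARGET or e.startswith(TARGET + "/")

def audit(policies):
    """Return a list of findings; an empty list means all three controls are set."""
    findings = []
    # URLBlocklist is the current policy name; URLBlacklist is its older name.
    blocked = list(policies.get("URLBlocklist") or [])
    blocked += list(policies.get("URLBlacklist") or [])
    if not any(covers_inspect(e) for e in blocked):
        findings.append("chrome://inspect is not in the URL blocklist")
    # IncognitoModeAvailability: 0 = available, 1 = disabled, 2 = forced.
    if policies.get("IncognitoModeAvailability") != 1:
        findings.append("incognito mode is not disabled")
    # DeveloperToolsAvailability: 2 = disallowed; DeveloperToolsDisabled is the legacy boolean.
    devtools_off = (policies.get("DeveloperToolsAvailability") == 2
                    or policies.get("DeveloperToolsDisabled") is True)
    if not devtools_off:
        findings.append("developer tools are not fully disallowed")
    return findings

# Constructed sample: the setup described in the post, before and after the fix.
BEFORE = {"IncognitoModeAvailability": 1, "DeveloperToolsAvailability": 2}
AFTER = dict(BEFORE, URLBlocklist=["chrome://inspect"])

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(pol) or "no findings")
```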
go guardian is for gays
Surjo Ganguly commented
This is a very nooby way of hacking out of it XD.
GoGuardian programmers think it's SO hard to break out of it.
I use a better strategy, but I won't be revealing it publicly because, duh!
(Contact me on Discord, my username is "DANK Walker 30263" if you want to know how to go past it)
go guardian should not be a ******* website i mean how do you ******* learn!
Mommy in Foot and Foot In Mommy :D commented
I hate go guardian, it's a dumb piece of ****
Oscar Ramirez commented
Blocking this can also be bypassed by going to the taskbar and closing the background processes for a limited time.
Jose V. commented
Speaking of the devil, here it is HAHAHA go find another job go guardian.
Kyshawn Chappell commented
Just unblock everything for the students. The students can't learn if everything is unblocked.
Aiden demars commented
why is go guardian a thing it gets annoying all the time
Mr. Jones commented
This only opened up more ways for my students to find a way to unenroll their computers all together! Please tell me how I can retrieve them after this!
F u google put it back
It only works at home
In the beginning, the trick worked well, but 1 week later the oobe/lock doesn't appear. I wait 1 hour and it doesn't appear, I restart the page and it doesn't work. What can I do? HELP PLEASE. ㅠㅠ
Kyle Tillman commented
We just discovered this exploit two weeks ago and I've been shaking my head ever since. We have long had the Dev tools off but that didn't stop this from being accessible. We have since blocked Chrome://inspect but I'm just scouring the internet looking for more ways that the students will try and bypass our filter.
I was able to block inspect in Google Admin Console: Device Management/Chrome Management/User Settings/User Experience/Developer Tools _Never Allow Developer Tools
Agree this would be a great default currently but may not be needed in the future as Google may fix it permanently.
You can and should block chrome://inspect in Google Admin Chrome Management.
This seems to mostly be a Google issue. I called support and spoke to them about the same thing. I have incognito mode restricted through Chrome Management as well, but the oobe/lock inspect issue gives kids a backdoor. Google advised me to blacklist chrome://inspect. They are working on a resolution.