1. Make it ridiculously easy to install hardware vendor keys and register it with OS of choice. (like a standardized dialog box in UEFI and a standardized/regulated IPMI-like interface)

2. Allow for only measured boot on those devices.

3. Provided facility to verify signatures.

Do this on consumer and enterprise laptops and desktops alike and all of these weird set of conditions just go out of play and replaced by something much much simpler.

Some IT departments just see a “more secure” checkbox and will always check it, even if it doesn’t make sense holistically- sometimes compliance incentivises (or forces) this behaviour.

A common example is forcing intune/device enrolment for mobile devices (including ipads)- but not for the infinitely less secure laptops: because no such endpoint enforcement checkbox exists

can you put a restriction to ban Chrome and force Firefox then?

What? Are you serious? An organization has EVERY right to enforce whatever controls they deem appropriate for their environment. Period.

Other way to look at it is, the company is paying for everything, and they get to make decisions based on what suits their security needs.

Sadly, it is much more difficult to pretend being on a different browser than it was in the past. :/

Those are real, practical reasons. Not just "if I do this I get to check another box".

Yes. I know. It's a pain that when you cannot do what you want to do. But it's not your laptop. It's the company's. Supporting more browsers to the same standard that I just described would take engineering resources, of which I do not have an infinite supply. And the priority goes to keeping the company secure.

If course the reverse can also be argued, for example that Firefox supports proper adblocking.

Of course Google is going to suggest using Chrome, if they detect that the browser might be out of date.

At the end of the day user-preference is what dictates which browser is used and how it is configured. Developers will have to deal with what users choose to do on their end.

You can only patronize people for so long before they look for a way around silly restrictions. Trying to keep someone safe by putting up walls, whether the threat is real or imaginary, is pointless when it is in the user's power to trivially defeat those walls - and when extension and browser developers are going to line up to sell them demolition tools (see ad blocking).

Advice is going to go much further than roadblocks, long term.

Being forced to use various tools for compliance is frustrating, doubly so if it helps create a stronger monopoly position, because a monopoly position creates stagnation, which makes worse products.

But those worse products are forced on users, even when better ones start to come about.

This is the crux of my issue, Microsoft is the king of this behaviour, and they are using this a lot which is squeezing the metaphorical testicles of almost all companies in Europe.

Sure, which is why you should lock down the laptop. Blocking Firefox in Google Workspace seems like entirely the wrong layer for this.

People know how it ended, but don't seem to remember how it started, which is a shame.

See the whole thing with libxml2 for example, or how they started boringssl to "fix" the issues with openssl, but they run it as an internal project you cannot depend on.

They've kneecapped ad-blockers, when ad networks are perhaps one of the biggest causes of malware installs/page hijacking/other unwanted behaviour. I'm not sure how you can consider Chrome remotely secure in this light.

But it is my craft, and to be limited to what tools I can use in my craft can decrease the value of my work, and in doing so decrease the company's productivity.

Your corporate serfdom is not in question, but I disagree with that notion too.

I absolutely see many problems with this and you really ought to as well.

You can make Firefox pass CAA if you want. You take the Chrome "SecureConnect Reporting" (Context-Aware Access) plugin, port it to Firefox with some light changes, and you can report whatever you want to CAA.

The issue presented doesn’t seem to be “an up to date browser check” it seems to be a “is it latest chrome” check, which is a very different thing.

* A user intentionally leaking sensitive documents outside the corporate network

* A user installing an infected browser extension that gives attackers access to corporate resources

* A user accessing malware or ransomware which infects corporate resources.

That's on top of the cost of having the IT department having to debug issues among users with bespoke tool sets which can often interact in unintuitive ways.

There are many stupid ways that companies "optimize" costs that cost them more in the end. Standardizing the browser and extension set for data loss protection is not one of them.

And if your company has any web presence or apps, you usually can't cherry pick which browsers your customers can use. That means some portion of your company will need access to other browsers for QA purposes.

Why did you even compare it to IE6, out of the curiosity?

After the lawsuit against Microsoft, and the raise of Firefox, Safari and Chrome we had it all good again.

Then devs had to get comfy with Google offerings, including shipping Chrome packaged with their pseudo native applications.

I find this incredibly amusing, and at a different point in my life I'd already be gone.

When you outsource IT, there are many, many misaligned incentives.

But really, we have a couple of million enterprise end-users, some of which surely using Edge. If we as much as move a button without telling them about it three months in advance, it's the end of the world. In 10 years time, no customer has raised it.

Call me old school, but wedging an already dominant browser to be the only full fledge option in GSuite using companies reeks anti-competition.

Same here, but only on Chrome. Firefox works fine.

How so? Bad actors buying existing extensions with large user bases then publishing a new version which does bad stuff is a pretty common pattern. It certainy seems like a reasonable concern for a corp IT department.

There is zero problem here guys.

Two different companies can partner together and release features in both of the company's interests.

If the organization is indeed enabling a specific check for Chrome that seems a little over the top but they're the ones supporting their users and if they want to make their life easier by only dealing with one browser that's their decision to make. It's like saying that everyone has to use Windows, or a specific line of laptops, or any other standardization to simplify the support workload.

Monopolies aren't a prerequisite for antitrust action, they're the failure state when you should have acted sooner.

When there are unpatched browser vulnerabilities, attackers will use ad networks to inject attack code into reputable-but-ad-laden websites. And even when there aren't unpatched vulnerabilities out there, many ad networks will happily accept scam ads, ads that trick people into downloading malware, fake download buttons and suchlike.

But if they all use Chrome, wouldn't those be really weak ad blockers?

This is a difference between America and Europe in mentality towards this.

Everything is a monopoly these days. Its practically meaningless in these conversations.

Every feature of their apps needs to be easily integrated into whatever random POS every single food truck uses! I should be able to buy tacos from any taco vendor through the Taco Bell app. They're a monopoly!

But someone thinks it is, which is harmful to them on top of being an annoyance to everyone else.

If you don't want your user to run whatever version with whatever extension you can do that.

Of course, so far the only workable model for web browsers is having a giant megacorp fund their development and maintenance. Which is a huge issue, and we will do basically nothing about it.

(Don't get me wrong. I have high hopes for Ladybird and even Servo, but they may come too late if effectively-proprietary features force most users to stick to Chrome anyways.)

But how many companies are running Workspace + Windows with on-prem AD? I suspect that number is shrinking pretty rapidly. You can do it with InTune as well, but it starts to get real messy if your users aren't on Windows or you have non-windows endpoints.

If you're a mac shop, on google workspace, and using something like JamF (or even Intune+EntraID), you are stuck deploying .plist files to each endpoint, you don't get compliance reporting back, and you lose a ton of visibility.

These are all things that don't matter to each individual user, but are hugely important to IT/security in the company, and Firefox unfortunately just doesn't have any centralized management platform for it.

This feature supposedly ensures (or at least pushes users to) only the approved browsers running approved configurations are allowed to log in to the company's instances of Workspace.

But if either side is close to a monopoly, both cannot be part of the same company, even if that means breaking an existing company up.