firefox messes up their DNS filtering, chrome doesn't. so they remove firefox and enforce chrome. if you see that as a slippery slope, you're imagining it. they probably 1) have a decent app like ninite to remove and install apps, 2) don't have anything but their production environment, 3) don't have a homogenous environment in terms of patching (maybe they do), 4) don't have people to go around and make sure the config changes they push (however they would push them) took, worked, etc. so they block the app. maybe eventually they reinstall it. welcome to IT.
...which reinforces my point about how people actually doing this and people speculating about it tend to respond to issues like this.
> firefox messes up their DNS filtering, chrome doesn't
I take it you assume students are not creative enough to get the exact same result with Chrome? Because it is perfectly possible to do it. Unless of course you take steps to prevent that in Chrome. One way or another you either put in the work or the users will end up doing whatever they please. After configuring the OS doing the same for the browser is a relatively small step.
of course it's possible to do so. but DNS filtering works for most users, and is much easier to centrally manage on a budget (in terms of time / people / money) than browser settings.
i'm belaboring this point now, but people who actually do this stuff know that you can't just throw up a GPO to fiddle with chrome settings and expect everything to work. this culture of "power users" thinking they know the best course of action for every situation in IT (and it's always "that thing i Put In The Work to do when i was tailoring my own system") is really silly.
> know that you can't just throw up a GPO to fiddle with chrome settings
I thought we were talking about how hard it is to fix Firefox. This can be done on a budget - part of an afternoon - since it can be very easily managed with a plain old config file copied to all machines (at least until a couple of versions ago). With this gone you're left with Chrome. How would you make sure no user can use any one of the multiple options to abuse a non-managed Chrome and bypass this? Remember that your target isn't to have a browser that doesn't mess up filtering, it's to prevent students from using any (creative) means to access restricted material. And with Chrome there's one sure way to prevent those creative means. So don't answer, it will be GPOs.
And since your fix for DOH and DNS filtering is to uninstall the browser (!) when Chrome eventually implements it will make for an interesting conversation ;).
as i replied in the comment below, the goal isn't "absolute porn free paradise," it's "keep our current control working." sound shortsighted to you? it is. it's also the easiest thing, and frees everyone up to do other, more important work than impressing people who are aghast that an organization would uninstall 1 of 2 browsers b/c it bypasses some control of theirs.
as for once chrome implements DOH, they'd cross that bridge when they came to it. it's an uphill battle, because really content filtering, of course, should not be done through browser settings (remotely managed or otherwise), nor solely through DNS. if whoever tells IT what to do in that school district is hellbent on it being impossible to browse to pornhub, they'll ultimately need a layer 7 firewall. but again, when you're on the budget, you do fastest / cheapest / most effective.
(and if we return to pure hypothetical, i would argue that dns filtering really is the best way in their case, because anyone who could bypass that--besides just using firefox--will be able to bypass better chrome config, or your firefox config change, etc, since they can just edit host file, etc etc etc)
...which reinforces my point about how people actually doing this and people speculating about it tend to respond to issues like this.