Chrome Enterprise

Chrome Insider: Extension Management options through Group Policy

GPO Extension Management Blog Header_Opt3.jpg

Many enterprises are looking to better manage extensions on their corporate devices. Extensions themselves are a great tool for productivity and customization of Chrome. However, some extensions can have the potential for far reaching rights to sites your users visit and devices they browse from, giving IT the desire to closely manage which extensions are in their environment and how they behave. 

In an earlier post in this series, we’ve detailed how Chrome Browser Cloud Management is the easiest way to audit installed extensions and manage them. However, some enterprises may need to still use Group Policy on Windows or plists on Mac to manage extensions. So lets touch on management through those methods, for organizations that haven’t quite made the move to Chrome Browser Cloud Management yet. 

For starters, here are some of the most used options for managing extensions (some also apply to apps) via Windows Group Policy or via Plists on Macs:

Installing or allowing extensions

Blocking extensions

  • Extension Install Block List: These are the extensions that you will not allow to be installed. If they are installed already, they will be disabled. If a user tries to install them, it will be blocked. In the Chrome web store, the Add to Chrome button will be red and advise the user that the extension can’t be installed. 

  • Block External Extensions: This setting will block extensions from external sources being installed. An example of this is if an installed application is adding an extension to Chrome via the registry, this setting will block that extension from loading. 

Advanced management options

  • Extensions Settings: This policy provides a varied amount of functionality and requires a JSON script to be created and formatted in a single line string. This setting can be complex. We recommend using Chrome Browser Cloud Management as almost all of the functionality is included without needing to write JSON as well as the ability to audit installed extensions. If you do want to use this policy, it is covered in detail in the Managing Extensions in your Enterprise technical document. Some of the functionality that you can use within this policy are:

    • Install types: (Allowed, Blocked, Force Installed, Normal Installed) 

      • You can also display a custom message when the extension is blocked via the blocked installed message function.

    • Prevent extensions from altering websites: You can prevent all or specific extensions from running on specific websites. 

    • Managing by permissions: You can allow or block extensions by the specific rights or “permissions” that they require to run. 

      • This provides a baseline of functionality that you will or will not allow extensions to run on your users machines. 

      • If an extension is updated, bought, sold and updates the permissions that it requires, this will dynamically protect your users from permissions that you will not allow. 

Even if you decide that on-premises policy management is how you want to manage extensions long term, you can still use Chrome Browser Cloud Management to get much needed visibility into extensions that may exist in your environment. The newly improved apps and extension list is a great way to get a view of your current extension landscape, giving you more data to make better decisions around extension management.

You can enroll browsers to see this information, but still set policy through your existing tools if that's your preference. 

Well, that’s it for this edition of Chrome Insider. Here’s where you can find more posts in the series, or you can learn more about Chrome Browser Cloud Management.


A note on Google's commitment to inclusive naming conventions. The following policies have been deprecated, however will still continue to work until Chrome 95 to give administrators time to migrate to the new policies.

ExtensionInstallWhitelist replaced with ExtensionInstallAllowlist
ExtensionInstallBlacklist replaced with ExtensionInstallBlocklist