Chrome Insider: Extension Management options through Group Policy
Many enterprises are looking to better manage extensions on their corporate devices. Extensions themselves are a great tool for productivity and customization of Chrome. However, some extensions can request far-reaching rights to the sites your users visit and the devices they browse from, which gives IT good reason to closely manage which extensions are in their environment and how they behave.
In an earlier post in this series, we detailed how Chrome Browser Cloud Management is the easiest way to audit installed extensions and manage them. However, some enterprises may still need to use Group Policy on Windows or plists on Mac to manage extensions. So let’s touch on management through those methods, for organizations that haven’t quite made the move to Chrome Browser Cloud Management yet.
For starters, here are some of the most used options for managing extensions (some also apply to apps) via Windows Group Policy or via plists on Macs:
Installing or allowing extensions
Extension Install Allow List: These are the extensions that you have approved to be installed within your environment.
Extension Install Force List: This will install the extension in the managed instance of Chrome. This setting overrides the extension block list policy, and the extension can’t be disabled or uninstalled.
Extension Allowed Types: Here you can create a list of what types of extensions and apps you will allow to be installed. Extensions, themes, user scripts, hosted applications, legacy packaged applications and platform applications are the values that are supported. Note that whatever you want to allow must be included in the list. Anything left off the list will not be installed. For more information on the different types, here is a link on Extensions and Apps in the Chrome web store.
Extension Install Sources: This policy restores the older install functionality for the specific URLs that you list in it. Here is a link on the URL match patterns that can be used in this policy.
Extension Install Block List: These are the extensions that you will not allow to be installed. If they are installed already, they will be disabled. If a user tries to install them, it will be blocked. In the Chrome web store, the Add to Chrome button will be red and advise the user that the extension can’t be installed.
Block External Extensions: This setting will block extensions from external sources from being installed. For example, if an installed application adds an extension to Chrome via the registry, this setting will block that extension from loading.
Advanced management options
Extensions Settings: This policy provides a wide range of functionality and requires a JSON script to be created and formatted as a single-line string. This setting can be complex. We recommend using Chrome Browser Cloud Management, as it includes almost all of this functionality without needing to write JSON, as well as the ability to audit installed extensions. If you do want to use this policy, it is covered in detail in the Managing Extensions in your Enterprise technical document. Some of the functionality that you can use within this policy:
Install types: (Allowed, Blocked, Force Installed, Normal Installed)
You can also display a custom message when the extension is blocked via the blocked installed message function.
Prevent extensions from altering websites: You can prevent all or specific extensions from running on specific websites.
Managing by permissions: You can allow or block extensions by the specific rights or “permissions” that they require to run.
This provides a baseline of functionality that you will or will not allow extensions to run on your users’ machines.
If an extension is updated, bought or sold and changes the permissions that it requires, this will dynamically protect your users from permissions that you will not allow.
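As an added example (not from the original post or from Google's documentation), the Python sketch below builds an Extensions Settings policy that uses the functions listed above, checks it for common mistakes, and emits the single-line JSON string the policy expects. The key names follow Chrome's ExtensionSettings policy schema; the extension IDs, message text and host pattern are constructed placeholders.

```python
import json
import re

# Key names and install modes follow Chrome's ExtensionSettings policy schema.
INSTALL_MODES = {"allowed", "blocked", "force_installed", "normal_installed"}
EXTENSION_ID = re.compile(r"[a-p]{32}")  # Chrome extension IDs: 32 letters, a-p
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

def validate(settings):
    """Return a list of problems found in an ExtensionSettings dict."""
    problems = []
    for scope, rule in settings.items():
        known_scope = (scope == "*" or EXTENSION_ID.fullmatch(scope)
                       or scope.startswith("update_url:"))
        if not known_scope:
            problems.append(f"{scope}: scope is not '*' or a 32-character ID")
        mode = rule.get("installation_mode")
        if mode is not None and mode not in INSTALL_MODES:
            problems.append(f"{scope}: unknown installation_mode {mode!r}")
        # Chrome needs to know where to fetch an extension it installs itself.
        if mode in ("force_installed", "normal_installed") and "update_url" not in rule:
            problems.append(f"{scope}: {mode} requires update_url")
        for key in ("blocked_permissions", "runtime_blocked_hosts"):
            if key in rule and not isinstance(rule[key], list):
                problems.append(f"{scope}: {key} must be a list")
    return problems

def to_policy_string(settings):
    """Validate, then serialize to the single-line string the policy takes."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(settings, separators=(",", ":"), sort_keys=True)

# Constructed sample: block by default, force-install one ID, allow another.
SAMPLE = {
    "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Contact IT to request this extension.",
        "blocked_permissions": ["usb"],
        "runtime_blocked_hosts": ["*://*.internal.example.com"],
    },
    "abcdefghijklmnopabcdefghijklmnop": {
        "installation_mode": "force_installed",
        "update_url": WEBSTORE_UPDATE_URL,
    },
    "ponmlkjihgfedcbaponmlkjihgfedcba": {"installation_mode": "allowed"},
}

if __name__ == "__main__":
    print(to_policy_string(SAMPLE))
```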
Even if you decide that on-premises policy management is how you want to manage extensions long term, you can still use Chrome Browser Cloud Management to get much needed visibility into extensions that may exist in your environment. The newly improved apps and extension list is a great way to get a view of your current extension landscape, giving you more data to make better decisions around extension management.
You can enroll browsers to see this information, but still set policy through your existing tools if that's your preference.
A note on Google's commitment to inclusive naming conventions. The following policies have been deprecated, but will continue to work until Chrome 95 to give administrators time to migrate to the new policies:
- ExtensionInstallWhitelist replaced with ExtensionInstallAllowlist
- ExtensionInstallBlacklist replaced with ExtensionInstallBlocklist