Skip to main content

We are trying to modify our com.google.chrome.plist to allow two extensions to be installed by end users.  We block all extensions in our .plist file by using the "*" wildcard under "ExtensionInstallBlocklist", and have now added the "ExtensionInstallAllowlist" policy with a string containing the two extension ID's.  The chrome://policy page shows that both of the policies are OK so they are being recognized and should be working, however, when installing those two extensions they still say they are blocked by the administrator.  The Chrome policy description page shows that blocking all extensions and allowing specified ones is the way to only allow just certain extensions.  Is there something I'm missing here?

Here is our plist, website url's have been removed:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BrowserSignin</key>
<integer>0</integer>
<key>ComponentUpdatesEnabled</key>
<false/>
<key>ExtensionInstallAllowlist</key>
<array>
<string>giahjhmjbiiopleefbmlmjfaafdihidd</string>
<string>lpjhkdcegpcnffjlhpgeednnefdhagfk</string>
</array>
<key>ExtensionInstallBlocklist</key>
<array>
<string>*</string>
</array>
<key>HomepageLocation</key>
<string>[HIDDEN FROM POST]</string>
<key>NewTabPageLocation</key>
<string>about:blank</string>
<key>RestoreOnStartup</key>
<integer>4</integer>
<key>RestoreOnStartupURLs</key>
<array>
<string>[HIDDEN FROM POST]</string>
</array>
<key>SyncDisabled</key>
<true/>
</dict>
</plist>

 

We also tried swapping the allow key to be after the block key rather than alphabetically thinking maybe it was allowing those two and then blocking all after, and by swapping them (if the order did actually matter) it would block all extensions and then allow those two after, but no change.

What if you replace ExtensionInstallAllowlist to ExtensionInstallForcelist?

 

 

What if you replace ExtensionInstallAllowlist to ExtensionInstallForcelist?

 

 


We did try that, no change.  We also tried leaving the ExtensionInstallAllowlist in there and adding ExtensionInstallForcelist at the same time with the same ID's inside of it as well, still no change.  Its frustrating that the policy page shows that it's working, yet the exact ID shown there is blocked on the webstore and it even gives that matching ID on the blocked message.

We also tried removing the plist file so we could install any extensions, installed the two we are trying to allow, then added the plist file back in, and found it disables the two extensions.  Which the blocklist policy does say it will disable extensions that are already installed if they're blocked in the list, which with * is all of them, except we've allowed these two.  They show the same ID as the plist and webstore link on the Extensions page.

We ended up just keeping our .plist with the block all policy on all of the machines and then pushing a .plist with the extensions part removed for the students that need these two extensions (only a handful) and will just have to monitor as they can install any extensions.  Given our time spent troubleshooting and retrying different ways, we're assuming it's broken on Chrome.

Reply


Terms & ConditionsCookie settings